Will Fintech Steering Committee report bring changes to PDPA?

The Subhash Garg Committee’s report on Fintech has touched on several aspects of the industry. It has interalia recommended on two aspects which are immediately relevant for us as observers of ITA 2000 and PDPA.

Firstly it has recommended changes to ITA 2000, to bring in the documents kept out of ITA 2000 under Section 1(4).

The recommendation is as under

Para 2.4.6: Re-engineering Legal Processes for the Digital world

The Committee recommends review by Department of Legal Affairs of all such legal processes that have a bearing on financial services and consider amendments permitting digital alternatives in cases such as power-of-attorney, trust deeds, wills, negotiable instrument, other than a cheque, any other testamentary disposition, any contract for the sale or conveyance of immovable property or any interest in such property, etc., (where IT Act is not applicable), compatible with electronic service delivery by financial service providers.

These exemptions had come in due to some specific thoughts which were relevant in 1998-2000 when the law was drafted. There are certain changes that have occurred in technology that may warrant a rethink on some of the aspects. However, the steering committee was neither tasked to think about changes in ITA 2000 nor it had the necessary expertise.

Hence the suggestions can only be taken as nothing more than an indication to the Government and should be handled with care.

Secondly, the committee has also made suggestions regarding the powers of the proposed Data Protection Authority proposed under PDPA, as under.

Para 4.4.3: Coordination with Financial Regulators:

The Committee is of the view that in some cases, data privacy requirements in existing legislation may need to be reviewed in order to tailor them to the emerging data privacy legislation. The Committee also considers that given the fact that sectoral regulators are already taking steps to maintain the security and confidentiality of consumer data in their respective jurisdictions, some obligations the Data Protection Bill seeks to place on the DPA may be given to the sectoral regulators to discharge. Regulators must therefore carefully review their existing regulatory framework and identify any changes or modifications that may be required to the current regulatory framework.

It appears that the committee was apprehensive of the loss of power of some of the other authorities who may have to work as per the directions of the DPA. It is obvious that the DPA will respect the sectoral regulators and accommodate their views in the implementation of the Data Protection regulations. But there has been a tendency by different departments of the Government to come up with their own Privacy related regulations that could overlap with the PDPA and confuse the market players.

This should be avoided. Let the DPA come into existence as per law with suitable flexibility in defining the codes and practices in different sectors and then discussions can be had with individual sectoral regulators so that their views can be accommodated.


Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

FINTECH Steering Committee Report

On 5th March 2018, GOI constituted a Steering Committee on Fintech related issues which has now come up with its recommendations. It was comprised of Secretaries of different ministries and headed by the Secretary of Economic Affairs (DEA) , Mr Subhash Chandra Garg.

Refer copy of Report here

The objective of the committee was to “Consider various issues relating to development of Fintech space in India with a view to make Fintech related regulations more flexible and generate enhanced entrepreneurship in an area where India has distinctive comparative strengths vi a vis emerging economies”.

We look at the salient features of the recommendations as briefly indicated below.

  1. The committee recommends the use of fintech, especially by PSE financial service companies to bolster cybersecurity, fraud control and anti-money laundering. The Committee also recommends that fintech firms specialising in this field should be encouraged to set up their businesses in India and provided necessary regulatory approvals for expanding their services in the country.
  2. The Committee recommends that the Ministry of Finance may develop a marketplace model of debt financing in India by reforming the present model of P2P lending platforms. Potential hindrance in terms of restrictions on overall and individual exposure limits may be reviewed and options like allowing Mudra Bank to directly fund or co-fund SMEs and MSMEs through P2P platforms may also be examined as an alternative credit delivery channel.
  3. The Committee recommends that DFS and RBI may examine the suitability of ‘virtual banking system’ in the Indian context, costs and benefits regarding allowing virtual banks and prepare for a possible future scenario where banks do not need to set up branches and yet deliver the full scale retail banking services ranging from extending loans, savings accounts, issuing cards and offering payment services through their app or website.
  4.  For facilitating KYC by Fintech industry, the Committee recommends that various options, including possibility of Video-based KYC, making available validated electronic versions of KYC related documents through DigiLocker, making these available for verification by service providers with prior customer consent, etc., may be considered early.
  5. In order to increase access to credit and to stabilise the growth of such practices and keeping in view recommendations of the Justice Srikrishna
  6. A Taskforce has been recommended to be set up with the participation of the regulators and make suitable recommendations to safeguard the interests of Consumers, while also enabling a positive climate for innovation.
  7. The Committee notes that the poor and the unbanked are often unable to access credit due to the lack of formal credit history and non-availability of other relevant documents. Fintech companies focus on a number of unconventional sources of data and advanced data analytics to create better credit profiles of such individuals. These fintech companies collect information pertaining to social media behaviour, financial transaction behaviour, product purchase behaviour etc. These kinds of information are not captured by CICs. Fintech companies collect these kinds of information from the mobile phones of consumers with prior consent. Banks are being encouraged to explore the possibility of establishing new alliances with players like fintech companies for ease of loan sanctioning process enabled by new technologies. In order to increase access to credit and to stabilise the growth of such practices and keeping in view recommendations of the Justice Srikrishna Committee, this Committee recommends that MeitY and TRAI may formulate a policy to enable such practices through a formal, consent-based mechanism.
  8. Centers of Excellence for FINTECH are recommended to be set up in 2 or 3 premier National institutions like IITs/NITs and Government Financial sector institutions like IDRBT/NIBM/NIFM
  9. The Committee recommends that the Ministry of MSME should work with DFS and RBI for testing and implementing block-chain solutions in trade finance for MSMEs in public sector banks as well.
  10. The Committee recommends that the Government takes up modernisation and standardisation of land records in the country on a war footing with a deadline to complete such a system in the country in a period of three years. For this purpose, a steering committee comprising of Department of Economic Affairs, Department of Financial Services, Ministry of Agriculture, Ministry of Rural Development, Department of Land Resources and MEITY with involvement of State Land and Registration departments should be constituted to draw up a blueprint for doing so.
  11. The Committee recommends review by Department of Legal Affairs of all such legal processes that have a bearing on financial services and consider amendments permitting digital alternatives in cases such as power-of-attorney, trust deeds, wills, negotiable instrument, other than a cheque, any other testamentary disposition, any contract for the sale or conveyance of immovable property or any interest in such property, etc., (where IT Act is not applicable), compatible with electronic service delivery by financial service providers.
  12. The Committee recommends that MEITY coordinate the process of identification of the datasets that can be shared through open APIs, setting targets for the creation of such APIs by the relevant Ministries while enabling and supporting Central, State and Local governments to create relevant open APIs. The Committee also recommends that greater nudge from all regulators combined with development of open API eco system will enable account aggregator services to take off.
  13. Regulators should establish prudential regulations for fintech to enable the moderate and high impact scenarios of fintech development to emerge.
  14. The Committee recommends that RBI may consider making available banking data (such as transaction and account history data) for use by the financial sector, including fintech firms, (based on consumer consent and with other appropriate safeguards) through APIs. It also recommends that all financial sector regulators study the potential of open data access among their respective regulated entities, for enhancing competition in the provision of financial services.
  15. It therefore recommends that all financial sector regulators fix deadlines for on-boarding existing KYC data to the Central KYC registry and make C-KYC (central KYC) fully operational and make KYC a digital and paperless process. At least the KYC data from the time the concept of Officially Valid Documents was introduced vide PML rules should be uploaded. In respect of legacy accounts, data may be uploaded by banks during the process of re-KYC.
  16. The Committee recommends that a legal framework for consumer protection be put in place early keeping mind the rise of fintech and digital services. It further recommends enacting such a law early keeping the rise of financial technologies in view.
  17. The Committee recommends creating a common digital platform for all micro-pension schemes and Government pension schemes, including EPF, through which pension subscribers can subscribe to specific schemes seamlessly and reduce access barriers by allowing payments through various modes such as Jan Dhan Yojana accounts, debit card, credit card, internet banking, mobile wallets etc.
  18. In order to expand the reach of small savings schemes, provide ease of access and transactions to consumers, reduce risk of frauds, enable trading in secondary markets, etc., the Committee also recommends that all Small Savings Products, which are neither accessible online nor available in demat form, should be brought on a common online platform in demat form. For vulnerable groups and weaker sections who are neither digitally and financially literate, a combination of both human interface and technological application may be effective.
  19. The Committee recommends use of fintech by Public sector commercial banks to enhance credit scoring, follow up of repayments, predictive analytics, etc., so as to enable reduction of NPAs in this space.

A rough glance at the above indicate that the recommendations indicate several new business opportunities which can be explored by the industry. However, most recommendations need to be carefully evaluated for the risks before they are actually implemented.

A lot more discussion is required on the recommendations.


Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Data Laundering ..is it covered under PDPA?

In continuation of our discussions of yesterday regarding TransUnion CIBIL, further thoughts on the data protection regulatory aspects are being discussed below to draw the attention of RBI, CERT In, MeiTy, Ministry of Commerce etc.

Data Protection laws try to protect personal data handling by insisting that

    1. The first collector of personal data from the data subject provides a clear Privacy notice and obtains an informed consent, which shall be an “Explicit Consent” in the case of sensitive personal information. GDPR considers the collector as the “Data Controller” or a Data processor working under a contractual direction of another Data Controller.
    2. Subsequently, every transfer of the personal data is subject to consent and a contract that binds the downstream receiver to the same level of protection that the consent expects.
    3. There is also a clear “Cross border transfer” restrictions that need to be adhered to.

In the case of CIBIL, data subjects donot have any direct communication from CIBIL that they have collected the personal data which is being processed in a specific manner etc. They have silently collected the data from the Banks and using it to influence the new loan applications of the data subjects without informing them the reasons why their rating has gone up or down.

In the case of CIBIL, which was initially promoted by a consortium of Indian Banks and regulated under RBI regulations, the personal data of millions of Indian citizens were aggregated. The objective of this was to prevent bad borrowers from taking the Banks for a ride by borrowing from multiple Banks and defaulting in the repayment.

However, contrary to this original objective the Credit Information Companies (CICs) used the data to “Profile” the borrowers and assign a “Credit Rating”. Initially, this was meant to assist new lenders with an indication of the credit worthiness of the borrowers.

As days passed, many lenders took the easy way out and did not conduct their own credit check on the borrowers and depended entirely on the credit rating of the CICs. The borrowing limits were fixed on the basis of the “Credit Score”. Lower the Score, lower would be the limit. In a way, this resulted in an “Automated Decision Making” by the lenders on the basis of the credit rating.

At the back end, the CICs used parameters such as length of credit history, number of defaults, overdues, loan enquiries made etc.., and arrive at the  credit rating using some kind of an algorithm. Considering the way technology is used today, it can be presumed that the final credit score is the outcome of the processing of the set of parameters chosen in the chosen algorithm. There is most likely no human element in assessing the credit risk and the decision is “Automatic”.

Thus the decision to lend or not to lend taken by the lender is directly influenced by the credit rating which is a result of an automated decision making in itself.

Hence the credit score determination falls into the category of profiling with automated decision making under the data protection laws. This therefore requires an “Explicit Consent” from the data subject.

When the credit scores are incorrectly computed either because the algorithm is imperfect or the input data is inaccurate, the data subject is subject to a loss of reputation and denial of credit. This is therefore a serious legal issue that creates a liability on the credit rating agencies.

In this case the CICs need to be subjected to the rigorous privacy protection measures contemplated under the privacy regulations.

Data Laundering

One of the data protection requirements is the data transfer regulations. In India there is now a debate on “Data Sovereignty” and “Data Localization”. In this context , the data collected for profiling borrowers and developing the Credit scores become “Sensitive Personal Data” that should be subject to the Data Localization requirements.

To overcome the regulatory controls, some companies may use devious means to access the sensitive personal data and indulge in “Data Laundering” by taking over companies who already posses such data. In such cases a foreign company that takes over an Indian company will have access to the data and once access is availed, it is not difficult for the company to transfer it out.

Hence in case of “Critical Personal Data Processing companies”, it may be necessary to prevent the take over to prevent cross border transfer or have an increased oversight or conditions imposed on take over.

TransUnion take over of CIBIL appears to be one such transaction where, TransUnion took over CIBIL by acquiring equity and thereby got control of a huge amount of data of 550 million citizens of India.  Whether this was “Data laundering”  and whether there was a suitable over sight from RBI is a matter to be investigated.

Trans Union -CIBIL take over

When CIBIL was initially in operation, it was controlled by Indian Banks and we could presume that the data was held in India. Probably some time later the data could have been hosted on cloud servers belonging to non Indian Companies and stored abroad.

Presently we understand that Trans Union CIBIL is owned by TransUnion to the extent of 92.1%. According to the website of TransUnion in 2017, TransUnion acquired 92.1% stake in 2017 during the first Modi Government.

Initially, the shareholding of CIBIL’s was held by State Bank of India, Housing Development Finance Corporation Limited, Dun & Bradstreet Information Services India Private Limited and Trans Union International Inc. The shareholding pattern was in the proportion of 40:40:10:10 respectively.

This changed in 2009 to what is indicated  (reference:taxguru.com)  in the following diagram which shows  that as of 15th September 2009, the shareholding of CIBILwas as follows.


State Bank of India 10%
HDFC 10%
ICICIBank 10%
Dun & Bradstreet 10%
TransUnion 10%
Bank of Baroda 5%
Bank of India 5%
Indian Overseas Bak 5%
Punjab National Bank 5%
Union Bank of India 5%
Central Bank of India 5%
Citicorp Finance (India) ltd 5%
The Hongkong and Shanghai Banking Corporation Ltd 5%
Standard Chartered Bank 5%
Sundaram Finance Ltd 2.5%
GE Strategic Investment India 2.5%





It is clear therefore that the initial shareholders had diluted the shareholding mostly in favour of the other Indian Banks. TransUnion also maintained its share holding at  10%.

From this stage to the current level of 92.1%, TransUnion must have grabbed the share holding of most of the other share holders.

It is intriguing that RBI allowed the Banks and each of the Banks got their shareholder’s approval to divest their holdings in favour of one US company as a coordinated approach. If the share holding of one foreign entity raised to 92.1%, then it was a matter that should be the concern of Direct Foreign Investment in a Banking related activity.

How was this FDI  permitted in 2017 is intriguing.

How did all the Banks were made to agree to sell their stakes to one foreign entity?

What was the price?

What were the board decisions at that time?

Did any board member object to this sell out? ….etc

are issues that need investigation from the CBI itself.

Modi Government needs to Clarify

A deal of this nature provides a definite scent of corruption and members of the Modi Government including Mrs Nirmala Sitharaman and Suresh Prabhu who were the commerce ministers in 2017 need to clear their positions.

Going forward, action should be initiated to disallow the majority share transfers to TransUnion and the shareholding has to be reverted back to the Indian Banks.

The heads of the Indian Banks in 2017 who must be aware of the reasons why they agreed to divest their shares also need to clear their position as otherwise it would be presumed that all the Banks were forced to sell their shares probably by the RBI and they did not raise any objections either because they were naive enough not to see anything wrong in the deal or were silenced otherwise.

It is interesting to note that Mr Raghuram Rajan was the RBI Governor of that time and he was a close associate of Mr P Chidambaram. Did he have a hand in these deals? is a doubt which naturally arises.

Mr Modi and Mr Amit Shah may be busy in other things and would like to let this pass and go un-investigated. But this will explode into a scam sooner or later and that time, questions will be asked why Mr Modi and Amit Shah decided not to pursue this. Was it because Mr Arun Jaitely was the finance minister of the time and they donot want any discredit to come to him?

Now that this issue has come to public, the public will be awaiting a clarification from the RBI, the Ministry of Finance and the Ministry of Commerce.

I have not at present obtained any direct information from TransUnion or the ministries. It is possible that the entire transaction is above board. But it needs to be clarified by the right persons.

I look forward to the clarifications from any of the parties who have been indicated here, including the 16+ share holders of CIBIL.

Academically, we need to check if PDPA provides sufficient cover to recognize and punish Data Laundering.


Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Is TransUnion-CIBIL guilty of Accessing Critical Personal Data through surreptitious means?

Indian consumers of Credit Card services have been frequently expressing their dissatisfaction against the role of CIBIL as a credit rating agency.

It is often accused of cheating the public by not providing the free credit report which they are supposed to provide once a year, are accused of inefficiency in not updating the customer data and on occasions receiving false data from the Banks due to error or design.

The travails of the credit subjects have been well captured in the article “How CIBIL Can mess-up your credit score” in moneylife.in.

I would not go into discussion of this more except to say that this happens fairly regularly and reflects the callous manner in which the service is managed.

But I would like to point out that the life for CIBIL will not remain as comfortable as it is now in the coming days where PDPA (Personal Data Protection Act) will become a law and a Data Protection Authority would be set up in India. Then CIBIL and the other Personal Credit rating agencies in India will be answerable to the Data Protection regulations which will include civil and criminal liabilities.

CIBIL  or Credit Information Bureau (India) Limited) came into existence on August 2000, entered consumer operations in 2004 and into commercial credit operations in 2006.

Initially, CIBIL was perceived to be a Company started by RBI with equity contributions from different Banks as indicated in the above share holding pattern. (Reference taxguru.com)

However, current information indicates that 92.1% of its shares are now held by TransUnion. Transunion is a US based Company. The ownership of TransUnion CIBIL is therefore in the hands of a foreign company. This company now holds about 550 million India’s credit data which is “Sensitive Personal Information” under ITA 2000 and will be “Critical Personal Information” under the PDPA. Hence this company will come under the Data Localization rules.

Further, this company has so far collected personal data not from the data subjects but from the Banks. There was initially no consent from the data subject. Subsequently since the Credit Information Companies (Regulation) Act, 2005, was notified on 23rd June 2005, the presumption is that Banks are sharing the personal data under permission from RBI. But this is not the correct legal position. TransUnion is a commercial entity which has about 2400 members from the Banking and FinTech companies in India and collecting a fat fee from them for every credit score reference they receive.

TransUnion CIBIL is therefore an entity that is a MNC which has taken over an Indian company along with a highly valuable critical personal data worth billions of rupees and is making a huge profit.

The manner in which the TransUnion has acquired access to the critical personal data of Indian citizens is through a clever manipulation of take over of a company along with its data assets. This is “Data Laundering”

How was this allowed to happen is a matter which needs investigation. Who gave the permission? Was it the Finance Ministry headed by Mr P Chidambaram? Who was the RBI Governor who allowed this set up? all needs to be verified.

Is there a scent of a scam?… I request Dr Subramanyam Swamy/Pgurus to take a look.

From the case referred to above, it is clear that TU-CIBIL is guilty of

a) Not keeping the personal data properly updated and accurate

b) Using  an automated decision making process to make profiling decisions about the individuals

c) Not obtaining explicit consent from the data subjects for the profiling

d) Not informing the data subjects that their personal data is being collected from third parties for profiling and generating the Credit Score

e) Sharing the credit score which may be incorrect and adversely affect the reputation of the individuals.

f) Transferring the critical personal data across the border for processing without explicit consent…etc

The apparent violations of the company are extremely serious and need immediate action from the Government of India first under Information Technology Act to check if they are practicing “Reasonable Security Practice” and “Due Diligence”. An immediate audit from CERT-IN is warranted.

RBI has powers under the Credit Information Companies (eRegulation) Act, 2005, was notified on 23rd June 2005, to regulate such credit rating agencies. It would be interesting to note if RBI has ever conducted an audit of CIBIL or like PNB, left it to the God’s wish that the security of information takes care of itself. Perhaps the current RBI administration may answer this.

When PDPA becomes effective, the data collected prior to the implementation date will become illegal and has to be destroyed. This means that unless TransUnion CIBIL obtains “Explicit Consent” on or after the date of PDPA notification, it cannot be allowed to continue in business.

I warn the CIBIL users to take note that if the Government takes action against CIBIL as they should do their business continuity may be adversely affected. They need to therefore secure themselves against such contingent event.

I am looking forward to receiving a counter from CIBIL regarding the above and if received, would be happy to publish it here. If no response comes from them, it would be presumed that the inference drawn here are perhaps true.

Those in Nasscom and DSCI who have been championing the opposition to the Data Localization also need to comment on whether TransUnion should be allowed to transfer the data outside India and what action is to be taken to ensure that the data already transferred out is erased in the servers in US or elsewhere.


Comments Welcome

Print Friendly, PDF & Email
Posted in Cyber Law | Tagged , , , | 1 Comment

The petition for Data Sovereignty

Mr Vinit Goenka, of the Center of Knowledge sovereignty has floated a petition on Data Sovereignty at change.org.

The link to sign the petition can be found here:

For immediate reference some of the salient features of the petition are reproduced here along with my comments.

The petition is in the context of the PDPA Bill which is to be introduced in the next session of the parliament.

Petition and comments: 

“Government of India cannot be a mere silent spectator here when data of millions of people in India (common man) is been compromised by tech gaints and foreign entities. The common man gets lured by Free Apps and doesn’t understand the terms and conditions drafted by these tech companies and social media giants.

The social media platforms carrying such Apps/advertisements on their channels as well as new apps making entry into Indian cyberspace have to clearly be monitored.

This is not censorship but the right over our data, maintain our privacy, respect our individuality and to ensure we are not made DIGITAL SLAVES. Its high time, the Government of India takes some strong steps as each day’s delay is a ticking timebomb and we are losing the Digital race.

1) It is the need of the hour to bring in strong laws to monitor and check the social media channels and also revisit the laws every year in the ever-changing cyberspace.

Comment: PDPA read along with ITA 2000 would be reasonably strong to address the requirement if it is passed quickly by the Parliament. 

2)It must be made mandatory for these companies to store data inside India and take the permission of the Government of India to take the data overseas.

Comment: Already available under PDPA

3) It must also be mandatory for the parent company of the apps or social media company to have an office in India, registered business address in India and occupier in India. This responsible officer must cooperate with law enforcement agencies.

Comment:. Social Media companies spreading fake news require a different treatment. Some cases may come under right to free speech. Hence this aspect must be handled with finesse. ITA 2000 and the intermediary guidelines are good enough to handle this if the provisions are enforced properly. The data localization is a means of such enforcement.

4)It should also be made compulsory for the social media companies to highlight in the agreements any clauses that infringe the data privacy of the users .

Comments: Already incorporated under PDPA. 

5) The agreement should also be in drafted in at least 5 more Indian languages so that the people of India can understand the terms and conditions before using the application and platform.

Comments: The question of taking consent is not an efficient way of privacy protection. There are other means which are out of scope for discussion here. Anyway the suggestion is a step in the right direction. But the problem is why five? which five? etc…

6)The laws must define clearly the provisions for violation of privacy and the said officer and organisation must cooperate with the law enforcement agencies.

Comment: PDPA with ITA 2000 ensures this

7)The minimum age limit of the user of the applications must be defined clearly . Minors should not be allowed to use / register on platforms without parental vigilance.

Comment: PDPA with ITA 2000 ensures this.

8)The Social Media App must be linked to some Government Id or Any verifiable identity to make traceability, stop children from accessing Social media before the stipulated age and curb fake news.

Comment: PDPA with ITA 2000 can be applied to ensure this. Already discussions have taken place with WhatsApp. There was also a discussion in Madras High Court in which the IIT professor Dr Kamakoti also provided some technical solutions.

9) The laws must provide the user with the right to delete his/ her data from common view or access if they later find it inappropriately posted on such platform or application. This data must be wiped out from the servers for common commercial or other use except for law enforcement reasons.

Comment: This has some issues… ITA 2000, Sec 79 has some provisions. PDPA also will have some provisions. Removal from public view is necessary in case of objectionable fake news. But truth cannot be suppressed except in emergencies for which specific provisions in ITA 2000 are available.

10) Social media companies must not use any data without the explicit consent each time while sharing, using, reproducing our content, images, data .

Comment: We need to work with PDPA with ITA 2000 to ensures this

11) These social media companies must pay legitimate taxes in India as per the provisions of law.

Comment: This is outside the purview of the Privacy discussion.

Other Views

We are aware that the industry lobby is strongly opposing the provisions of the PDPA bill under clause 40 which states as under:

(1) Every data fiduciary shall ensure the storage, on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies.

(2) The Central Government shall notify categories of personal data as critical personal data that shall only be processed in a server or data centre located in India.

(3) Notwithstanding anything contained in sub-section (1), the Central Government may notify certain categories of personal data as exempt from the requirement under sub- section (1) on the grounds of necessity or strategic interests of the State.

(4) Nothing contained in sub-section (3) shall apply to sensitive personal data.

The above restriction applies to only non sensitive and non critical personal data. Besides only one serving copy is required to be kept and transfer is available on various conditions including adequacy, standard contractual clause, explicit  consent, medical emergency etc. These are not different from GDPR which says that Cross border transfer is permissible under similar conditions which indirectly means that it is not transferable otherwise.

The social media companies are making an unnecessary issue out of this provision and their objections are not justified.

We also know how these companies like Twitter are helping anti India activities and spreading fake news. When called upon to correct as per the provisions of ITA 2000, they donot respond. These companies who are  subservient to FBI and allow backdoors only have problems with Indian requests. Hence their arguments are not to be considered genuine.

Apart from this, some of the points mentioned by Mr Vinit Goenka may require further discussion. One such point is point no 10 on deletion of the data. This has to be subjected to provisions of Section 79 of ITA 2000 and the data erasure provisions under PDPA. There is a proposal to amend a rule notified under Section 79 which also has been placed in the background due to the opposition raised by the vested interests in the industry who donot want fake news in social media to be strongly regulated. MeitY should go ahead with the notification without further delay.

I have proposed other mitigation efforts under PDPA which may be discussed on a different occasion. Subject to these, PDPA is a strong enough law and when implemented along with ITA 2000, can force the intermediaries to cooperate with the law enforcement authorities.

From the petition it appears that there is a lobby in the Government which is interested in yielding to the pressure from the industry  which Mr Vinit Goenka is trying to counter. We know that this lobby includes the NASSCOM which is working through DSCI. DSCI submitted a dissent note to the Srikrishna Committee but the Committee went ahead with its proposal for data localization. It is this lobby which has delayed the presentation of the bill so far and may still be fighting for dilution of the PDPA Bill.

I strongly object to the MeitY if it wants to succumb to the pressures of vested interests and hope the Government will be firm in implementing the PDPA provision on data localization.

I therefore  support the petition and I feel that Data Localization will give a big boost to the local data industry and must be implemented.


Print Friendly, PDF & Email
Posted in Cyber Law | 1 Comment

IDBI Bank held liable in Phishing Case a-la Umashankar Vs ICICI Bank

The adjudication complaint of S Umashankar Vs ICICI Bank was a historic case in which the Adjudicator of Tamil Nadu, Mr PWC Davidar held that ICICI Bank is liable for negligence despite the phishing mail having been answered by the innocent victim.

This decision of the Adjudicator was challenged by ICICI Bank in the Cyber Appellate Tribunal and on 10th January 2019, the TDSAT to which the Cyber Appellate Tribunal was merged into in 2017 delivered it’s judgement upholding the Adjudicator’s verdict and rejecting the appeal of ICICI Bank.

Now in yet another case, TDSAT has upheld the Gujarat Adjudicator’s decision to hold the Bank responsible to pay compensation.

Refer the judgement here: Cyber Appeal 7 of 2013 IDBI Bank Vs Sudhir S Dhupia

This was an ex-parte order

It was interesting to note that the hearing was ex-parte and the victim got justice despite his inability to be present during the hearings . The TDSAT must be specially commended for this decision since justice was upheld without the necessity for the victim to explain to the Court that he was a victim and needs justice. If all Courts adopt this sort of stand, the Judicial system in India will come to be respected far more than at present.

Some Courts which swear on formalities need to take a fresh look at their procedures and make justice more easily accessible to the common man.

The Judgement quotes the precedence of Umashankar Vs ICICI Bank

It was interesting to note that the judgement made a reference to the Umashankar Vs ICICI Bank case both the adjudication verdict and the TDSAT’s own verdict. (Cyber Appeal 1/2010).

Other Banks should take note of such judgements and withdraw their cases against the hapless customers who cannot pursue expensive litigation to fight for their justice. Banks have public money and they are wasting their money on continuing the litigation. Banks are also ignoring the RBI guideline that RBI has given that they need to  have Cyber Insurance cover and use it such cases of third party frauds.

While looking at the negligence under Section 43 and 43A, we need to also draw the attention of the public on the Kerala High Court judgement in the case of SBI vs P V George which has been discussed earlier here where the Court has held that even not responding to the SMS alert cannot be held against the customer for denying reimbursement for such frauds.

We can also draw the attention to the following news report which reports a fraud in

Mangalore, Karnataka, where the customer has lost money even without sharing OTP or answering the Phishing mail. This highlights the fact that such frauds occur because of an inherent security flaw in the Banking system which includes the insider involvement in the frauds.

Hence Courts should take note of the increased level of security expectation on the Banks and ensure that customers who are victims of the insecure banking practices are not made to suffer the loss.

I request the Finance Minister Mrs Nirmala Sitharaman and the RBI Governor to advice the Banks to withdraw all cases of similar nature in which they are continuing to litigate with the use of public funds.

I also request shareholders of these Banks such as ICICI Bank, SBI, HDFC Bank, PNB, IDBI Bank etc., to question the boards as to why they are continuing the litigation and not settling the victim’s claims immediately.


Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment