Naavi.org

Section 65B of Indian Evidence Act (IEA) was a very important amendment made to the age old Indian Evidence Act 1872 consequent to the passing of Information Technology Act 2000 (ITA 2000) notified on 17th October 2000.

This section provided the means of bringing electronic evidence as an admissible evidence in a Court of law and Naavi.org has discussed this several times in the last 20 years. Naavi even published an E Book on the topic (Which is now due for revision).

Now with the passage of the Bharatiya Sakshya Adhiniyam 2023 (BSA 2023) which has been notified for effectiveness on 1st July 2024 along with the new IPC and new CrPC., the section 65B of IEA will be replaced by Section 63 of BSA 2023 with similar provisions.

The objective of this article is to highlight the difference between Section 65B of IEA 1872 and Section 63 of BSA 2023. Section 65B of IEA had 5 sub sections and Section 63 of BSA also has 5 subsections along with a Schedule that prescribes a draft form of a certificate.

Naavi had presented the first Section 65B certificate in any Indian Court in the case of Government of Tamil Nadu vs Suhas Katti in AMM Egmore in 2024 which resulted in a successful conviction of the accused. Subsequently Naavi has provided many such certificates. Till 2012 when Supreme Court came out with the famous Basheer Judgement, views of Naavi were not being accepted by a part of the community but the Basheer judgement cleared most of the doubts prevalent in the market.

However there was no uniformity on the format in which the certificates were provided and all sorts of certificates might have been provided and accepted by the Courts.

Now the Section 63 of BSA clears most of the doubts and has brought some clarity. At the same time it might introduce some additional questions which need to be clarified by domain experts. An attempt has been made below to explain the thoughts of Naavi in this regard.

Let us now analyse this section in depth.

Section 63 of BSA 2023 Vs Section 65B of IEA:

Admissibility of Electronic Records

Section 63 of BSA 2023

Section 65B of IEA 1872 (amended in 2000)

63 Admissibility of electronic records. – (1) Notwithstanding anything contained in this Adhiniyam, any information contained in an electronic record which is printed on paper, stored, recorded or copied in optical or magnetic media or semiconductor memory which is produced by a computer or any communication device or otherwise stored, recorded or copied in any electronic form (hereinafter referred to as the computer output) shall be deemed to be also a document, if the conditions mentioned in this section are satisfied in relation to the information and computer in question and shall be admissible in any proceedings, without further proof or production of the original, as evidence or any contents of the original or of any fact stated therein of which direct evidence would be admissible.

65B. Admissibility of electronic records. –– (1) Notwithstanding anything contained in this Act, any information contained in an electronic record which is printed on a paper, stored, recorded or copied in optical or magnetic media produced by a computer (hereinafter referred to as the computer output) shall be deemed to be also a document, if the conditions mentioned in this section are satisfied in relation to the information and computer in question and shall be admissible in any proceedings, without further proof or production of the original, as evidence or any contents of the original or of any fact stated therein of which direct evidence would be admissible

It is important to note that this subsection defines what is a “Computer Output” to which the other subsections of Section 63/65B applies. According to the section information contained in an electronic record is referred to as “Computer output” and it can be either “Printed on paper” or “Stored” on an optical media or magnetic media or semi conductor memory.

In ITA 2000, a document printed out of a computer or binary documents that are processed by a computer are all considered electronic documents and hence the word “Electronic Record” includes such documents even if it is not mentioned.

The critical aspect of the section is that such a Computer output when produced as per this section “Shall” be admissible in the proceedings without the production of the original. The judiciary does not have a discretion not to admit an electronic document unless some lacuna in the process of certification is brought to its notice. Hence this section will be widely debated in all future discussions in the Court involving electronic documents as evidence.

Overall considering the effect of this sub section, there is no difference between the two versions of the sub section 1.

The next sub section 63(2) and 65B(2) compare as follows.

(2) The conditions referred to in sub-section (1) in respect of a computer output shall be the following, namely:— (a) the computer output containing the information was produced by the computer or communication device during the period over which the computer or communication device was used regularly to create, store or process information for the purposes of any activity regularly carried on over that period by the person having lawful control over the use of the computer or communication device; (b) during the said period, information of the kind contained in the electronic record or of the kind from which the information so contained is derived was regularly fed into the computer or communication device in the ordinary course of the said activities; (c) throughout the material part of the said period, the computer or communication device was operating properly or, if not, then in respect of any period in which it was not operating properly or was out of operation during that part of the period, was not such as to affect the electronic record or the accuracy of its contents; and (d) the information contained in the electronic record reproduces or is derived from such information fed into the computer or communication device in the ordinary course of the said activities.

(2) The conditions referred to in sub-section (1) in respect of a computer output shall be the following, namely: –– (a) the computer output containing the information was produced by the computer during the period over which the computer was used regularly to store or process information for the purposes of any activities regularly carried on over that period by the person having lawful control over the use of the computer; (b) during the said period, information of the kind contained in the electronic record or of the kind from which the information so contained is derived was regularly fed into the computer in the ordinary course of the said activities;   (c) throughout the material part of the said period, the computer was operating properly or, if not, then in respect of any period in which it was not operating properly or was out of operation during that part of the period, was not such as to affect the electronic record or the accuracy of its contents; and (d) the information contained in the electronic record reproduces or is derived from such information fed into the computer in the ordinary course of the said activities

We may observe here that the word” Or Communication device” has been added in the section so that mobile data is clearly within the purview of the section. This was also redundant but clarity is welcome.

Since sub section (1) speaks of “Computer output” the sub section (2) should be attributed to the “Computer Output”. Hence the device referred to in this sub section refers to the computer from which the “Computer Output” is produced. Since “Computer Output” could also be a “Stored” or “Copied” version, the computer device referred to in the sub section (2) should be considered as referring to that computer in which the “Computer Output” was stored or copied and from which the evidence is being extracted.

This interpretation is important since in the cases of documents on the web some people will argue that the hosting operations need to be certified as “working properly” etc., which is incorrect and infeasible. If Mr X is using his computer K to generate the “Computer Output” then K is the device whose owner is relevant for this section and K needs to be working properly etc.

Generating of a “Computer Output” is an activity such as “Printing out”, “Storing”, “Making a copy in a media” etc and the period referred to here is the period of creating such an output. If the print out is a 10 year Bank statement, it is not necessary that it is to be certified that the computer was working properly for 10 years.

Sub section 63(3) is slightly differently worded than 65B(3) though the objective of both is to ensure that a computer output created by a combination of computers such as a Server and a Client etc is within the definition of the section.

The section states as follows:

(3) Where over any period, the function of creating, storing or processing information for the purposes of any activity regularly carried on over that period as mentioned in clause (a) of sub-section (2) was regularly performed by means of one or more computers or communication device, whether— (a) in standalone mode; or (b) on a computer system; or (c) on a computer network; or (d) on a computer resource enabling information creation or providing information processing and storage; or (e) through an intermediary, all the computers or communication devices used for that purpose during that period shall be treated for the purposes of this section as constituting a single computer or communication device; and references in this section to a computer or communication device shall be construed accordingly.

(3) Where over any period, the function of storing or processing information for the purposes of any activities regularly carried on over that period as mentioned in clause (a) of sub-section (2) was regularly performed by computers, whether–– (a) by a combination of computers operating over that period; or (b) by different computers operating in succession over that period; or (c) by different combinations of computers operating in succession over that period; or (d) in any other manner involving the successive operation over that period, in whatever order, of one or more computers and one or more combinations of computers, all the computers used for that purpose during that period shall be treated for the purposes of this section as constituting a single computer; and references in this section to a computer shall be construed accordingly.

It is interesting to note that Section 63 provides a clarity that even if part of the process of producing a computer output involves a different legal entity which is an “Intermediary”, it is considered as a valid document created by the subject computer owner. During this process the document leaves the custody of the subject computer owner, gets processed outside and returns back.

This operation of processing through an intermediary involves “transmission of data out”, “Storage in the intermediary resources”, “Processing in intermediary resources” and “Re-transmission back to the subject computer owner”. It is difficult to accept the integrity of the document processed with the intermediary except with a “Certificate from the Intermediary” that the data received, processed and re-transmitted has not modified the evidentiary value of the electronic record.

In other words the Intermediary has to provide his own “certificate” as an agent of the subject computer owner as part of his data processing network. The drafting of this aspect is therefore open to interpretation which may be disputed and requires a future clarification from the Supreme Court.

For the time being the Jurisprudential advice from us would be that

“Where the processing of the computer output involves computers owned by multiple owners, the owner who presents the evidence must hold confirmatory certificates from the other sub processors that during the processing of data at their end, the material value of the evidentiary content has not been altered”.

For this purpose the sub processor may be called to the Court for evidence or may submit the details of the tool and how it processes the data in the form of a certified document.

The next most important section is Section 65B(4) or Section 63 (4) which speaks of the manner in which certificate has to be issued.

(4) In any proceeding where it is desired to give a statement in evidence by virtue of this section, a certificate doing any of the following things shall be submitted along with the (a) identifying the electronic record containing the statement and describing the manner in which it was produced; (b) giving such particulars of any device involved in the production of that electronic record as may be appropriate for the purpose of showing that the electronic record was produced by a computer or a communication device referred to in clauses (a)to (e) of sub-section (3); (c) dealing with any of the matters to which the conditions mentioned in sub-section (2) relate, and purporting to be signed by a person in charge of the computer or communication device or the management of the relevant activities (whichever is appropriate) and an expert shall be evidence of any matter stated in the certificate; and for the purposes of this sub-section it shall be sufficient for a matter to be stated to the best of the knowledge and belief of the person stating it in the certificate specified in the Schedule.

(4) In any proceedings where it is desired to give a statement in evidence by virtue of this section, a certificate doing any of the following things, that is to say, –– (a) identifying the electronic record containing the statement and describing the manner in which it was produced; (b) giving such particulars of any device involved in the production of that electronic record as may be appropriate for the purpose of showing that the electronic record was produced by a computer; (c) dealing with any of the matters to which the conditions mentioned in sub-section (2) relate, and purporting to be signed by a person occupying a responsible official position in relation to the operation of the relevant device or the management of the relevant activities (whichever is appropriate) shall be evidence of any matter stated in the certificate; and for the purposes of this subsection it shall be sufficient for a matter to be stated to the best of the knowledge and belief of the person stating it.

This sub section defines the contents of the Certificate and how it is to be issued.

The certificate needs to contain the “Identity of the electronic record”, “Particulars of the devices involved in its production” and “Signed by the person in charge of the computer” and an expert. A copy of such certificate is provided in the schedule also.

The persons who have drafted this sub section have considered that the “Person in charge of a computer” and the “Expert” are two different persons. When this is looked at along with the earlier sub section related to an “Intermediary”, it is possible to interpret that certificate is required by the “Intermediary” also which is not ordinarily feasible.

We should therefore jurisprudentially interpret that certificate is required only from the owner of the computer from which the computer output was produced and will be supported by a “Declaration” that the owner believes that the processing at the hands of the intermediary has not materially altered the evidentiary value of the document.

The sub section uses a terminology “an Expert”. Fortunately it does not use the term “The expert”. In case the words “The expert” had been used, it would have introduced a confusion with the Section 79A expert. “An Expert” means any other person with necessary expertise.

The copy of the certificate template as given in the schedule is as follows:

It is observed that the “Computer Output” in the form of a print out may not have a hash value of its own and the hash value stated here should be considered as referring to the original from which the print out was taken. This means that the electronic document should be first saved as a document in the media for the purpose of calculating the hash value. Whoever drafted this was not fully aware of the implications of this suggestion and hence we need to develop a work around for this. The “Expert” should either store one electronic version of the document which is printed out or state that since the computer output is in the form of a paper document, the hash value refers to the scanned copy of the print out.

The last sub section namely 63(5) refers to a context where the subject computer device from which the evidence is extracted and certified may itself get the feed from another computer. It is not necessary that it should originally be produced by the computer itself.

This sub section states as follows:

(5) For the purposes of this section,— (a) information shall be taken to be supplied to a computer or communication device if it is supplied thereto in any appropriate form and whether it is so supplied directly or (with or without human intervention) by means of any appropriate equipment;   (b) a computer output shall be taken to have been produced by a computer or communication device whether it was produced by it directly or (with or without human intervention) by means of any appropriate equipment or by other electronic means as referred to in clauses (a) to (e) of sub-section (3).

(5) For the purposes of this section, –– (a) information shall be taken to be supplied to a computer if it is supplied thereto in any appropriate form and whether it is so supplied directly or (with or without human intervention) by means of any appropriate equipment; (b) whether in the course of activities carried on by any official, information is supplied with a view to its being stored or processed for the purposes of those activities by a computer operated otherwise than in the course of those activities, that information, if duly supplied to that computer, shall be taken to be supplied to it in the course of those activities; (c) a computer output shall be taken to have been produced by a computer whether it was produced by it directly or (with or without human intervention) by means of any appropriate equipment. Explanation.––For the purposes of this section any reference to information being derived from other information shall be a reference to its being derived therefrom by calculation, comparison or any other process.]

This subsection provides a possible solution to the problem of obtaining a certificate of assurance from the sub processors that when the evidentiary computer output is produced in multiple computers owned by different owners.

The observation is that after the processing by the sub processor, a final version is back with the subject computer owner. If the certificate is produced for the “As is where is version of the electronic document”, it may be possible not to insist on the assurance certificates from the previous processors.

As an example, let us say there is a document D1 with Mr X in a Computer K. This is sent to an intermediary M who returns a version of the document D2.

Now the document provided for evidentiary purpose may be either D1 or D2.

D1 may be in a format that is not easily readable and hence converting it to D2 may be essential.

The question that arises is whether M should be considered as an intermediary and if so how should we account for the change of D1 to D2 and possible implication on the integrity of the evidence.

In the earlier paragraph we suggested that we can take the certificate of assurance from M that the evidentiary integrity of D1 has not been altered in D2. (eg: D1 is an image which is compressed into D2 and no other change is made).

In view of the 63(5) an alternative exists to avoid the need for the certificate from the intermediary.

We may consider that D2 is the evidentiary document provided to the Court and earlier processing is not under the control of the person who owns the computer and produces D2 as evidence with necessary certification.

The experts who provide Section 63 certificates need to therefore incorporate these description of how the document originated in the annexure to the certificate using the scheduled format as a covering certificate.

To sum up, there is a fresh requirement of experts and lawyers to understand Section 63 of Bharatiya Sakshya Adhiniyam and for Judges also to appreciate the points mentioned above.

I am certain that the above discussion is the first such discussion on the section and there will be many more discussions and seminars in which this will be discussed till one day the Supreme Court also understands it and puts it into one of its judgements.

Naavi in the meantime continue to use the thoughts provided here to issue certificates if required. (P.S: At present Naavi has stopped issuing Section 65B certificates due to his pre-occupations with DPDPA related activities).

Naavi

I draw the attention of the readers to our earlier article “Climate Change impact on ISO 42001” and the “RBI Reference on thee impact of Climate Change on Financial Risk”. RBI had also released the draft guidlines on “Disclosure Framework on Climate related Financial Risls, 2024”

In the FY 2025-26, it is expected that some Banks may start adopting the guidelines.

The key report areas were

1.Governance with board level oversight of climate related risks and opportunities

2.Straegy for managing the short, medium and long term climate related risks

3.Risk Management

4.Metrics and targets.

RBI seem to recommend a phased approach for the disclosures from FY 25-26 onwards going into FY 27-28.

Obviously there are technology companies which are recommending the use of tools with AI to support the organizations in assessing the Climate Risk and perhaps mitigating the risks also.

It is in this context that we need to remember an earlier study of the University of Texas which said that every Chat GPT query consumes 500ml of water to cool the servers. Another estimation was that every LLM interaction may consume power equivalent to running a LED bulb of low intensity for one hour.

Irrespective of the actual metrics, the impact of AI on power consumption cannot be neglected. We have earlier highlighted this in the “Cyrpto Mining” scenario.

It is now time to start thinking if the climate impact of Computing in general should be considered as a risk that needs to be disclosed by all entities not necessarily the REs.

Probably the AI industry should start a disclosure of the impact of their use of AI on climate and necessary metrics need to be developed.

Naavi

FDPPI welcomes the rules being framed on DPDPA 2023 so as to give effect to the Act at the earliest.

The Act has defined the responsibilities of a Data Fiduciary and the Rights of a Data Principal. It has also indicated provisions related to Data Breach Notification and penalties for various non compliance issues.

In order to implement the Act, Government will be setting up a Data Protection Board.

Some of the applicability aspects such as the “Significant Data Fiduciary” and their special responsibilities will also need to be clarified through additional notifications beyond the 25 rules required under different sections of the Act.

Once the formalities of the operationalizing the new Loksabha is completed, it is expected that the Government will release the draft rules for public comments.

In order to collate the views of the industry on the published rules, FDPPI is planning a physical event in Bangalore at the earliest inviting representatives from the Industry to contribute their views on the rules to be consolidated and presented to the MeitY.

We request senior professionals in the industry particularly from the Fintech, HealthCare, Digital Marketing, etc and different Classes of Data Fiduciaries such as Manufacturing Companies, Social Media Intermediaries, AI developers, AI users, Payment Gateways, KYC agencies, Certifying authorities under ITA 2000, Privacy Enhancement technology suppliers etc., who are interested in sharing their views on the published rules to participate in the Industry interaction.

Interested professionals and Companies particularly in Bangalore may kindly contact naavi/FDPPI immedaitely so that the program details can be finalized.

Naavi

Chapter V of the DPDPA 2023 provides the legal provisions related to the constituion of the DPB of India which will be the supervisory body for DPDPA 2023.

Now the draft rules issued has indicated the process for selection of the Chairperson and the members of the Board.

The draft notification is yet to indicate the number of the members to be appointed in the DPBI but indicated that two Search-Cum-Selection Committees will be constituted one for the selection of the Chairperson and the other for the members. The Central Government (meaning the Meity) will approve the selection.

The Search cum Selection Committee for selection of Chairman will consist of

1.Cabinet Secretary who shall be the Chairman

2. Two experts of repute who possess special knowledge or practical experience in the fields of data governance, administration or implementation of laws related to social or consumer protection, dispute resolution, information and communication technology, digital economy, law, regulation or techno-regulation or in any other field which in the opinion of the Central Government may be useful to the Board

3.Secretary to the Government of India in the department of legal affairs

4. Secretary to the Government of India in the Ministry of Electronics and Information Technology who shall be the convener

Similarly, the Search Cum Selection Committee for selecting the members of the Board will consist of

1.Secretary to the Government of India in the Ministry of Electronics and Information Technology, who shall be the Chairperson;

2.two experts of repute, who possess special knowledge or practical experience in the fields of data governance, administration or implementation of laws related to social or consumer protection, dispute resolution, information and communication technology, digital economy, law, regulation or techno-regulation or in any other field which in the opinion of the Central Government may be useful to the Board

3.Secretary to the Government of India in the Department of Legal affairs and

4.The Chairperson

This indicates that the members of the Board will be chosen only after the Chairman is chosen, appointed and takes charge. However there is a provision that this committee can work without the Chairman in the period when he/she has not been appointed/joined.

If the Government insists that the draft rules will be kept for public comments for 45 days and notified only there after, the search cum selection committee can only start its function after the notification which is around 2 months from date. There after the search committee needs to have at least two or three meetings before selection which needs to be approved by the Government.

The search, selection and appointment of members may have to start after the Chairman is in place and may take further time unless the Government decides to proceed with the selection of the members even before the first search committee completes its search and the Chairman joins duty.

Hence there is a need for MeitY to work in the background so that the constitution of the DPBI may be speeded up.

The salary and allowances of the Chairman and the Members are also indicated in the rules as Rs 4.5 lakhs per month for the Chairman and Rs 4.0 lakhs per month for the members along with the other facilities as applicable to the Government employees of the relevant grade.

Let us look forward to an early completion of the process so that further notification of operating rules may be completed without further delay.

Naavi

Naaavi.org has been debating the concept of “Consent Manager” under DPDPA 2023 and the possibility of making it animprovement over the concept of “Consent Manager under the DEPA Framework” which has been adopted under the Account Aggregator scheme.

Now going through the current version of DPDPA rules, the MeitY has chosen not to exercise its option to improve upon the DEPA Framework but retain the concept with which they are more familiar.

Every consent manager needs to be registered with the DPB and shall be an Indian company with its directors and senior management having reputation for record of fairness and integrity. Any conflict of interest with any data fiduciary either at the corporate level or the executive level needs to be avoided.

The Minimum networth of the company has to be not less than Rs 2 crores.

Under sub rule (3) of this Rule 5, it is stated that one of the obligations of the Consent Manager is …

“to establish an accessible, transparent and interoperatble platform that enables a data principal to give, manage, review and withdraw her consent to herslef obtain her personal data from a data fiduciary or to ensure that such personal datails shared with another data fiduciary of her choice, without the consent manager being in a position to access that personal data”

This clause highlights the “Intermediary” role of the Consent Manager under ITA 200o while the sub rule 1(c) states that the Consent Manager shall act in a “Fiduciary” capacity.

The “Fiduciary” capacity and “Intermediary” status are mutually exclusive. They are different and this has been ignored.

Further while the sub clause (1) states that the Consent Manager shall be a Company, sub clause (7) implies that it can be a firm or an association of persons. Further the rule at some place also refers to the “Consent Manager” as “her” indicating that it could even be an individual.

These are probably unintended and can be corrected in the next version.

The rule also prescribes a data retention period of 7 years or longer which could influence the due diligence of data fiduciaries in similar circumstances.

The question is that if the Consent Manager is required to keep the consent information for 7 years or more why not the Primary Data Fiduciary?

Also, is there a “Purpose” for the Consent Manager to collect and hold the consent. If so, is there an expiry period for the same differently? …

Also if according to sub rule (2)(b) the consent Manager needs to to maintain a digial record of and offer to a data principal digital access to
(i) every request for consent approved or rejected by her and
(ii) every data fiduciary who has shared her personal data in response to a reuest for consent approved by her.

how does the sub clause (3) stating that the Consent Manager shall not have access to the Consent can be fulfilled.

Probably a more detailed discussion is required in this regard…

Naavi

The draft rules currently under discussion regarding the management of Data Principal’s Rights tries to provide clarity to Sections 11, 12, 13 and 14 of DPDPA 2023.

It is noted that the rules does not make any reference to Section 15 on the duties of the data principal which is a condition precedent to the exercise of Rights and should have been mentioned.

While refering to the requirements, the clause starts with the words,

“(1)For enabling data principals to exercise their rights under Chapter III of the Act, the Data Fiduciary and, where applicable, the Consent Manager, shall publish on her website or app or both, as the case may be,-“

I would like to again point out that the rules refer to the Data Fiduciary or Consent Manager in terms of “her website” as if the Data Fiduciary or the Consent Manager is an “individual”. While the “Data Fiduciary” can be an “individual”, it is not practically feasible for the Consent Manager to be an “Individual” or rather it should not be from the regulatory requirement of business continuity. In fact another rule (yet to be discussed by us) categorically mentions that the Consent Manager shall be a Company.

Hence the use of the word “her” in this context is incorrect and this obsession needs to be avoided. It may lead to un necessary legal issues at some point of time in future. There is a need to go through the entire document and ensure that all references to a Data Fiduciary or Consent Manager shall be changed to “it”or “their” instead of “she” or “her”.

While most of the rules under this clause are a paraphrasing of the Act the lack of reference to the Duties is glaring. The “Rights” guaranteed under the Act is intrinsically linked to the “Duties” both because of the Secton 15 of the Act as well as the Article 19(2) of the constitution restricting the “Right to Privacy” in certain specific contexts.

It is most important to note that under Section 15 of the Act, a Data Principal shall ” comply with the provisions of all applicable laws for the time being in force while exercising rights under the provisions of this Act;”

This has to be highlighted so that no irresponsible attack is mounted on a data fiduciary by motivated data principals who may be encouraged by the competitors or anti nationals.

Similarly, the “Right for Erasure” has to be effectively tempered with the need to ensure through appropriate documentation that there is no need to reain the data because of any other reasons. “Electronic Data” is an evidence for many civil claims and criminal prosecution and irresponsible erasure could become an offence under Section 65 of ITA 200 and also under IPC/IEA.

Compliance officers are unlikely to have adequate appreciation of the laws related to retention of data under other statutes and hence they have to be warned while they try to meet the requirements of the “Right to Erasure”.

Some of these corrections are required in the next draft.

Naavi