
Naavi.org

Building a Responsible Cyber Society…Since 1998

TRAI Consultation Paper on Privacy

By Vijayashankar Na
Filed Under Cyber Law

TRAI has released a consultation paper on Privacy for comments from stakeholders. A copy of the consultation paper is available here: 

Comments from stakeholders have been invited by 8th September 2017 and counter comments can be submitted by 22nd September 2017.

Comments and counter comments can be sent by e-mail to arvind@trai.gov.in or bharatgupta.trai@gmail.com


“Privacy” is a complicated subject which is presently under discussion in different fora including the Supreme Court. “Protecting Privacy” is a democratic principle and addressed as a part of the Human Rights commitment of the society. Privacy Protection is presently recognized in India through various Supreme Court Judgements as a derivative of the Rights under Article 21. (Refer here). As a constitutional right a Citizen may be able to seek remedy from the Government but when seeking remedy from others there is a need for statutory provision that defines what is the extent of the Right, how to evaluate damage and how the compensation can be provided etc.

At the same time, when “Privacy Information” is available in the form of “Data in electronic form”, other legislation such as ITA 2000/8 has provided remedies in different forms. Many times, industry recognizes “Data Protection” as synonymous with “Privacy Protection”.

We shall leave for now the larger debate of whether Privacy protection is equivalent to protection of the data related to Privacy of a person or it is a reasonable approximation.

We know that at present a “Data Protection Act” is being drafted and it may define the scope of data protection and its relation to Privacy. Supreme Court may simply recognize “Privacy” as a “Fundamental Right” subject to “Reasonable Restrictions” and leave it to the legislature and executive to define what is “Reasonable”. The ball will be back in the Court of the legislature and Executive to take this forward.

In this direction, we can appreciate that TRAI is trying to pre-empt a discussion on what the “Data Protection Act” can do through the issue of the Consultation Paper. If the Supreme Court leaves it to the legislature and the legislature through the Data Protection Act agrees for a “Sectoral Data Protection Officer for Telecom Industry”, then TRAI’s present efforts will give it a head start for defining the policies and procedures for data protection by the “Telecom Sector Data Protection Officer”.

Government of India has already proposed a “CERT for Telecom” and this CERT-TEL has to define what constitutes a “Breach” that needs to be monitored by the CERT-TEL. The definition of the “Breach” in this context is linked to the expectations of “Data Protection” requirements which this consultation paper tries to address.

Hence TRAI appears to be thinking ahead and preparing itself to draft the guidelines for its CERT-TEL besides assisting the Data Protection Act to be drafted with sufficient scope for TRAI to retain its hold on the industry.

Keeping all these complications in mind, it is not easy to comment on the consultation paper without a good debate. I wish different groups of experts would discuss the consultation paper and come up with their own views.

As always, it is better to start with a template for discussion and hence Naavi.org would like to place its preliminary views on the consultation paper for public view here and request members of the public to either submit their comments directly to TRAI or at least send their comments here and enable me to consolidate and submit.

My preliminary views are therefore presented below:

 

Q.1 Are the data protection requirements currently applicable to all the players in the eco-system in India sufficient to protect the interests of telecom subscribers? What are the additional measures, if any, that need to be considered in this regard?

Current data protection requirements from the consumer perspective are addressed by ITA 2000/8. The Telco is an “Intermediary” subject to Section 79 of ITA 2000/8 in some instances of data flow. In some other instances of data flow, such as the subscriber information, the Telco is a Body Corporate which collects and uses the data for its own purpose and is therefore subject to Section 43A of ITA 2000/8. Under Sec 72A (as well as Sec 79), the Telco is also liable for contractual breaches, and Sec 72A applies to all “Personal Information”, though under Section 43A the liabilities are limited to Sensitive Personal Information only.

The requirements of law enforcement for interception are also addressed adequately both under the Telegraph Act and ITA 2000/8 (Sec 69, 69A, 69B, 70B).

These provisions if properly implemented are good enough to provide protection of the data from the privacy perspective of an individual availing a service from the Telco.

The problem however is that the law regarding data protection is not properly implemented and there is no proper deterrence for violation.

Under ITA 2000/8 any contravention has to be handled by means of a complaint by the affected party to the “Adjudicator” or the “Police”. Police are overburdened and will accept complaints only if a serious criminal offence has taken place. Adjudicators are largely not keen to take up complaints suo motu, and complaints can be filed only if the telecom subscriber can prove a financial damage.

We therefore need to strengthen the “Grievance Redressal mechanism” under the ITA 2000/8. Though this is mandatory under Section 79 of ITA 2000/8, no TELCO is presently compliant with ITA 2000/8 and hence there is no proper grievance redressal mechanism in place. Presently the TELCO grievance redressal is focused only on billing disputes and most of the time, TELCOs get away by cheating the customers with false billing and the grievance redressal mechanism becomes a sham.

TRAI has failed to respond to customer complaints even when they are brought to its attention, since it does not have its own mechanism to handle subscriber complaints against TELCOs.

We therefore need the following action:

  1. TELCOs need to introduce an online dispute resolution mechanism and appoint a suitable Ombudsman (could be at least one for each state) to address the grievances.
  2. TRAI should respond to subscriber complaints by raising an automatic Customer Complaint Ticket online and keeping it open until the TELCO resolves it.

Q.2 In light of recent advances in technology, what changes, if any, are recommended to the definition of personal data? Should the User’s consent be taken before sharing his/her personal data for commercial purposes? What are the measures that should be considered in order to empower users to own and take control of his/her personal data? In particular, what are the new capabilities that must be granted to consumers over the use of their Personal data?

There are three kinds of data that a subscriber’s interaction with the TELCO generates and the policies may have to be different for each of these kinds of data.

The three kinds of data are

  1. Data supplied by the subscriber at the time of creation of an account
  2. Data generated for billing and usage purpose by the TELCO
  3. Data that accumulates about the usage habits of the subscriber which automatically flows through the network of the TELCO and can be either stored or discarded at the discretion of the TELCO.

(a) Data supplied by the subscriber at the time of creation of an account

Data supplied by the subscriber at the time of creation of the account includes data like the name, address, family particulars, age profile, income profile, asset ownership, PAN number etc., which are part of the application form for seeking the TELCO’s service on which “Consent” can be obtained.

If the TELCO obtains biometric data, it becomes “Sensitive Personal Information” and a mere “Consent” from an unsuspecting and un-informed customer is not to be considered as adequate. The biometric devices used for e-KYC through Aadhaar will be the biggest threat to the Privacy of the subscribers and a key point of data breach.

TRAI therefore has to ensure that the devices are properly audited and accredited before they are used.

Though most of the time TELCOs abuse the consent obtained in the application form, the mechanism for getting the consent is in place and it is for the TRAI and the grievance redressal mechanism to address the violations.

(b) Data generated for billing and usage purpose by the TELCO

However, during the course of the service, data such as the CDR and Tower Data emerge. This is data on which “Joint Ownership” can be claimed.

However, for the TELCO, the CDR is only relevant for billing purpose and nothing more. Tower data is relevant only for technical purpose and would be of use even in a de-identified form.

But for the subscriber, these are “Sensitive Personal Data” which can provide critical information which can infringe on the subscriber’s privacy rights. It is however open to TRAI to treat it as such.

At present CDR or Tower Data is not classified by ITA 2000/8 as “Sensitive Personal Data”. But they are to be treated as such.

The Law enforcement has a specific requirement for access to the CDR and Tower data from the point of view of law enforcement both as intelligence measure before any crime occurs and after a crime occurs.

From the point of view of national security, law enforcement must have access to such data when required and procedural enablement for the same has to be provided.

Sometimes Law Enforcement may need to even block communication and TELCOs need to implement such orders on an emergent basis.

However, in such cases the issues of Human Rights, Freedom of Expression etc are normally raised.

We therefore need to establish a mechanism to enable Law enforcement to block communication without adversely affecting critical services.

I have suggested that in times of network blockade, an emergent network needs to be set up to carry critical communications just as “Ambulance Service operates in a Curfew situation”. I have called this the “Digital Data Ambulance” system and this should specially take care of Financial and Health related communication when the network is otherwise blocked.

Required technical enablement has to be provided for this purpose by TELCOs and the necessary procedure for the subscribers to invoke such services needs to be established.

(c) Data that accumulates about the usage habits

The third category of data that accumulates during the interaction between the subscriber and the TELCO is the information about “Data Usage” such as the websites visited, Advertisement links clicked etc.

This information has a commercial value and is often the target of Data mining in the “Big Data” scenario.

The TELCOs have little use of this for their main business of providing service and even if they do, they do not need identified data and can make use of de-identified data.

However, if the TELCOs factor in the value of this data as part of their legitimate revenue, they need to recognize that they need to provide appropriate notice to the customers and take their consent.

If TELCOs do not take the consent of the customers but monitor their browsing and usage habits, particularly with use of some software tools as Airtel was once accused of doing (and could be doing even now), it would amount to a violation of ITA 2000/8 under Section 66 and 69A.

TELCOs therefore need to introduce a system according to which, by default such information can be de-identified so that they can be used for most data analytics requirements at the higher level and seek specific consent from the customer for use of “Identified usage habits”.

Such consents have to be incentivized by some return favour to the consenting customers which is distinguishable from other customers. The nature of incentives can be left to the TELCOs to structure but there has to be some incentive for the customers to share marketable information that is entirely their own creation.

Q.3 What should be the Rights and Responsibilities of the Data Controllers? Can the Rights of Data Controller supersede the Rights of an Individual over his/her Personal Data? Suggest a mechanism for regulating and governing the Data Controllers.

My response to the earlier questions also defines the rights and responsibilities of the data controller. If they follow the principles of Privacy which Section 79 of ITA 2000 captures such as Disclosure, Consent, Responsible Use, Security, etc. it should suffice.

However, the problem is that a TELCO operates with thousands of sub-contractors and employees distributed across the country and also uses couriers as agents, all of which introduce additional elements of risk for data misuse.

The mechanism for monitoring the TELCO’s Privacy and Information Security implementation, particularly at the dealer/street-level offices, is currently inadequate and this has to be strengthened.

The TELCO is liable for the inadequate security at all levels and TRAI has to impose penalties on TELCOs whenever deficiencies are observed at the lower levels. Obviously the grievance redressal mechanism has to address this since TRAI may not be able to conduct its own audits in this regard.

The responsibility should however be placed on the TELCOs to periodically inspect and audit the dealers and other offices and submit a confirmation to TRAI and in the event of any breaches observed later, the audits can be questioned and penalized.

Q.4 Given the fears related to abuse of this data, is it advisable to create a technology enabled architecture to audit the use of personal data, and associated consent? Will an audit-based mechanism provide sufficient visibility for the government or its authorized authority to prevent harm? Can the industry create a sufficiently capable workforce of auditors who can take on these responsibilities?

If properly structured, a technology enabled architecture to audit use of personal data and associated consent can be effective. There is always a possibility of manual supervision overriding the automated audits on a sampling basis to ensure a high degree of compliance.

The development of the architecture should be done in such a manner that available manpower of skilled auditors can be used for overriding supervision of exceptional observations collated by the automated systems.

An innovatively structured system can achieve the objective though at present nothing more can be said in this regard.

Q.5 What, if any, are the measures that must be taken to encourage the creation of new data based businesses consistent with the overall framework of data protection?

Presently TELCOs have a business interest that introduces a conflict with the Privacy related responsibilities. Any effort of TRAI to improve the Privacy Protection will be resisted since there is a perceived cost escalation.

Hence there could be a specialized intermediary that takes care of e-KYC for multiple TELCOs along with the “Privacy Disclosure on behalf of TELCOs” and “Obtention of Consent”. Such agencies can be called “TELCO Enrolment Agencies” such as the “Certifying Authorities of a Digital Certificate System”. They should be licensed directly by TRAI after suitable checks and according to some norms to be developed. They can provide “Certificate of TELCO Enrolment” which can be used by multiple TELCOs. The cost will be absorbed in higher efficiency and avoidance of duplication.

Presently customers hold accounts with multiple TELCOs and undergo multiple KYC verifications. Whenever they port the numbers, there is a repetition of KYC. The KYC process is done by inexperienced sub-contractors who do not know the importance of KYC and this gives room for fake customers. On the other hand a few specialized “Enrollment Certification Agencies” can serve all TELCOs more efficiently.

The Government has already created a “Digi Locker” service and enabled many service providers to be created for maintaining of the “Digi Locker” service. This can also be used either directly by the TELCOs or by the Enrollment Certification agencies to further make the system more efficient and economical.

Obviously the scheme cannot be discussed in detail here but if the concept is accepted, further details can be worked out.

Similarly agencies can be licensed for information security audits of dealers who may report their findings to the TELCOs under copy to TRAI for follow up.

Q.6 Should government or its authorized authority setup a data sandbox, which allows the regulated companies to create anonymized data sets which can be used for the development of newer services?

Yes. This requirement of segregating data as “Identified” and “de-identified” has already been covered earlier. It is an essential requirement.

Q.7 How can the government or its authorized authority setup a technology solution that can assist it in monitoring the ecosystem for compliance? What are the attributes of such a solution that allow the regulations to keep pace with a changing technology ecosystem?

It is necessary for certain basic policy level agreement to be drawn up before we can address the question of “How” the technology solution can be developed.

We need to ensure that we do not end up with too many regulatory bodies that will introduce more complications.

TRAI should be the apex regulatory authority for all TELECOM companies and rest of the regulation can be done by licensed operators such as what has been suggested above for enrollment certification.

Q.8 What are the measures that should be considered in order to strengthen and preserve the safety and security of telecommunications infrastructure and the digital ecosystem as a whole?

There are established techno legal processes used for information security. At higher levels this is fortified by a proper management of the people involved. These can be used for securing TELCO networks also. The actual measures will however be dynamic and case specific.

Q.9 What are the key issues of data protection pertaining to the collection and use of data by various other stakeholders in the digital ecosystem, including content and application service providers, device manufacturers, operating systems, browsers, etc? What mechanisms need to be put in place in order to address these issues?

Content and Application service providers use TELCOs as their sub contractors and the mutual legal liabilities are settled out of the contractual liabilities and provisions of ITA 2000/8.

Except proper awareness creation and dispute resolution mechanism, there need not be major issues in meeting the requirements of protection of the public from misuse of content and applications.

Q.10 Is there a need for bringing about greater parity in the data protection norms applicable to TSPs and other communication service providers offering comparable services (such as Internet based voice and messaging services). What are the various options that may be considered in this regard?

The distinction between different types of communication providers is no longer relevant since the entire system runs on data network. All services today are digital and any attempt to segregate them for commercial purpose is futile and can be avoided.

Q.11 What should be the legitimate exceptions to the data protection requirements imposed on TSPs and other providers in the digital ecosystem and how should these be designed? In particular, what are the checks and balances that need to be considered in the context of lawful surveillance and law enforcement requirements?

There need not be any exceptions other than what is done in the law enforcement and consent based contexts.

There have to be procedures in place along with an implementation mechanism and sanction policy for misuse. Drafting such policies is not difficult but they are often abused without proper deterrence. The regulatory agency such as TRAI has the control which it needs to fortify with the will.

“Regulated Anonymity” (check details here) is one of the suggestions I have made in different contexts to ensure that de-identification is controlled by a committee which is trusted by the data subjects. Some variant of this thought needs to be used for ensuring that law enforcement does not violate the norms of Privacy protection developed for a larger purpose.

However, law enforcement rights in the interest of security have to be preserved at all costs.

Q.12 What are the measures that can be considered in order to address the potential issues arising from cross border flow of information and jurisdictional challenges in the digital ecosystem?

The cross border flows of information cannot be prevented in the context of globalization of data management as well as the reasons of cost optimization.

The Government needs to separately address the issue of incentivizing the creation of data centers in India for global usage (not necessarily for Indian usage).

This requires not only financial and technological incentives but also legal incentives such as creating “Special Data Protection Zones” where data protection laws of a different country are allowed to be applied with immunity from application of local laws. This concept has also been discussed by the undersigned separately in a different context and can be shared if required.

Naavi


An interesting debate is happening in the Supreme Court on whether “Aadhaar is Constitutional” and whether it should be scrapped. We are informed that the Anti Aadhaar advocates have started putting through their view points to convince the Court that Aadhaar is a violation of “Privacy” and it creates a “Surveillance State” and hence it should be scrapped.

I do not see the same commitment of these advocates when it comes to issues like banning Crypto Coins but on Aadhaar they feel that a great injustice is being done to the Indian citizens.

The essence of the anti Aadhaar arguments can be two fold.

First objection to Aadhaar could be that it is being linked to many activities and becoming a universal ID and therefore it will enable creation of a “Surveillance State”.

The second objection to Aadhaar is that the UIDAI has failed to secure the system and hence the system poses a Cyber Crime risk.

The two aspects may have some common link since “Lack of Security” leads to “Leakage of Information relevant for Privacy”.

But the objection so far presented is not because of the security risks but mostly on the ground that it enables the Modi Government to exercise a tight control on information flow particularly related to the financial activities of an individual. So far Black money owners had a field day in having “Benami” holdings of assets and the proposal to link Bank accounts and PAN to Aadhaar as a first step and now to link immovable properties to Aadhaar has really sent shivers down the spine of all the Benamis in India. The opposition to Aadhaar today is vocal because this population of Benamis of India is huge and encompasses politicians, bureaucrats and businessmen.

It is precisely for this reason, I support Aadhaar at present though I have serious reservations on the security aspects of Aadhaar. I believe that security aspects can be addressed if UIDAI is humble enough to admit the security challenges and seek help from appropriate experts, which UIDAI is at present avoiding.

The opposition to Aadhaar from the angle of the recent Supreme Court judgement in which Privacy is held as a “Fundamental Right” is not sustainable if properly countered. Mr Shyam Divan, who presented the initial arguments, seems to have heavily relied upon this angle and quoted extensively from the Justice Puttaswamy judgement to impress the bench.

We must remember that the Justice Puttaswamy judgement was a one page judgement and just held Privacy as a fundamental Right. It also contained hundreds of pages of reminiscences which did not form part of the order and hence has little value in defining how Aadhaar hurts the Privacy Right of an Indian citizen.

The essence of the Puttaswamy judgment was that “Privacy” cannot be defined and therefore there cannot be a direction on protecting Privacy. However, “Information Privacy” is one aspect of Privacy which can be protected and the Government should work on this.

“Information Privacy Protection” is nothing different from “Data Protection” related to “Personally identifiable information” and more particularly some of the “personally identifiable information” which can be classified as “Sensitive”.

Aadhaar system collects and stores “Individually identifiable Personal Information” and it also collects “Biometrics” which is a sensitive personal information. Aadhaar however does not collect and retain information which is “Health related”, “Finance Related” or information related to sexual orientation, racial view points etc. Even before Aadhaar, Banks have been collecting personal information and generating sensitive personal information. Similarly, health care operators have been collecting sensitive health information and storing them. The Privacy concerns can therefore be expressed even if Aadhaar link is not there to such information.

The only reason why Aadhaar is being discussed is that instead of blaming the Bank account number Privacy for data leakage in Banks and some other IDs for other data leakages, we have a new whipping boy called Aadhaar which is now a common factor for all data breach possibilities.

There is no doubt that convergence of risks does occur when multiple types of data are linked to one central identity parameter like Aadhaar. But it is important to note that leakages occur not because there is a link between the sensitive data and a common number but because the data managers fail to de-identify the data or secure the access to data while in their custody. If the access to data in Banks or Hospitals can be secured and properly de-identified (or pseudonymized), then even if data is leaked, it will be “Information not identifiable with a living individual” and therefore becomes “Non Sensitive and Non Personal”.

If therefore the security of Aadhaar usage at the intermediary usage points is fortified, then Aadhaar per se does not pose a threat to the Privacy of individuals. It is for this reason that the recent measures introduced/suggested by UIDAI to use “Virtual Aadhaar IDs” and to “Fortify the finger prints with a face identity parameter” assume importance. If these measures are properly implemented, one can argue that the “Privacy Risk arising from the Aadhaar data base” becomes minimal.

The real risk areas are the network links through which the authorized Aadhaar users (AUA/KUA agents) access the CIDR and the use of Aadhaar in the AEPS (Aadhaar enabled payment systems), besides the stored data at the user end. Currently, ITA 2000/8 considers these intermediaries as liable for any loss to the citizens arising out of their lack of due diligence or lack of reasonable security practice. This will continue and needs to be made more robust in implementation so that any member of public who loses his data due to the negligence of the Aadhaar intermediaries would be adequately compensated.

The grievance redressal mechanism under ITA 2000/8 will be improved upon when the new data protection act becomes effective and this has to be taken into account by the Supreme Court now.

Blaming the Aadhaar system for the negligence of Aadhaar User agencies which leak out Aadhaar numbers of different persons is not fair.

We can blame UIDAI for not having an adequate monitoring mechanism to make these intermediaries implement strong security measures and push them for better implementation of security along with deterrence which should be effective. We can also question them for not suspending defaulters for a long time and imposing heavy fines (all of which will be now possible through the new Data Protection Act).

But we cannot jump to the conclusion that Aadhaar must be scrapped because of the risks of data leakage.

Some time back the honourable Supreme Court made a huge mistake in scrapping Section 66A of ITA instead of reading down the section and removing the deemed conflict with the “Freedom of Expression”. They should not repeat the same mistake now and end up scrapping Aadhaar.

Scrapping of Section 66A of ITA 2000/8 gave a “License to Defame” and diluted the Act for offences such as Cyber Stalking, Spam, Cyber Extortion, Phishing etc. The Court in a bid to dish out a populist judgement ignored the beneficial aspects of Section 66A.

Similarly, the beneficial aspects of Aadhaar need to be kept in mind by the Court now before being tempted to give out another populist judgement. If Aadhaar is scrapped, there will no doubt be a huge sensation created in the country and the opposition political parties would rejoice. It would also make the judges well known. But it would also immediately assist all Benamis who want to hide their financial transactions from being monitored by the State.

What the Court needs to focus on is asking questions on what checks and balances are planned by the Government to prevent misuse of Aadhaar infrastructure. So far nobody seems to have urged the Government in this direction, nor has this been a point of debate in the Aadhaar discussions amongst NGOs and other Privacy Activists.

I invite the Privacy activists therefore to start suggesting the infrastructure required to prevent misuse of Aadhaar and in the event of misuse providing proper grievance redressal to the Citizens as also the checks and balances to punish those Government officials who may misuse the system for harassing honest citizens rather than pursue the sole objective of getting Aadhaar scrapped.

If Supreme Court proceeds to take another Sec 66A kind of populist decision, then we will be removing an effective instrument of Governance, defeating the fight against Black money and corruption.

Supreme Court may not be responsible for Governance and hence it may not be their problem if Black Money in India grows and Benamis thrive.

But the progeny may blame the Court for missing an opportunity to drive India on a path to a good economic future and blame them that under the cover of providing Privacy Protection, they provided a Cover of secrecy for criminals to exploit.

Naavi

India is presently in the process of re-writing some of the Cyber laws regarding

a) Privacy… through the Supreme Court’s view on whether Privacy is a Fundamental Right?

b) Data Protection Act under drafting

c) Health Data Privacy Act under drafting

d) TRAI draft guideline on Privacy under discussion

e) Information Technology Act

We can presume that Supreme Court will say that “Privacy” is a “Fundamental Right” of an Indian Citizen subject to “Reasonable Restrictions”. It may make some lofty noises but will not make much change in the Privacy Environment. More will be done through the other laws.

In the meantime, another issue has cropped up in the Cyber Space on “Ad Blocking” which has been challenged under “Copyright” legislation as if “Advertisement is a fundamental right” of business and removal would be an offence. (See this article for more information)

In India, ITA 2000 defines any “Program” that “Without the permission of the owner of the computer”, “diminishes the value or utility of a service”, which should include unauthorized use of “My Bandwidth usage Rights” as a “Computer Contaminant”. Introduction of such Computer contaminants is a cognizable offence under Section 66 of ITA 2000/8 read with Section 43.

Unfortunately the clarity that “Advertisements” could be considered as “Computer Contaminants” has not been properly recognized by Law enforcers and Consumers and hence no action is being taken when consumers are being cheated by Advertisers.

Many times content is being completely covered by Ads repeatedly or video ads start rolling as soon as we visit a website etc. This menace has now started affecting the Mobile Users also to the extent that “Ad Supported Apps” have become a nightmare to the content/service users.

There are many instances when without the knowledge of the App owners, Obscene ads and invitations to pornographic websites are appearing even in mobile apps meant for common usage. I have pointed out such issues in “Google Ads” in one Radio app and have also seen it in the Chess Online App. This indicates that whatever filters are supposed to block such ads at the end of the ad supplier are not working.

“Ad Blocking” has therefore become a necessary requirement at the user end as a “Consumer Right”. However many content providers including media websites have started a trend to block content unless the AdBlocker is removed. There was also the recent DMCA attack on “Easylist”, which was asked to remove a site from its filter. This may snowball into a serious fight between greedy content providers and the Consumers.

While Advertisement industry (of which I was a part in the past) has a legitimate reason to exist, it has to recognize that Advertisement has to be an appendage to content and not the other way round. The media trend now in print started by Times Group is that the first page of a newspaper is an Advertisement and content starts only from the third or fourth page.

Paid content on TV channels is also more than proportionately covered by Advertising to the extent that consumers feel like paying for the ads more than for the content. Initially TRAI tried to block advertisements in paid channels but the commercial strength of the TV channels overpowered the TRAI and brought advertisements even into paid channels.

The “Rule of Proportionality” between content and advertising has been given a go-by in the Print and the TV and it is slowly creeping into the web and mobile. We need to preserve this through the forthcoming changes in Cyber Laws that address “Privacy”.

While static ads that take a banner in the bottom or top are mostly tolerated, the so called “Interstitial Ads” that cover the entire page and do not allow the content to be displayed until the ad goes off are an encroachment of the “Privacy” of the content user and have to be condemned.

Similarly the video ads that start playing on a website as soon as the page is loaded, without waiting for the user to choose whether he has to run the ad or not, eat away the bandwidth that the consumer has bought at a cost for browsing the content and not the ads. Such ads take more than 100% of the bandwidth otherwise required for the content viewing. Since all ISPs are stakeholders in this “Bandwidth bloating game” all of them are happy with such ads. Only the consumer is unhappy.

There is no doubt that content owners justify their right to advertisement because of the contractual consent they may try to obtain by some standard form contract terms hidden somewhere in the website which may not even be confirmed by the digitally signed means of clicking on the “I Accept” button.

It should therefore be ruled that “Ad Blocking” is a “Fundamental Right” along with the “Privacy Right” and cannot be abrogated by contract, which anyway most of the times is an implied contract only.

I therefore urge that the Privacy Laws that are being drafted now should define “Advertisements” as an “Intrusion of Privacy” and “Ad Blocking” should not be considered as a “Right” either under Copyright laws or Free speech consideration.

If for some reason, our Supreme Court fails to recognize this, I wish ITA 2000 amendment should recognize this and introduce a clause to recognize that

“Unsolicited Ad serving on web or mobile should be considered as a “Spam” and subject to “Reasonable Restrictions”.”

Such reasonable restrictions should include by way of “Rules” that the ad content on a mobile or a webpage should not exceed 10% of the visible space and the total bandwidth usage by ads should not exceed 15% of the total bandwidth required for the page.

Any excess should be specifically authorized each time by an affirmative consent which should be recorded and made auditable by relevant authorities.

Any contravention should be made punishable by way of civil compensation to the consumer as well as fine just as TRAI does on contravention of unsolicited call blocking norms.

One more regulation that needs to be considered is that

When a service is contracted by a user (eg: when an app is first installed or a Privacy Policy version is frozen on the website), whatever was the advertisement composition, should not be increased after the installation without express consent.

The above suggestions can also be made to TRAI since it has placed the consultation paper for public comment up to September 22, 2017.

Since “Privacy” is a “Right to be Left Alone”, the “Ad Blocking” can be considered as protection of this “Right to be left alone to use the content” without the intrusion of the Advertisements. The honourable Supreme Court should take note of this and if possible, make a suitable observation.

Putting a regulation on Advertisements across all media should mitigate the risk of commercialization of web and mobile services and preserve the “Net Neutrality” principle also.

I hope TRAI will give due thought to the need to put a control on the Advertisements and appropriately draft their rules on Privacy protection. (We shall separately discuss the consultation paper in a subsequent article)

Naavi

California Department of Justice has released a set of guidelines for Mobile Apps developers which act as “Privacy Practice Recommendations”. The practices recommended here are expected to help in the compliance of the California Online privacy protection Act (COPPA). Being perhaps the first of such codes, this is a useful document to be adopted by all mobile apps developers as well as other stakeholders such as app platform providers, mobile networks etc.

These principles include making an app’s privacy policy available to consumers on app platform, before they download the app. It is stated that major app platform providers such as Amazon, Apple, Google, HP, Microsoft, RIM, and Facebook have agreed to the principles.

Highlights of the recommendations are:

For App Developers

• Start with a data checklist to review the personally identifiable data your app could collect and use it to make decisions on your privacy practices.
• Avoid or limit collecting personally identifiable data not needed for your app’s basic functionality.
• Develop a privacy policy that is clear, accurate, and conspicuously accessible to users and potential users.
• Use enhanced measures – “special notices” or the combination of a short privacy statement and privacy controls – to draw users’ attention to data practices that may be unexpected and to enable them to make meaningful choices.

For App Platform Providers

• Make app privacy policies accessible from the app platform so that they may be reviewed before a user downloads an app.
• Use the platform to educate users on mobile privacy.

For Mobile Ad Networks

• Avoid using out-of-app ads that are delivered by modifying browser settings or placing icons on the mobile desktop.
• Have a privacy policy and provide it to the app developers who will enable the delivery of targeted ads through your network.
• Move away from the use of interchangeable device-specific identifiers and transition to app-specific or temporary device identifiers.

For Operating System Developers

• Develop global privacy settings that allow users to control the data and device features accessible to apps.

For Mobile Carriers

• Leverage your ongoing relationship with mobile customers to educate them on mobile privacy and particularly on children’s privacy.

This is a good starting point for a new regime on privacy protection on the mobile platform. Hopefully it would be adopted at the earliest by responsible apps developers and distributors.

Naavi

Copy of Guidelines

Our honorable Minister of IT Mr Ravi Shankar Prasad has stated that India will create a Global bench mark with its Data Protection Act which is being drafted now.

While we welcome the goal set by the Minister, it is time to discuss how India should approach creating the Global Bench Mark. The proposed Act will be based on the report of the Justice Srikrishna Committee which will actually draft the contours of the Act to which the Government will just add some structure.

Since Justice Srikrishna comes from the judicial background and we are fresh with the 9 member Supreme Court bench decision that “Privacy is a Fundamental Right”, it would be reasonable to speculate that the proposed “Data Protection Act” will operationalize the “Informational Privacy” as discussed in the judgement.

After the judgement, there is already a discussion on whether mobile information is subject to Privacy and whether Police can seize mobiles etc. There is therefore an apprehension that if the law is not properly drafted, there would be serious hindrance on the capability of Police in particular to carry out investigations. Criminals and Suspects will quickly jump to Courts and bring stay and by the time Police are able to get the stay vacated, the electronic evidence might have been irrevocably erased.

The proposed act will note that “Privacy” is equivalent to “Right to Control personal Information in data form” and hence protection of Personal information is the objective of the Data Protection Act.

Will the Act therefore focus only on protecting “Data that contains the personal information”? Or will it extend its scope to all types of data including those which constitute say Copyright, Domain Names, Patents? Will it also extend to corporate information such as financial data, marketing data or HR data? Will it also extend to log records? Telephone conversations? These are all matters that this act will perhaps try to address.

This means that the Act should define what is “Data that has to be protected”? and then proceed to classify them into “personal” and “sensitive personal”, “other” etc.

The Act needs to also define who owns “Data”, whether “Data” is a property, and how the Data can be used by whosoever owns it.

When Data gets aggregated, value gets added and there is always a question whether this value addition belongs to the data subject or the data processor or the data controller who actually instructs the data processor to process the data in a particular manner. Under the Copyright law, the database administrator gets the copyright on the aggregation part and therefore it recognizes different property rights between the raw data supplier who is the data subject and the entity which adds value which is the data processor or any other entity that uses the raw data.

If Copyright law recognizes copyright on data base creator, then similar principle has to be used in the data protection law also recognizing that the nature of property changes from the data subject to the data processor.

Once we recognize that “Data” is a “Commodity” and different values can be ascribed to it in different stages of its life time, we need to recognize it as a property which can also be traded.

Recently a store in London was reported to be accepting “Personal Data” as payment in exchange for goods. 

The “Data Dollar Store” appears to value the data you present and allow you to trade them. In a way it is a “barter” system. From the initial reports, it appears they may accept some photographs etc as “Personal Data with value”.

Of course if you offer “Digital Money”, perhaps they may not refuse since this also is “Data”… but the concept is interesting particularly for people who can create valuable personal data instances.

Coming back to our discussion on Data Protection Act, there are some practical problems that the authors of the law will encounter. Since the Supreme Court has not really defined “Privacy” but went on a wild discussion in which what one eats or where one travels etc. is all “Privacy”, the Zomatos and Make My Trips will be dealing with “Privacy Sensitive Information”. If therefore Government makes any law that tells how such companies need to collect information and deal with it, such a law may be questioned as a violation of a Fundamental Right not being saved by the exceptions of national security etc.

We realize that if we take this extreme view, then there can be no e-commerce without some form of personal data being shared with the service provider. The currently accepted privacy principle is that one can collect personal information as long as it is necessary to provide the service offered and a “Consent” is provided by the data subject in the form of a “Deemed Contract”. The only discussion is on the quality of disclosure and ethics of the collector in collecting only the minimal required information and using it only for the purpose it is required.

But can the Government make a law stating that “The Fundamental Right of Privacy can be infringed by any individual if he has taken a consent in the form of undigitally signed web/mobile based acceptance forming a deemed contract in which the data subject’s rights are agreed to be infringed”. Will it be a “Contract for a consideration that is legally untenable”?

If we take a stand that this is a globally accepted principle and there is nothing wrong in the data subject entering into a contract with another person saying that he can make use of the personal data and he is not pressing his fundamental right, then we are automatically accepting that “Data is a commodity that can be transferred for consideration”.

Will the Justice Srikrishna committee have sufficient courage to say that “Personal Data” is a “Property of the Data Subject” and he can sell it for a price which includes agreement to use the services offered by a service provider? If they do, then Government will not have any problem with its Aadhaar per se or mandatory linking of Aadhaar with PAN or mobile number etc.

But if they do, they may be standing against the spirit of the 9 member Supreme Court judgement.

If the Srikrishna committee hesitates and continues to carry over the uncertainty on the definition of Privacy from the Judgement to the committee’s findings, the problem gets transferred to the Meity in drafting the law.

The Government can simply define the law as a “Law to protect the Confidentiality, Integrity and Availability” of Information and make it more as Cyber Security law than anything else. It will of course create the office of the Data Commissioner. It may also introduce licensing of data processing and other regulations and in the process may make the life of E Commerce entities such as the Zomatos and Make My Trips miserable.

In the end, the law will be an extension of ITA 2008 and will not add much to the domain of “Privacy Protection”.

In all probability, this is what is going to happen and we will continue to keep worrying about the definition of Privacy and, without understanding its nature, try to protect it in data form.

Considering the futility of such an exercise, I would like the Government to accept that given the wide definition of “Privacy Right” as ascribed by the Supreme Court, it is not possible to make a law that protects the unknown and omnipresent. 

Instead, the Government may focus on how the Citizens can be compensated when a “Data Breach” occurs and go onto define “Data Breach” and its consequences.

The definition of “Data” can apply to any information in electronic form and “Breach” is defined as any action which is a violation of a contractual agreement.

If we take this approach we need not define what is “Data that is Personal Information”, “Data that is Sensitive personal information” and “Data that is neither a personal information nor a sensitive personal information”.

If the Supreme Court can use a strategy to define the “Privacy Right” without defining “Privacy”, Government may be able to create a “Data Protection Law” without treading on the difficulty of defining “Data which is Personal information that forms part of the Privacy Rights”.

The existing law in ITA 2000/8 and the rules thereunder are sufficient to carry on the market activities since it already provides a definition of personal Information as well as Sensitive personal information in addition to the larger set called “Data”.

The new law can state that any person can enter into a contract with his data as a commodity and bring the data protection requirements under the Indian Contract Act read along with ITA 2000/8.

The new law can also enable and empower any business that may be set up to buy, sell, process or exchange data under a contractual agreement with the data subject or a personal data custodian to whom the data subject has transferred his personal data.

This will define the “Data Trading” concept and provide clarity to companies in Data Analytics and Big Data activities. It will also prevent the IoT industry from being stumped with the new Privacy debate since any information collected by the IoT device is likely to be considered as “Personal Data”. Though IoT data is linked to the device ID, along with the purchase and installation information, it is linked to the personal data of the owner and his location and hence will become a part of the “Privacy Right”. The CCTV captures will also be legally protected if a person walks into a mall and is being photographed by the CCTV system in exchange of the benefit of walking through the premises.

Additionally innovative companies may set up business to de-identify a data set and create value thereon before they are actually sold for a profit which they can share with the data subject at the time of re-identification.

Some company may also set up a “Regulated Anonymity” system where it will absorb the identity and provide a proxy ID to the user with which he can do all transactions on the internet. The business can even run an “Identity Gateway” where the identity such as Aadhaar or PAN etc can be pseudonymized without adversely affecting any service or security requirements of the Government while at the same time protecting the critical identity data from unknown threats.

It is to be recognized however that these intermediaries are still vulnerable to an Equifax type of attack on their systems which could compromise the customer data if they do not implement appropriate security measures.

In such an eco-system, the so called “Data Protection Law” may change its objective from “Protecting Data” to “Protecting the Citizens from the consequences of a Data Breach” where Data breach is defined as an unauthorized data access in contravention of the data sharing contract.

Such consequences will of course expand on what ITA 2008 now says as “Intermediary Responsibilities”, “Civil Liabilities” and “Cyber Crimes” but with a better implementation mechanism.

The new law can additionally define a system of “Leasing of Personal Data” different from “Selling of Personal Data” to meet temporary requirements. This would automatically incorporate a right somewhere near the “Right to Data Erasure” as referred to in GDPR since data leased cannot be used beyond the lease period. It will automatically terminate the rights of the data processor and shift the onus on him to get the contract renewed much better than the current “Opt-In” system.

The new law can also talk of “Fundamental Duties” of a citizen as a “Data Subject” and uphold his fundamental rights to decide how he can use his personal data including monetizing the personal data as if it is a property that belongs to him. If thereafter a challenge is mounted on the law in the Supreme Court and it has to take objection to this law, they have to object to the provision that defines the fundamental duty and fundamental right of a citizen to deal with his own data property. Hence the law may be protected against a legal challenge.

In this context, it would be better to call this law not as “Data Protection Law of India” but as “Data Breach Protection Law of India”.

Naavi

[P.S: This is in continuation of the discussion of the proposed Data Protection Act in India and the public comments invited for the Justice Srikrishna report.]

The Justice Srikrishna Committee (SKC) has propounded 7 key principles of the Data Protection Act and proceeded to provide several questions in its report seeking public comments.

The Seven key principles under which the proposed Data Protection law would be based are as follows.

1. Technology agnosticism – The law must be technology agnostic. It must be flexible to take into account changing technologies and standards of compliance.

2. Holistic application – The law must apply to both private sector entities and government. Differential obligations may be carved out in the law for certain legitimate state aims.

3. Informed consent – Consent is an expression of human autonomy. For such expression to be genuine, it must be informed and meaningful. The law must ensure that consent meets the aforementioned criteria.

4. Data minimisation – Data that is processed ought to be minimal and necessary for the purposes for which such data is sought and other compatible purposes beneficial for the data subject.

5. Controller accountability – The data controller shall be held accountable for any processing of data, whether by itself or entities with whom it may have shared the data for processing.

6. Structured enforcement – Enforcement of the data protection framework must be by a high-powered statutory authority with sufficient capacity. This must coexist with appropriately decentralised enforcement mechanisms.

7. Deterrent penalties – Penalties on wrongful processing must be adequate to ensure deterrence.

The above principles may determine the broad contours under which the SKC may work out a draft of the Data Protection Act of India (DPAI). In the background, the Supreme Court’s views on Aadhaar as an instrument of Governance and a potential tool of breach of Privacy will be weighing in the minds of those who will work on the drafts.

One of the first counters to be raised therefore is “Whether these principles need to be expanded? or Modified?”

It is in this context that we raise the first supplementary principle to be added to the list.

“The proposed Data protection Act should be amenable for compliance by all stakeholders with pleasure and appreciation of the purpose. It should not attempt to enforce the law compliance by pain… except to the inevitable minimum required pain that accompanies all changes.”

The second principle which follows the first is that the proposed law should confine itself to the limitations that are inherent in such a legislation. The law is proposed as “Data Protection Act of India”, but is it the right definition of the proposed law, or should it be considered differently? This is a question to ponder.

When the honourable 9 member bench of the Supreme Court (Puttaswamy Judgement) declared in a hurry that “Privacy is a Fundamental Right under the Constitution of India”, there was no time to deliberate and come to a conclusion on “What is Privacy”. The order did not specify the definition but said Privacy is a fundamental right. So the task before the Data Protection Act legislators includes defining what they propose to protect.

A question naturally arises therefore that if the 9 eminent jurists could not define the enigmatic concept of “Privacy”, should the Data Protection Act of India attempt to do it?

Data protection legislation may not be the right law to define Privacy. It should be through a different law under the overall domain of “Democratic Rights of an Indian Citizen under our constitution”.

On the other hand the Data Protection law can effectively define the “Security to be accorded to Data” of a particular type. “A Data Protection Act” should confine itself to protection of “Data” which may be personal data, sensitive personal data, or even corporate data. Calling an Act as “Data Protection Act” and confining it only to being an “Individual Information Privacy Protection Act” is not warranted.

However, India already has a law called “Information Technology Act” which has several provisions that fall in the category of “Data Protection”. It also has provisions that are meant to protect “Information Privacy” because of Sections 72A and 43A. Sections 43 and 66 along with several other sections such as Section 67C, Section 79, etc define responsibilities of individual information privacy protection. Sections like 69, 69A and 69B also provide the “Reasonable Exemptions”.

Now whatever the new Data Protection Act proposes will be in partial modification of ITA 2000/8 and will introduce a conflict with ITA 2000/8 and perhaps also on the UIDAI act.

The new Data Protection law should therefore decide if it steers clear of the existing ITA 2000/8 or tramples upon its provisions and replaces them with a new set of the same provisions under a different legal provision.

We should not forget that there is a “Health Care Data Privacy Act” which is also on the drawing board and has already been partially rolled out in the form of EHR guidelines (though the industry has largely ignored it).

One of the other principles that the proposed law should declare for itself is therefore the following:

The Proposed Data Protection Act shall work in harmony with the current established laws in the country such as Information Technology Act 2000, Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act,

The Key principles should therefore be increased from 7 to 9.

The main purpose of the suggestion is that we need a legislation that the stakeholders will absorb as a necessary legislation that is good for our society and hence all of us have a duty to comply with it.

Unlike the GDPR which tries to impose its will through obnoxious penal provisions, Indian Data Protection Act or Information Privacy Protection Act, or Individual/Personal Information Privacy Protection Act, as it may be called, should not bank upon its ability to control the market with its penal provisions. By stating that the penalty can be 4% of global turnover or 20 million Euros, GDPR is showing its muscle. India can counter this by saying that the penalty may be 5% of global turnover and INR 2 billion and make it applicable to any entity in the world. With such a provision we can also make the international community raise eyebrows and recognize our existence.

But is this the way law should be imposed? by threatening to wipe out a company in case of non compliance? and leave it to the mercy of the adjudicator to determine the final penalty and if possible use his discretion as a leverage to ask for favours from the accused?

Penalty should be a deterrent but it should not be so huge that the accused either declares bankruptcy immediately or thinks of bribing his way out. It is in this context that we say law should promote compliance not with pain but with pleasure.

Data Controller is also a stake holder

In the data protection law, the drafting people should also decide who is the stake holder or stake holders. Is the stake holder solely the individual, and are others like the Data Controller or Data Processor only targets for imposing a penalty if they do not comply, when what they need to comply with is itself unclear?

We must accept that a Company registered in India is as much an entity that needs Government protection as the individual who is a citizen of India. Hence the law of privacy cannot go overboard and look at punishing the Data Controller severely as the EU law tries to do. Of course we do not trust the Companies as also the Government when it comes to Privacy protection and hence the need for the law. Law sometimes tries to provide protection to the Government separately (eg UIDAI) but imposes hefty fines on the private sector for the same offence. This may not be fair.

What follows therefore is that whatever law which is now being proposed, it should be equally applicable to a Company or the Government or an individual.

Secondly, if Individual’s data needs protection, corporate’s data also needs protection. If one is called “Privacy”, the other may be called “Data Protection”.

Hence if we call this new law as “Personal Information Privacy Protection Act”, then it can confine itself to protecting individuals against invasion of privacy that may arise because such information is not protected by a corporate or Government.

If we call this a “Data Protection Act”, then it should extend to Corporate data as well. Since ITA 2000/8 is already covering this aspect, there is no need to cover security of corporate data through this Act. On the same logic, if this law has to be a comprehensive law on Personal Data Protection, then Sections 43A and 72A need to be removed from ITA 2000/8.

If Section 43A and 72A are to be retained and the new law has to extend to privacy protection, then the law should clearly explain that the new provision is in addition to the earlier provisions in ITA 2000/8 and not in derogation of the earlier provisions present in ITA 2000/8.

If this precaution is not taken into account, we will end up with the argument which was presented by an advocate in an adjudication proceeding in Karnataka and accepted by the then adjudicator that “Introduction of Section 43A applicable for body corporate in ITA 2008 automatically changes the meaning of Section 43 and confines its jurisdiction to individuals only”. Though the undersigned did not subscribe to this view at that time and does not even now, if law is not clear, it enables such manipulation by clever advocates to the detriment of the society.

I therefore urge the SKC to declare that

what they are proposing is not in derogation of any of the existing laws and in particular the provisions contained in ITA 2000/8 on data protection in general and personal data protection in particular.

Jurisdictional Umbrella

It is more or less imperative that the law will define that it is applicable to the processing of data of an individual citizen of India by any person including a Company incorporated in India or otherwise or by Government in India or otherwise.

However, this will naturally lead to a conflict in implementation when the law is breached by a foreign company or a Government. Similarly a foreign Company or a Government may also try to impose its own law (eg GDPR) on an Indian company and claim penalties which may be significant and also involve foreign exchange outflow.

The Proposed law provides an opportunity to ensure that this conflict between different laws applicable to a single company in India is resolved without the company (registered in India and therefore expecting the Indian Government to protect its legitimate interests) having to face several international regulatory organizations at a given time.

Typically an organization handling data processing may have personal data from persons of different nationality. Each country is now trying to impose its own laws and also extend extra territorial jurisdiction just like what GDPR has done in respect of information that belongs to its citizens. It has therefore become necessary for companies (Data Controllers or Data Processors) to tag every piece of personal information with the citizenship of the individual and try to apply appropriate laws. In one case it may involve “Right to Forget” and in another case there may be an “Obligation to retain”. In such cases, the Companies will be unable to comply with conviction if they do not have a data classification system that tags the information to the country of citizenship. (Hopefully there will be no dual citizenship problem).

This data protection law should recognize this problem of the business community and try to provide a solution.

The solution we suggest is twofold.

  1. Every consent should incorporate a specific clause which states that “This personal data shall be protected as per provisions of personal data protection applicable to ….. country.”
  2. The adjudication and imposition of penalties if any shall be determined as per the personal data protection regulations applicable to India and the Indian Data Protection Authority shall have the final authority in sanctioning any penalty in respect of any individual who is a citizen of India, any corporate or other organization registered and subject to Indian laws.

The jurisdiction clause is proposed as a mandatory part of the consent which itself should be mandatory.

This provision also means that if any EU entity imposes a penalty on an Indian Company, the Indian Data Protection Authority shall intervene to accept or reject the penalty claims.

In order to make the provisions of the new law fair, the law can offer reciprocal arrangements of similar nature to foreign jurisdictions and state

“Where penalties are imposed under the Personal Data Protection Act of India on a person who is either not a citizen of India or is a company registered outside India, then the Indian Data Protection Authority shall provide an opportunity to the Data Protection authority (if any) of the country to which the said company/individual belongs to implead on behalf of the said entity.”

Since some of these suggestions could interfere with international obligations, these may need to be properly drafted. The suggested intent is that no Indian Company will be directly made liable to any foreign authority whether by a contractual agreement or otherwise without a sanction of the Indian authorities. If this umbrella of protection is not created, GDPR will be an instrument that will create colonies in India and allow European companies to control Indian Corporate entities.

Naavi

(Discussions will continue)