Will PSD2 have an impact in India?

Recently, in WhatsApp circles, there was news about RBI cautioning the public about “Multi Bank Balance Enquiry Apps”. This was actually an advisory issued earlier, on 11th April 2015, in which RBI stated as follows.

“It has come to the notice of the Reserve Bank of India that an app (application) is doing rounds on WhatsApp purportedly to facilitate checking of balance in customers’ bank accounts. The application has an RBI logo with the title ‘All Bank Balance Enquiry No’ and has listed several banks with either a mobile number or call centre number.
The Reserve Bank wishes to clarify that it has not developed any such application. Members of public are, therefore, advised to use the application, if at all, at their own risk.”

This could well be the case of a “Fake App” or a “Fraudulent App”, or a case of misuse of the RBI trademark.

But in the era of growing FinTech companies, there are many genuine Apps that try to provide money management facilities which include “Multi Bank Account Access”, and hence this advisory could be taken as general guidance against all such Apps.

Since financial information is among the most sensitive of personal information, and since today most Bank accounts are linked to Aadhar and Aadhar itself is linked to everything including the PAN card, these “Multi Bank Apps” represent one of the highest concentrations of “Privacy Risks” and call for special attention in defining the “Data Security Requirements”.

While the RBI advisory above was re-circulated on Social Media and created some caution, it does not amount to a proper “Information Security Advisory”. The Watal Committee report addressed the issue of growing security concerns in the digital payment systems along with the need to promote such payments, and advised a review of the Payment and Settlement Act 2007 (PSSA-2007) under which a “Payment Regulatory Board” (PRB) would supervise the requirements of information security in the digital payment industry.

The Watal Committee also mooted the idea of “Open access” to the payment systems by non-Banking PSPs (Payment System Providers). When guidelines for this do come up, the FinTech companies may be able to have unhindered access to the financial data of individuals. This could blur the difference between Banks, which people trust much more today, and the PSPs, many of which are start-ups with quick profits as their goal. Today many of them do have access to credit information through CIBIL or other so-called “Credit Rating Agencies”, which many times work on imperfect data and create adverse issues for individuals. But what the new regulations open up is access to the core Banking system, where FinTech companies may have access to highly sensitive personal information.

In the EU zone, the “Payment Systems Directive” or the PSD addressed the issue of Privacy and Data Security in this domain. Now the PSD2, which is the revised directive, has been made applicable with effect from 13th January 2018, along with the GDPR coming into force from 25th May 2018. The Watal Committee made a brief mention of PSD but did not take into account the PSD2. The Government has recently announced that by around Diwali a new Data Protection Act could be in place in India, and if so, it should incorporate some additional measures of data protection for Personal Financial Data (PFD) in tune with the strict EU standards.

While the IT companies involved in data processing contracts from EU companies would be required to comply with PSD2 provisions as contractual data processors, the FinTech companies themselves, which may engage in PSP activities, may not take note of PSD2. They are presently bound by Section 43A and Section 79 of ITA 2000/8 and required to comply with the Privacy regulations and implement what may be termed “Reasonable Security Practices”. However, their practices are unlikely to meet the minimum standards of information security required in such cases.

Most mobile Apps access financial information by taking unhindered permission for SMS, E Mail and Calls before the user even downloads the app and examines its scope. Since Banks send information about transactions by SMS and E Mail, the entire financial history of the customer will be available to the App. This is used for creating expense accounts and other reports which are presented as a useful service to the data owner. There is no doubt that the information would be useful, but in the process the risk of critical PFD being shared with the FinTech Company is a source of concern.

When one views the Terms and Privacy policies of these FinTech companies, one may observe many anti-consumer clauses with absolutely no warranty on either the information security or even the quality of service.

It was amusing to observe that one of the Apps which is considered a successful FinTech App limits its own indemnity to the user to Rs 1000 while trying to get an unlimited indemnity from the user for its benefit, with no warranty. However, the website of the Company, instead of talking about “Zero Warranty” and “Unlimited Liability”, promises “Bank Grade Security” and “No collection of Sensitive personal information”, while the App’s privacy policy and terms do not have the required assurances.

It was further interesting to observe that if one tries to make a psychological profile of the Company, one is further intrigued by the “About Us” page of the Company highlighting the assets of the company, as captured by the following illustration.

The Company boasts of 5 million downloads in the last three years and “Google Best App” award in 2015. As a keen observer of Information security practices, the Privacy concerns across the globe and the emerging data protection regulations in India, US and EU, it is difficult to get convinced that a company that is proud of the number of Beers consumed and its Bar Stools strength can be trusted with the financial information of a consumer.

This comment is not meant only against this company, since this could be the typical approach of most of these “FinTech” companies, which are managed by good techies but without matching concern for information security.

When the new Data Protection Commissioner takes charge in India and such companies seek registration as a PSP, I wonder how the privacy policies and terms of use would be scrutinized.

If on the other hand the new Data Protection Act of India tries to adopt the strict terms of privacy regulation that an EU commission may expect under PSD2 or GDPR, then most of the Indian FinTech Companies will fail the “Test of Consumer Protection”. The Watal Committee report does focus on Consumer interest, and even the RBI has many times indicated its concern about consumer interest being sidelined by technology-based banking software products.

Unless the FinTech Companies include a mandatory Cyber Insurance package under which users are protected against direct and indirect losses arising out of a data breach caused by use of the service, the Data Protection Commissioner should consider the security as “Inadequate” and red-flag the Apps.

PSD2 or GDPR or even the ITA 2008 would basically work on “Consent” and “Disclosure”, followed by other obligations of data protection. However, a “Disclosure” which is incomplete and misleading, and a consent based on “Clicking of the Continue” button on an App, will hardly satisfy the rigid standards of Consent envisaged under any legal principles.

I therefore urge the members of the FinTech Companies to come out of their “Tech Shell” and understand the disservice they are doing to the community by luring the public into Apps with little or no security, and to really introduce some measures which include fair insurance coverage for the users of their Apps along with fair terms and reasonable security.

I also request RBI that its 2015 advisory should not remain only a formality and should be followed up by a new regulatory measure by the Payment Services Regulatory Board or the RBI committee which oversees these functions, to address the issue of dilution of data security through mobile Apps.

The sooner this happens, the better it is for the Indian public. In the meantime, I also urge the FinTech industry to introspect and generate a “Self Regulatory Mechanism” that would protect the integrity of the industry.

In June 2016, RBI formed a committee under the Chairmanship of Mr Sudarshan Sen (SSWG) with a scope to review the FinTech industry as it is emerging in India. However, there is no further news on the activities of this Committee. If it is still active, it should take into account the requirement of protecting the FinTech customers of India with data protection standards equivalent to PSD2 and GDPR, either through the proposed Indian Data Protection Act or through a notification from RBI, which is revising the PSSA-2007 as recommended by the Watal Committee.

Naavi


More Clarification on Section 65B Certification… For Forensic Labs

Section 65B Certification of electronic evidence produced in a Court proceeding in India has been a matter of intense discussion in the circle of Forensic experts, Law Enforcement and of course the Legal fraternity.

Historically, the undersigned was the first person to produce a report under Section 65B of the Indian Evidence Act in a Court in India (Suhas Katti Case in 2004). Subsequently, it has been followed by many other Certificates issued under the banner of the Cyber Evidence Archival Center (CEAC) in the last 12 or more years.

During this time, the undersigned has handled many interesting CEAC certifications including Web site pages, E Mails, Mobile data, Corporate Computer data, Personal Computer data, YouTube Videos, CCTV Videos, Extracts from Forensic software, Remote Desktop views etc. Some certifications are of straightforward web pages as they appear, some are extracted with the use of forensic software, etc. Some electronic documents are text documents that can be easily printed out, and some are audio and video files which can be rendered only in soft copy format.

Each of these different types of documents has been a challenge in terms of meeting the Section 65B requirements. Sometimes it has been necessary to structure solutions to extract the electronic documents as per the best understanding of the requirements of Section 65B as perceived by the undersigned.

As a result of such long experience over the past 12-plus years, the undersigned has developed specific procedures to present the “Computer Output” as required under Section 65B of the Indian Evidence Act.

I am aware that there are legal luminaries who have special expertise in the Indian Evidence Act, and some of them may hold views different from mine on some aspects of how Section 65B has to be interpreted. It is possible that for various reasons many of them had not focussed on the issue of Section 65B until recently, when the Supreme Court drew attention to the mandatory need for Section 65B certification for all electronic evidence presented to the Court (Refer Basheer Case).

I was however drawn into it right from 2002, when CEAC was formed as a service, and therefore the procedures developed must be considered as an evolution of the system over a long period. (It is not out of place to mention that I had proposed CEAC to be a public-private partnership with the Ministry of IT at that time through the then CCA, though it could not be implemented and it continued as a private service.)

At this point of time, Naavi’s approach to Section 65B certification as used by CEAC should perhaps be considered one of the approaches that needs to be accepted as a major school of thought, even if other experts have a different view point. However, we can say that Jurisprudence on this aspect is still under development, and it could be common for different experts to argue differently and different Courts to interpret differently. Some time in the future, I suppose the honourable Supreme Court will look into many of my articles, including this one, and give its own interpretation, which itself may undergo many iterations over time.

With this humble submission, I would like to present below my view on one hypothetical case based on a reference received by me regarding submission of forensic reports by Forensic Labs and Government owned establishments such as CFSL or other equivalent organizations.

In the reference, there were the following aspects.

  1. The evidence consists of a Call Data Record (CDR) extracted from a Mobile Service Provider (MSP). (Perhaps this includes the Tower data record along with the billing and usage records.)
  2. Mobiles seized from the accused sent to the lab for analysis
  3. Hard disks seized from the accused sent to the lab for analysis.

For the sake of discussion, I consider the following hypothetical requirement of the law enforcement.

The accused has used the mobile phone/s to make calls to, say, other co-accused or to the victim in furtherance of an offence which may be a Cyber Crime or a Physical Crime. The CDR was collected from the MSP and handed over to the lab for further analysis. Mobiles and Hard disks were seized from the accused by the Police and sent to the lab. The CDR evidence is to be used along with the forensic analysis of the mobile, where there may be contact details and some SMS/WhatsApp messages. It is possible that some of this data might have been deleted and has to be recovered using appropriate recovery software. Some of the recovered data may be fragments needing further interpretation. The Computer hard disk will also have many items related to the mobile and the CDR, either in active files or deleted and recovered. There could also be a backup of the phone data on the computer of the accused whose hard disks have been seized.

The questions posed in the reference were:

a) Who will provide the Section 65B certificate for the CDR?

b) Will the Lab provide a Section 65B certificate for its report?

I will try to provide my views on these queries to the best of my knowledge and experience.

Though the final report is provided by the Lab, the CDR is handed over to them as an input along with the other seized hard disks.

The CDR is an extract from the systems of the MSP and has therefore to be certified under Section 65B by the MSP’s person in charge.

If the MSP admin allows the files to be viewed by an independent expert, then the independent expert may take on record what he has seen and the circumstances under which he saw the documents, record it, and add it under his own Section 65B certification.

The CDR as presented by the MSP may be in, say, an Excel form, which the lab may use as an input and analyze through CDR analysis software. This may display many results on the screen of the analyst’s computer, which he may record and use in his report.

Similarly, the mobile data or hard disk data may be analysed by the analyst using forensic software of different descriptions. The software may discover deleted files and show them on the analyst’s screen. Some of these electronic documents, as they appear on the analyst’s screen, may be captured and used as part of the analyst’s report.

At the end of this exercise, the analyst will come to some conclusion in his report and answer the queries raised by the investigating officer.

In such a scenario, the question of how Section 65B certification has to be used by the Lab expert is a matter of discussion.

Now in the above case, the report could be considered as a combination of

a) Matter of fact observation when some content is displayed on the screen of the analyst under certain standard conditions.

b) Certain content displayed which may require an “Expert Knowledge” to draw a meaning.

Section 65B is mainly concerned with the presentation of an electronic document lying inside a computer as a “Computer Output” that can be experienced (Read, heard, seen) by the observer, for the purpose of admissibility by a Court.

“Interpretation” and drawing conclusions which are not obvious from the visible computer outputs (presented either as a print out or soft copy) is the subject matter of an expert in the domain. The matter-of-fact part of the report also requires certain expertise, but the level of expertise required for interpreting the data may be higher, or it may be an expertise completely outside the computer domain.

For better clarity, let us take an illustration where a lab analyst extracts an image of a wounded person from the computer and renders it as a computer output in his Section 65B Certified report. Another expert, say a doctor, views the photograph and opines that this wound appears to have been caused by such and such a weapon, etc.

Here there are clearly two experts: first, the computer expert who discovered the image from a pile of deleted images, and second, the expert who had nothing to do with the Section 65B Certified report but is an expert in another domain.

Sometimes the division of roles between the “Observer” who extracts the information and the “Expert” who interprets the document may not be so clear. It may be the same person who uses a forensic tool to extract fragments of a file containing log records and uses his computer expertise to interpret that the log record extracts mean certain things.

The Forensic lab analyst has such a dual role, and hence his report has the dual characteristic of being a report both as an observer of a “matter of fact” and as an expert “who interprets the fact”.

Another illustration that explains this situation is as follows.

Let us say there is a photographer who takes photographs. If it is a digital photograph, he can give a “matter of fact Section 65B certification” stating that this is a faithful reproduction of a photograph which he took using such and such a camera on such and such a date and time at such and such a place. This is the typical certificate where the certifier does not express any opinion on who is in the photograph or what is happening (Is it a marriage? Is it a quarrel? etc.).

Let us now say that the photograph is a video in which two persons are speaking in French. Let’s say the photographer fortunately knows the French language and can interpret what the two are talking about. He therefore produces a report in which the video is enclosed and states that the two persons were planning a terrorist attack. His certificate is now more than a Matter of Fact certificate and includes his own expert view based on his language expertise.

The report that a Forensic lab person normally gives has this dual element of expertise: in the first place, there is the simple expertise of using some tool and making some electronic documents appear on the screen, which is then printed with a CTRL+P command; and in the second place, there is a “Forensic Expertise” where he adds his “Opinion” to the report.

A good lab report has to be structured in such a manner that these two aspects are clearly brought out in the report itself, so that the Court can use the “Matter of Fact” report and discard the expert report if it deems fit. Alternatively, the Court may accept the matter-of-fact part of the report but approach another expert for interpretation to substitute the expert opinion part of the report. This means that the report may be taken as evidence in part and rejected in part. It may also be possible that the defense accepts the “matter of fact” part of the report but challenges only the “Expert opinion” part.

It is a moot point at this time whether the reports provided by CFSL or other organizations which normally provide such forensic certificates have a system of structuring their reports as described above. It is possible that they simply enclose the evidentiary objects examined and directly give a point-by-point reply to the investigating officer’s queries on the evidence.

Once we understand this nature of the Lab report, we can address the issue of whether a Section 65B certificate is required for the lab report or not.

If the Analyst has reproduced any extracts of electronic documents as part of his report and relied on such extracts, then a Section 65B certificate is required.

If the Analyst does not use any electronic document as part of his report and only gives out his views in isolation, then he need not provide a Section 65B certificate.

In such a case he can be cross-examined as a witness and further information can be sought.

In the case of a self-evident/self-sufficient “Matter of Fact Certificate”, the parties/Court may decide not to put the analyst in the witness box and examine him, since there is no dispute on the matter-of-fact part of the report.

In most practical cases, a forensic lab will have electronic documents discovered by them on the basis of which they provide their opinion. Hence their reports will have elements of both a “Matter of Fact Certification” and a “Forensic Expert Opinion”, and hence Section 65B certification as well as presentation as a witness may be required.

Where a web page has been certified by an independent observer like CEAC as it appears to the public on the web, with only simple tools such as a standard computer running a standard operating system and a standard browser application, the Section 65B certificate may be accepted without the need for cross-examination of the certifier (unless the defense wants to challenge the witness and probably allege fabrication of evidence).

In such cases, the parties may accept the computer output for admissibility and argue on the content as they require. E.g., one may say that the words used are defamatory and obscene and the other may say they are not. The judge has to take the call.

In the Suhas Katti case, I had produced an extract from a web page, and the advocates argued whether it was obscene or not. I had no role in deciding whether it was obscene content. Similarly, I had recorded the IP address visible in the header information of the message and given my limited expert view, with the use of a “Whois query tool”, that this IP address appeared to belong to BSNL, Mumbai. This was low-level forensic expertise. I was however examined in this case as an “Expert” and cross-examined, but there was no disagreement on the evidence produced. The only objection raised by the defense was that I was not a Government employee, and the Court felt that an expert can be a private person.

I have presented the detailed view point above to indicate that the Section 65B certificate is meant to replace the need for the Judge to interpret the “Original Binary Content of an electronic document” and to enable him/her to take a view on the electronic document on the basis of a print out or soft copy of what the binary content means when rendered on the screen of a computer as a “Computer Output”. This is with the limited objective that the electronic evidence can be admitted and the trial can proceed. (Readers may kindly also read my earlier articles on the subject, links to which are provided below.)

The Forensic labs should therefore learn to structure their reports appropriately to indicate that one part of the report is simply to render the “electronic document” as a computer output as it is visible to a low-level expert, while in some cases the report continues with an expert view where the “Opinion” of the observer is added as an “Expert”.

What I have presented here as a requirement for Forensic labs should also apply to a “Digital Evidence Examiner” accredited under Section 79A of the ITA 2008 and summoned by the Court for its assistance.

Comments are welcome.

Naavi

Related Articles

1. Basheer Case Judgement and Section 65B of Indian Evidence Act…Cyber Jurisprudence develops

2. Section 65B of Indian Evidence Act on Electronic Evidence Explained

3. Clarification on Section 65B… Who should sign the Certificate?

4. The Role of “Notified Digital Evidence Examiners”


Securing Prepaid Payment Instruments under the IT Act

ISMG India recently carried a report on Prepaid Instruments, which has been reproduced here.

Naavi said in this context:

While MeitY has prescribed guidelines, security practitioners have offered other ideas. “The current authentication methods are highly OTP-dependent – whether passwords, aadhaar or e-sign – and don’t ensure complete secured transactions, as they are vulnerable,” says cyber law expert Naavi Vijayashankar of Cyber Law College and Ujvala Consultants. “New authentication systems must be built that circumvent risks with the current form of aadhaar-based authentication.”

“… that while common security measures include passwords and multifactor authentication, issuers must remember the focus of any business, and therefore its information security policy, is protecting the user from consequences of unauthorized access or denial of access.”

“…that practitioners consider risk assessment from multiple perspectives, including securing information from unauthorized access, data integrity and denial of access; protecting organizations from liabilities due to a security breach that could result in corporate executives being charged with civil and criminal liabilities; and protecting users from adverse consequences of a breach via cyber insurance.”

“…breach reporting is important and the central monitoring authority should possess such information to understand industry-wide risks.”

Naavi


Beware of the Cyber “Stone Pelters”

The news about WIPRO retrenching some employees has caused a slight stir in the minds of many aspiring Engineering graduates about the future of their employment prospects. Though the number of retrenchments in WIPRO is by itself not large compared to the strength of its work force, it does give an indication of the direction in which the IT job market seems to be moving.

It is possible that this trickle may gather momentum and other companies also start shuffling their work force, creating a crisis in the IT workforce and large-scale unemployment of the computer-savvy workforce.

There is a need for Cyber Space watchers to recognize that when techies start losing jobs, the possibility of at least some of them getting into deviant habits is very real, since they have the necessary skill sets to create “Cyber trouble”. Some who run short of cash for their genuine needs may turn to providing online support to the cyber underworld in the form of writing malware code, spamming or acting as virus droppers. Some may use the time to reignite previous jealousies and personal vengeance against others, which may manifest in more crimes like hacking of Facebook profiles, defamation and even “Glassdoor Attacks”.

In general, the Cyber Crime incidence in India may increase if job losses occur in the IT industry. This is more so since some of the job losses will be among mid-level workers with experience and financial commitments, as they are replaced with low-cost freshers.

Some of these job losses are also triggered by the “Protectionist” attitude that is growing in the US and other markets, consequent to the Visa restrictions imposed by the USA, with possibly more to follow if the trend spreads to Europe. Mr Trump has been clear in his approach that he wants Indian IT companies to create more jobs in the USA rather than exporting manpower from India, and this certainly means that the growth prospects for Indians working in the USA will dwindle.

In this context we can recognize that just as the frustration of youth in the Kashmir Valley can be the reason for them turning into “Stone Pelters”, frustration, if it grows in the Cyber Workforce in India, could create a situation where Indian techies start turning into “Cyber Stone Pelters”. Hence keeping such a skilled workforce from falling prey to negative thoughts and keeping up positive motivation is the challenge before us.

Both from the point of view of maintaining IT prosperity in India and of not creating a fertile ground for the Cyber Criminal workforce to increase, we need to find solutions to reduce the impact of the IT job losses that may hit the Indian IT companies in the next few months.

The one obvious thought is that the situation indicates that India’s IT development will be more dependent on outsourced business than it has ever been in the past. If Indian IT companies have to reduce their work force in the USA or cannot expand their present onsite workforce to meet future growth, the only solution left for them is to replace the current work force, or the future potential, with a “Virtual Workforce”.

But Mr Trump may be pushing the US IT companies to increase jobs in the IT industry, which may force them to bring pressure on Indian IT companies to recruit more locals in the US to replace the Indian workforce presently working onsite. Additionally, jobs in the IT industry are also being adversely affected by increasing levels of “Automation”, which may eat up some jobs, and we need to address this issue as well. Hence there is a challenge in replacing the current workforce of Indians working in the US with a virtual workforce without losing the business.

We therefore need to find innovative solutions to ensure that there is no job loss despite the new developments in US, Europe or elsewhere.

The problem that Indian IT companies are facing now has been partially created by the policies of the IT companies in the past, which gave more emphasis to “Body Shopping” rather than “Skills Marketing”. The industry has today built its business model on “Number of Billable Heads” rather than “Measurable Outputs”. It is now time for Indian companies to start changing the narrative of their business offerings from “We offer so many heads at xx dollars per hour” to “We offer the solution at a cost of xxx dollars per month”.

I therefore call upon the IT industry to start a new generation of BPOs where the concept of “head count based billing” is given the go-by and only “measurable service unit based billing” is adopted.

This apart, there is a need for the Government to provide some additional incentives for the BPO industry to be more competitive on the basis of “Solution Offerings”. The proposed new Data Protection Act of India will be one policy decision where Government action will affect the industry either positively or negatively, and hence it has to tread carefully when the new law is introduced.

Naavi


Protect Indian Companies through the proposed Indian Data Protection Act from possible GDPR Overreach

The Indian Corporate world exposed to any form of data processing involving a member of the European Union, including the countries which have exited recently (like Britain) or those who may exit in due course (say France?), is keenly watching the impact of the General Data Protection Regime (GDPR), which has come into force as a replacement for the well-known “Data Protection Act” of these countries. GDPR has been enacted as a “Regulation” and will be applicable from 25th May 2018. We are therefore in the transition period where the Companies in the EU, as well as those in India processing the personal data of EU citizens either through direct interaction with EU-based companies or with US companies working in the EU, are rewriting their data processing contracts to be in line with the GDPR.

25th May 2018 is not too far considering the criticality of the task and the need to check and double check whether the companies are on the right track.

Indian Companies get exposed to GDPR firstly through their data processing contracts and secondly through their own activities. The data processing contracts are expected to have performance requirements meeting the standards of GDPR and also an indemnity to compensate the vendor company for losses arising out of non compliance. If the Indian Company is directly operating in EU then it is directly exposed to the compliance requirements through its office in the EU.

Additionally, we expect that India will have its own Data Protection Act by 25th May 2018 which will impose responsibilities similar to GDPR and will also endorse the need to uphold contractual obligations as if they were legal obligations in India. This provision already exists in ITA 2000/8, and with or without a reiteration in the proposed Indian Data Protection Act, an agreement with an international vendor to comply with GDPR becomes a statutory obligation under ITA 2000/8 as well.

It is in this context that we need to take a serious look at two of the Articles of GDPR and understand how GDPR may apply to Indian Companies.

The first article that we need to observe closely is Article 3, which is on Territorial Scope of GDPR.

The Article states as follows.

Article 3: Territorial scope

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

The first clause of this article is relatively straightforward. It states that “in the context of activities of an establishment” which involves processing of personal data, the regulation is applicable whether the processing itself takes place in the EU or not. This means that even when the processing is outsourced, or the establishment itself maintains a processing center outside the EU, it is still under the scope of this regulation. Such an organization is therefore exposed to the possibility of imposition of the penalties that the GDPR envisages, which, as we know, extend up to 4% of the global turnover of the company.

Such companies will therefore impose clauses in their outsourcing contracts which require the sub-contractors to indemnify the company for any losses caused by them due to non-compliance with GDPR. The contracts will be deemed to also impose the responsibilities of a “Data Controller” as envisaged in the GDPR on the Indian sub-contractor, whether this is explicitly stated or implicitly meant.

Considering the huge liabilities envisaged in the GDPR, an open indemnity may be a proposition that will drive any Indian Company including the bigger and the biggest of them to insolvency if any major data breach occurs that results in imposition of penalties under GDPR.

Indian Companies therefore need to check what the compliance requirements are and how they should plan to implement them. They should also check if there are any exemptions and how they need to handle the conflicting aspects of the Indian law under which they operate, such as the existing ITA 2000/8 or the proposed Indian Data Protection Act. Additionally, they need to obtain appropriate Cyber Insurance, which will add to their costs by at least 1 to 1.5% of the potential liability. Since the potential liability is indifferent to the value of the contract, the cost of insurance in terms of the revenue generated by the contract can be many times more than 1.5% of the contract benefits.

Hence the Indian companies need to take the impact of GDPR seriously before taking up EU contracts. If the risk is not worth it, smaller companies need to withdraw from the contracts that impose indemnity against GDPR liabilities. Larger companies like Infosys or Wipro or TCS need to fight it out with the vendors for at least covering the Cyber Insurance costs.

Additionally, according to Article 3(2), any Indian Company which offers goods or services to a data subject in EU or monitors their behaviour is directly liable under GDPR as a “Data Controller”.

“Offering” goods and services may occur if the Company maintains a website through which online services are offered which can be availed by EU citizens. “Monitoring” of behaviour may also occur in such cases and also by companies which are engaged in data mining on a global scale. If such companies have not taken the precaution of including the “GDPR Exclusion Clause” as proposed by Naavi in their web site policies and contracts, then they are open to being held accountable under GDPR.

Assuming that such companies have no office in the EU nor any representative (required to be designated under Article 27), action can still be brought in India either under the existing ITA 2000/8 or under the proposed Indian Data Protection Act, and hence the risk of GDPR penalties may have to be addressed even by them.

In case of non-compliance, an Indian Company would be liable for the consequences and would also be answerable to its shareholders.

Such Indian companies may process the data within India or outside India. If they are storing the data within India, or even otherwise, they would be exposed to the possibility of an Indian law enforcement authority issuing or executing a search warrant for seizure of the data, which may amount to “Disclosure”. In certain cases, judicial authorities may order disclosure of some data which inter alia involves disclosure of personal data belonging to an EU citizen.

In such cases, we need to also observe the impact of Article 48 which states as under.

Article 48: Transfers or disclosures not authorised by Union law

Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.

What this Article implies is that a company subject to Indian law will be in conflict with the jurisdiction of the Indian Courts because of a contract it might have signed with a business partner who is bound by the EU regulation.

It may be noted that this Article is not simply a choice of “Jurisdiction” in a contractual agreement. On the other hand, it renders the Indian Courts impotent.

This Article also introduces confusion, since the general principle of Privacy does give law enforcement agencies and the Judiciary the right to intrude in certain circumstances.

GDPR does permit some exemptions to the “Rights of a Data Subject” for reasons such as national security, criminal investigation etc. So it appears difficult to comprehend that the Judiciary has no right even after a trial has been conducted and a judgement arrived at.

We therefore need to interpret this Article as applicable only if the data has to be released by an organization which is under the jurisdiction of the EU Courts, and not to companies which are under the jurisdiction of the Indian Judiciary, whether they process EU data or not.

Probably the confusion could have been avoided if the Article had specified that it is not applicable to data processors who are established outside the Union or that it was not in derogation of the rights of the Judiciary of the country in which the data controller operates.

The option now before the Indian authorities to reduce confusion is to introduce an appropriate clause in the proposed Indian Data Protection Act which is on the lines of Article 23 where the member nations are permitted to introduce laws that may impose restrictions on the rights of data subjects in cases of National Security, Defence, Public security etc.

Naavi advocates that a provision be made in the Indian Data Protection Act that

No international agency can launch any legal action against an Indian company except through the Indian Data Commissioner.

This would be a protective umbrella shielding Indian companies from frivolous threats from outside India.

This is not to advocate that Indian companies need not follow privacy protection. In fact GDPR does have good provisions for Privacy protection which are worth implementing even by Indian companies. However, it is desirable that the Indian Data Protection Commissioner takes the responsibility for disciplining Indian Companies rather than an EU Data Commissioner. Hence it is necessary to provide statutory protection so that penal action can be brought only through the Indian Data Commissioner’s office.

I request the MeitY to take this into account while drafting the new law.

Naavi


West Bengal Adjudicator imposes Rs 50000/- penalty on husband

In a first decision from the Adjudicator of West Bengal, an order has been passed against an estranged husband who spied on his wife’s phone using “Team Viewer” software.

See Report 

According to the report, the husband had installed a “Team Viewer” software on his wife’s phone and extracted certain Chats which were produced in a divorce suit to prove her disloyalty.

The Adjudicator, (IT Secretary Mr Talleen Kumar) has considered this as a violation of the wife’s privacy and ordered payment of Rs 50000/- as penalty.

Firstly, we congratulate Mr Talleen Kumar on his first decision as Adjudicator of West Bengal. I am aware that there are other cases pending before him, and they would also perhaps see the light of day.

At this point of time it is difficult to say that the husband will be too unhappy with the verdict, since his case in the matrimonial court may continue. Being a matrimonial Court, the question of whether the evidence produced for proving the disloyalty of the wife remains valid may be separately debated.

If appealed, this could be the first fresh case to be referred to TDSAT in its role as the new Cyber Appellate Tribunal under ITA 2000/8 and would test TDSAT on how it handles a Cyber Case. However, this does not appear to be a fit case for appeal and hence it may not have the privilege of being referred to TDSAT.

The other point to be noted is that “Team Viewer” software normally requires a confirmation from the destination computer for access. However, there is a feature called “Unattended Access” which, if activated, provides access to the destination computer without popping up a consent screen each time.

One of the newspapers has referred to the Team Viewer software as a “Virus”, and this should set the software manufacturer (Team Viewer GmbH) thinking about how to prevent its genuine and useful software being tarred with the image of a “Virus”.

This leads to the question of how to make software “Cyber Law Compliant”, and should be a lesson to all software manufacturers.

Naavi

Copy of the Judgement

[According to the West Bengal Government website, as of 4/4/2017, Mr Talleen Kumar was indicated as Principal Secretary, Paschimanchal Unnayan Affairs Dept., and Dr. Krishna Gupta was the Principal Secretary of the department of IT & Electronics. Probably Mr Kumar was transferred after delivering this award. The judgement seems to have surfaced in the last two days, almost 2 weeks after Mr Talleen Kumar ceased to be the Adjudicator. No date appears on the copy of the judgement except the date 26/11/2014, which obviously is the date of the complaint.]

P.S: According to one reaction to this article, Team Viewer was not used. My note above is based on the Telegraph report and I am awaiting further information on this. But the award confirms the use of Team Viewer and also a cloud storage facility, syncdroid.org. Probably it was not the Unattended Access of Team Viewer that was used but the backup on syncdroid to get the information, which is held as unauthorized access. … Naavi
