Creating a Protection for Indian Companies from European hegemony

The first question an Indian Company needs to answer for itself is whether it is exposed at all to the provisions of the dreaded GDPR and, if so, whether it needs to respond.

It must be clarified that Indian Companies appreciate the principle of Privacy and the need to protect privacy in data form as a part of the protection of the human rights of any global citizen. What is however creating resentment is the obnoxious level of penalties that GDPR empowers itself to impose on companies which are not actually established in the EU. This is seen as an attempt to build a hegemony in the Data Processing market across the globe. It is also perceived that the GDPR is trying to re-write the jurisdictional laws as they are understood in the “Borderless Cyber Society”.

There is a need for the authorities implementing GDPR to abrogate the clause of “percentage of global turnover” in Article 83. The financial limits of 10 or 20 million Euros are not an issue, but an open ended turnover based penalty is unreasonable and smacks of an arrogance that needs to be challenged. This should however be done by organizations such as NASSCOM, which should discuss it with countries such as the USA and Australia to form a global forum to protect the interests of the industry bodies.

At present, it is not however completely clear how the GDPR penalty clause will play out in the Indian market.

The GDPR recognizes two main roles for IT Companies namely

  1. Data Controller
  2. Data Processor

A “Data Controller” is one who has the power to decide on how the “personal Information” will be processed. “Data Processor” is the one who processes the information as determined by the Data Controller. The “Data Processor” is therefore a “Sub Contractor” to the “Data Controller” and does not have the contractual power to act independently.

A similar issue also exists under HIPAA-HITECH Act where the Business Associates (BA) are presently directly under the regulation of HHS in terms of the audits and imposition of penalties.

However, in the case of the HIPAA-HITECH Act, the jurisdiction boundaries are well defined and a company which has no legal establishment in the USA but works as a Business Associate is more appropriately recognized as a “Sub Contractor” bound only by the Business Associate Contract, which may have an indemnity clause to protect the liabilities arising on the Covered Entity or another BA in the USA which has outsourced the business to the Indian Sub Contractor.

The GDPR has however tried to establish its control even over companies established outside the EU through some of its provisions, which need a close watch.

Under Article 3 (1),

“GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”

Under Article 3(2),

“GDPR applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”

Under Article 3(3)

“GDPR applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.”

Article 3(3) obviously applies to countries under some kind of a Treaty or Convention which includes the protection of Privacy of EU citizens.

Article 3(1) applies to Data Controllers or Processors which have an establishment in the EU, including those which outsource the data processing to another entity outside the EU or use the Cloud for certain parts of their services.

It is Article 3(2) which extends extra-territorial jurisdiction to the Regulation, and it contains two sub clauses.

The first sub clause is directed at Data Controllers or Processors which are not established in the Union but “offer goods or services” to data subjects in the Union.

The second sub clause is directed at Data Controllers or Processors which are not established in the Union but “monitor the behaviour of EU data subjects to the extent that it takes place within the EU”.

It may be noted that a “Data Controller” is defined as one “who determines the purposes and means of the processing of personal data”.

A person who collects the data is not included as a “Data Controller” though he may come under the category of a “Data Processor”.

Indian Companies like Infosys, TCS or Wipro, which have direct IT contracts with EU Companies, may be “Data Controllers”, but most other companies will be “Data Processors” since they may be only sub contractors.

However, most of the Indian Companies may not be “Offering Services” to EU data subjects, though they may be offering services to “EU based companies”. In such cases, it is possible to interpret Article 3(2) as not being applicable to such Indian Companies.

This interpretation also goes with ITA 2000/8, where, in defining due diligence under Section 79, the Government of India has clarified that the obligation of obtaining “Consent” from data subjects lies with the “person collecting the information from the data subject” and not with the company which receives the personal information of data subjects from another company which has collected it.

In other words, ITA 2008 recognizes the “Collector of Personal Information from the data subject” as the “Data Controller” (though this terminology is not used) and everybody else becomes a “Sub Contractor”. GDPR has knowingly or unknowingly created a class of “Recipient of Data” who is the first party to interact with the Data Subject but may not be a “Data Controller”. The “Recipient” could be a sub contractor of a Data Controller and hence a “Data Processor”. Subsequently, under the directions of the Data Controller, the Recipient may transfer the data to another “Data Processor” who may actually have a contract with the Data Controller and no direct relationship with the “Recipient”.

Indian Companies which are not receiving personal data from the data subjects and not having an establishment in EU are purely “Data Processors who are not established in EU and not offering services to EU data subjects”. Their liability for GDPR implementation is therefore only through the Contract with the Data Controller who may be an establishment in EU or one who may not have establishment in EU but determines how the data is to be processed.

The “Indian Sub Contractors” are therefore bound by ITA 2000/8 which of course defines reasonable security practice as what is contained in the contract with the data supplier. The Data Controller is therefore well within his rights to state in the contract that the data processor in India has to follow all the security measures indicated under GDPR. He can also put an indemnity obligation that if any loss is caused due to his action or inaction, it should be reimbursed to the extent of a stated limit.

An open ended contract which makes an Indian Company liable to pay a foreign entity may actually be a violation of FEMA and hence ultra vires Indian law. The “Turnover based penalty” can therefore neither be applied to Indian Companies nor accepted by Indian Companies.

As regards websites of Indian Companies or mobile Apps which may be used globally, it is essential for the companies to include a “GDPR Exclusion Clause” on the lines of what is proposed under the privacy policy of Naavi.org which states as under.

QUOTE:

GDPR Exclusion

It is declared that Naavi.org follows the principles of Privacy protection under Information Technology Act 2000 as amended from time to time and where there is a conflict with any other international law or guideline, the provisions of ITA 2000 shall prevail. In particular, Naavi.org does not subject itself to the administrative jurisdiction of GDPR and any data subject who intends to be protected by GDPR and not ITA 2000 shall not use any of the services of this site or its networked sites. Any claims made under non-ITA 2000 statutes or regulations regarding privacy protection or otherwise are unacceptable and may be deemed as maliciously intended.

UNQUOTE

It is also possible to consider that the act of visiting a website established from the shores of India and availing any of its services is like “Virtually visiting Indian shores” and hence does not constitute an “Activity of the Data Subject in the EU”.

Hence I would like Indian Companies on the web and the App developers to review their privacy policies and include a “GDPR Exclusion Clause” so that they are not unnecessarily exposed to liability under GDPR for a stray visitor who may come from the EU.

Naavi

Posted in Cyber Law | Leave a comment

NPCI and RBI cannot absolve themselves of responsibility in UPI Fraud

The recent Bank of Maharashtra UPI Fraud, in which Rs 25 crores were siphoned off from the Bank through UPI payment requests which were honoured by the system though there were no funds in the accounts, as well as the report by a security firm that at least 7 UPI apps of different Banks are infected with malware, has raised yet again the question of the irresponsible manner in which RBI has been conducting itself in pushing insecure digital payment systems down the throats of unsuspecting citizens.

The Government of India is, knowingly or unknowingly, incentivising digital payment usage for its own reasons without ensuring the safety of the citizens. Naavi.org has been time and again warning the Government and Mr Modi that without the security blanket of Cyber Insurance for all, the digital payment initiative is a boon for fraudsters and ultimately the price will be paid by the ordinary citizens of the country.

The Bank of Maharashtra fraud created a loss for the Bank only and not for its customers, since the payments were made without balance in the accounts. If the Bank had Cyber Insurance for itself, it should have been covered. This is like the Bank of Muscat fraud in which over Rs 245 crores were siphoned off by international fraudsters from accounts without balances. However, this indicates the surfacing of the inefficiency in our Banking system when Banks are pushed too fast into the digital process.

Government and RBI should appreciate that transformation has to be managed properly and even a good medicine works only when given in proper doses.

The key to the current digital payment system is the organization called NPCI. NPCI today operates the technology platform through which all the UPI payments go. It has also taken over the systems which were earlier being managed by IDRBT. It is today the hotbed of digital payment risks in India and there is a need to question whether it is adequately equipped to shoulder its responsibilities.

Firstly, NPCI is not constituted to be an “Independent Organization” free from the operation of vested interests in Banking circles. IBA and 10 prominent Banks are the promoters of NPCI, and this is the biggest flaw in the structuring of NPCI. IBA is a body of commercial Banks, and the Banks are profit oriented commercial organizations. They have completely lost the vision of public service with which they were started. Hence NPCI also has a complete conflict of interest. RBI on its own cannot manage this conflict, as it is completely dominated by the IBA when it comes to critical decision making.

Hence the management of NPCI and its decisions are always expected to protect the interests of the commercial Banks and are not meant to fulfill the objectives of Secure Banking regulation in India, which is the RBI’s role.

I welcome RBI to challenge this statement and prove that I am wrong.

In the Bank of Maharashtra case, NPCI has washed its hands of the matter, stating that it was the responsibility of the Bank to reconcile its NPCI transactions with the Core Banking ledgers and that it had failed to do so. However, consider the technical sequence: the Core Banking system sent two messages, “Success” and “Error”; “Success” meant that “the transaction reached the Core Banking server and was processed” and “Error” meant that “the transaction is rejected because there is no balance in the account”. If the UPI system failed to distinguish the two and the NPCI servers accepted the first message as if “the transaction was successful”, the problem lies squarely with NPCI.

If the fraud is adjudged fairly, the legal liability for the fraud should lie more with NPCI rather than Bank of Maharashtra.

RBI and probably NPCI adopt the same principle in managing ATM transactions. In the case of all transactions with cloned cards, the NPCI managed systems only indicate to the Banks “Transaction Successful”, and the Banks claim this to mean that only the genuine card was used in the transaction. Most of the Card frauds are disposed of by the RBI’s Banking Ombudsmen only on the basis of a piece of paper doled out by the NPCI system stating that the “Transaction was successful”.

In the same way, NPCI has now responded to the statement from the Core Banking system about the fraudulent “Pull Request” sent through the Bank of Maharashtra UPI. NPCI fails to recognize that “Transaction Successful” only means that technically the handshake was established between the two systems and the session was successfully established. If this was followed by the next message, “There is no balance in the account and hence the transaction is rejected”, NPCI cannot say that it had already closed the session and lost the second message. The systems were perhaps wrongly configured and the session was prematurely closed without a “session close” message from the Core Banking system.

My views here are not based on any direct interaction with NPCI and may therefore be incorrect. But the probability of this view being correct is high, and I welcome it if NPCI has any technical explanation of why it interpreted the Core Banking message wrongly.
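To make the failure mode discussed above concrete, here is an added example (not NPCI's or the Bank's code, and not based on their actual message formats) that settles a constructed stream of core-banking replies in two ways: a naive settler that treats the first acknowledgement as final and drops anything that arrives after it, beside a settler that pays out only on an explicit debit confirmation and sends everything else to reconciliation. The message names, transaction ids and ledger are all constructed for illustration.

```python
"""Two ways to settle UPI-style pull requests from a stream of core-banking replies.

Constructed model: the core banking system answers each request first with an
acknowledgement ("SUCCESS" = the request reached the server and a session exists)
and later with a disposition ("DEBITED" or "ERROR"). Names and values are invented.
"""
from collections import OrderedDict

# Constructed reply stream. Each entry: (transaction id, message, detail).
CORE_REPLIES = [
    ("T1", "SUCCESS", "session established"),
    ("T2", "SUCCESS", "session established"),
    ("T1", "DEBITED", "amount 5000 debited"),
    ("T3", "SUCCESS", "session established"),
    ("T2", "ERROR", "insufficient balance, transaction rejected"),
    # T3 never receives a disposition: the session was dropped.
]


def naive_settle(replies):
    """Treat the first reply per transaction as final and close the session.

    This models the suspected behaviour: the acknowledgement is read as
    'transaction successful' and any later reply for that transaction is lost.
    """
    outcome = OrderedDict()
    for txn, msg, _detail in replies:
        if txn in outcome:
            continue  # session already closed; the second message is dropped
        outcome[txn] = "PAID" if msg == "SUCCESS" else "NOT_PAID"
    return dict(outcome)


def robust_settle(replies):
    """Pay out only on an explicit debit confirmation.

    An acknowledgement moves the transaction to PENDING; only DEBITED or ERROR
    finalises it. Anything still PENDING at the end is held for reconciliation
    rather than paid, and a reply for an already-final transaction is recorded
    as an anomaly instead of being silently ignored.
    """
    state = OrderedDict()
    anomalies = []
    for txn, msg, detail in replies:
        if state.get(txn) in ("PAID", "NOT_PAID"):
            anomalies.append((txn, msg, detail))  # late message after finality
            continue
        if msg == "SUCCESS":
            state[txn] = "PENDING"
        elif msg == "DEBITED":
            state[txn] = "PAID"
        elif msg == "ERROR":
            state[txn] = "NOT_PAID"
        else:
            anomalies.append((txn, msg, detail))  # unknown message type
    return dict(state), anomalies


def reconcile(payouts, ledger_debits):
    """Return transactions paid out by the switch but never debited in the core ledger."""
    return sorted(t for t, s in payouts.items() if s == "PAID" and t not in ledger_debits)


if __name__ == "__main__":
    ledger = {"T1"}  # constructed core-banking ledger: only T1 was actually debited
    naive = naive_settle(CORE_REPLIES)
    robust, anomalies = robust_settle(CORE_REPLIES)
    print("naive :", naive, "unbacked payouts:", reconcile(naive, ledger))
    print("robust:", robust, "unbacked payouts:", reconcile(robust, ledger),
          "anomalies:", anomalies)
```

With the constructed stream, the naive settler pays out all three transactions (two of them with no matching ledger debit), while the robust settler pays only T1, rejects T2 and holds T3 for reconciliation.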

Further, it was as much the responsibility of NPCI to test the system of UPI integration as that of Bank of Maharashtra and such integration had to be tested not only for the technical aspects but also “Techno Legal Aspects”. NPCI has failed to make its systems techno legally robust.

It is this same negligence which allowed the malware in the HITACHI ATM which resulted in 32 lakh SBI Debit cards being withdrawn and millions more compromised by allowing the malware to worm its way from the ATM to NPCI servers, sit there and send out information to fraudsters without NPCI detecting the presence of the trojan in its systems.

Now that 7 more Bank UPI apps are said to have been infected with malware, NPCI has a duty to publicize the names of the Banks so that customers can take a decision to uninstall these apps. By withholding the names of the compromised Apps, NPCI is abetting the fraudsters and further endangering the customers. It also violates the RBI regulation that a breach has to be notified by Banks and the CERT-In notification that NPCI needs to report it to CERT-In.

In the light of these developments, the AEPS (Aadhaar Enabled Payment System), which is likely to be introduced despite the recent revelations that a “Biometric store and replay attack” is very much possible (refer to the incidents where Axis Bank and eMudhra were charged, or where Jio SIM Cards were fraudulently issued), will increase the fraud risks in digital payment systems. NPCI, RBI and the Government of India will be responsible for any scams that may be perpetrated in this domain in which the public may lose money.

I have warned time and again that Mr Modi’s Government may have to pay a price for not instituting a “Mandatory Cyber Insurance” that covers the public for all such digital payment frauds. I hope they listen to this friendly advice or face the risk of a huge reputation loss in the next elections.

PayTM has shown the way by providing cyber insurance cover for its customers and this should be mandatory for all Banks (RBI stated as much in its Internet Banking Guidelines issued in June 2001 but promptly rejected by most Banks for cost considerations).

NPCI cannot absolve itself of its responsibilities for the digital payment frauds since it is an intermediary in all the transactions. It can have its indemnity with the Banks but litigation where NPCI is a party as “Accused” for “Facilitating the fraud by negligence” cannot be avoided.

Last but not the least…. Dear Mr Urjit Patel, what happened to the “Limited Liability Circular” of August 11, 2016? …Your team is still looking into public comments?… Or is RBI lying in the RTI application? Unable to say… “Sorry, our Bankers are not willing to accept the terms of the circular and hence we will keep quiet until everybody forgets the issue”

Naavi

Related Articles

Mobile apps of 7 Indian banks infected with malware, says study

Bug in UPI app costs Bank of Maharashtra Rs 25 cr in one of India’s biggest financial frauds

Bank of Maharashtra’s UPI app bug: Old world fraud using new age toys

Bank of Maharashtra accounts lost Rs25 crore due to UPI bug, says NPCI

Bank of Maharashtra reports another UPI breach; bank loses Rs 1.42 crore: report

NPCI and iSpirt say glitches in a bank’s UPI app caused fraudulent transactions

Bank of Maharashtra fraud: Accused committed similar crime earlier in Pune, say cops

[P.S: NPCI has, in a personal clarification from one of its top management persons, reiterated that the fault in the case of the Bank of Maharashtra fraud does not lie with NPCI. This implies that either the Core Banking software of Bank of Maharashtra is to blame or the configuration of the Core Banking software was faulty. The Core Banking software of Bank of Maharashtra has been implemented by TCS, which can clarify. Further details of how the communication between the Core Banking system and the UPI system could have led to erroneous results are awaited and will be published when received. As regards the report about 7 UPI apps being infected with malware, NPCI has stated that the report itself is faulty…..Naavi]


The GDPR Threat hangs over the head of Indian IT Processors

The Indian IT industry has a high stake in the outsourced business from the US, EU and UK markets. A good part of this outsourced business involves processing of “Personal Data” of data subjects of the respective country. As regards the US, India has many processors who process health data and are accustomed to complying with the HIPAA and HITECH Acts. India has its own ITA 2000/8, which also imposes protection of both personal data and sensitive personal data. Now the EU has upped the stakes in privacy protection by pushing the GDPR (General Data Protection Regulation), which replaces the Data Protection Act that has been in place for the last two decades. The UK is now in transition, where it is out of the EU but is yet to adopt the regulatory mechanisms in its own name. However, the UK is also expected to adopt GDPR in toto.

The challenge for Indian data processors is that the GDPR requires them to appoint a “Representative” in any one of the EU countries if they have a stake in the processing of data related to EU residents. This exposes them directly to the risks of non-compliance, in addition to the clauses that may be found in the Business Associate Contract, where the data processor agrees to an indemnity clause with the data controller to compensate him for any losses caused to him on account of any data breach.

What is important for Indian Companies to realize is that the penalties payable under the GDPR by the data controller may be humongous, since the GDPR speaks of up to 20 million Euros or 4% of the worldwide turnover, whichever is higher. If Indian companies blindly agree to comply with the GDPR along with an open indemnity clause, they will be signing their death warrants.

The Boards of Indian Companies exposed to GDPR risk should therefore disclose in their financial statements what precautions they are taking to protect the interest of the share holders. The first thing that a share holder would like to know is whether the Company has an exposure to GDPR and if so whether an impact assessment has been made. If so, the share holders would like to know if the Company has obtained Cyber insurance against losses arising out of any data breach and whether the quantum of such insurance is adequate. If not, the Company needs to justify to its share holders why they think they are insulated from this risk.

Additionally, it is necessary for Indian Companies to:

a) Identify whether they are exposed to GDPR risk and, if so, where and how the GDPR data exists in their data environment, who has access to it and how it is secured.

b) Undertake a risk assessment to identify the risks of a data breach.

c) Put policies and procedures in place to ensure compliance.

d) Document accountability for the compliance requirements through appropriate technical and other measures.

e) Maintain a proper testing and audit environment to check from time to time whether the compliance measures are holding and whether any corrections are required.

The deadline for implementation of GDPR is 25th May 2018. However, if any EU Company is processing data with an Indian Company, then it would be interested in freezing their compliance documentation much before May 2018 since if the Indian Company is unable to meet the stringent standards, the EU company needs to find an alternate supplier and build the technical bridges that are required for the transfer of business. It would therefore be reasonable for such companies to start their negotiations today if they have not already started.

At the same time, it is also prudent for the Indian companies to introspect their systems and procedures and be ready to face any questions that the EU client may raise. It should be able to face an audit from the customers if the stakes are high.

A GDPR Audit will therefore be required to be undertaken by Indian Companies which have any relationship with an EU Company with the likelihood of undertaking data processing involving EU data.

GDPR requires “Privacy By Design” which may mean that the EU Client may require some process changes in data processing which may impact the cost of processing and also involve some time for implementation. If the data processor has himself sub contracted any of its processes, there is a need to ensure that the compliance requirements are also implemented at the sub contractor’s level which is another huge responsibility. In most cases the data processors may have to take up the currently sub contracted work in house. This will again change the cost profile of the service.

In most cases of sub contracting it will be inevitable to introduce “De-identification” or “Pseudonymisation” of data, with attendant technical issues. This would be yet another reason for cost escalations, and for data breaches due to failure of technical controls.

In view of these implications beyond the technical aspects of preserving the Confidentiality, Integrity and Availability, the Information Security professionals of Indian Companies need to immediately start internal discussions with the top management for rolling out the process of GDPR compliance.

The very first step in GDPR compliance is the designation of a senior person as the “Data Protection Officer” who may have to take up the next step of creating “Awareness” firstly among the top management so that further implementation steps can be undertaken.

I would urge all Indian Companies to start a review to see if they cross these two steps before actual implementation challenges can be identified for further action.

During the next month or so, most of the large IT Companies will have their shareholders’ meetings and financial audits by the audit firms. I urge shareholders to raise questions in the AGM about the action taken by the Company for meeting the GDPR non-compliance risk, and all CA firms involved in financial auditing to ensure that suitable qualifications are made to the disclosures as may be required on account of the GDPR risk not having been identified and adequately covered.

Naavi


Telangana Court poses a question to Supreme Court on Section 66A

Recently a judgement from Hyderabad under ITA 2000/8 has raised interesting debates in Cyber Law circles which make a good case study for academic purposes.

Presently we are commenting on the basis of the following two news reports:

Times of India Report : Navy Man gets 2 years imprisonment 

Indian Express Report : Sentence under Section 66A.

We shall try to get the copy of the judgement for further clarification.

One of the debates that has ensued post the judgement is that the conviction includes “Section 66A”, which the Supreme Court quashed on 24th March 2015 in what is popularly called the Shreya Singhal Case.

Most specialists are shocked at how the Court can pass a sentence on a section which has been termed by the Supreme Court as “Anti Constitutional” and quashed.

Does it indicate that the lower Court was ignorant? Did the investigating officer mislead the Court? These are some of the questions doing the rounds.

The facts of the case indicate that the incident happened in 2010. At that time the victim was a minor and Section 66A was still valid. The object of crime was an online Chat dated 27th February 2010 where the accused was supposed to have lured the girl to an online relationship. The conviction is said to be under Sections 67, 67-B, IPC 509 besides Section 66A.

The accused has now preferred to file an appeal and the final word on the judgement will be known later.

As regards the Court giving a judgement against the Supreme Court view, it appears that the Judge has gone with the view that the Shreya Singhal judgement did not have any “Retrospective” effect and the cause of action in the current case arose in 2010 when Section 66A was very much valid. In our opinion, this is a correct reading of the Shreya Singhal judgement and the Judge must be credited for his brave decision against the popular sentiment.

If it is argued that at the time of the judgement Section 66A had been scrapped and hence this should have been taken into account by the Judge, the point also arises that at this point of time the victim was no longer a “Minor” and Section 67B was not applicable, though Section 67 was still applicable.

Further the presentation of admissible evidence should have been done under Section 65B (IEA) certification though this loses significance if the accused admitted the offence.

But the judgement has really raised an important point: we need to look at an offence in the light of the date on which the cause of action arose and the laws in force at that time, unless there is a compelling law that gives retrospective or prospective effect to the provisions. October 17, 2000 was when Section 67 of ITA 2000 and Section 65B of IEA became effective; October 27, 2009 was the day when Sections 67A, 67B and 66A became effective; and March 24, 2015 was the day when Section 66A was quashed. These dates have to be kept in mind by Police and Courts to apply the different provisions of law as contained in ITA 2000.

The second point of debate that has come up in the case is that the accused was a Navy person. The victim was the daughter of a Navy person and the crime was committed on board a Navy vessel. In this case, whether the jurisdiction for trial should have been with the Military Court is a point to discuss. Probably the victim was not on board the Navy vessel and was in the Civil area. (Or was she residing in a Cantonment area?)

Had the Navy Court taken cognizance of the matter and started a trial, it would have been difficult for the Hyderabad Court to proceed with the trial as it would have become a fit case for “Double Jeopardy”. By not initiating action, the Navy has allowed the proceedings in the Hyderabad Court to continue.

I understand that the Madras High Court in a case in 2009 had refused to transfer a criminal case to the Army Court. (Refer here). This was however a case of a physical crime of murder in civil society and stood on a different footing. In that case the person was on leave and the claim for transfer was based on Section 475 of CrPC, which states as under:

Quote:

475. Delivery to commanding officers of persons liable to be tried by Court- martial.
(1) The Central Government may make rules consistent with this Code and the Army Act, 1950 (46 of 1950 ), the Navy Act, 1957 (62 of 1957 ), and the Air Force Act, 1950 (45 of 1950 ), and any other law, relating to the Armed Forces of the Union, for the time being in force, as to cases in which persons subject to military, naval or air force law, or such other law, shall be tried by a Court to which this Code applies or by a Court- martial; and when any person is brought before a Magistrate and charged with an offence for which he is liable to be tried either by a Court to which this Code applies or by a Court- martial, such Magistrate shall have regard to such rules, and shall in proper cases deliver him, together with a statement of the offence of which he is accused, to the commanding officer of the unit to which he belongs, or to the commanding officer of the nearest military, naval or air force station, as the case may be, for the purpose of being tried by a Court- martial. Explanation.- In this section-
(a) “unit” includes a regiment, corps, ship, detachment, group, battalion or company,
(b) “Court-martial” includes any tribunal with the powers similar to those of a Court-martial constituted under the relevant law applicable to the Armed Forces of the Union.
(2) Every Magistrate shall, on receiving a written application for that purpose by the commanding officer of any unit or body of soldiers, sailors or airmen stationed or employed at any such place, use his utmost endeavours to apprehend and secure any person accused of such offence.
(3) A High Court may, if it thinks fit, direct that a prisoner detained in any jail situate within the State be brought before a Court- martial for trial or to be examined touching any matter pending before the Court- martial.

Unquote

According to this section, the Magistrate “shall” transfer the case to the commanding officer, though the phrase “in proper cases” is subject to interpretation. The Madras High Court used this interpretation to refuse transfer of the trial to the Military Court.

However, under the Uniform Code of Military Justice (UCMJ) of the USA (Refer here), if the offender is an active service member, the UCMJ applies. If the crime violates both the State civilian law and military law, it may be tried by either or both. But the two Courts need to coordinate and avoid “Double Jeopardy”.

In the Telangana case, this point was completely missed, though, this being a “Cyber Crime”, the “crime is deemed to have been committed at the place from which the offending message was sent, namely the Navy vessel”. Hence the place of the crime was a military space and the offender was military personnel. Even the principle of natural justice indicated that the trial should have proceeded in the military Court, since the complainant was also a Navy person (the victim being a minor).

Since in the case,

a) Jurisdiction of the Civil Court is itself questionable

b) Evidence was inadmissible due to lack of Section 65B certification (assuming that the admission is not sufficient)

the judgement requires a review.

Naavi

(P.S: I am waiting for further information on this case as well as Supreme Court judgements on Section 475 of CrPc based on which supplementary discussions can be continued by experts)

Related Article:

USI of India:

This article says that defence of Double Jeopardy is not available. Needs to be explored further by experts.

Posted in Cyber Law

Notice through WhatsApp… Mr Khemka’s order

This is in continuation of the previous article “Is a WhatsApp Notice valid in law?… A Case for Cyber Notice service”.

The copy of the order of Mr Khemka is now available and reproduced here. Some key observations in the order are discussed here.

The first point of observation is that the order states that the mobile number of the respondent, to which the WhatsApp notice was ordered to be sent, was provided by the petitioner. The Financial Commissioner did not have first-hand knowledge of the mobile number. It was the advocate of the petitioner who stated that he had spoken to the respondent and informed him about the summons, and that the respondent had refused to provide his address.

Based on this averment, the Financial Commissioner ordered that an “image” of the summons be sent through WhatsApp by the petitioner to the respondent, and that the same shall be treated as a proper mode of service. It was also ordered that the petitioner would produce proof of electronic delivery through WhatsApp messenger by taking a printout and duly authenticating the printout by affixing his signature.

It appears that the Financial Commissioner ignored the fact that “electronic documents” need to be authenticated with digital signatures, and that printouts of electronic documents need to be accompanied by a Section 65B certificate to be admissible as evidence.

The order therefore appears not to be in conformity with the laws applicable to electronic documents under ITA 2000/8. The Financial Commissioner may assume certain powers to define the procedures for the proceedings in his Court, but whether that extends to ignoring provisions of ITA 2000/8 is a moot point.

The Financial Commissioner has  quoted a Supreme Court Order in the case M/s. SIL Import, USA v. M/s. Exim Aides Silk Exporters, Bangalore, (AIR 1999 SC 1609) to substantiate his stand that technology advancement has to be adopted by Courts. We fully agree that certain flexibility to adopt technology through creative interpretation of legacy law is acceptable and desirable but such interpretations should be used to fill gaps in the law and not to openly flout other laws.

The decision arrived at by the Financial Commissioner here does not appear to have been based on a proper appreciation of ITA 2000/8 and can create a bad precedent which may spread misunderstanding of the WhatsApp system and its validity under Indian law.

The Supreme Court case used as support for this decision referred to the validity of a “fax” message as a valid notice regarding dishonour of a cheque, sent just before the time available for notice was to expire. The Supreme Court allowed the use of fax as a valid mode of transmission of a notice. The circumstances of that case were not directly applicable to the case before the Financial Commissioner.

The technology of facsimile transmission is not a transmission of an “electronic document” and is not covered under ITA 2000/8. A fax message is to be treated as the transmission of an analog message over the telephone network, covered under the Telegraph Act, and hence ITA 2000/8 may not be applicable to it. Also, this Supreme Court decision was a “pre-ITA 2000” decision and requires review, even if in today’s context a facsimile message may be sent as a digital transmission.

Hence relying on this decision by Mr Khemka as the Financial Commissioner for a transmission of an electronic document which falls well within ITA 2000/8 is debatable.

In our opinion, a WhatsApp message or an SMS can be considered an electronic document and would be valid as the equivalent of a paper document. But it would be treated as an “unsigned” paper document if it is not digitally signed using a digital signature certificate issued by a licensed certifying authority. If it has to be admitted as evidence, collateral information with suitable metadata has to be added, and the printout must carry a Section 65B certificate.

In the subject case, the WhatsApp message was being used as a substitute for a Court summons and, additionally, it was not even sent from the Court’s phone number or e-mail. The Court delegated the sending of the notice to the petitioner, who had a vested interest in the notice. The Court also does not seem to have made any effort to check the petitioner’s averment that the respondent is indeed the owner of the said mobile number and that he was using the WhatsApp account (which has its own distinct identifier) to which the message was ordered to be sent. Hence it is difficult to presume that the summons was properly served.

The order can therefore be considered as a decision that can be challenged and overturned.

Naavi

Posted in Cyber Law

Is a WhatsApp Notice valid in law?… A Case for Cyber Notice service

A Financial Commissioner (FC) Court in Haryana, considered a quasi-judicial body, headed by the IAS officer Ashok Khemka, has created what can be considered a “double-edged precedent” by sending a “summons” through WhatsApp. (I suppose this Ashok Khemka is the same person who made news by his fight against Mr Robert Vadra.)

As per details available here, the order was passed since the petitioner in a partition case did not have the address of the respondent, who had shifted to Kathmandu; as per the records of the Commission, the person had spoken over the phone but not revealed his address.

Mr Khemka seems to have observed that “An E Mail address or a mobile phone number is also the address of a person in the present times” and ordered that the summons may be sent by a WhatsApp message and a “Printout” of the delivery report on WhatsApp shall be considered as a proof of delivery.

At first glance this is a progressive thought and Mr Khemka should be congratulated in thinking creatively.

But it must be observed that the Court did not make an attempt to get the registered billing address of the SIM card from the mobile service provider, which would have solved its immediate problem and also provided evidence that the device belonged to the respondent.

Naavi has been pioneering the principle that “Cyber Notice” is more relevant than other forms of notice  and even set up the service under “Cyber-notice.com” to provide legally valid notices in Cyber Space.

Mr Khemka’s order is welcome as it shows the preparedness of judicial authorities to think positively about the use of technology for legal notices. However, it is necessary that notices are served in a manner that cannot be legally questioned, unless the notice is only a matter of special privilege granted to the litigant and the Court is prepared to hear the case ex parte if the respondent does not show up.

A notice otherwise has to meet the legal requirements of the land, and merely serving the notice on WhatsApp and taking the colour of the tick mark on the message as a “delivery receipt” is fraught with dangerous and undesirable consequences.

While on the one hand some Courts are challenging “Talaq” over WhatsApp and some are questioning the legal validity of WhatsApp itself, for another Court to give legitimacy to a WhatsApp notice is a huge contradiction.

Under the principles established by Naavi at Cyber-Notice.com or ceac.in, electronic notices are served with a trusted third party taking responsibility for creating documentary records, which add weight to the evidence of delivery, together with a Section 65B certification.

In Mr Khemka’s order, there is an assumption that a person spoke from a mobile number, was identified by voice as so-and-so, and that the phone number could be treated as his address. The notice itself was then sent to an intermediary called WhatsApp, which redirected the message to an app supposedly installed on the device with that mobile number, and the Court relied on the colour coding of the delivery information displayed on the mobile.

The following questions need to be answered if the notice is to be considered acceptable:

a) What if the voice identification of the person is wrong?

b) What if the WhatsApp application is actually installed on a device other than the one indicated, or is accessed only from a web application?

c) What if the delivery system does not function reliably?

If CEAC.IN or Cyber-Notice.com had handled this notice delivery, it would have created supplementary records and provided a Section 65B certification for the process. With the evidence so created, the delivery would be far more acceptable in law than a Court registrar sending a WhatsApp message to a number believed to be controlled by the respondent.
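The two passages above (the one on collateral metadata and a Section 65B certificate in the earlier article, and this one on a trusted third party creating supplementary records) both turn on the same point: a delivery tick is not evidence, but a record that binds the exact bytes served, the recipient address given, the channel, the time and the responsible person is. The following is an added illustration of what such a record could contain and how its integrity can be checked later. It is not the code of CEAC.IN, Cyber-Notice.com, WhatsApp or any Court; the field names, the certificate wording, the HMAC seal (standing in for the custodian's digital signature), the placeholder number and the sample notice bytes are all assumptions made for the example.

```python
"""Tamper-evident record of an electronic notice delivery, with a
Section 65B style certificate.  Added illustration only: not the code
of CEAC.IN, Cyber-Notice.com or any Court.  Field names, certificate
wording, the seal key and the sample notice are assumptions."""
import hashlib
import hmac
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest used to identify the electronic record."""
    return hashlib.sha256(data).hexdigest()


def canonical(obj: dict) -> bytes:
    """Deterministic JSON so the seal covers exactly one byte sequence."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_delivery_record(notice: bytes, recipient: str, channel: str,
                          sent_at: datetime, delivery_report: dict,
                          custodian: str, device: str) -> dict:
    """Collect the collateral metadata a bare delivery tick does not carry.

    The hash binds the record to the exact bytes served; the other fields
    are what a trusted third party would log about the sending device,
    the channel, and the recipient address it was given (not verified).
    """
    return {
        "notice_sha256": sha256_hex(notice),
        "notice_length": len(notice),
        "recipient_address": recipient,      # address as supplied, e.g. a mobile number
        "channel": channel,
        "sent_at_utc": sent_at.astimezone(timezone.utc).isoformat(),
        "delivery_report": delivery_report,  # whatever the channel returned, verbatim
        "custodian": custodian,              # person responsible for the system
        "device": device,                    # device/system that produced the record
    }


def seal_record(record: dict, key: bytes) -> dict:
    """Attach an HMAC-SHA256 seal over the canonical record.

    Stands in for the custodian's signature; a real service would use a
    digital signature certificate from a licensed certifying authority.
    """
    seal = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {**record, "seal": seal}


def verify_record(sealed: dict, key: bytes, notice: bytes) -> bool:
    """True only if the seal is intact and the notice matches the record."""
    body = {k: v for k, v in sealed.items() if k != "seal"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed.get("seal", "")):
        return False
    return hmac.compare_digest(body["notice_sha256"], sha256_hex(notice))


def certificate_text(sealed: dict) -> str:
    """Plain-language certificate covering the particulars 65B(4) asks for:
    identification of the record, how it was produced, the device, and the
    responsible person.  The wording is assumed, not a statutory form."""
    return (
        f"I, {sealed['custodian']}, certify that the electronic record with "
        f"SHA-256 {sealed['notice_sha256']} ({sealed['notice_length']} bytes) "
        f"was transmitted via {sealed['channel']} to {sealed['recipient_address']} "
        f"at {sealed['sent_at_utc']} from {sealed['device']}, which was operating "
        f"properly and in regular use, and that the delivery report recorded was "
        f"{json.dumps(sealed['delivery_report'], sort_keys=True)}."
    )


# Constructed sample inputs: an opaque byte string stands in for the summons image.
SAMPLE_NOTICE = b"<image bytes of the summons, constructed for this example>"
SAMPLE_KEY = b"custodian-seal-key-assumed-not-for-production"
SAMPLE_SENT_AT = datetime(2018, 4, 15, 10, 30, tzinfo=timezone.utc)
SAMPLE_REPORT = {"status": "delivered", "ticks": 2}


def sample_record() -> dict:
    """Build and seal a record for the constructed sample notice."""
    rec = build_delivery_record(SAMPLE_NOTICE, "+91XXXXXXXXXX (placeholder)",
                                "WhatsApp", SAMPLE_SENT_AT, SAMPLE_REPORT,
                                "Custodian (assumed)", "Notice server (assumed)")
    return seal_record(rec, SAMPLE_KEY)


if __name__ == "__main__":
    sealed = sample_record()
    print(certificate_text(sealed))
    print("intact:", verify_record(sealed, SAMPLE_KEY, SAMPLE_NOTICE))
    print("altered notice:", verify_record(sealed, SAMPLE_KEY, SAMPLE_NOTICE + b"x"))
```

Note what the record does and does not establish: it proves which bytes were sent to which supplied address at what time by whom, and it detects later alteration of either the record or the printout. It does not prove that the supplied number belongs to the respondent, which is exactly the gap the Court left open by not obtaining the subscriber details from the service provider.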

Naavi

Posted in Cyber Law