Naavi.org

Indian IT industry has a high stake in the outsourced business from US and EU, UK markets. A good part of this outsourced business involves processing of “Personal Data” of data subjects of the respective country. As regards US, India has many processors who process health data and are accustomed to complying with HIPAA and HITECH Act. India has its own ITA 2000/8 which also imposes protection of both personal data and sensitive personal data. Now the EU has upped the stake in privacy protection by pushing the GDPR (General Data Protection Regulation) that replaces the Data Protection Act which has been in place for the last two decades. UK is now under transition where it is out of EU but is yet to adopt the regulatory mechanisms in its own name. However, UK is also expected to adopt GDPR in toto.

The Challenge for Indian data processors is that GDPR regulation requires them to appoint a “Representative” in any one of the EU countries if they have a stake in the processing of data related to EU residents. This makes them directly exposed to the risks on non -compliance in addition to the clauses that may be found in the Business Associate Contract where the data processor agrees to an indemnity clause with the data controller to compensate him for any losses caused to him on account of any data breach.

What is important for Indian Companies to realize is that the penalties  payable under the GDPR by the data controller may be humongous since the GDPR speaks of upto 20 million Euros or 4% of the world wide turnover which ever is higher. If the Indian companies blindly agree to complying with the GDPR along with an open indemnity clause, they will be signing their death warrants.

The Boards of Indian Companies exposed to GDPR risk should therefore disclose in their financial statements what precautions they are taking to protect the interest of the share holders. The first thing that a share holder would like to know is whether the Company has an exposure to GDPR and if so whether an impact assessment has been made. If so, the share holders would like to know if the Company has obtained Cyber insurance against losses arising out of any data breach and whether the quantum of such insurance is adequate. If not, the Company needs to justify to its share holders why they think they are insulated from this risk.

Additionally, it is necessary for the Indian Companies to

a) Identify if they are exposed to GDPR risk and if so where and how the GDPR data exists in their data environment, who have access to them and how are they secured.

b) A risk assessment should be undertaken to identify the risks of data breach

c) Policies and procedures should be put in place to ensure compliance

d) Accountability for the compliance requirement should be documented through an appropriate technical and other measures.

e) A proper testing and audit environment should be available to check from time to time if the compliance measures are holding and any corrections are required.

The deadline for implementation of GDPR is 25th May 2018. However, if any EU Company is processing data with an Indian Company, then it would be interested in freezing their compliance documentation much before May 2018 since if the Indian Company is unable to meet the stringent standards, the EU company needs to find an alternate supplier and build the technical bridges that are required for the transfer of business. It would therefore be reasonable for such companies to start their negotiations today if they have not already started.

At the same time, it is also prudent for the Indian companies to introspect their systems and procedures and be ready to face any questions that the EU client may raise. It should be able to face an audit from the customers if the stakes are high.

GDPR Audit will therefore be required to be undertaken by  Indian Companies who have any relationship with an EU Company with the likelyhood of undertaking data processing involving EU data.

GDPR requires “Privacy By Design” which may mean that the EU Client may require some process changes in data processing which may impact the cost of processing and also involve some time for implementation. If the data processor has himself sub contracted any of its processes, there is a need to ensure that the compliance requirements are also implemented at the sub contractor’s level which is another huge responsibility. In most cases the data processors may have to take up the currently sub contracted work in house. This will again change the cost profile of the service.

In most cases of sub contracting it will be inevitable to introduce “Deidentification” or “Pseudonomisation” of data with attendant technical issues. This would be yet another reason for cost escalations and data breaches due to failure of technical controls.

In view of these implications beyond the technical aspects of preserving the Confidentiality, Integrity and Availability, the Information Security professionals of Indian Companies need to immediately start internal discussions with the top management for rolling out the process of GDPR compliance.

The very first step in GDPR compliance is the designation of a senior person as the “Data Protection Officer” who may have to take up the next step of creating “Awareness” firstly among the top management so that further implementation steps can be undertaken.

I would urge all Indian Companies to start a review to see if they cross these two steps before actual implementation challenges can be identified for further action.

During the next month or so, most of the large IT Companies will have their shareholder’s meetings and financial audits by the audit firms. I urge shareholders to raise questions in the AGM about the action taken by the Company for meeting the GDPR non compliance risk and for all CA firms involved in financial auditing to ensure that suitable qualifications are made to the disclosures as may be required on account of the GDPR risk not having been identified and adequately covered.

Naavi

Recently a judgements from Hyderabad under ITA 2000/8 has raised interesting debates in Cyber Law Circles which make a good case study for academic purpose.

Presently we are commenting on the basis of the following two news reports

Times of India Report : Navy Man gets 2 years imprisonment 

Indian Express Report : Sentence under Section 66A.

We shall try to get the copy of the judgement for further clarification.

One of the debates that has ensued post the judgement is that the conviction includes “Section 66A” which the Supreme Court quashed on 24th March ,2015 , in what is popularly called the Shreya Singhal Case.

Most specialists are shocked at how the Court can pass a sentence on a section which has been termed by the Supreme Court as “Anti Constitutional” and quashed.

Does it indicate that the lower Court was ignorant? Did the investigating officer mislead the Court? are some of the questions that are making rounds.

The facts of the case indicate that the incident happened in 2010. At that time the victim was a minor and Section 66A was still valid. The object of crime was an online Chat dated 27th February 2010 where the accused was supposed to have lured the girl to an online relationship. The conviction is said to be under Sections 67, 67-B, IPC 509 besides Section 66A.

The accused has now preferred to file an appeal and the final word on the judgement will be known later.

As regards the Court giving a judgement against the Supreme Court view, it appears that the Judge has gone with the view that the Shreya Singhal judgement did not have any “Retrospective” effect and the cause of action in the current case arose in 2010 when Section 66A was very much valid. In our opinion, this is a correct reading of the Shreya Singhal judgement and the Judge must be credited for his brave decision against the popular sentiment.

If it is argued that at the time of judgement Section 66A had been scrapped and hence this should have been taken into account by the judge, the case also arises that at this point of time, the victim was no longer a “Minor” and 67B  was not applicable, though Section 67 was still applicable.

Further the presentation of admissible evidence should have been done under Section 65B (IEA) certification though this loses significance if the accused admitted the offence.

But the judgement has really raised an important point that we need to look at an offence in the light of the date on which the cause of action arose and the laws present at that time unless there is a compelling law that brings retrospective or prospective effect to the provisions. October 17, 2000 was when Section 67 of ITA 2000 and Section 65B of IEA became effective and October 27, 2009 was the day when Section 67A, 67B, and 66A became effective and March 24  2015 was the day whn Section 66A was quashed. These dates have to be kept in mind by Police and Courts to apply the different provisions of law as contained in ITA 2000.

The second point of debate that has come up in the case is that the accused was a Navy personnel. The victim was the daughter of a Navy personnel and the crime was committed on board a Navy vessel. In this case the question of whether the jurisdiction for trial should have been with the Military Court is a point to discuss.  Probably the victim was not on board the Navy vessel and was in the Civil area. (Or was she residing in a Cantonment area?).

Had the Navy Court taken cognizance of the matter and started a trial, it would have been difficult for the Hyderabad Court to proceed with the trial as it would have become a fit case for “Double Jeopardy”. By not initiating action, the Navy has allowed the proceedings in the Hyderabad Court to continue.

I understand that Madras High Court in a case in 2009 had refused to transfer a criminal case to the Army Court. (Refer here). This was however a case of physical crime of murder in the civil society and stood on a different ground. In that case the person was on leave and the claim for transfer was based on Section 475 of Cr Pc which states as under:

Quote:

475. Delivery to commanding officers of persons liable to be tried by Court- martial.
(1) The Central Government may make rules consistent with this Code and the Army Act, 1950 (46 of 1950 ), the Navy Act, 1957 (62 of 1957 ), and the Air Force Act, 1950 (45 of 1950 ), and any other law, relating to the Armed Forces of the Union, for the time being in force, as to cases in which persons subject to military, naval or air force law, or such other law, shall be tried by a Court to which this Code applies or by a Court- martial; and when any person is brought before a Magistrate and charged with an offence for which he is liable to be tried either by a Court to which this Code applies or by a Court- martial, such Magistrate shall have regard to such rules, and shall in proper cases deliver him, together with a statement of the offence of which he is accused, to the commanding officer of the unit to which he belongs, or to the commanding officer of the nearest military, naval or air force station, as the case may be, for the purpose of being tried by a Court- martial. Explanation.- In this section-
(a) ” unit” includes a regiment, corps, ship, detachment, group, battalion or company,
(b) ” Court- martial” includes any tribunal with the powers similar to those of a Court- martial constituted under the relevant law applicable to the Armed Forces of the Union.
(2) Every Magistrate shall, on receiving a written application for that purpose by the commanding officer of any unit or body of soldiers, sailors or airmen stationed or employed at any such place, use his utmost endeavours to apprehend and secure any person accused of such offence.
(3) A High Court may, if it thinks fit, direct that a prisoner detained in any jail situate within the State be brought before a Court- martial for trial or to be examined touching any matter pending before the Court- martial.

Unquote:

According to this section, the Magistrate “Shall” transfer the case to the commanding officer, though the word “in Proper cases” is subject to interpretations. The Madras High Court used this interpretation to refuse transfer of the trial to the Military Court.

However, under the Uniform Code of Military Justice -UCMJ (Refer here)   if the offender is an active service member, the UCMJ applies. If the Crime violates both the State Civilian Law and Military law, it may be tried by either or both. But the two Courts need to coordinate and avoid “Double Jeopardy”.

In the Telengana Case, this point was completely missed though this being a “Cyber Crime”, the “Crime is deemed to have been committed at a place from which the offending message was sent, namely the Navy vessel”. Hence the place of crime was a military space and the offender was a military personnel. Even the principle of natural justice indicated that the trial should have proceeded in the military Court since the complainant was also a Navy person (victim being a minor).

Since in the case,

a) Jurisdiction of the Civil Court is itself questionable

b) Evidence was in admissible due to lack of Section 65B certification (assuming that the admission is not sufficient)

the judgement requires a review.

Naavi

(P.S: I am waiting for further information on this case as well as Supreme Court judgements on Section 475 of CrPc based on which supplementary discussions can be continued by experts)

Related Article:

USI of India:

This article says that defence of Double Jeopardy is not available. Needs to be explored further by experts.

This is in continuation of the previous article “Is a WhatsApp Notice valid in law?… A Case for Cyber Notice service“.

The copy of the order of Mr Khemka is now available and reproduced here. Some key observations in the order are discussed here.

First point of observation is that the order states that the mobile number of the respondent to whom the WhatsApp notice was ordered to be sent was provided by the petitioner. The Financial Commissioner did not have first hand knowledge of the mobile number. It was the advocate of the petitioner who stated that he had spoken to the respondent and informed him about the summons and he had refused to provide his address.

Based on this averment, the Financial Commissioner ordered that an “Image” of the summons be sent through WhatsApp by the respondent and the same shall be treated as proper mode of service. It was also ordered that the petitioner would  produce proof of electronic delivery through WhatsApp messenger by taking a print out and duly authenticate the print out by affixing his signature.

It appears that the Financial Commissioner ignored the fact that “Electronic Documents” need to be authenticated with digital signatures and print outs of electronic documents need to be authenticated with Section 65B certificate to be admissible as evidence.

The order  therefore appears to be not in conformity with the laws applicable to electronic documents under ITA 2000/8. The Financial Commissioner may assume certain powers to define the procedures for the proceedings in his Court. But whether it extends to ignoring provisions of ITA 2000/8 is a moot point.

The Financial Commissioner has  quoted a Supreme Court Order in the case M/s. SIL Import, USA v. M/s. Exim Aides Silk Exporters, Bangalore, (AIR 1999 SC 1609) to substantiate his stand that technology advancement has to be adopted by Courts. We fully agree that certain flexibility to adopt technology through creative interpretation of legacy law is acceptable and desirable but such interpretations should be used to fill gaps in the law and not to openly flout other laws.

The decision arrived by the Financial Commissioner here does not appear to have been based on proper appreciation of ITA 2000/8 and can create a bad precedent which may spread misunderstanding of the WhatsApp system and its validity under Indian law.

The Supreme Court case used as a support for this decision  referred to the validity of  a “Fax”  message as a valid notice regarding dishonour of a cheque just before the time available for notice was to expire. The Supreme Court allowed the use of Fax as a valid mode of transmission of a notice. The circumstances of this case was not directly applicable to the current case before the Financial Commissioner.

The technology of Facsimile transmission is not a transmission of an “Electronic Document” and is not covered under ITA 2000/8. Fax message is to be treated as a transmission of an analog message over telephonic network covered under the Telegraph Act and hence ITA 2000/8 may not be applicable to it. Also this Supreme Court decision was a “Pre-ITA 2000” decision and requires to be reviewed even if in today’s context, a Facsimile messages may be sent as a digital transmission.

Hence relying on this decision by Mr Khemka as the Financial Commissioner for a transmission of an electronic document which falls well within ITA 2000/8 is debatable.

In our opinion, WhatsApp messaging or SMS can be considered as an electronic document and would be valid as equivalent to a paper document. But it would be considered as an “Unsigned” paper document if it is not digitally signed with the use of a digital signature certificate issued by a licensed certifying authority. If it has to be admitted as evidence, collateral information has to be added with suitable meta data and definitely a Section 65B certified document.

In the subject case, WhatsApp message was being used as a substitute for a Court summons and additionally, it was not even sent from the Court’s phone number or e-mail. The Court delegated the sending of the notice to the petitioner who had a vested interest in the notice. The Court also does not seem to have made any effort to check if the averment made by the petitioner that the respondent is indeed a owner of the said mobile number and he was using the WhatsApp account (which has its own distinct code) to which the message was ordered to be sent. Hence it is difficult to presume that the summons can be considered as not having been properly issued by the Court..

The order can therefore be considered as a decision that can be challenged and overturned.

Naavi

A Financial Commissioner (FC) Court in Haryana, considered as a quasi judicial body headed by the IAS officer Ashok Khemka has created what can be considered as a “Double Edged Precedent” by sending a “Summons” through WhtsAPP. (I suppose thsi Ashok Khemka is the same person who made news by his fight against Mr Robert Vadra).

As per details available here the order was passed since the petitioner in a partition case did not have the address of the respondent since he had shifted out to Kathmandu but as per the records of the Commission, the person had spoken over phone but not revealed his address.

Mr Khemka seems to have observed that “An E Mail address or a mobile phone number is also the address of a person in the present times” and ordered that the summons may be sent by a WhatsApp message and a “Printout” of the delivery report on WhatsApp shall be considered as a proof of delivery.

At first glance this is a progressive thought and Mr Khemka should be congratulated in thinking creatively.

But it must be observed that the Court  did not make an attempt to get the registered billing address of the SIM card from the mobile service provider which would have solved its immediate problem and also provided validity to the ownership of the device as belonging to the respondent.

Naavi has been pioneering the principle that “Cyber Notice” is more relevant than other forms of notice  and even set up the service under “Cyber-notice.com” to provide legally valid notices in Cyber Space.

Mr Khemka’s Order is welcome as it shows the preparedness of the judicial authorities to think positively about the use of technology for legal notices. However, it is necessary that the notices are served in a manner that it cannot be legally questioned unless the notice is only a matter of special privilege granted to the litigant and the Court would be prepared to hear the case ex-parte if he does not show up.

A notice otherwise has to meet the legal requirements of the land and a mere serving of the notice on the WhatsApp and taking the colour of the right tick on the message as a “Delivery Receipt” is fraught with dangerous undesirable consequences.

While on the one hand, some Courts are challenging “Talaq” over Whats App and some are questioning the legal validity of WhatsApp itself, for one other Court to give legitimacy to WhatsApp notice is a huge contradiction.

Under the principles established by Naavi at Cyber-Notice.com or ceac.in, electronic notices are served but with a trusted third party taking up the responsibility for creating documentary records which add weightage to the evidence created for delivery with a Section 65 B Certification.

In the Khemka’s order, there is an assumption that a person spoke from a mobile number who was by voice identified as so and so and that phone number was considered as his address. Then the notice itself was sent to an intermediary called WhatsApp which redirected the message to an App supposedly installed in the same mobile number and relied on the colour coding of the delivery information that is displayed on the mobile.

What if the voice recognition of the person is not made? What if the WhatsApp application is actually installed on a device other than what is indicated or accessed only from a web application?, What if the delivery system does not function reliably? are questions that needs to be answered if the notice is to be considered as acceptable.

If CEAC.IN or Cyber-Notice.com had handled this notice delivery, it would have created supplementary records and provided a Section 65B certification for the process. With the evidence so created, the delivery would have been considered much more acceptable in law than it will be by the Court registrar sending a WhatsApp message to a number believed to be controlled by the respondent.

Naavi

It is reported that former Supreme Court Judge, honourable Justice Shiva Kirti Singh will be the next chair person for the Telecom Disputes Settlement & Appellate Tribunal (TDSAT).

The appointment is for a period of 3 years and he takes over the position which was vacant since last June.

TDSAT has become relevant for Cyber Law and Cyber Crime watchers since it is now also the “Appelalte Tribunal” under Information Technology Act 2000/8 and will be hearing all the appeals against the orders of the Adjudicating Officers.

The report in Economic Times reporting the appointment highlights the high profile disputes before the TDSAT between Jio and Airtel etc. Obviously, the attention of TDSAT will be on such high profile and high stake complaints. Against such complaints, the appeals that are being transferred from CyAT to TDSAT will be too insignificant for  TDSAT to even glance at. There is every likelyhood of Cyber Crime victims getting a lower priority in resolution of their disputes.  It is precisely for this reason that Naavi.org has been uncomfortable with the designation of TDSAT as the Appellate Tribunal under ITA 2000/8.

We have also highlighted that the Cyber Appellate Tribunal (CyAT, now called Appellate Tribunal or AT under ITA 2008) was headed by a Chair person at the level of High Court and below and it made sense that the appeal from CyAT went to a High Court. Now TDSAT is headed by a Chair person at the level of the Supreme Court and it makes it difficult how the appeals can be heard by the High Court which consists of Judges who are perhaps junior in stature.

The Judiciary is very conscious of their hierarchy and protocols and hence the move of the Finance Minister in merging CyAT with TDSAT is considered as leading to many practical issues which ultimately affects the Cyber Crime Victims adversely.

This is all the more reason for the Cyber Crime victims to seriously look at the proposition of Cyber Disputes Mediation and Arbitration (CDMAC) put forth by Naavi. (Refer www.cdmac.in)

Naavi