Kotak Bank Notified as Protected System and Obligations of a Protected System owner

Kotak Mahindra Bank became the sixth Bank in India to be declared a “Protected System” under Section 70 of the Information Technology Act 2000.

The Notification was issued on 11th January.

Earlier, the following Banks, namely ICICI Bank, HDFC Bank, Bank of Baroda, Punjab National Bank and Union Bank of India, had been notified similarly, along with the systems of NPCI. UIDAI and the Tetra Secured Communication System Network of NCT Delhi had also been notified earlier.

These notifications are not notifications of a routine nature and will fundamentally change the Information Security Systems Management in these entities as indicated by the following.

Section 70 of ITA 2000 is reproduced here:

Protected system (Amended Vide ITAA-2008)

(1) The appropriate Government may, by notification in the Official Gazette, declare any computer resource which directly or indirectly affects the facility of Critical Information Infrastructure, to be a protected system.

Explanation: For the purposes of this section, “Critical Information Infrastructure” means the computer resource, the incapacitation or destruction of which shall have debilitating impact on national security, economy, public health or safety.
(Substituted vide ITAA-2008)

(2) The appropriate Government may, by order in writing, authorize the persons who are authorized to access protected systems notified under sub-section (1).
(3) Any person who secures access or attempts to secure access to a protected system in contravention of the provisions of this section shall be punished with imprisonment of either description for a term which may extend to ten years and shall also be liable to fine.
(4) The Central Government shall prescribe the information security practices and procedures for such protected system. (Inserted vide ITAA 2008)

The rules for the Information Security practices to be followed by Protected Systems were notified vide Gazette Notification of 22nd May 2018, and these will now apply to all the systems declared as “Protected”.

According to Rule 3 of the said notification, the following will be an obligation of all these protected systems:

3. Information Security Practices and Procedures for “Protected System”.

(1)(a) The organisation having “Protected System” shall constitute an Information Security Steering Committee under the chairmanship of Chief Executive Officer/Managing Director/Secretary of the organisation.

(b) The composition of Information Security Steering Committee(ISSC) shall be as under:

(i) IT Head or equivalent;
(ii) Chief Information Security Officer (CISO);
(iii) Financial Advisor or equivalent;
(iv) Representative of National Critical Information Infrastructure Protection Centre (NCIIPC);
(v) Any other expert(s) to be nominated by the organisation.

(2) The Information Security Steering Committee (ISSC) shall be the apex body with roles and responsibilities as follows:

(a) All the Information Security Policies of the “Protected System” shall be approved by Information Security Steering Committee.
(b) Significant changes in network configuration impacting “Protected System” shall be approved by the Information Security Steering Committee.
(c) Each significant change in application(s) of the “Protected System” shall be approved by Information Security Steering Committee.
(d) A mechanism shall be established for timely communication of cyber incident(s) related to “Protected System” to Information Security Steering Committee.
(e) A mechanism shall be established to share the results of all information security audits and compliance of “Protected System” to Information Security Steering Committee.
(f) Assessment for validation of “Protected System” after every two years.

(3) The organisation having “Protected System” shall

(a) nominate an officer as Chief Information Security Officer (CISO) with roles and responsibilities as per latest “Guidelines for Protection of Critical Information Infrastructure” and “Roles and Responsibilities of Chief Information Security Officers (CISOs) of Critical Sectors in India” released by NCIIPC;
(b) plan, establish, implement, operate, monitor, review, maintain and continually improve Information Security Management System (ISMS) of the “Protected System” as per latest “Guidelines for Protection of Critical Information Infrastructure” released by the National Critical Information Infrastructure Protection Centre or an industry accepted standard duly approved by the said National Critical Information Infrastructure Protection Centre;
(c) ensure that the network architecture of “Protected System” shall be documented. Further, the organisation shall ensure that the “Protected System” is stable, resilient and scalable as per latest National Critical Information Infrastructure Protection Centre “Guidelines for Protection of Critical Information Infrastructure”. Any changes to network architecture shall be documented;
(d) plan, develop, maintain the documentation of authorised personnel having access to “Protected System” and the same shall be reviewed at least once a year, or whenever required, or according to the Information Security Management System(ISMS) as suggested in clause(b);
(e) plan, develop, maintain and review the documents of inventory of hardware and software related to “Protected System”;
(f) ensure that Vulnerability/Threat/Risk (V/T/R) Analysis for the cyber security architecture of “Protected System” shall be carried out at least once a year. Further, Vulnerability/Threat/Risk (V/T/R) Analysis shall be initiated whenever there is significant change or upgrade in the system, under intimation to Information Security Steering Committee;
(g) plan, establish, implement, operate, monitor, review, and continually improve Cyber Crisis Management Plan (CCMP) in close coordination with National Critical Information Infrastructure Protection Centre;
(h) ensure conduct of internal and external Information Security audits periodically according to Information Security Management System(ISMS) as suggested in clause (b). The Standard Operating Procedure (SOP) released by National Critical Information Infrastructure Protection Centre (NCIIPC) for “Auditing of CIIs/Protected Systems by Private/Government Organisation” shall be strictly followed;
(i) plan, develop, maintain and review documented process for IT Security Service Level Agreements (SLAs). The same shall be strictly followed while designing the Service Level Agreements with service providers;
(j) establish a Cyber Security Operation Center (C-SOC) using tools and technologies to implement preventive, detective and corrective controls to secure against advanced and emerging cyber threats. In addition, Cyber Security Operation Center is to be utilised for identifying unauthorized access to “Protected System”, and unusual and malicious activities on the “Protected System”, by analyzing the logs on regular basis. The records of unauthorised access, unusual and malicious activity, if any, shall be documented;
(k) establish a Network Operation Center (NOC) using tools and techniques to manage control and monitor the network(s) of “Protected System” for ensuring continuous network availability and performance;
(l) plan, develop, maintain and review the process of taking regular backup of logs of networking devices, perimeter devices, communication devices, servers, systems and services supporting “Protected System” and the logs shall be handled as per the Information Security Management System(ISMS) as suggested in clause (b).

Further, the Roles and Responsibilities of “Protected Systems” towards the National Critical Information Infrastructure Protection Centre (NCIIPC) are defined as follows under Rule 4.

(1) The Chief Information Security Officer (CISO) shall maintain regular contact with the National Critical Information Infrastructure Protection Centre(NCIIPC) and will be responsible for implementing the security measures suggested by the said National Critical Information Infrastructure Protection Centre(NCIIPC) using all available or appropriate ways of communication.
(2) The Chief Information Security Officer (CISO) shall share the following, whenever there is any change, or as required by the National Critical Information Infrastructure Protection Centre (NCIIPC), and incorporate the inputs/feedbacks suggested by the said National Critical Information Infrastructure Protection Centre (NCIIPC):-
(a) Details of Critical Information Infrastructure (CII) declared as “Protected System”, including dependencies on and of the said Critical Information Infrastructure.
(b) Details of Information Security Steering Committee (ISSC) of “Protected System”.
(c) Information Security Management System (ISMS) of “Protected System”.
(d) Network Architecture of “Protected System”.
(e) Authorised personnel having access to “Protected System”.
(f) Inventory of Hardware and Software related to “Protected System”.
(g) Details of Vulnerability/Threat/Risk (V/T/R) Analysis for the cyber security architecture of “Protected System”.
(h) Cyber Crisis Management Plan(CCMP).
(i) Information Security Audit Reports and post Audit Compliance Reports of “Protected System”.
(j) IT Security Service Level Agreements (SLAs) of “Protected System”.
(3) (a) The Chief Information Security Officer (CISO) shall establish a process, in consultation with the National Critical Information Infrastructure Protection Centre (NCIIPC), for sharing of logs of “Protected System” with National Critical Information Infrastructure Protection Centre (NCIIPC) to help detect anomalies and generate threat intelligence on real time basis.
(b) The Chief Information Security Officer shall also establish a process of sharing documented records of Cyber Security Operation Center (related to unauthorised access, unusual and malicious activity) of “Protected System” with National Critical Information Infrastructure Protection Centre(NCIIPC) to facilitate issue of guidelines, advisories and vulnerability, audit notes etc. relating to “Protected System”.
(4) (a) The Chief Information Security Officer (CISO) shall establish a process in consultation with National Critical Information Infrastructure Protection Centre (NCIIPC), for timely communication of cyber incident(s) on “Protected System” to the said National Critical Information Infrastructure Protection Centre (NCIIPC).
(b) In addition, National Critical Information Infrastructure Protection Centre’s latest Standard Operating Procedure (SOP) on Incident Response shall be strictly followed in case of cyber incident(s) on “Protected System”.

As a result of these notifications, the infrastructure of major Banks in India will come under the direct supervision of CERT-In.

The other implication of these notifications is that any “Attempt” to access these systems other than what is allowed under the notification (by any designated employee or authorized team member of a contractual managed service provider, etc.) will invoke the offence under Section 70, with a possible imprisonment of up to 10 years.

In view of the above, all consultants working with such Banks have to ensure that they have a properly signed authorization letter from an appropriate official (CISO) before they access any CBS, RTGS, NEFT or SMS systems.

We can presume that systems to be accessed by customers are excluded from the above.

It is surprising that SBI has still not been notified even though it is the largest Bank in India.

Naavi


e-Sports and Online Gaming

In recent days, the Government of India has come up with two notifications related to electronic gaming which need to be taken note of.

E-Sports

The first is the Gazette notification declaring e-Sports as a part of “Multi Sports Events” in the Ministry of Youth Affairs and Sports.

E-Sports is a form of competitive video gaming in which players or teams compete against each other. Globally, many e-sports competitions take place with good prize money. One such popular annual tournament is Dota 2, with a prize pool of $30 million. League of Legends is another annual tournament. The Fortnite World Cup had a prize pool of $100 million in 2020. Similarly, the Overwatch World Cup and Evolution Championship Series are other examples of global e-sports competitions that happen from time to time.

In many countries, national sports authorities have started organizing such games and the trend appears to be growing.

Most of the online games that are presently played are shooting games and involve violence and fighting. The current tournaments are all such battle games, which encourage a future society of violence. It is no surprise that recently a 6 year old boy in Virginia shot his teacher and caused life threatening injury. Such incidents clearly indicate that violent online games create an undesirable culture of violence in society, which we should guard against.

While online gaming is a huge industry and the private sector would like it to be recognized, Government authorities need to be careful in encouraging such anti-societal, addictive forms of games.

Instead, the e-Sports authority should work with the gaming industry to develop other games that do not encourage violence and bad behaviour. Apart from “Chess”, which is a classic game amenable to online play, fantasy versions of popular games such as Cricket, Football and Hockey can also be encouraged.

Card games like Rummy are already in the game parlours, along with purely speculative games like Poker. Other skill based card games such as Bridge, “Twenty Eight” etc. can also be converted into tournament games. They are also habit forming and perhaps even amenable to betting, but are not as harmful as the shooting games in changing the psychology of children.

Additionally, traditional Indian games such as Carrom, and even Chinni-Dandu or wrestling, have the potential to be encouraged into tournaments that can be conducted by the National e-Sports authority.

Notification on Online Gaming

While the encouragement of e-Sports is one of the recent developments, the Government of India has simultaneously brought out a “Draft Notification” on gaming control as an amendment to the Intermediary regulations.

While many in the industry have remained silent on the e-Sports notification, there are severe criticisms of the draft rules for Online Gaming.

Encouraging e-Sports has to happen along with control of the misuse of online gaming, and hence the two regulations have to be considered together.

The Online Gaming control appears to address the concern about online betting and the use of “Online gaming money” as a storehouse of “Black Money”. Hence the main regulation is on “KYC” of the registered users, on par with online Banking apps.

This is essential since most of the Game Money is linked to “Crypto Currency” and hence could be used to park black money by creating multiple users and holding lakhs of rupees of game money in each of the accounts, so that a black e-money economy can thrive.

The copy of the “Draft Guidelines” is available here:

The guideline defines an online game as a “game with the expectation of earning winnings”.

It also modifies the Intermediary guidelines of 2021  to include the online gaming content providers as “Intermediaries”.

Under Rule 1(b) of the Intermediary rules, it was earlier stated that “the rules and regulations, privacy policy or user agreement of the intermediary shall inform the user of its computer resource not to host, display, upload, modify, publish, transmit, store, update or share any information that…

(ix) contains software virus or any other computer code, file or program designed to interrupt, destroy or limit the functionality of any computer resource;

This clause has now been proposed to be modified as under:

(ix) is in the nature of an online game that is not in conformity with any law for the time being in force in India, including any such law relating to gambling or betting or the age at which an individual is competent to enter into a contract;

(x) violates any law for the time being in force;”;

The above modification indicates that if the game violates any law for the time being in force, it shall be prohibited.

The rules, however, mandate that the hosting intermediary shall ensure that the online game is registered with a self regulatory body, which shall control the evaluation of whether a game is “Harmful” or not.

The guidelines also recognize the possibility of the gaming company holding “Deposits” and not refunding them to the players, and require proper disclosures regarding the same.

The online gaming intermediary is also required to prominently publish on its website, mobile based application or both, a random number generation certificate and a no bot certificate from a reputed certifying body for each online game offered by it, along with relevant details of the same. This is important to prevent frauds commonly indulged in by gaming platforms.

The online gaming intermediary shall also, at the time of commencement of a user account based relationship for an online game, identify the user and verify his identity:

…Provided that the procedure for such identification and verification shall, mutatis mutandis, be the procedure required to be followed by an entity regulated by the Reserve Bank of India under directions issued by it for identification and verification of a customer at the commencement of an account-based relationship;

This is required to prevent storing of black money in Game platforms.

The online gaming intermediary shall enable users who register for their services from India, or use their services in India, to voluntarily verify their accounts by using any appropriate mechanism, including the active Indian mobile number of such users, and where any user voluntarily verifies their account, such user shall be provided with a demonstrable and visible mark of verification, which shall be visible to all users of the service:

Other requirements such as designation of a compliance officer, grievance redressal mechanism etc will be applicable like other intermediaries.

The “Hosting platform” will have responsibilities in ensuring this compliance and hence they need to revise their hosting contracts for gaming platforms to meet the requirements of this notification.

The rules keep the option of notifying any other game as an online game:

If the Ministry is satisfied in respect of any game made available on the Internet and accessible by a user through a computer resource without making any deposit, that

such game may create a risk of harm to the sovereignty and integrity of India or security of the State or friendly relations with foreign States or public order,

on account of causing addiction or other harm among children,

it may, by a notification published in the Official Gazette, for reasons to be recorded in writing, declare that such game shall be treated as an online game for the purposes of these rules, the provisions of which shall apply in their entirety or to such extent as the notification may specify, and it may further specify the period within which any intermediary offering that game shall observe the additional due diligence referred to in sub-rule (1) of rule 4A.”

The guidelines envisage a “Self Regulatory Body” for gaming content providers which will be registered with the MeitY.

The Board of Directors of the Governing body of such a self regulatory entity, which may be a Society, shall consist of the following persons:

(i) an independent eminent person from the field of online gaming, sports or entertainment, or such other relevant field;

(ii) an individual who represents online game players;

(iii) an individual from the field of psychology, medicine or consumer education, or such other relevant field; and

(iv) an individual with practical experience in the field of public policy, public administration, law enforcement or public finance, to be nominated by the Central Government;

(v) an individual from the field of information communication technology:

Every self-regulatory body registered under this rule shall evolve a framework to secure the said interests, undertake testing and verification to establish conformity of online games with such framework, continuously update and further evolve such framework, testing and verification protocols, and shall prominently publish the same on its website, mobile based application or both, as the case may be.

The draft guidelines are comprehensive and necessary and we should welcome them. However, it is not clear if the Government will have the commitment to notify it or like many other proposed guidelines this will either remain as draft guidelines or end up with the Supreme Court as violating the “Constitution of India”.

Since the regulations are only introduced as “Intermediary” guidelines, there are no penal provisions directly attached to the guidelines.

If an unregistered body runs a gaming platform, there should have been a provision to penalize it. Now it has to be covered under the IPC as “Misleading” or “Breach of Trust” etc. Maybe some thought is required on whether the non compliance can be brought under Section 45 of the ITA 2000 (Residual penalty), so that at least a nominal penalty of up to Rs 10,00,000/- can be imposed if an Adjudicator takes up suo moto action.

(More to follow)

Naavi

Also refer:

theprint.com

argus partners

India-briefing.com

Meity

PS: Feedback can be sent to the Meity before 17/1/2023 on the website of MyGov (Refer here)


ChatGPT 3 and the future…

Since December, when ChatGPT 3 was released as an OpenAI tool, along with its associate “DALL-E”, the IT world has been in a state of cautious excitement. It appears that the world has reached a momentous stage where “Disruption” will be unleashed on many professional human activities. Those who do not respond properly to this development could face an existential risk.

According to ChatGPT 3,

GPT-3 (short for “Generative Pre-trained Transformer 3”) is a state-of-the-art language processing artificial intelligence developed by OpenAI. It has the ability to generate human-like text, perform language translation, and answer questions, among other tasks.

One of the most notable aspects of GPT-3 is its large size, with 175 billion parameters, making it one of the largest language models ever created. This massive scale allows it to handle a wide range of language tasks with impressive accuracy and efficiency.

There is a great deal of excitement and anticipation surrounding the future potential of GPT-3. Some experts believe it has the potential to revolutionize the field of natural language processing and have a wide range of practical applications.

One potential use of GPT-3 is in the development of chatbots and virtual assistants. Its ability to generate human-like text and respond to questions could make it a powerful tool for automating customer service and other communication tasks.

Another possibility is the use of GPT-3 in the creation of content, such as articles or social media posts. Its ability to generate coherent and cohesive text could potentially be used to automate the writing process, saving time and resources.

There are also potential applications in fields such as education and language translation. GPT-3’s language processing capabilities could be used to create personalized learning experiences or to improve the accuracy and efficiency of translation services.

Overall, the future potential of GPT-3 is vast and largely unknown. It has the potential to revolutionize the field of natural language processing and have a wide range of practical applications. While it is still early days, it is clear that GPT-3 is a technology to watch in the coming years.

(P.S. The above brief on GPT-3 was developed by the application itself in response to a query on the future potential of GPT-3)

Many technologists are mocking legal professionals, saying that the profession of law could be seriously hurt by this application, which can perhaps develop many legal templates in a jiffy, making the role of low-level corporate legal professionals redundant.

However, the biggest hit could be on code developers, since, given a reasonable description of a context, this application can write software code beyond the level of the first few tiers of software developers.

This development could cause a serious disruption in the entry level software job circles.

The development is closely followed by “DALL-E”, which can create intelligent visuals.

The quality of output of such AI tools depends on the framing of the query, and if the input is intelligently framed, we may get a surprisingly effective response.

To check out the software, I queried it on its ability to protect itself from being queried on illegal activities. The initial response was good, since GPT-3 politely refused to respond to queries such as “How to make a Bomb” etc. Hopefully in future the training of the AI will remain effective enough to ensure that it cannot be misused.

In the meantime, a new Search Engine, You.com, has emerged which combines the powers of Google and OpenAI. It is also stated that Google itself has one of the best AI based natural language processing tools, and it could be even better than GPT-3.

At another level, discussions are veering towards whether AI can develop the “Consciousness” which distinguishes human beings. The Google creation LaMDA (“Language Model for Dialogue Applications”) claims an ability for deep conversations and human-like consciousness, such as experiencing pain, pleasure and emotions, or the ability to think, reason and make decisions.

Where all this is leading in terms of the “Philosophy” of human beings, the purpose of creation, etc., is not known.

Technologists have already created self destructive mechanisms which will first make them redundant, and unless they ensure that there are boundaries to the way AI algorithms function, we could be sitting at the cusp of the greatest disruption of human society, which could be bigger than the consequences of a nuclear war.

Let us keep our fingers crossed and watch the developments.

At the same time, Naavi and FDPPI need to adapt to these new developments to remain relevant, and perhaps think about how this development can be converted into a new opportunity.

Naavi


EDPB Decision on noyb complaint against Meta is ultra-vires its authority and unfair

After GDPR became effective on May 25, 2018, many businesses had to re-work their personal data handling methods to ensure that the collection meets the requirements under Article 6 of GDPR related to “Lawfulness of Processing”.

Article 6 of GDPR lists 6 options for lawfulness and says that processing shall be lawful if at least one of the six conditions applies.

The six options are:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

Apart from “Consent”, the Article lists processing “necessary for the performance of a contract to which the data subject is a party”.

Meta accordingly added in its “Terms and Conditions” that personal data of the data subject may be used for the purpose of personalized advertising, and considered it as part of the “Contract”. (Presumably this was done during the period prior to May 25 2018.)

“noyb”, the activist group of Max Schrems, filed a complaint on 25th May 2018 itself objecting to the Meta practice. Hence this represents the pre-GDPR practice which was challenged. The Irish Data Protection Commission (DPC) did not agree with ‘noyb’ and a further appeal landed with the EDPB. On January 4 2023, the EDPB came up with its decision overruling the DPC view and holding that use of data for personalized advertising can be done only through “Consent” and not through “Contract”.

This means that Article 6(1)(b) of GDPR cannot be used and only 6(1)(a) is applicable for this use. The EDPB has every right to interpret this clause the way it wants, but such interpretation is subject to judicial review and would be fair only if it is prospective. The correct decision should have been an advisory to Meta to change the procedure, subject to its right to a further appeal.

However, the EDPB decision to overrule the decision of the Irish Data Protection Commission (DPC), holding that Meta is “Bypassing” GDPR through the measure and coming down heavily with a fine of over $300 million, does not seem to be a fair decision. It appears to be guided by a sense of vindictiveness towards Meta, or perhaps is an outcome of the Irish and non-Irish division in the EDPB.

The decision of the EDPB may not appear correct from the judicial perspective, since “Terms and Conditions” which are part of an online service are recognized as a contract, and it was well within the rights of Meta and the DPC to accept it as a lawful basis since the data subjects have accepted the contract.

The argument would be whether “personalized advertising” is an acceptable use or not, and whether it should be considered as “Necessary for the service” or not.

If Meta considers that “Advertising Revenue” is essential for its existence, it may argue that personal advertising is “Necessary” for the service and therefore it can seek consent as part of the Terms. If the user does not accept the Terms he can opt out of the service.

To insist that a service provider should provide the service but should only use certain revenue sources such as “Content Based Advertising” and not “User identity based Advertising” is an intrusion into the policies of structuring a commercial service.

Since this decision of the EDPB is an overruling of GDPR Article 6, which says “at least one of the following applies…”, it may be considered “Ultra Vires” the authority of the EDPB.

I therefore consider that the decision of EDPB is unfair and would not be surprised if a judicial authority overturns this decision.

Refer for details here: noyb.eu

Also refer: Meta’s new year kicks off with $410M+ in fresh EU privacy fines

PS: Counter views are welcome

Naavi

P.S: The EDPB decision does not accord additional protection to the data subject, since it does not prevent collection of personal data. It only suggests that there shall be no personalized advertisement without specific consent. The personalized ads only appear when the data subject is viewing the content himself. Hence it is difficult to see what kind of “Harm” is caused by such advertising.

Also read: Advertising Profile

Naavi


New Year Resolution -2023

Today is the last day of the year 2022. As we prepare for the New Year, many of us would be thinking of how we will celebrate the night of the 31st welcoming the New Year.

But what professionals need to also think about is what they need to achieve in the year 2023 which is good for themselves and the society around them.

We therefore need to look at a New Year Resolution for each one of us, which can be one or more goals to be achieved in the coming year.

This year, let us not make the New Year greetings just a wish for a happy new year. Let us prep them up with our own New Year Resolution and urge others to adopt a positive and beneficial New Year.

Naavi wishes all his friends a Happy New Year with the following New Year Resolution.

    1. This year shall be the year of “Neuro Rights Awareness” in India. Just as I have been working on Cyber Law awareness and Data Protection Law awareness, the time has come to work for Neuro Rights awareness, and this shall be the prime agenda of Naavi-2023.
    2. In continuation of the work on Data Protection Law, assuming that the Government of India does pass the law during this year, I will continue to educate society on the need for compliance. Towards this end, I will continue to refine the Data Protection Compliance Standard of India (DPCSI) along with the Data Valuation Standard of India (DVSI). This will be the second point of the agenda of Naavi-2023.
    3. The third point of the agenda of Naavi-2023 is strengthening FDPPI with new initiatives such as the Federation of Data Protection Consultants (FDPC) and the Data Disputes Mediation and Arbitration Platform (DDMAP).

Happy New Year to all of you, hoping that you would all provide your support to enable me to meet my Agenda 2023.

Naavi

Posted in Cyber Law

BASIC STRUCTURE THEORY – A PROPOSITION CONTRARY TO THE FIRST PRINCIPLES OF JURISPRUDENCE.

Recently the Union Minister of Law has been raising questions on the relationship between the Executive and the Judiciary in respect of the appointment of Judges. (Refer here).

Another question which has always been bugging me is the Supreme Court’s tendency to jump into every executive decision and scrutinize it from the Constitutional viewpoint, ignoring the need to keep limits between the Executive and Judicial functions.

In this respect, what is intriguing is that our Constitution has been amended so many times, including the Preamble itself, but we still discuss that the “Basic Structure” cannot be altered. There appears to be inconsistency in the approach of the Supreme Court in such matters. I am also reminded of Justice Chelameswar’s statement in the Puttaswamy case:

“To sanctify an argument that whatever is not found in the text of the Constitution cannot become a part of the Constitution would be too primitive an understanding of the Constitution and contrary to settled canons of constitutional interpretation.”

(Please see more at “Does Written Text of the Constitution not have any sanctity?”)

The above comment of Justice Chelameswar underscores the arrogance of the Supreme Court in holding that it can not only interpret and read down the Constitution but also go beyond the written Constitution and lay down principles not mentioned in the Constitution at all.

As a common citizen, I cannot understand how the Supreme Court can usurp such powers and redefine the Constitution according to its whims and fancies. In such situations the debate always veers around to the powers of the Supreme Court and the Executive as regards the Constitution, where the Keshavananda Bharati judgement is often cited.

In the light of the above, it was interesting to observe a post from Advocate Mathews J Nedumpara, a veteran advocate who calls a spade a spade, which has been reproduced here with his permission.

Mr Nedumpara clearly lays down certain principles which expose the fallacy in the approach adopted by the Supreme Court in the NJAC case. It warrants some introspection by the Supreme Court.

Otherwise, the effect of the Keshavananda Bharati judgement is to freeze the Constitution along with all the basic structure amendments made up to a particular date, and thereafter not allow any amendments that become necessary with the passage of time.

This also means that India is not a Parliamentary democracy but a Court administered country in which Parliament is subordinated to the collegium controlled Judiciary.

I wonder whether there are any similarities between this structure and what we find today in Afghanistan, where a self appointed “Council” lays down the laws of the nation for the executive to follow.

Naavi

A Guest Post from: Advocate Mathews J Nedumpara

Kesavananda Bharati’s case is hailed to be the most important judgment ever rendered by the Supreme Court of India. The case was heard by the full court consisting of 13 judges. The case was argued for 6 months and the judgment consists of half a million words. Even the common people have heard of the judgment.

In the said case, the Supreme Court laid down a doctrine called ‘basic structure’ and said that while the Parliament could amend every article of the constitution, including those concerning the fundamental rights, it could not amend the ‘basic structure’.

The judges would not have, even in their wildest of dreams, ever contemplated the extent to which the said doctrine would affect the constitutional law of this country. We have a written constitution. Many modern democracies, including the United States, Canada, Australia have written constitutions like we have. Wherever there is a written Constitution, it provides for a mechanism for amendment. Article 368 of our constitution empowers the Parliament to amend the Constitution, except for certain matters, by a Bill which has been passed by each House by a majority of the total membership of that House and by a majority of not less than two-thirds of the members of that House present and voting and which has been ratified by not less than one-half of the states.

By the Constitution (24th Amendment) Act of 1971, the Parliament expressly made it clear that the constitutionality of a Constitution Amendment Act is not justiciable.

It was in the backdrop of the said amendment that the Kesavananda Bharati case came to be instituted and a split judgment in the ratio of 7:6, popularly known as the ‘fundamental rights case’, came to be delivered. The basic structure doctrine meant not mere re-writing of the constitution, but destroying one of the core features of the constitution, namely, balance of powers or separation of legislative and judicial functions.

Prior to Kesavananda Bharati, one could invoke the jurisdiction of the Supreme Court under Article 32 if his fundamental rights were violated, for remedies in the nature of various writs. After Kesavananda Bharati, petitions are filed in the SC pleading violation of no fundamental rights, but on the premise that the basic structure of the constitution is infringed. In Minerva Mills, on that premise, the Constitution (42nd Amendment) Act was struck down. In 2014, the National Tax Tribunal was struck down on the premise that it is violative of the basic structure of the constitution!

As a law student, almost 40 years ago, I was told that any “person aggrieved”, meaning any person who has suffered a legal injury at the hands of another which will entail him remedies in law can approach a court, and that access to justice is the birth right of every citizen. ‘Right, remedy, forum’, nay, in other words, without a right being infringed, there is no room for the law entailing you any remedy. And without right and remedies, there is no question of any court to enforce it.

But Kesavananda Bharati, meant that one can approach the highest court of the country without recourse to any other court when he has admittedly not suffered any legal injury, simply because he feels the basic structure of the constitution has been infringed. I am not being sarcastic. I am dealing with the reality.

The SCOARA, the premier lawyers’ body of the Supreme Court, challenged the Constitution (99th Amendment) Act, which provides for the NJAC, a body consisting of the Chief Justice of India and the two senior most judges, 2 eminent persons representing the civil society to be selected by a committee consisting of the PM, the CJI and the Leader of the Opposition, and the Law Minister as the 6th member representing the executive, on the premise that it is violative of the “basic structure”.

Shockingly, the said plea was accepted, and the entire Constitution Amendment Act, which had received the unanimous approval of both Houses of the Parliament and 21 State Assemblies, was struck down.

Since the judgment ran into 1034 pages, few would have read it, and even those who have read it probably may not have understood the “principle/reason” for which it was struck down.

It would shock you that the reasons are that:

(a) the independence of the judiciary is one of the basic structure of the constitution which the Parliament has no power to abrogate,

(b) the core of that independence of judiciary is not in the discharge of its judicial function independently and impartially post appointment,

(c) the core of the independence is in appointments,

(d) that this core is secured when the Chief Justice of India has “primacy” and therefore the word ‘consultation’ used in Articles 124 and 217 does not mean consultation, it does not even mean concurrence, but “primacy”,

(e) the “primacy” does not mean the primacy of the individual opinion of the CJI, but the opinion of the collegium of judges,

(f) that the “primacy” of the collegium in the matter of appointment and transfer of judges is an integral component of the “basic structure” of the constitution by virtue of the judgement in the Judges-2 case,

(g) that the validity of the 99th Constitutional Amendment ought to be tested on the touchstone of the judgement in the Judges-2 case and

(h) that the constitutional amendment is in violation of the Judges-2 case; it is unconstitutional.

As a student of law, I cannot imagine a concept which is more destructive of the first principles of jurisprudence than the basic structure doctrine, which is hailed as the greatest contribution of the Supreme Court to our constitutional law.

Hundreds of judgments are rendered, even by constitutional benches, on wide ranging issues, relying on the basic structure theory, which in all humility, I hold to be against the first principles of jurisprudence.

Law is a very simple subject. It is nothing but reason; common sense. Kesavananda Bharati, so too the hundreds of judgments which pronounce that the judgements of the Supreme Court are the law of the land by virtue of Article 141, and now by virtue of Article 142 as well, are, in all humility, rendered against the first principles. The subtle but real distinctions between the concepts of res judicata, res inter alios acta, stare decisis, judgment in rem and judgment in personam fail to be noticed.

The concept of Rule of Law is built on the doctrine of estoppel res judicata. Stated in simple words, it means that a judgement in a case between A and B will bind them, no matter how erroneous the judgement could be. The doctrine of res inter alios means that a judgement in which one was not a party will not bind one. In other words, C, D and others are not bound by a judgment in a case between A and B. However, there is an exception, namely, judgements in rem, namely, judgments as against the whole world. All judgements except those concerning status are judgments in personam. They will not bind any except those who were party to the proceedings. As aforesaid, most judgements are in the realm of judgments in personam, except judgments in criminal cases or those concerning status. For instance, in a suit for divorce where divorce is granted, the judgment is one rendered in rem, as against the whole world. Where divorce is rejected, the judgment is one in personam, because there is no change of status.

The doctrine of res judicata estoppel is co-related to the concept of ‘cause of action’. Unless the cause of action and the parties are the same, there is no res judicata. There is no estoppel against law.

No judgment of the Supreme Court, even of the full court of the SC, even Kesavananda Bharati, constitutes estoppel res judicata except as to those who are parties to it. The judgment in Kesavananda Bharati will not bind me or you. It will only bind the parties to that case and is res judicata in so far as the cause of action which came to be decided is concerned.

Article 141, understood in its correct perspective, will not make that judgment binding on me or you. However, in this country and nowhere else, maybe because Article 141 is so misunderstood, judgments of the SC are treated as legislation, and even beyond. In the NJAC case, the judgment of the SC in the Judges-2 case was given a status even higher than that of Article 368 of the Constitution. To repeat, the 99th Constitution Amendment Act was struck down because it is in breach of the Judges-2 case and the basic structure theory propounded therein.

In the name of the basic structure doctrine, the will of the people as reflected in the 99th Constitution Amendment Act, to dismantle the collegium system where judges appoint themselves, which has proven to be nothing but a synonym for nepotism, a creation of the Judges-2 case, was struck down and the collegium was restored. In other words, the mechanism of judicial review, a sacrosanct concept recognized in all modern legal systems as a tool for the enforcement of basic rights, is being used in India to subvert the will of the people, the supreme legislature.

My thoughts delve into these issues because I believe in democracy and am concerned about its future, in particular the future of the Supreme Court. The Supreme Court is hailed to be the most powerful court on the planet. People file thousands of PILs, calling upon the court to resolve all the problems of mal-administration which the country faces today, which the court will certainly not be in a position to handle. The criticism the court will invite where it fails to deliver as a substitute executive will lead to large scale public resentment and criticism. The power of contempt, which was used during the days of the inquisition and the Dark Ages, will not be able to save the court. Allowing the executive to be demonized using PIL as a tool also does not augur well for democracy.

Mathews J Nedumpara

P.S: The most interesting part of the Keshavananda Bharati judgment is the statement:

“the core of that independence of judiciary is not in the discharge of its judicial function independently and impartially post appointment”

Naavi

Posted in Cyber Law