
Naavi.org

Building a Responsible Cyber Society…Since 1998

I recently received a query about whether there is any case law which supports my view that even when an original memory card or CD is presented to the Court, a Section 65B certificate is required.

I would like to elaborate on this query and submit my views.

Case Law and its limitations in an emerging area of technology

I understand that most practicing advocates consider that “Law becomes a law only when a Judge says so”. Hence the arguments in most cases, except when they reach the higher courts, are always about case law and not about the interpretation of the law itself.

Judicial interpretations are important in assigning meaning to the words contained in the written law, but they can always be re-interpreted. A lower court’s interpretation can be re-interpreted by a higher court, and a smaller bench’s interpretation can be re-interpreted by a larger bench.

Hence when we base our legal view only on the strength of some case law, we are relying on a temporary period during which a particular judgement happens to be considered a precedent.

True experts, on the other hand, will (and should) ignore interpretations based solely on case law and will (and should) always argue from a fundamental interpretation grounded in the legislative intent and in what is necessary to meet the objectives of the legislation.

Yes, this would be an “opinion” of a “Deemed Expert” who may not be anybody “Certified by any government or judicial authority” or by passing an “Examination” in a University. But nevertheless, it cannot be ignored, as our experience in the past with the interpretation of Section 65B has proved.

It takes years for the Courts at higher levels to consider a legal issue, mull it over under different circumstances and contexts, hear arguments of every hue and description, and arrive at a near-consensus view on the interpretation of a law text, at which point it can be considered “Case Law”. In the meantime we should not curb our creative interpretation of the law, nor fail to challenge the decisions of the Court even when they come from the highest Court.

In the domain of the Information Technology Act 2000, up to the current date and including Section 65B of the Indian Evidence Act, I have always followed the principle that we need to dig up the truth from the current law until it is changed, and that all of us, including the Courts at the highest level, are still in the process of understanding the law and interpreting it.

Some may consider it as not respecting the tradition where the arguments of practicing advocates start and end with “In so and so vs so and so, the honourable Supreme Court said so and so, and there rests my case, my lord”.

Fortunately, not being a practicing advocate gives me the creative freedom to think differently and let the Judges accept my view if they can hear me out fully and with an open mind. No disrespect is meant here for any judicial authority, nor is any arrogance intended. It is a belief that “God sees the Truth but waits”.

I consider that Cyber Jurisprudence in Information Technology Law and Section 65B is still developing, and hence what I say is an input which needs to be considered as a “School of Thought”. I may differ in certain respects from other seemingly logical views of practicing advocates more vocal than me and more active in the Judicial Academies or legal seminars. But I would not budge from my considered view.

My considered view on whether a Section 65B certificate is required when an electronic document is presented in the form of an original memory card or hard disk is an emphatic yes. The Court has to invite a person of its choice and ask him to view the electronic document and produce a Section 65B copy for the Court to appreciate.

Indian Philosophy shows us the way

The key to appreciating the above point is that the “Electronic Document that is a piece of evidence is not the memory card per se but the stream of binary data, the zeros and ones that are somewhere inside the memory card in the form of positive or negative electric charge”.

The memory card is the container or a box that contains the zeros and ones that when viewed in a special glass called a computer with appropriate hardware and software provides some human experience such as a sound or a readable document or a video.

The process of converting the stream of zeros and ones, which is the “Original” evidence, into a readable document, an audible sound or a viewable video depends on a hardware-software combination such as a card reader, computer, operating system, monitor, speaker, audio processor, video processor, etc. Only when all of these function properly in tandem does the stream of zeros and ones become a humanly appreciable electronic document which the Judge considers as “Evidence”.

Therefore, while the original evidence such as memory card can be presented as a physical artefact that is an “evidence” and also admitted as an artefact, the question of who will view the binary content in that and say that it contains a letter written by X to Y or a photograph or an audio etc., remains.

If the Judge himself views the electronic document, which depends on the system used, the software used, etc., then he becomes the person responsible under Section 65B for stating that the computer which rendered the binary stream contained in the memory card rendered it in a particular manner and will do so in future as well under similar circumstances.

In other words, the onus of providing the Section 65B certificate shifts from the person producing the memory card to the Court.

The fact that an electronic document residing in Yahoo Group server could be accepted as evidence based on a certificate produced locally by a private person like me was established in the Suhas Katti case in 2004 itself. There was no need for the “hard disk of yahoo group” to be produced in the Court. I suppose this is a universally accepted fact as of now that where there is a Section 65B certificate of a computer output, there is no need for the production of the original electronic document.

In the Basheer case, one thing I did not agree with was the reference to the CD in which the offending speech or song was contained as the “Original”. This term has to be correctly defined. The terminology that should have been used was the “First Container of the stream of electronic data elements that constitute the evidence in question” instead of the “Original CD”.

We should refrain from confusing between the “Stream of zeros and ones” which are “Binary impulses recorded for future reference and interpretation” in some form, and the container in which these are held together for the time being.

Imagine the situation where a laser computer screen is created in front of your eyes in free space where you see the information that you normally see on a computer monitor. The words are now floating in the air and there is no surface on which they seem to lie. This clearly establishes the fact that “binary stream” can exist and actually does exist independent of the “Container”.

Another easy way to understand this is through the concept of the “Soul” and the “Body” in Indian philosophy. Does the soul exist independently of the body? Indian philosophy agrees that the Soul exists independently of the body and that when a person dies, the soul leaves the body and ultimately finds another body in which its past-life memories are intact; given the right environment, the erased and reformatted memory of the soul’s past life can be rendered in the new body. The soul perhaps exists in this transitory state until it merges with the “Paramatma”, which some forms of philosophy call “Attaining Moksha”.

Without going deeper into philosophy, we should conclude that

a) “Electronic Document means a stream of binary data arranged in such a manner that under appropriate rendition of the stream through a computer device, it produces the human experience of a readable document or an audio or a video.”

b) A memory card or a hard disk is a device which holds the stream of binary data and makes it available to be used as hardware which becomes part of the larger computer system that renders the human experience of the stream of binary data.
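The distinction drawn above (the binary stream is the evidence, the memory card or disk is only its container) can be shown concretely. The following is an added example, not code from the Naavi.org post and not a procedure that Section 65B prescribes: it assumes SHA-256 as the fingerprint of a stream, writes one constructed stream into two containers, and shows that the fingerprint is the same whether the bytes are read from a file or from memory, while a copy altered by a single byte is detected. The file names, sample content and the fields of the certifier's record are constructed.

```python
"""Fingerprint a binary stream independently of the container it sits in.

Added example (not from the Naavi.org post). Assumption: SHA-256 is used as
the fingerprint; Section 65B itself names no hash algorithm. All content,
file names and record fields below are constructed.
"""
import hashlib
import io
import os
import tempfile

CHUNK = 1 << 16  # read 64 KiB at a time so large containers are never loaded whole


def fingerprint(stream) -> str:
    """SHA-256 of the bytes read from any file-like object (file, BytesIO, ...)."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def fingerprint_file(path: str) -> str:
    """Fingerprint of the stream held in a container on disk."""
    with open(path, "rb") as f:
        return fingerprint(f)


def same_stream(path_a: str, path_b: str) -> bool:
    """True when two containers hold byte-for-byte the same stream."""
    return fingerprint_file(path_a) == fingerprint_file(path_b)


def certificate_record(path: str, rendered_as: str, certifier: str) -> dict:
    """Constructed record a certifier could keep alongside the rendered copy."""
    return {
        "container": os.path.basename(path),
        "length_bytes": os.path.getsize(path),
        "sha256": fingerprint_file(path),
        "rendered_as": rendered_as,
        "certifier": certifier,
    }


def demo() -> dict:
    """Write one constructed stream into several containers and compare them."""
    stream = b"Letter from X to Y: constructed sample content\n" * 1000
    with tempfile.TemporaryDirectory() as d:
        card = os.path.join(d, "memory_card_image.bin")   # the "first container"
        copy = os.path.join(d, "copy_for_court.bin")       # faithful copy
        altered = os.path.join(d, "altered_copy.bin")      # last byte changed
        with open(card, "wb") as f:
            f.write(stream)
        with open(copy, "wb") as f:
            f.write(stream)
        with open(altered, "wb") as f:
            f.write(stream[:-1] + b"!")
        return {
            # same bytes from a memory buffer and from a file: same fingerprint
            "memory_vs_card": fingerprint(io.BytesIO(stream)) == fingerprint_file(card),
            "copy_matches": same_stream(card, copy),
            "altered_matches": same_stream(card, altered),
            "record": certificate_record(card, "text/plain letter", "hypothetical certifier"),
        }


if __name__ == "__main__":
    print(demo())
```

The record ties the rendered copy back to the stream rather than to the physical card: anyone holding the card later can re-read it and check that the fingerprint still matches what was certified.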

I have earlier referred to the Trisha Defamation Case in Chennai AMM Court where I was invited by the Magistrate in a similar circumstance when the CD was already in his hands and there was no need for an external party to certify it in ordinary prudence.

I appreciate the vision of the magistrate D. Arul Raj who correctly interpreted the law that he should not take the responsibility of writing in the judgement, “I viewed the contents of the CD which contained so and so information… which contravenes such and such law…etc”. He decided that he requires a third party to certify it and provide him a Section 65B certificate. In this case, I was the person called upon to do so.

Unfortunately, this did not go into a judgement (as I understand) since the complainant later withdrew the complaint.

In my opinion, Cyber Jurisprudence does develop not only from the Judgements, but also from the views that emanate from the experts.

Remember that after the Afsan Guru judgement in 2005, many were quoting that I was not correct in maintaining that a Section 65B certificate was mandatory for admissibility. But it took 9 more years for that erroneous reading of the law to be overturned by the Basheer judgement in 2014.

In between, I continued to hold my view and also argued it with experts, particularly in the National Police Academy, who were listening to me on the one hand and looking at the Afsan Guru judgement on the other, and who spotted the discrepancy. Most other experts had not even observed this discrepancy and hence had not raised the issue in any forum for a larger debate until the Basheer judgement reflected what I had been saying all along.

Similarly, any of the views that I have expressed here may not be today the popular view or a view that is necessarily supported by a judgement. But I am confident that judgements will eventually follow what I have stated here.

Maybe there will be occasions when I revise my view, or the law itself may change. But presently my view is that

“Even when the original binary stream is presented in the container to the Court, the container has to be opened and the binary stream has to be interpreted with the assistance of hardware and software and hence it is necessary for the Judge to take the assistance of a Section 65B Certifier reliable to it.”

“It can be a Section 79A certified agency if available or other persons on whom the Court reposes confidence.”

Naavi

As we enter the final stages of public consultation on the drafting of the new Data Protection Act of India following the release of the White Paper by the Justice Srikrishna Committee, one aspect of the law that needs attention is the “Right to Know” of an individual, which often conflicts with the “Right to Privacy” of another individual.

Right To Know is a different concept

“Right to Know” is a concept that GDPR also has ignored, and there is an opportunity for India to introduce this concept into the discussions of Privacy.

Let me explain with an example why this concept is different from other known concepts including “Right to Information”.

When somebody calls us on a phone, the first thing we would like to know is “Who is calling?”. If the other person says, “Sorry, I value my privacy and would not like to reveal my identity” or “I would like to talk under a pseudonymous name”, the question arises as to whether this is a valid Privacy argument or not.

Similarly, when I receive an e-mail from somebody who says he is Jignesh420@gmail.com, I have the right to know whether he is really somebody I know or not. I do not trust the display name since I know that Google does not do a KYC before allocating the user name. I therefore do not know if the e-mail is “Spam”, is an attempt to “Impersonate”, or is an attempt to commit a fraud on me. If I want to know more about the person, I need to know his IP address.

However, Google, in its misdirected concept of Privacy, hides the IP address behind a proxy address of Google’s own, which cannot be deciphered without the intervention of law, and that takes too much time and effort and often bribing of law enforcement personnel just to send a notice to the Gmail administration.

I therefore ask a question to the law makers,

Do I not have a right to know the true IP address of the person who has sent me an e-mail?

If Privacy activists want the IP address to be hidden in the e-mail while it is in transit, I demand that Google introduce a procedure by which every recipient of an e-mail can raise a one-click query to learn the IP address from which the e-mail was sent to him, and Google should automatically provide the information.

Similarly, any ISP should also provide the last mile resolution of the IP address to any person who can prove that he has been in receipt of a communication from such IP address.

This is what I consider as the “Right to Know”, and it extends to Facebook and Twitter accounts as well as social media such as WhatsApp.
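What a recipient can and cannot learn about the origin of an e-mail today is visible in its Received: headers, which each mail server prepends as the message passes through it. The following added example (written for this page, not code from the Naavi.org post) walks that chain from the oldest hop forward and reports whether the earliest hop carries a public source address or only an internal one, which is what the recipient sees when a webmail front end has substituted a provider proxy address as described above. The two messages, hostnames, queue ids and addresses are constructed: 10.20.30.40 stands in for a provider's internal proxy, and the public hosts use documentation address ranges. Only the topmost Received: header, written by the recipient's own server, is trustworthy; the hops below it were written by other parties and are taken at face value here.

```python
"""Walk the Received: chain of a raw e-mail, oldest hop first, and report
whether the earliest hop discloses a public source address.

Added example (not from the Naavi.org post). All messages, hosts and
addresses below are constructed.
"""
import ipaddress
import re
from email import message_from_string

# IPv4 literal in square brackets, as MTAs write the connecting address.
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Blocks that can never be a sender's public address; an earliest hop in one
# of these tells the recipient that the real origin was not disclosed.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed message 1: the sender's client connected to its provider's
# server directly, so the earliest hop records the client's address.
SAMPLE_DIRECT = """\
Received: from mail.sender.example (mail.sender.example [203.0.113.10])
    by mx.recipient.example (Postfix) with ESMTPS id 4ABC
    for <me@recipient.example>; Mon, 15 Jan 2018 10:00:03 +0530
Received: from [192.0.2.55] (unknown [192.0.2.55])
    by mail.sender.example (Postfix) with ESMTPSA id 9XYZ;
    Mon, 15 Jan 2018 10:00:01 +0530
From: sender@sender.example
To: me@recipient.example
Subject: constructed sample, direct submission

body
"""

# Constructed message 2: the message was composed in a webmail interface, so
# the earliest hop names only the provider's internal front end.
SAMPLE_WEBMAIL = """\
Received: from mail-out.webmail.example (mail-out.webmail.example [203.0.113.77])
    by mx.recipient.example (Postfix) with ESMTPS id 7DEF
    for <me@recipient.example>; Mon, 15 Jan 2018 11:00:03 +0530
Received: from webmail-frontend.internal (webmail-frontend.internal [10.20.30.40])
    by mail-out.webmail.example with ESMTP id 2GHI;
    Mon, 15 Jan 2018 11:00:01 +0530
From: someone@webmail.example
To: me@recipient.example
Subject: constructed sample, webmail submission

body
"""


def received_hops(raw_message: str) -> list:
    """Received: header values, oldest hop first, folding whitespace collapsed."""
    msg = message_from_string(raw_message)
    values = msg.get_all("Received") or []
    # Each server prepends its own header, so the last one is the first hop.
    return [" ".join(v.split()) for v in reversed(values)]


def hop_source_ip(received_value: str):
    """IPv4 literal from the 'from' clause of one Received: header, or None."""
    from_clause = received_value.split(" by ", 1)[0]
    m = IP_IN_BRACKETS.search(from_clause)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETWORKS)


def trace_origin(raw_message: str) -> dict:
    """Summarise what the chain discloses about where the message came from."""
    hops = received_hops(raw_message)
    ips = [hop_source_ip(h) for h in hops]          # oldest first
    earliest = ips[0] if ips else None
    public = [ip for ip in ips if ip is not None and not is_internal(ip)]
    return {
        "hop_count": len(hops),
        "earliest_ip": str(earliest) if earliest else None,
        "earliest_is_internal": earliest is not None and is_internal(earliest),
        # the closest thing to an origin the recipient can see without the
        # provider's cooperation: the first hop with a public address
        "first_public_ip": str(public[0]) if public else None,
    }


if __name__ == "__main__":
    for name, raw in (("direct", SAMPLE_DIRECT), ("webmail", SAMPLE_WEBMAIL)):
        print(name, trace_origin(raw))
```

For the webmail message the recipient is left with the provider's outbound server (203.0.113.77) and an internal 10.x address; resolving that to a person is exactly the step the page argues should not require a legal process. The regex deliberately handles only IPv4 literals; an IPv6 hop would be reported as undisclosed rather than misread.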

If the “Right to Know” is upheld as a right of an individual, it does not conflict with the right to privacy of an individual, except that such privacy right stops at the doorstep of the rights of the receiver of a communication. In other words, it provides a new right to the recipient of an electronic communication, just as the “Right to Speech” co-exists with the Right to Privacy in law.

This “Right to Know the IP address” extends to other instances such as

a) Right to Know the identity of a Domain Name Registrant

b) Right to know the identity of the owner of a Telephone number or Mobile Number from which the recipient has received at least one call or is reasonably suspected to have been used for the commission of an offence.

… and maybe to other instances as well, to be defined just like the multiple parameters we may use for classifying “Sensitive Personal Information” under the law.

Aadhaar has recently introduced a link on its site to provide information on the Aadhaar usage history of a person, which is a great measure towards transparency. But the information provided is on the basis of a transaction code that cannot make any sense to the Aadhaar user. It has to provide the name of the entity that made the query, either directly on the website itself or through a link protected by a second OTP authentication. This falls under the “Right to Know”.

The procedure for extracting the information in the above cases must be simple and nothing more than

a) Identification of the person who is making the request with something like the digital signature or Aadhaar

b) Statement of the suspected contravention of law or proof of being a recipient of an attempted communication

c) A commitment not to misuse the information for any purpose other than the stated purpose with an undertaking to be liable for consequences of misuse

I request Justice Srikrishna Committee to consider this suggestion and incorporate it into its recommendations.

(Comments Invited)

Naavi

The 4 judges who held an unprecedented press conference, which many agree has tarnished the image of the Judiciary in India, stated that their “Irreconcilable disagreement with the CJI” was based on the allocation of cases to different benches, which they say was arbitrary and overlooked the “Seniority” of the judges. Since the judges have appealed to the nation to “Protect Democracy”, I as a citizen need to make some points.

The Justice Loya death case appears to be the most disturbing case as far as the advocates such as Indira Jaisingh and Dushyant Dave are concerned and since Justice Gogoi seems to agree, we can accept that the four judges want this case to be heard before them and not under some other “Junior” judge.

It is another issue why these judges want this case only before them and do not trust the other judge. One interpretation is that by admitting the case, they could have embarrassed Mr Amit Shah, since there would potentially be a “Murder” charge being investigated by the Court which could consider him a “Suspect”; when the CJI frustrated this plan, they lost their cool and held the press conference.

Additionally, it appears that the other most sensitive case now before the Supreme Court is the Aadhaar case, where the “Constitutional Validity” of the system is in question. The intention of the Supreme Court was somewhat evident when, during an earlier hearing, the Government brought an argument that “Privacy is not a fundamental right”: the Court jumped to constitute a 9-member bench under the previous CJI Justice Khehar and quickly brought out a 547-page judgement for a single-line order, “Privacy is a fundamental right under Article 21 of the Indian Constitution”. This defeated the argument of the Government and strengthened the argument for scrapping Aadhaar. If done, the opposition can use it to embarrass the Government much more than the GST issue.

Besides the opposition wanted to preserve their “Benami” properties which Modi was threatening to identify by making it mandatory to link property registration with Aadhaar. I feel this was more critical than the Justice Loya’s case.

The opposition felt that if the bench hearing Aadhaar could be managed by pliable judges, they could get Aadhaar scrapped, and it would be the biggest coup before the 2019 elections.

Unfortunately for them, it appears that Justice Dipak Misra is again frustrating them by denying these judges an opportunity to be on the bench which can scrap Aadhaar. The CJI perhaps feels that these judges may have a conflict of interest, given their relationship with Mr D Raja, Mrs Indira Jaisingh, Mr Dushyant Dave etc., as regards the Aadhaar case, and hence cannot be on the bench hearing any case in which there would be a strong anti-Government sentiment.

We must appreciate the vision of the CJI in this regard.

If these judges with conflict are not involved in the Aadhaar case, it would be better since the case can be decided purely on merits and not on preconceived notions of the senior judges.

Aadhaar is therefore the key to what appears to be an unprecedented move by the 4 senior judges to take on the CJI, to the extent that the media have already started talking of his possible impeachment. They are now disappointed that the coup attempt has failed, at least for the time being.

In one of the online surveys 69% respondents held them wrong and in a way “Impeached them in public perception”. This is the people’s verdict they wanted during the press conference and they should respect it.

I anticipate that at least one of the four may decide to resign to uphold the principles that he wanted to demonstrate by the uprising to protect democracy. Will it be Mr Chelameswar, or somebody else? We need to wait and observe.

Naavi

(This is a continuation of the previous article)

3. A lot of discussion centred around the issue of “Consent” and “Informed Consent”. The issues were about the need for and effect of consents as an instrument of Privacy protection. There were also suggestions that consents should be obtainable by processors as well, that consents should be standardized and simplified, etc. The fact that India consists of illiterate users with multiple languages in use was also highlighted, as were the difficulties of handling “Employee Records” when companies want to change their processors.

Comments:

It is true that “Consent” has been the main instrument with which Privacy protection is being handled worldwide. The focus has been that there has to be a proper Privacy Notice, there has to be an “Informed Consent”, opt-out should be the default option, etc.

Consent Fatigue

At the same time, the issue of “Consent fatigue”, whereby users are required to go through multiple consent forms several times a day and so click on consents as a matter of routine, is unavoidable. If we continue to rely on “Consents” then we need to find a way to address the “Consent fatigue” issue.

Though “Click Wrap Consents” do not have strict legal validity in India, they still constitute a means of finalizing “Contracts” online, which would be considered “Implied Contracts”. Implied contracts have the shortcoming of being “Voidable” in respect of onerous fine-print clauses and would not help either the consumer or the service provider at times of crisis.

In India, at present, Section 43A of ITA 2008 provides “Contractual Consent” as the prime method of defining “Reasonable Security”. Hence when an employer obtains a valid contract with the employee at the time of employment which includes the right to process personal information, it can be considered a “Consent” that enables the employer to override the privacy obligations. Companies with multinational employees are also subject to the same law, though many corporates seem to fear international regulations and consider their local rights as non-existent.

The system of “Consent” cannot be changed. It will continue. However, efforts to make it better, in terms of making the user understand the nuances before he clicks the acceptance button and highlighting the onerous clauses so that they remain effective even in a deemed, standard-form, implied contract, should continue.

One of the suggestions made was to have a few standard forms of consent which are colour coded, so that the user knows exactly whether he is giving consent to a “Green Clause” with a smaller amount of personal information being made available or to a “Red Clause” with more information disclosure and risk.

These suggestions also depend on a classification of data which includes special forms of data derived from the data supplied by the data subject and converted into a more value-added form. There are data such as “Psychometric data” or “Genetic data” which could be derived with effort by the Data collector. Assigning rights on them, and restricting data aggregation and the use of value created out of aggregation, is a challenge.

Some suggested that we need to even recognize “Community Data” and protect them.

Ease of Doing Business

It is essential for us to understand that in designing the new law, we cannot go overboard with every minute concern, real or imaginary. We need to look at creating a law that can be understood and implemented. “Compliance” should be facilitated so that industry does not look at this as a “Hurdle” and the “Ease of Doing Business in India” does not deteriorate.

Value Addition to Data

Also, the possibility of the Data collector doing an analysis and creating additional processed data which is more valuable cannot be completely taken out of the rights of the processor. Even if the basic data belongs to the data subject, the derived data has an element of value addition by the Data collector which needs to be rewarded.

Some examples of such derived data pointed out by the participants included “Energy Consumption Data” and “Psychometric data”, which may be extreme cases of artificial intelligence usage, more for the fiction writers of the future than for the law makers of today. If “Data Analytics” is a key area of business in future, then it is possible that data can be used in a multitude of ways by technologists, and the law can only be set in generic terms to cover the “Identifiability” of data as a parameter of regulation.

The classification into “Identified”, “Identifiable with available data” and “Identifiable with further data that may be derived or become available through instances such as mergers and acquisitions etc.” needs to be addressed. However, the level to which Artificial Intelligence can go in future is not known to us today, and hence some loss of privacy has to be factored into the legislation today. This can be introduced in the form of differential penalties when data is breached, depending on the level of security that the Data controller demonstrates as having been in use before the data was lost.

Data Trust as an intermediary

Considering these difficulties, there were multiple suggestions which came back to the central point of what we have suggested earlier as a “Data Trust”. These intermediaries can be instruments for the effective collection and use of consents. They can also monitor the Data controllers and impose discipline in the industry. The concept has already been discussed earlier and hence is not repeated here. But if it is accepted, there would be an instrument for managing “Data” as a “Property of the data subject” which is licensed to the Data Controller through the Data Trust. The Data Controller who makes revenue out of the data has to bear the cost of this infrastructure by sharing some of his spoils with the Data Trusts, so that the consumer does not end up incurring higher direct costs. The Consumer may in turn get better data security in respect of his Privacy information.

Many participants discussed the concept of “Co-regulation” where the Data controllers would participate in the last mile control of data security. The law may also end up not being too prescriptive and leave it for the Data Controllers and Processors to “Secure” and in case of failure, “Pay a penalty”.

Recognizing the importance of monitoring the activity of the Data controllers, some suggested that there should be public accountability and auditability of data controllers, etc. Most of these are impractical and, from the security point of view, are not recommended either. The processing infrastructure in most cases cannot be publicised, and hence the only recourse is to obtain proper warranties and punish negligence adequately to ensure that Data Controllers maintain the security of data.

In such a regime, regulating a smaller number of “Data Trusts” would be preferable to regulating hundreds of Data Controllers, from the point of view of both management and regulation. Thus, the concept of Data Trusts presents multiple advantages that need to be recognized by the law makers. That is our suggestion.

Privacy Vs Law Enforcement Requirements

Naavi also pointed out that in many instances, Privacy Protection is used as a shield against law enforcement detection. Hence there is pressure on law makers to include stringent prescriptions and not yield to any exemptions for law enforcement. This is not ideal according to us. Privacy Protection is as much for honest citizens who consider law enforcement as their protectors, and hence the law should take this into consideration.

Data Tagging

In suggesting protection for data when it moves from a data controller to a data processor and subsequently to many sub-contractors, a discussion ensued on whether it is possible for data to be tagged in such a manner that it can be traced wherever it moves, so that it can be erased when necessary and updated when required. Many participants felt that this is technologically feasible and must be implemented through law. However, the undersigned is of the opinion that “Personal Data” collected by a Data collector does not always remain a single document that can be tagged when it is moved further. The collected data contains many data elements and sub-elements which may be split, distributed and reassembled elsewhere in a different context. Hence putting a traceable and auditable tag on personal information is not technically feasible and cannot be mandated. Instead, mandating the legal responsibility to protect through sub-contractors’ contracts is the only feasible option, which can be put into the law either in the main law or through sectoral laws or regulations. This is already standard industry practice.

Cyber Security obligations

Repeated requests were made to mandate “Cyber Security” as part of the data protection laws. It would be introduced as an obligation of the Data Collector (or the Data Trust), and there is certainly no case for a prescriptive information security policy being part of the main legislation. Such prescriptions are part of HIPAA, legislated in 1996, and are relevant for sectoral laws, not for the umbrella law.

Foreign Data Subject

Discussions were had on “Data of Non-Nationals” and whether it should be covered or not. This is an important issue which should be part of the scope definition. When the personal data of anybody, including a non-national, comes into the hands of an Indian Data Controller or Data Collector, there will be a contractual agreement between the data subject and the data collector. This should define the data protection obligations and should give primacy to Indian law by default. In our opinion, any demand by such individuals, who deal directly with Indian data collectors, to refuse to abide by Indian law would force the Indian data collectors to follow an alien law instead of the local law. This is not recommended for acceptance.

In the event of a foreign data subject’s data coming through a foreign data collector/controller who entrusts the data for processing to an Indian data processor, the obligations need to be set out in a Business Associate/Sub-Contractor contract, and other matters should be subordinate to the contractual obligation. This is the law in India under Section 43A of ITA 2000 and must be respected.

Certification

One aspect that did not come up for full discussion was whether there would be any certification bodies that would certify Data Protection in different agencies, like the standards certifying bodies.

It is known that most data breaches have occurred in bodies that have been certified under PCI DSS or ISO 27001 etc. The presence of such certificates makes the management complacent and reduces their vigilance. Instead, the responsibility should remain with the management, and they may be permitted to use any standards to achieve the objective of securing the privacy data. It should be the choice of individual organizations to choose any standards, external or internal, and to resort to certification or not. The Data Protection Authority may however have its own standards for auditing, and it may use any auditing firm, including PWC, as it so desires, as long as the assessment is on the basis of the law as defined and not on other considerations.

Privacy After Death

A point was raised by the undersigned on whether the Privacy Right should persist after death. Though not discussed in the general forum, it was pointed out by the undersigned that “Privacy” as a “Right to Life and Liberty” has no meaning after death, and the Privacy of an individual X cannot be enforced as a right of Y. If a person has a deemed Privacy issue in such a case, it should be handled as a “Defamation” or “Attempted Defamation” issue rather than a Privacy issue. Hence the protection obligations should cease after the death of the individual.

Naavi’s Detailed Comments

A copy of the written response to the questionnaire from Naavi was submitted to the Committee. It has incorporated the points mentioned here. The final version, which may be submitted before 31st January 2018, will also be posted on naavi.org, whether or not it is considered by the committee.

Post Script:

We close the recollection of the public consultation exercise held in Bangalore on 13th January 2018 here. We might not have recollected all aspects of the discussion. Any omission is not intentional. I invite other participants to add their comments, if any.

We shall continue to submit our own thoughts on the subject here in the coming days as well.

Naavi

Links to all three parts of this report of the consultation are available here:

Part I

Part II

Part III

(This is a continuation of the previous article)

2. One of the questions that arose during the discussions was on the “Data Breach Notification requirements” under the proposed act.

There was one concern of the industry that “Data Breach” reporting to the data subjects should not be mandated and even if required it should not be as immediate as notification to some industry authority etc.

This is a standard response from industry whenever data breach notification is suggested in any data protection act. Industry wants to protect its reputation by sweeping the data breach notification under the carpet. While most industry players would jump at Aadhaar leakage when reported, they would not like a breach in a Bank coming out in the open. Hence the demand that they should be exempted from notification of data breach to their customers.

Some industry players also brought out the issue of a need for time to determine whether a “Suspected data breach” is actually a “Data breach”, whether a “Data breach” is not exactly a data breach but only a “Denial of Service attack” etc and argued that industry should not be forced to report a data breach before it is confirmed.

However, the industry agrees that most data breaches need to be confirmed with an audit, and many times the recognition of the data breach itself takes months and, after the recognition, the completion of the internal audit takes several more months. If therefore the industry demand in this respect is to be accepted, then a data breach will never become public for more than a year.

Industry is however not averse to sharing some potential breach information with an industry organisation, because they know that the industry organisation can be manipulated to hide the information of the data breach. For example, many WannaCry attacks on ATMs of Banks were never reported by the Banks and the public never came to know of them. Even a major cyber attack on a Bank after the SWIFT system hacking in Bangladesh was pushed under the carpet. Given an option, even the UIDAI would prefer not to publicise the data breach reports on UIDAI because it hurts the reputation of the system.

The strong opposition to data breach notification to the data subjects itself indicates that it is a very effective deterrent that industry would not ignore. Hence it is absolutely essential that this data breach notification must be incorporated in the law as a mandate. The time limit in other international regulations is around 30 to 60 days, and it would be necessary to make a provision for “Public Notification” before 30 days.

In case there is difficulty in confirming the data breach because of the need for an audit etc., the notice can say that the investigation is in progress and that the notice is a “Provisional Notice”.

Some persons also raised the issue of “Cost of Data breach notification” to the data subjects. The notification can be made

a) Through advertisement

b) Through notice in the website of the Data Controller

c) Through a notification in the Data Protection Authority website

d) Through e-mail

In order to further reduce the cost of “Advertisement”, a suggestion was made to the effect that the Data Protection Authority can create a broadcast platform. A mention can however be made that such services are already available at www.cyber-notice.com along with Section 65B certification. Industry is yet to recognize the potential of the service, and perhaps a need for mandatory data breach notification would make the industry realize the need for such services.

(Will be continued)

Naavi


During the discussion on the Data Protection white paper in Bangalore on 13th instant by three members of the Expert Committee led by the Chairman Justice B.N.Srikrishna, several interesting issues came up for discussion. While it is difficult to recall all the points discussed, I am trying to capture some of the interesting points raised along with my comments here.

The comments made here are not that of the expert committee members and should not be construed as views either accepted or rejected by the committee at this point of time. Justice Srikrishna was however a great listener and tried to probe the persons raising questions to understand the issue as much as possible. The ministry representatives have made suitable notes and they are likely to be discussed by the committee later and taken into account before a bill is recommended.

1. One of the suggestions made was that the law should be people oriented and principle based.

Comment: In India, we still do not have a law on Privacy protection. Except for the fact that we know the Supreme Court considers Privacy as a fundamental right of a person under Article 21 of our constitution under “Right to life and personal liberty”, we do not have a definition of what is “Privacy”.

The first question that the Indian Data Protection Act (IDPA) has to address therefore is whether we have one section in which we define what is Privacy, i.e. do we incorporate a clause in the definitions stating “Privacy means…..”.

The problem however is that the nine member bench of the Supreme Court itself did not take up the responsibility of defining what is “Privacy”, and some of the judges in their respective individual orders (not forming part of the final signed collective operative order under the judgement of 24th August 2017, which we refer to today as the Puttaswamy Privacy judgement) made different comments stating different aspects of our life as elements of “Privacy”.

This law therefore cannot take upon itself the responsibility of defining what is “Privacy”.

Currently, the Information Technology Act 2000 (ITA 2000) has a definition of “Personal Information” and “Sensitive Personal Information” and has prescriptions on how it has to be protected by body corporates (under Section 43A), how it has to be collected and protected by intermediaries (Section 79 of ITA 2000), what compensation may be available for wrongful loss arising therefrom (Sections 43, 66, 72A), how long the data has to be preserved (Section 67C), how the data can be intercepted and collected by Government agencies for national security reasons (Sections 69, 79A, 70B), etc. All these are essential ingredients of a Data Protection Act in respect of “Data in electronic form”.

Whether IDPA will also address these issues and, if so, whether it will overlap with ITA 2000/8 provisions is one of the decisions that the committee needs to arrive at.

The IDPA as is being envisaged addresses what is referred to in the Puttaswamy judgement as “Information Privacy”. This definition is dependent on the definition of “Privacy” and a judgmental decision on “Which information relates to Privacy”. For example, will an IMEI number be considered as “Personal Information”? If so, is it simply “Personal Information” (PI) or is it “Sensitive Personal Information” (SPI)? Is an IP address PI? Is an e-mail address PI? Except for “Biometric” or “Password”, there may not be a consensus on what is to be included in or excluded from the definition of PI, and where the line of demarcation has to be drawn between PI and SPI, and whether the classification has to be even further refined as PI-Level I, PI-Level II, SPI-Level I, SPI-Level II etc., needs to be decided.

In such an uncertain environment, the law cannot be “Prescriptive” at all. It has to be necessarily “Principle based”.

Now, if ITA 2000/8 already has “Principle based” “Due diligence” and “Reasonable Security Practice” defined, what does the new IDPA achieve by repeating the same things in a different statute?

In this context, a question arises whether it is a good idea to simply make amendments to ITA 2008 to meet the objectives of the proposed IDPA.

If required, a new chapter can be added to ITA 2008 called “Chapter on Data Protection” to incorporate the requirements of registration of data controllers etc., which are not adequately covered in ITA 2000/8.

(Will be continued)

Naavi
