
Naavi.org

Building a Responsible Cyber Society…Since 1998

[P.S: This is in continuation of the discussion of the proposed Data Protection Act in India and the public comments invited for the Justice Srikrishna report.]

The EU law on Privacy under GDPR recognizes the “Right to Forget” which essentially means that the data subject can demand that his personal information should be erased from the records in the custody of the data processor/data controller once the data subject withdraws his consent.

Enabling “Erasure” of data is not as simple as it looks since data has a tendency to multiply and spread in different systems within the processing organization and it is often difficult to even recognize where all the copies of data are present. With need to back up data for reasons of disaster recovery and different versions of data getting created during the course of relationship of a customer with a data processing entity, when a demand for deletion comes up, it is difficult to ensure the complete erasure of data.

Further, since data is related to National Security and Crime control, there is a legal obligation to “Retain Data” in many circumstances. There will therefore be a conflict of interest between the need to erase data on request and the need to retain data for control of criminal activities. Even the need for Governance such as Direct benefit Transfer with the use of Aadhaar requires data to be retained and not erased at the request of only the data subject.

Even when Privacy is considered as a Fundamental Right, the law provides for exemptions for security purpose and hence the “Right to Forget” or “Right of erasure” is a concept which cannot be considered for the Data Protection Act.

[P.S: This is in continuation of the discussion of the proposed Data Protection Act in India and the public comments invited for the Justice Srikrishna report.]

Many of the issues connected with Privacy arise out of the complaint that “information collected by a Data Controller” is processed in such a manner that the data subject feels that his privacy has been breached. Hence “Consent” is sought and obtained before collection of information. Section 79 of ITA 2000/8 under its rules has already adopted the procedure of disclosure and consent when an “Intermediary” collects personal data from a data subject in India. The fact that “Consent” should be an “Informed consent” is also well appreciated.

However, most data subjects never care to read the Privacy statements or Privacy policies when presented to them before a specific use of a service. Many service providers also take blanket permissions ignoring the principles of minimal collection and purposeful use.

In the absence of proper legal requirements, data subjects can only try to take legal action against an entity that breaches the law if they can claim damages. But in most cases, damages cannot immediately be recognized and evaluated and hence “breach” can be recognized but not its consequences. Hence there can be no legal remedy in most cases.

When a data protection law is in place, the regulator can take action for breaches even when no damage is claimed by any data subject. Though this provision is available even now under Section 46 of ITA 2000/8, it is hardly recognized as existing. When the new law comes in, since there will be a recognized regulator called the “Data Protection Officer of India”, it will be his duty to monitor the industry and initiate action when required.

Some data controllers may blame the data processors for the breach and data processors may allege that the data controller did not indicate the responsibilities properly in the SLA. Even now many of the data processors in India coming under GDPR allege that they do not have a proper Business Associate Contract from their vendors specifying the information security requirements. Hence the responsibilities cast on the data processors are vague and go without compliance.

The new law should ensure that this “Vagueness” is removed, by making it mandatory that the Data Controller who is the person/entity to whom the data subject provides the personal data and  “Consent” to use that data in a particular manner, take full responsibility for any breach and also mandate that any sub processors are bound with specific instructions which are clear. If the sub processor is also within the Indian jurisdiction, it may suffice to make a reference to the legal provision in toto by referring to the Act. But when the Data Controller and Data Processor are in different jurisdictional areas, it is necessary for the Data Controller to specify in a contract the actual responsibilities related to the processing of any data set/s and not leave it vague.

Assuming that this provision is taken care of, we can expect that all controllers will present comprehensive “Consent Requisitions” whenever online consent is required. They may even justify in the requisition the purpose of collection and how the information will be secured etc. However, in the process the consent requisition will be a long online document which no user is likely to read at length; he will just proceed to click “I Accept” and start availing the service. In some cases the service provider may say that “Continued use of the service is deemed to be a consent of the privacy policy” and provide a hyperlink which the user does not care to open and see.

Such online consents may not be treated as proper “Informed Consent” because they are not digitally signed and also because the likelihood of their having been read and understood before being consented to is low. Since India does not recognize the Click Wrap contract, the acceptance of consent by the click of a button has no legal sanctity. The consent therefore only becomes an “Implied Consent of a dotted line contract”, where the fine print details could be considered voidable at the option of the customer.

Even when such consents are treated as contractually acceptable, the data subject may not be able to decipher the intricacies of the contract and take an informed decision. When multiple parties require multiple types of consents multiple times, there would inevitably be the “consent fatigue” that makes him simply click without a second thought.

Hence the current system of each data controller taking individual consent each time data is required for a specific purpose is not practically efficient.

One of the ways by which we can overcome this is to treat personal data as a property of value to the data subject and every usage as “Licensed Use” with some kind of rewards to be available to the data subject which is proportionate to the benefits that the data user may enjoy. In this concept the data subject actually sells the right to use his personal data for a consideration. However to manage this system, the data subject needs professional assistance and hence there is a role for an intermediary “Who Collects consents and data, keeps it with himself and releases it on specific request to a user as a personal Data manager of the data subject”.

The “Data Manager”, being a professional agency, knows the value of the personal data to different service providers and can maximize the returns to the data subject. It is not necessary that the reward to the data subject is in the form of direct money. It could be in the form of reward points that are exchanged for some valuable service.

Further, the “Data Manager” as an intermediary can act like the “Personal Data Locker” and offer services such as anonymization and pseudonymization as well as providing a limited data set devoid of key identifiers. He can ensure that value addition in the form of data mining and Big Data analytics can be conducted without compromising the privacy of the data subject.

In order to provide an opportunity for such intermediary business, personal data should be recognized as the property of the individual and he should have the right to license it for a price. The proposed data protection act should also recognize and define the role of the “Data Manager” as a business in which the data subject transfers the right to manage his personal data exclusively to one such agency. This role is different from that of the “Data Controller” and “Data Processor” as used in laws such as GDPR. He should deal with the Data Controllers and ensure that they adhere to the principles such as minimal collection, purposeful use, adequate security, removal on completion etc. When he approves disclosure of personal data of his clients, he can ensure that adequate value is returned to the data subject, however small it is.

The Data Manager will subsume the role of the Data Controller to the extent that the data subject provides his consent only to the Data Manager and all that the data controller gets is a “proxy identity”. The linking between the proxy identity and the real identity is in the hands of the Data Manager, and the principles enunciated in our earlier discussions on “Regulated Anonymity” can be used so that only responsible data controllers will get the real identity based premium personal data. Others can get lower valued proxy identity data. Some others may use a limited data set and others the de-identified data. Thus the Data Manager can effectively classify and package data offerings and create value, whereas today the data subject does not get any value for the personal data which he shares with various service providers.
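The tiered model sketched above (real identity for approved controllers, a controller-specific proxy identity for others, a limited data set without key identifiers, and de-identified data) can be made concrete in code. The following is an added illustration written for this page; it is not code from Naavi.org nor from any proposed Act. The record fields, the controller names, the reward points per tier and the choice of a keyed HMAC to derive proxy identities are all assumptions made for the example. The point it demonstrates is that the Data Manager alone holds the secret and the proxy-to-subject links, so two controllers receiving proxies for the same subject cannot link them, and a controller can never be handed a tier beyond what the subject consented to.

```python
import hmac
import hashlib

# Constructed sample record held by the Data Manager; every field and value is made up.
SUBJECTS = {
    "S-1001": {"name": "Asha Rao", "phone": "+91-9800000000", "email": "asha@example.invalid",
               "age": 34, "city": "Bengaluru", "interests": ["books", "travel"]},
}

KEY_IDENTIFIERS = {"name", "phone", "email"}                               # fields that directly identify a person
TIER_RANK = {"deidentified": 0, "limited": 1, "proxy": 2, "real": 3}       # least to most sensitive
TIER_REWARD = {"deidentified": 1, "limited": 2, "proxy": 5, "real": 10}    # assumed reward points per release


class DataManager:
    """Hypothetical Data Manager: holds consents, the pseudonym secret and the reward ledger."""

    def __init__(self, secret: bytes, subjects: dict):
        self._secret = secret      # known only to the manager; never leaves this object
        self._subjects = subjects
        self._consent = {}         # (subject_id, controller) -> highest tier the subject consented to
        self._links = {}           # (controller, proxy_id) -> subject_id, the re-identification table
        self._ledger = {}          # subject_id -> reward points accumulated

    def register_consent(self, subject_id: str, controller: str, tier: str) -> None:
        """The subject authorises release to one named controller, up to the given tier."""
        if tier not in TIER_RANK or subject_id not in self._subjects:
            raise ValueError("unknown tier or subject")
        self._consent[(subject_id, controller)] = tier

    def proxy_id(self, subject_id: str, controller: str) -> str:
        """Controller-specific pseudonym: HMAC over (controller, subject) under the manager's key,
        so two controllers receive unrelated proxies for the same person."""
        mac = hmac.new(self._secret, f"{controller}|{subject_id}".encode(), hashlib.sha256)
        pid = "PX-" + mac.hexdigest()[:16]
        self._links[(controller, pid)] = subject_id
        return pid

    def reidentify(self, proxy_id: str, controller: str):
        """Only the manager can map a proxy back to the real subject (returns None if unknown)."""
        return self._links.get((controller, proxy_id))

    def release(self, subject_id: str, controller: str, tier: str) -> dict:
        """Package the subject's data for a controller at the requested tier, enforcing consent."""
        consented = self._consent.get((subject_id, controller))
        if consented is None or TIER_RANK[tier] > TIER_RANK[consented]:
            raise PermissionError(f"no consent for tier '{tier}' to {controller}")
        rec = self._subjects[subject_id]
        non_key = {k: v for k, v in rec.items() if k not in KEY_IDENTIFIERS}
        if tier == "real":                       # premium: full record with real identity
            package = dict(rec)
        elif tier == "proxy":                    # pseudonymized: proxy id plus non-identifying fields
            package = {"proxy_id": self.proxy_id(subject_id, controller), **non_key}
        elif tier == "limited":                  # limited data set: key identifiers stripped, no proxy
            package = non_key
        else:                                    # de-identified: generalized attributes only
            lo = rec["age"] // 10 * 10
            package = {"age_band": f"{lo}-{lo + 9}", "city": rec["city"]}
        self._ledger[subject_id] = self._ledger.get(subject_id, 0) + TIER_REWARD[tier]
        return package

    def rewards(self, subject_id: str) -> int:
        """Reward points credited to the subject for releases made on his behalf."""
        return self._ledger.get(subject_id, 0)


if __name__ == "__main__":
    dm = DataManager(b"constructed-secret-do-not-reuse", SUBJECTS)
    dm.register_consent("S-1001", "shop.example", "proxy")
    print(dm.release("S-1001", "shop.example", "proxy"))
    print(dm.release("S-1001", "shop.example", "deidentified"))
    print("points:", dm.rewards("S-1001"))
```

A consent registered at the “proxy” tier lets the controller obtain proxy, limited or de-identified packages but not the real identity; the manager credits the subject on every release, which is the “value returned to the data subject” the text calls for.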

This type of parallel thinking can be incorporated in the Indian Data Protection Act so that it does not become simply a rehash of the GDPR or other international data protection legislation.

Naavi

At a time when India is debating a new law on Data Protection, an interesting question has been raised before the Supreme Court about the “Right of Privacy” and whether it extends beyond death. The recent judgement of a 9 member bench of the Supreme Court referred to as the “Puttaswamy Judgement” was hailed as a “Landmark” judgement because it held that “Privacy is a Fundamental Right”.

At Naavi.org, we have discussed the Privacy Judgement in detail. In conclusion, we discussed the need for a proper definition of Privacy before we worry about how to protect privacy. (Refer: “The Privacy Judgement… Conclusion.. Need for Definition of Privacy” )

According to us, it was a failure of the Puttaswamy judgement that it did not define Privacy as a Right and only went about beating around the bush on the “Protection of the unknown and undefined right called Privacy”.

How can we protect a Right without defining the Right itself?

It is not prudent to make a law for protecting a concept which itself is not properly understood and defined. If we attempt to do it, then it will provide endless scope for litigation and will not help honest citizens.

Criminals will however take full advantage of such ambiguous law and ensure that they thrive at the cost of honest citizens.

The mistake committed by the 9 member bench to declare Privacy as a Fundamental Right without a definition of Privacy has now opened the question as to whether the “Right of Privacy” extends after the death of a person.

I hope this lacuna will be corrected in the Data Protection Law that the Government is trying to develop.

Background

It must be recognized that the current issue, namely “Whether the Right of Privacy extends beyond death” has arisen because there is a need to access and verify finger print data of late J.Jayalalitha,  available with UIDAI as well as the Jail authorities in Karnataka to decide on an allegation that her finger print was affixed on a document when she was in a state of health where she was either already dead or was unconscious.

There was a reasonable ground to believe foul play since during the entire period of her hospitalization, access to her was not permitted to anybody other than a small group of people. Even prominent political leaders including Mr Rahul Gandhi and Venkiah Naidu came to the hospital and returned without even looking at the patient.

The prima facie perception which the citizens carried at that time was that the hospital and the Sasikala faction of AIADMK were in collusion and did not declare the true condition of her health. Even the current dispensation of the TN Government did not know her true state of health.

During such a state of doubtful health, she was supposed to have affixed her thumb impression on one of the documents which has now been questioned. It was a reasonable doubt in the minds of the public that the thumb impression was not willingly placed by a person in understanding of the document on which it was placed and hence it was a “Forgery” and a “Fraud”. The fraud is on the citizens of India, both those who like/d or dislike/d Ms Jayalalitha.

Now the honourable Supreme Court has intervened on a petition before the High Court and stayed a request for verification of the genuineness of the thumb impression.

Unfortunately, by granting a stay, The Supreme Court has intervened in a case where Criminal Conspiracy has to be investigated and the only persons who could benefit from this stay are people who want to hide the actual events that surrounded the mysterious death.

Even the UIDAI has wrongly taken a view that it cannot submit the copy of the thumb impression to help in the judicial process and in the process supporting an attempt to protect the secrecy of the doubtful death rather than bringing out the truth.

By trying to protect this questionable request not to grant access to the finger print and proceed with the investigation of whether it was genuine or not, under the garb of a discussion of Privacy, the Supreme Court will be further muddying the waters to an extent that people will question the integrity of the Supreme Court. Let us not forget that some of the Judges who will sit in judgement in this case may be persons who could have acted as Jayalalitha’s advocates in her days in power.

What is Right to Privacy

It is necessary for us to first define the “Right of Privacy”. As a fundamental right, Privacy can only be a Right that a Citizen can exercise against the democratic state committed to a constitution. If one “Fundamental Right” is considered the “Right that extends beyond death”, every other Fundamental Right can also extend beyond death.

If we define Privacy as a “Right to Life and Liberty” there is no logic in extending it to a dead person who does not have life or liberty.

Privacy cannot be equated to “Right of Secrecy”.

In a situation where the person has died, “The right to privacy of the dead person” cannot be extended as “Right to secrecy of the people around not to provide truthful information” or “Right to protect the deceased from loss of reputation”.

There is no doubt that the Supreme Court has powers to give any judgement and nobody can question their wisdom if they say Privacy extends beyond death. They may even quote some international practices and justify whatever they decide.

But if they do, it cannot be seen as anything other than an attempt to protect the secrets surrounding the death of Ms Jayalalitha and to protect those who could be implicated for causing her wrongful death and compounding it with fabrication of documents with her alleged finger print. Hence whatever judgement they come to will be seen with a sense of suspicion and distrust.

The feeling that “I have a sense of Privacy” is a “State of Mind” and not a “State of Physical location”.

Let’s think……

When a person is in the Mumbai local, does he have a sense of loss of privacy because of the proximity of the next person? When a person is all alone in a deserted street in the night, does he enjoy his right of privacy?….

If a human desires to have other people around him in certain circumstances and does not mind them being too close physically, Privacy cannot be a matter that is determined by the physical proximity of the person or Right to access his body or private physical space.

Right to “Peaceful state of mind” is a creation of the person himself and not that of the environment. Hence Privacy cannot be equated to anything physical but can only be a state of mind of a person. If a person feels that he is alone, he will have a sense of privacy even in a crowd. If not, he will not feel “Privacy” even if he is in a graveyard.

Being a “Mental State”, Privacy can only be an experience of a “Living Person” and not a dead person. The Right to protect the information about a dead person can only be a “Right to be protected against defamation after death” and not a “Right to protect Privacy”. Right to be protected against defamation is fine but in the current case, it is not the reputation of Jayalalitha at stake and it is the reputation of the people who were around her at that time which is at stake. This cannot and should not be linked to the Right to Privacy of Jayalalitha living or dead.

It would therefore be appropriate if the stay is vacated forthwith and the UIDAI also directed to assist the judicial process.

I would like to point out that if the Supreme Court makes an exception to this case because they may consider that Ms Jayalalitha dead or alive is a special person, then in every other property case where a dead person’s finger print has been affixed on a document after his death, the perpetrators of the crime will claim protection under “Privacy”. There are many past cases where forensics have proved that such property documents were fraudulent and in future there will be no scope for preventing such frauds.

I hope the Supreme Court will be intelligent and honest enough to understand the consequences of holding the Right of Privacy as subsisting after the death of a person and come to the right decision.

Naavi

The Justice B.N. Srikrishna Committee, constituted on 31st July 2017 to draft a “Privacy Act” for India, has come out with a white paper for public comments. The 243 page report is now in the public domain and seeks public response to every angle of the proposed legislation.

The white paper draws heavily from the GDPR as could be expected and has made frequent references to the Supreme Court judgement on Privacy in the Puttaswamy case.

The deadline for submission of comments is 31st December 2017. Presently the web link suggested for online submission returns a 404 error and hopefully it would be corrected soon.

Written responses can be sent to: Shri Rakesh Maheshwari, Scientist G & Group Co-ordinator, Cyber Laws, Ministry of Electronics and Information Technology (MeitY), Electronics Niketan, 6, CGO Complex, Lodhi Road, New Delhi 110003.

Naavi.org will be analysing the suggestions made and provide its comments and suggestions on the website in due course.

The public are welcome to send their responses to the comments.

Naavi

Presently a lot of discussion is happening in India on “Free Speech” and “Internet Censorship”. In this context I would like the community to be reminded of the case of Zone-H.org which was blocked in India following a defamation case filed under Section 66A by a Hyderabad company called E2 Labs.

The Government of India has been defending its decision to block Zone-H.org behind a decision of the Delhi High Court.

It was a fact that the complaint was filed with a request for an interim order to block the site, which was granted in good faith by the Court until the case could be heard in detail. However the system was managed in such a manner that the respondent living abroad received an e-mail notice to appear in the Court with a notice of less than 24 hours. Obviously this was not possible, and the respondent also did not feel it necessary to spend his money and time to respond. In the process the interim order remained unchallenged and became permanent. (The developments have been summarised by Zone-H.org in this article.)

During the discussions Naavi.org had brought to the notice of the Government of India that there was a prima facie need for CERT-In to implead in the case and put across its point of view to the Court, since there was an apparent accusation that the petitioner had committed some offences including the misuse of a Government department’s name for promotion and fund raising, as well as that there was a hacking of Government websites to create grounds for the petitioner to canvass business. These were serious charges which any sensible Government would have pursued. But the Government decided to ignore these charges and indirectly assisted the complainant in getting the Zone-H.org site blocked. Had these facts/accusations been brought to the attention of the Court, it is possible that the Court would not have given the interim order in favour of the petitioner.

Now that a new PIL has come before the Supreme Court in which the Constitutional Validity of Section 66A of ITA 2008 is being questioned, the Zone-H.org case will come for an automatic review.

The Zone-H.org case was perhaps the first case in which Section 66A was invoked for “Defamation” and hence the current PIL and this case are related. Since the respondent (Zone-H.org) is unlikely to raise this issue, it is unclear how the issue can come before the Court now unless the Supreme Court takes a suo motu decision to consider that the Zone-H.org blocking case is relevant to the current set of cases such as Aseem Trivedi etc. and provides its considered view.