Naavi.org

We are aware of the subject of “Hypnotism” for a long time. I have been following hypnotism since around 1973 when I first encountered the public shows of Professor Dincoly in Mysore. Subsequently the topic interested me because of its potential in “Age Regression” which was more recently taken up by many TV channels to create a series of episodes involving broadcast of prior birth experiences. After a while public lost interest since they suspected that the shows were stage managed.

I have even obtained a basic certification in hypnotism as a matter of interest.

However, for those who know hypnotism, the fact that an individual gets into a trance and takes suggestions of the hypnotizer to such an extent that physical changes can be seen in the body during hypnosis is accepted and proven.

Just as “Age Regression” into the previous life is a matter of interest, the physical changes that may be induced during hypnosis is also a matter of interest.

The way human brain functions is like a generator of neuro impulses caused by creation of electrical charge like in a battery brought about by what medical persons call “Hormonal changes” which can also be called as “Changes in chemical compositions” within certain body cells. When the electric charge which is built up in a neuron goes beyond a threshold level, the signal is transmitted to the next neuron and the signal gets transmitted. The muscles of the body react to the signals and make changes in their own chemical compositions leading to contractions of muscles that cause movements etc.

When we know for a fact that during hypnotic state the body of a person can be made rigid as steel or his senses can be charged to the levels of smelling sense of a dog etc., it appears that there is enough scientific evidence that hypnotism is real and can induce changes in the body.

One basic theory of hypnotism is that the mind consists of a sub-conscious part which gets activated during the hypnotic trance and suppresses the conscious mind which filters the expressions. This theory explains how lost memory can be brought to surface through hypnotism. In “Narco Analysis”, a person is taken to the hypnotic state through changes brought about by drugs so that the conscious mind that filters the expressions is suppressed and the subject is made to speak truth.

However, the normal theory cannot explain the physical changes that are induced in the body of the subject including suppression of pain and reduction of blood flow through which small operations and tooth extractions can be done without anaesthesia as many hypnotists claim. Also most of the theoreticians used to claim that during the hypnotic state you cannot make a person commit a crime since it is against the normal human’s core attitude.

In recent days these theories are being challenged since we have seen that people in a hypnotic state do commit irrational actions including harming self and others. Hitler is supposed to have used hypnotism to motivate his soldiers and religious fanaticism seem to suggest that it is possible to induce commission of crimes during a hypnotic state.

Now the society is getting further alarming signals through the “Blue Whale” and “Digital Arrest” kind of crimes that “Online hypnotism” is feasible. We also should accept that “Shock and induced panic” is an effective trigger to take a person to a hypnotic state in which he may be persuaded to make payments to the criminals.

To understand this new phenomenon, there is a need to develop a new theory of hypnotism. While I am not an expert in the field, my limited understanding of hypnotism and an attempt to understand the functioning of the human brain suggests that

1.There is a part of the brain called the “fear Center” which when activated becomes hyper active.

2.The activity of the “Fear Center” triggers freezing of the activities of other parts such as “awareness”, “Discretion”,” Self Defence”

3. The fact that some times “Sexual arousal” also dampens the “Discretionary” part of the brain is also well known and hence the saying “Kaamaaturanaam no Bhayam, na Lajja”. Similarly “Anticipatory anxiety” or “Fear” can cause freezing of normal functioning of some parts of the brain which destroys the “Self Defence” capabilities and “Discretion”.

4. Similarly in a state of extreme “Love”, a person may lose his discretion.

While we may leave it to the more serious researchers on how instigation of one part of the brain changes another part let us agree on the fact that “Fear” can induce “Panic” and “Panic” can make people behave irrationally. It is a “Hypnotic Trance” with a difference that negative actions and self damaging can also be triggered.

Let us accept this as a “Hypothesis” now and let the neuro researchers work on validating the same.

If Cyber Crimes can be induced through Cyber Hypnotism whether it is induced through fear, love or otherwise, then the question comes on what is the legal liability for the victim for his actions and of the inducer.

Since brain waves function like binary impulses, the laws of “Binary” documents which is Information Technology Act 2000 can be applied to “Unauthorized Modification of brain waves or reducing the value or utility of information residing inside the brain”. (Derived from Section 43 of ITA 2000).

Also “Authorization” to hypnotize is not an authorization to induce self damage and hence even if the interaction between the victim and the criminal is started on a consensual basis, there is no consent for the misuse. Hence the action of the criminal in inducing a victim to draw funds and transfer is not binding on him . It is an action taken during a state of mind when the person was not in control of his mind. It is like a criminal act in which the criminal gets the victim drunk and get intoxicated and makes him do things that he would not have done otherwise.

The action of the victim under this “Hypnotic State” is like an “Automated inducement” for which the criminal should be considered as responsible. The victim should be considered as immune to such actions.

This is a jurisprudence of Cyber Crime we need to discuss…Open to comments

Naavi

The Government of India has announced that it would launch a Cab aggregation platform where the drivers can directly register themselves free of charge and avoid the exploitation of Uber/Ola. This is certainly a good move and needs to be encouraged.

However we need to also ensure that the system should be made to function successfully and for the benefit of the people and not only for the benefit of the drivers. The reason why Indians took to Uber and Ola is that earlier, we had to have endless arguments with the auto drivers who always asked “Give me something more than what the meter shows”. The meter itself was often manipulated and yet no auto driver ever went out without having a big argument.

Most of us feel that the reason why we chose Uber/Ola is that we donot have to argue with the price.

Even today in Chennai or Bangalore, Uber car price is often competitive with the Auto driver’s demand. This malaise is spreading even to Uber/Ola drivers who refuse to ply to specific destinations and also insist that they be paid directly.

Hence it is not necessary that Sahkar Taxi will only be a blessing. It may bring back the arguments with the drivers who may say the price has not been revised and hence extra amount has to be paid.

Further there is a doubt whether the app will function efficiently and not gobble up multiple payments or whether the cab operators will cooperate. Managing the functional efficiency and security will always be under cloud. Since there is no corporate interest in managing the app, it is doubtful if NIC will be able to manage the app efficiently.

Despite these doubts, I do think it is worth giving a try to this new project and hopefully it will succeed.

I however have one suggestion. While the Government will fix a charge based on distance, whether the cab is electric or otherwise and the price of petrol etc., they should give an option to drivers to provide discounts based on their preferences and integrate it with the app. For example, I am an auto driver in Area 1 and want to go to my house which is in Area 2, I should have an option to set discounts to Area 2 which will enable me get a priority booking. This technical facility is not available presently with Uber/Ola also and can be a separate service by itself.

If this scheme has to succeed, the State Governments also have to cooperate. They should not increase the road tax to fund their own schemes and put the burden on the drivers.

Naavi

Data protection laws such as GDPR or DPO excites professionals who are in the look out for new career opportunities. In particular, the title Data Protection Officer (DPO) is a coveted position which many IT professionals seek. The Legal professionals who normally look at a new law from the perspective of litigation opportunities are also trying to compete with the IT professionals for being a DPO.

We keep getting enquiries from corporate professionals whether they need to be a legal professionals to be a DPO or is it sufficient to acquire a “Certification”. Similarly lawyers working as litigation support executives or “Compliance officers” often question why they are ignored for the position of DPO and feel bad when a technical person who does not know what is the difference between “Consent and Legitimate use” or “Contract and MOU” or “Mediation and Adjudication” is made the DPO and is expected to represent the organization with the DPB on the one hand and the Data Principals on the other hand.

While GDPR being a more prescriptive law than DPDPA, states in greater detail the requirements of a DPO, DPDPA is a law that specifies certain principles and expects the “Data Fiduciaries” to find their own ways to navigate the law.

In GDPR, Articles 37, 38 and 39 talk about the requirements of a DPO.

While DPDPA makes the requirement of DPO mandatory for a Significant Data Fiduciary (SDF), GDPR specifies that where the scope of activities require largescale and systematic monitoring of data subjects or involves special categories of data ( otherwise recognized as sensitive data such as racial or ethnic data, political opinions, religious beliefs, genetic or biometric data, sexual information etc). In a way the requirement of DPO in DPDPA is similar to GDPR except that DPDPA classifies such organizations that require a DPO as a Significant Data Fiduciary rather than the other way round.

DPDPA does not define “Sensitive personal Data” and leaves it to the discretion of the Fiduciary to decide the risks that may be caused by their processing to the rights of a data principal etc.

GDPR prescribes that the DPO shall be designated on the basis of professional qualities and in particular, expert knowledge of data protection law and practices and the abilities to fulfil the tasks referred. DPDPA places faith on the Fiduciary to exercise “Due Diligence” to select the right person with the right knowledge for the post.

The tasks required to be fulfilled by the DPO under GDPR is indicated under Article 39 and makes the DPO the master of the situation in the Company. He is expected to monitor the compliance inform the employees and organizations about developments, provide advice and also act as the contact person for outsiders including the supervisory authority and the data subjects.

The organization is expected to provide the necessary support to the DPO to enable him discharge his responsibilities and enable him act independently. He is also protected by the provision that “he or she shall not be dismissed or penalized for performing his tasks and he shall report to the highest management level”.

GDPR also has a intriguing provision that the DPO shall be bound by “secrecy or confidentiality concerning the performance of his tasks in accordance with Union or Member State law”. What is intriguing is that the “Confidentiality” is stated as if it is in the interest of the State more than the interest of the Company itself. If it was not in the State’s interest, there was no need to add this as part of GDPR articles and could have been left to the organization to take necessary NDA. Probably this is a drafting error which often creeps in when the law tries to be more descriptive than required. India has tried to avoid this problem by not being too prescriptive.

The DPDPA makes four simple provisions that the DPO shall represent the Significant Data Fiduciary under the Act, be based in India, be responsible to the Board and be a point of contact to the data principal.

GDPR does not state locational requirement and allows one DPO for multiple units of a group and he “May be a staff member”. DPDPA specifies that the DPO should be located in India. It is silent about the possibility of one DPO for multiple group activities.

Since DPDPA specifies a “Independent” role for a Data Auditor and does not use the word “Independent” for the DPO, it is presumed that he should be an employee. It is also presumed that every legal entity which is a “Significant Data Fiduciary” will require to appoint a DPO.

Both GDPR and DPDPA recognize that the DPO needs to report to the Board. The Rules appear to suggest that the DPO is only a person who needs to be a contact person for the Data Principals but the need to “Represent” the company and “responsible to the Board” indicate that a DPO has more responsibilities than what is apparent.

While GDPR restricts the corporate freedom of the Controller to dismiss the DPO if required, considering the possibility of malicious damage that a DPO can cause to an organization, DPDPA does not provide any extra constitutional privileges to the DPO.

In the light of the many changes that a DPO is expected to take into account in India, the “Certification” requirement of an Indian DPO is not fulfilled adequately by creating expertise in GDPR. Hence international certifications are considered inadequate. At present the only certification that is structured for an Indian DPO is the C.DPO.DA. program conducted by FDPPI. GDPR does not recognize a separate role for a “Data Auditor” which is required in India.

Look for such certification if you want to be considered “Qualified” to be an Indian DPO or a Data Auditor.

Naavi

India is awaiting the notification of the DPDPA Rules after taking into consideration the public comments. According to some indications the Government may release the notification some time in the beginning of April 2025.

Many companies are waiting for the notification to start their compliance activities but it must be remembered that the first set of rules to come into effect are the rules related to the setting up of the Data Protection Board(DPB). The rules will only enable setting up a “Search committee” which is an action point to the MeitY. Once the two Search Committees are in place, one under the Chairmanship of the Cabinet Secretary will go into the selection of the Chairman and the other will go into the selection of the members. We expect that the Government may start with a Board with atleast 2 members in addition to the Chairman.

It will be only after the DPB comes into existence that necessary infrastructure such as setting up a secretariat, a Website, etc may be undertaken.

It is possible that MeitY may quickly set up,

1. Committee to specify restrictions on transfer of personal data from India to outside India for processing or from outside India for processing in India.
2. Officer/s to be designated under Section 17(2) to determine what data can be processed by the State or an Instrumentality of the State in the interest of sovereignty and integrity of India or security of State etc to whom the provisions of the Act shall not apply.
3. Persons authorized under different laws which empowers the State or an instrumentality of the state is empowered to process data for performance of any function under the law or for disclosure of information for fulfilling any obligation under the law.
4. Officer of MeitY designated for carrying out assessment for notifying any Data Fiduciary or Class of Data Fiduciaries as Significant Data Fiduciaries.
5. Any other Official specifically designated to provide clarifications on the Act and the Rules

Once these measures are undertaken, there will be a digital office of the DPB supported by the members of the Board and a group of employees as well as one or more committees and officers who will constitute a “National DPDPA Governance Body” .

In this context it is interesting to compare this with the framework of regulatory functionaries set up under GDPR.

Under GDPR every member state has set up a “Supervisory Authority” (SA) and the EU has also set up a EDPB (European Data Protection Board) with all the supervisory authorities being members of the EDPB.

While the SA s are entrusted with the responsibility of monitoring and supervising the implementation of GDPR in their respective Member States, EDPB will be supervising the consistency in application of GDPR and other larger policy issues.

EDPB publishes guidelines from time to time on various issues related to GDPR implementation including clarifications on GDPR obligations, Rights of Data Subjects, Data Breach Notification, Cross Border Transfers etc. These supplement the recitals published as part of the GDPR which itself is reasonably elaborate compared to DPDPA.

The SA will have the following tasks under Article 57 of GDPR.

1. Monitor and enforce the application of this Regulation;
2. Promote public awareness
3. Advise, the government, and other institutions and bodies on legislative and administrative measures
4. Promote the awareness of controllers and processors of their obligations under this Regulation;
5. Provide information to any data subject concerning the exercise of their rights
6. Handle complaints lodged by a data subject,
7. Cooperate with, other supervisory authorities
8. Conduct investigations on the application of this Regulation,
9. Monitor relevant developments,
10. Adopt standard contractual clauses r
11. Establish and maintain a list in relation to the requirement for data protection impact assessment
12. Give advice on the processing operations
13. Encourage the drawing up of codes of conduct
14. Encourage the establishment of data protection certification mechanisms and of data protection seals and marks
15. Carry out a periodic review of certifications issued
16. Draft and publish the requirements for accreditation of a body for monitoring codes of conduct
17. Conduct the accreditation of a body for monitoring codes of conduct
18. Authorise contractual clauses and provisions
19. Approve binding corporate rules
20. Contribute to the activities of the Board;
21. Keep internal records of infringements of this Regulation and of measures taken and
22. Fulfil any other tasks related to the protection of personal data.

As we can observe, this is a comprehensive list of responsibilities assigned to the SA. Correspondingly powers are also vested with them including for carrying out investigations, obtaining access to any premises of a controller or processor including any data processing equipment etc besides the power to issue directives and impose penalties.

In comparison, in India the powers of the DPB is limited and most of the above policy decisions have to be taken by the MeitY and the Committees or Officers designated for the purpose.

The powers of the Indian DPB will be restricted to the following.

(a) on receipt of an intimation of personal data breach, to direct any urgent remedial or mitigation measures in the event of a personal data breach, and to inquire into such personal data breach and impose penalty as provided in this Act;

(b) on a complaint made by a Data Principal on a Data Fiduciary or a Consent Manager, or on a reference made to it by the Central Government or a State Government, or in compliance of the directions of any court, to inquire into such breach and impose penalty as provided in this Act;

(c) on receipt of an intimation of breach of any condition of registration of a Consent Manager, to inquire into such breach and impose penalty as provided in this Act; and

(d) on a reference made by the Central Government on a breach by an “Intermediary”, to inquire into such breach and impose penalty as provided in this Act.

The DPB in India will therefore essentially be an “Adjudication Body” to inquire and impose penalties.

While the DPB will have the general powers to conduct Inquiries without being bound by the Civil Procedure code and under the principles of natural justice, it cannot take into custody any equipment or prevent access to any premises.

The DPB can take the assistance of the Police when required for its investigation.

The decisions of DPB may be appealed to the TDSAT and thereafter to the Supreme Court.

While GDPR mentions that there is a right to remedy for the Data Subjects, such compensation has to be claimed from the competent Courts. In DPB there is no mention of the compensation to the Data principal but remedies are available under ITA 2000.

Since the power of DPB is limited to adjudication, most of the policy related clarifications need to come from the MeitY itself through the officers designated for the purpose.

Since any clarification arising from the MeitY will have the force of law, every advisory may be considered a legal prescription and may be questioned in a Court of Law.

Given the nature of litigations in India, we can expect that as and when any circular comes out of MeitY, a battery of lawyers will be trying to find some loophole under which it can be challenged.

To prevent such frivolous litigations, DPDPA Rules has left many issues for interpretation by the industry itself. Since every Data Fiduciary is a “Trustee” and is responsible to take care of the interest of the Data Principal, the legal responsibility to interpret the law lies with the data fiduciary himself.

All Data Fiduciaries need to therefore have adequate documentation and consultation to justify whatever stand they take about their compliance measures.

Naavi

FDPPI is launching its Virtual Faculty led program on C.DPO.DA. in April as a week end course of 18 hours spread over 6 week end days from April 12th. All of you are by now aware of the event and some of you have already registered for the event.

FDPPI in its unique trend of education, has also invited those who are registered for the recorded virtual courses to join this faculty led course without further payment.

Most of you are also aware of the two books “Guardians of Privacy…A Comprehensive handbook on DPDPA 2023 and DGPSI” and “DGPSI, The perfect prescription for DPDPA Compliance”.

However, FDPPI wants all those who sport C.DPO.DA. Certificate to pass an online exam which is a challenge even for experts.

Any body who considers themselves as an Expert in Privacy and wants to be a DPO or Data Auditor and those who have already obtained certificates from other organizations are free to challenge the exam without going through the FDPPI training program.

However, since we value the “Knowledge” more than “Information”, we encourage people to attend the training program and then take the exam and the fee structure therefore is fixed accordingly. (Check for details in www.fdppi.in)

I consider this program as a “Training of the Trainer” program so that all those who want to undertake training on their own for people to prepare for DPDPA Compliance can use this opportunity to discuss with other experts and fine tune their own thoughts.

Hence we request all professionals whether they intend taking this course or not to indicated to me what do they expect in a course of this nature…

The program is for 18 hours and expected to cover the Law related to DPDPA, The implementation challenges, The Governance measures, Audit framework and Compliance maturity Assessment.

We will be glad to conduct the program as per your curriculum.

We will be glad to invite three of the respondents who provide valuable suggestions to a virtual panel discussion during the program so that they can benefit the participants with their wisdom.

Yes… We do what others donot do.. We are different…for a purpose…

(Check for details at www.fdppi.in)

Naavi