Nothing is wrong with Section 17(1)(c) and 17(2)

(This is a continuation of the discussion on the seeking of scrapping of DPDPA and DPDPA rules by three petitioners in the Supreme Court)

Let us now continue our discussion on the petition of Mr Venkatesh Nayak on Sections 17(1)(c) and 17(2) as well as 33(1) and 36, which are sought to be scrapped.

The petition says that Sections 17(1)(c), 17(2)(a) and 17(2)(b) empower “Disproportionate surveillance” by granting sweeping exemptions both to State and Non-State instrumentalities without any objective scrutiny or statutory responsibility, under the garb of crime prevention. It also alleges that the collection can be indiscriminate and can be used for policing using predictive algorithms. The lack of safeguards allegedly fails the proportionality test. The petitioner states that there is no legitimate reason to exempt state actors from being bound by statutory obligations under the DPDPA, even for research and statistical purposes.

Let us recall what the two sections state.

Section 17(1)(c):  The provisions of Chapter II, except sub-sections (1) and (5) of section 8, and those of Chapter III and section 16 shall not apply where—personal data is processed in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law for the time being in force in India;

Section 17(2)

The provisions of this Act shall not apply in respect of the processing of personal data—

(a) by such instrumentality of the State as the Central Government may notify, in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these, and the processing by the Central Government of any personal data that such instrumentality may furnish to it; and

(b) necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with such standards as may be prescribed.

It appears that the learned counsels have either not read the sections diligently or are trying to mislead the Court with wrong statements.

Section 17(1)

Firstly, Section 17(1) does not provide “Sweeping powers”. The powers are restricted to exemptions under Chapter II, which relates to consent and other obligations, Chapter III, which relates to Rights, and Section 16, which relates to cross-border transfer. Even under Chapter II, the provisions of Section 8(1) and Section 8(5) are not exempted.

Section 8(1) relates to the appointment of a data processor and Section 8(5) relates to protection of personal data.

The petitioner’s concern that the data collected for law enforcement would be algorithmically analysed to create biases etc. is a pure figment of imagination, particularly without the processing being done by private sector data processors or joint data fiduciaries.

Further, the purpose related to prevention, detection, investigation or prosecution of any offence or contravention of any law for the time being in force in India points directly to the constitutional exceptions under Article 19(2), which even the Justice Puttaswamy Judgement has recognized. Limited exemptions related to exceptions under the Constitution cannot be called “Sweeping exemptions”. If the petitioner is serious, we can also state that they are making sweeping statements to mislead the Court and implying speculative fears which do not exist.

We should also note that the same exemptions from Chapter II (except Sections 8(1) and 8(5)), Chapter III and Section 16 are also available in many other instances to the private sector, including notified startups, during mergers and acquisitions and during recovery of bad debts by financial institutions. Does the petitioner also allege that these private sector agencies enjoy sweeping powers of surveillance?

It appears that the petitioners have failed to understand the exemptions properly.

Section 17(2)

Now let us turn our attention to Section 17(2), which states:

The provisions of this Act shall not apply in respect of the processing of personal data—

(a) by such instrumentality of the State as the Central Government may notify, in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these, and the processing by the Central Government of any personal data that such instrumentality may furnish to it; and

(b) necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with such standards as may be prescribed.

Have the petitioners observed that, for this exemption, the instrumentalities of the State also have to be “Notified”? It does not include all and sundry instrumentalities of the State. Further, such instrumentalities of the State should be processing data in the interest of sovereignty and integrity of India etc., which are exceptions under Article 19(2).

Where is the exemption to “Non State Instrumentalities” as mentioned in Ground Y of the petition (page 30), and where is any definition of a “Non State Instrumentality”?

The objection under Ground Y deserves a summary rejection.

For research, archiving or statistical purposes, the exemption is limited to instances where the data is not used to take any decision specific to a data principal. Further, such data has to be processed subject to the standards that have been prescribed under Rule 5 - Second Schedule.

Hence under both Sections 17(1) and 17(2) there are enough safeguards to prevent misuse of data collected under these exemptions.

Why Law Enforcement Agencies need a free hand

I would like to further reiterate that the statement on page 31 of the Venkatesh Nayak petition, para AA, that “There is no legitimate reason to exempt the state actors” for security purposes is complete nonsense. It is the duty of a Government to secure the citizens, and the Right to Security is a fundamental right of citizens that the Government must protect. Criminals have no right to use Privacy as an excuse to hide their activities, nor do the petitioners have a right to support such criminals by raising objections to laws that help mitigate crime risk to society.

Hence the grounds for considering Sections 17(1) and 17(2) as unconstitutional are not tenable.

Section 33(1)

Section 33(1) states

“If the Board determines on conclusion of an inquiry that breach of the provisions of this Act or the rules made thereunder by a person is significant, it may, after giving the person an opportunity of being heard, impose such monetary penalty specified in the Schedule.”

We do not know what the petitioners want if there is non-compliance. Is it wrong for the law to specify a penalty?

The petitioners harp on the use of the word “Significant Data Breach”. This actually restricts the powers of the Board: for insignificant data breaches, the Board should not use the penalty provisions indiscriminately.

Naavi.org has suggested methods including the “Valuation of Data” as a measure of the harm caused, and the decision, if any, is appealable.

Hence the objection deserves summary rejection.

Section 36

Section 36 states

“The Central Government may, for the purposes of this Act, require the Board and any Data Fiduciary or intermediary to furnish such information as it may call for.”

Again the petitioners simply speculate that the section is arbitrary. The Central Government is the administrator of the law and would require many types of information both from the Board and from the Data Fiduciaries. Claiming that this is “Arbitrary”, “Excessive”, “amenable for abuse” etc. is a play of words that has no relevance to the real concerns of the public.

In summary, the petition lacks genuine grounds for challenging either Section 44(3) or Section 17(1) or 17(2) or 33 or 36.

Let us watch further developments in this regard.

Naavi


Public Interest Litigation cannot be discussed without the real public having been given an opportunity to represent

(This is a continuation of the discussion on the seeking of scrapping of DPDPA and DPDPA rules by three petitioners in the Supreme Court)

I refer to the PIL filed in the Supreme Court recently with prayers for scrapping of the DPDPA 2023 as an act and DPDPA Rules.

The petitions are being filed by persons who claim to be representing public interest. However all the past activities of the persons filing the petition are connected to opposing some moves or the other of the Government.

We therefore take objection to them being considered as “Representatives of the Public”. The real public are often nowhere in litigations like these. The Government cannot be considered as the representative of the public in such cases since it is one of the parties, having drafted the law. Hence it is incorrect to leave the entire responsibility of representing the public with the Government.

Sometimes, the Government will only defend the process of law making and does not have commitment to the cause of the law. It may enter into compromises with the petitioners either because the petitioner lawyers are more aggressive or because the Government lawyer may not be able to look at the issue from all angles.

Hence it is our desire that no PIL should be taken note of without giving an opportunity for the “Real Public” to participate.

In one of the recent cases related to Digital Arrest, the Supreme Court had appointed an Amicus Curiae and asked anybody who wanted to express views to send them to her/him.

A long time back (around the year 2001), the Mumbai High Court had taken note of an article in naavi.org (the case was related to Cyber Cafe regulation and prevention of obscenity) as a public view, published it as part of the Court documents and invited views from the public.

We feel that publications in www.naavi.org are to be considered as public views and, even without a formal intervention petition, should be considered as knowledge to be incorporated in the trial.

The Supreme Court should insist that the Attorney General files an affidavit where he confirms that his views incorporate views published by experts in the field on the Internet which are considered relevant for the case.

While these are suggestions for the Supreme Court for the future, at present Naavi has raised a petition under www.change.org with the title “I am the real public in India and I do not support scrapping of DPDPA and DPDPA Rules”.

We may have many suggestions for resolution of the concerns of the petitioners without scrapping of the law and the rules. Our suggestions may also be directed towards the Government if required, which the Government will not consider on its own.

Hence we shall, through these columns in www.naavi.org, present our views meant to resolve the dispute in “Real Public Interest”.

We hope the Supreme Court takes note of our articles here before considering the “Pseudo Public Interest representatives” who may be present in the Court and carry out a high-decibel campaign with the support of vested media interests.

We request readers to support the petition and follow the discussions in these pages which presently rests with the article “Whose Privacy are the Petitioners of DPDPA Challenge Brigade are protecting?“. This discussion will continue and more articles will be placed here for you to respond.

  The petition can be accessed here.

Naavi

 


Whose Privacy are the Petitioners of DPDPA Challenge Brigade are protecting?

(This is a continuation of the discussion on the seeking of scrapping of DPDPA and DPDPA rules by three petitioners in the Supreme Court)

The petitions filed in the Supreme Court against DPDPA 2023 mainly revolve around Section 44(3) and the conflict with the RTI Act. The petition of Mr Venkatesh Nayak restricts its prayer to declaring Section 44(3) as ultra vires Articles 14, 19 and 21 of the Constitution. Additionally, it argues that Sections 17(1)(c), 17(2), 33(1) and 36 as well as Rule 23(2) are ultra vires the Constitution.

In this context, let us see whose personal data is at stake in an RTI application. Is it the personal data of the official who was involved in any of the decisions, or is it the personal data of the public whose personal data is sought to be disclosed in the reply?

We also should verify if there are already grounds in the RTI Act itself on which the provision of information can be rejected even before invoking Section 44(3) of DPDPA 2023.

Let us look at the personal information of the official involved. The official is a public servant and once he is appointed to a public post, the information becomes a matter “Made public” and hence is not covered under Section 44(3) of the Act. This is a matter of interpretation of “Personal Data”, which should exclude data that is made public as a “Business Contact”. The official’s name and designation are similar to a “Business Contact” and hence are outside the scope of DPDPA.

However, the personal information of the beneficiaries of a Government project which is part of the information sought needs to be considered as subject to Privacy Rights.

This can be anonymized before release in which case there is no violation of DPDPA.

Hence if the Government considers that no personal information is disclosed under Section 8(1)(j) other than in Anonymized form, the dispute would vanish.

This can be done through a reading down of both Section 8(1)(j) of the RTI Act and Section 44(3) of DPDPA, stating that disclosure of information of the public during an RTI disclosure shall be consistent with the DPDPA under Sections 7(d) and 17(2)(b).

Under Section 17(2)(b) there is an additional restriction that says that the processing does not include making a decision that affects the data principal. Hence if the objective of the RTI activist is to stop any benefits under any scheme, then the affected Data Principals have to be made parties to a legal request for their information and the department has to send notices to all the beneficiaries that a request has been made about their personal data. Since this would in most cases involve a disproportionate effort, the denial of information is justified under Section 8/9 of the RTI Act itself.

In protecting the RTI of the activist, the Judiciary cannot deny the Right to Privacy of persons who are pawns in the dispute between the RTI activist and the Government. If the petitioners are comfortable with Section 9 of the RTI Act which enables disclosure of information which could result in infringement of Copyright, there is no logic why they should be excessively concerned about the amendment to 8(1)(j) which protects the information property rights of a data principal who is a beneficiary of a Government scheme.

What Section 44(3) has done is to remove the burden on the PIO to decide under Section 8(2) of the RTI Act that “public interest in disclosure outweighs the harm to the protected interests”. This could however be a part of a judicial review, and the RTI applicant who is denied information can proceed to challenge the denial in a Court of law.

If necessary, he can appeal the decision to the CPIO and the State/Central Commission. Hence denial of any information under the Section 44(3) amendment does not infringe any right, fundamental or otherwise, linked to Articles 14, 19, 21 or otherwise. It only diverts one stream of information, which the PIO considers prima facie to infringe on the privacy of a citizen, to a higher standard of scrutiny.

As indicated earlier, the above view does not apply to the identity of the officials who are discharging their duties in an official capacity.

If there is any information of the official beyond the identity which can be used for alleging corruption etc., then his own privacy rights should naturally be applicable along with the intention of the RTI being treated as “litigation”.

Hence the petition of Mr Venkatesh Nayak and others on Section 44(3) can be resolved with a clarification and reading down of the section that it does not apply to the disclosure of the names of the decision makers but only applies to the information of the public.

We shall discuss 17(1)(c), 17(2), 33(1) and 36 as well as Rule 23(2) separately in our subsequent articles.

We need to debate if we do not have our right to get DPDPA and DPDPA Rules retained in public interest as much as the few petitioners want it to be scrapped. The Supreme Court has to settle once and for all how it can decide on the applications of a few advocates claiming to be representing public interest and not involve the larger public to express their objections. Who is representing the “Real Public Interest” should be considered before entertaining the applications of the select few who always oppose the Government. If the background of the petitioners is checked, it would be clear that they only oppose the Government and it is not clear if their intentions are positive to the Country. The real public interest is therefore not represented by them as much as what Naavi or FDPPI represents.

I recall that in one of the old (around the year 2000) cases in Mumbai High Court on Cyber Cafe regulations, the Mumbai High Court had published an article of Naavi.org (at that time naavi.com) along with some other information and had invited the public to send their views. Without any intervention, the Court had involved the “Real Public” to participate in the decision. The Supreme Court should follow similar principles and should not allow the few petitioners to hijack the “Right to Represent the public”.

I am a member of the public and I do not consider the petitioners to be representing my view.

(Please send in your comments if any)

Naavi

 

 


CIO Prime features Naavi

CIO Prime has featured me as the most influential visionary leaders of the year.

Reflecting on the past in the light of this article I recall

1) First book on Cyber Laws in India in 1999 before the law was passed.

2) Creation of www.naavi.org (initially as naavi.com) as a Cyber Law Portal

3) Introduction of first Virtual education through Cyber Law College

4) Introduction of Cyber Law Courses in KLE Law College, SDM Law College, JSS Law College, BMS Law College, St Joseph Law College as well as NLSIU, NALSAR

5) Introduction of Cyber Law for Engineers at PESIT, Bangalore

6) Handling the Cyber Evidence Archival Center and presentation of India’s first Section 65B certificate in the case of State of Tamil Nadu Vs Suhas Katti

7) Handling of S. Umashankar Vs ICICI Bank case through adjudication, Cyber Appellate Tribunal, TDSAT and Madras High Court through 14 years of litigation.

8) Formation of FDPPI

9) Creation of Certificate programs for Data Protection Professionals in 2019

10) Book on “Guardians of Privacy..”

11) Introduction of course on Data Protection at NALSAR

12) Introduction of Data Protection to management students in IIM Udaipur

13) Concept of Naavi’s Theory of Data

14) Introduction of DGPSI (Data Governance and Protection Standard of India)  as a framework for compliance of DPDPA

15) Concept of Data Valuation Standard of India

16) Introduction of DGPSI-AI as a framework for AI regulation

17) Introduction of DGPSI-GDPR taking the Made in India framework to the global scene

18) Introduction of DGPSI-DP to push for voluntary DPDPA Compliance by Data Processors

19) Receipt of the Dena Bank award of public excellence

20) Receipt of the Life time achievement award for Cyber Jurisprudence

21) Receipt of the life time achievement award for Privacy.

There would be many more achievements that could have been missed in the above list.

Nothing gives me more satisfaction than creating DGPSI as a framework for Compliance which is blossoming into multiple dimensions such as DGPSI-AI, DGPSI-HR, DGPSI-DP, DGPSI-GDPR etc.

Hope the list expands further in the days to come.

There are two projects, CEAC Drop Box and Online Dispute Resolution (ODR Global), which still hold huge promises yet to be realized. Hope these dreams come true in the coming year along with a major initiative in DPDPA which should be unveiled shortly.

Reminded of the words of Nehru during our independence: “Miles to go before I sleep, Miles to go before I sleep”.

Naavi

Petitions against DPDPA are “Disproportionate”, “Disproportionate” and “Disproportionate”

(This is a continuation of the discussion on the seeking of scrapping of DPDPA and DPDPA rules by three petitioners in the Supreme Court)

The recent challenge mounted on DPDPA 2023 in the Supreme Court by a few PIL advocates relies heavily on the argument that Section 44(3) of the Act, which amends Section 8(1)(j) of the RTI Act 2005, fails the “proportionality test” in that the need to protect “Privacy” restricts the “need to share information in public interest”.

However, the petitions cumulatively pray that the entire DPDPA 2023 be scrapped and the entire DPDPA Rules 2023 be scrapped.

Where is proportionality in this prayer?

Had the petitioners come with a fair request, they would have asked for a reading down of Section 8(1)(j) of the RTI Act read with Section 44(3) of DPDPA 2023.

The prayers leading to scrapping of the Act and the Rules are therefore “disproportionate” to the requirement even as suggested by the petitioners.

The fears of a “Surveillance Regime” and a “Blanket Ban on release of information required for public good” are a “Disproportionate Speculation” predicting a catastrophe, not supported by any valid reasons.

The expectation that the Parliament that had created the law under Section 8(1)(j) when there was no DPDPA 2023 should not review and revise the provision when a new law comes in is a “Disproportionate Expectation” that law makers do not have the right to make course corrections to the law.

Hence the petitions and the prayer constitute “disproportionate speculation of fear, disproportionate expectation and disproportionate prayer”.

We trust that the Supreme Court first recognizes that the petitioners have not come with clean hands and are seeking a disproportionate solution to an imaginary problem.

We shall demonstrate in the coming articles how there can be acceptable solutions that will meet reasonable speculation and reasonable fear of misuse.

Naavi


New Aadhaar App to assist Age Verification for DPDPA

The UIDAI has launched a new Aadhaar App which, according to the Secretary of MeitY, can be used for age verification under DPDPA. Necessary amendments have been made to the SWIK rules, or the Aadhaar Authentication for Good Governance (Social Welfare, Innovation, Knowledge) Rules 2020, to enable private entities to provide services using Aadhaar authentication on a secure basis.

This was expected and is a welcome move to resolve the difficulty of “Verifiable Consent” envisaged under DPDPA.

The new Aadhaar app is an official mobile application developed by UIDAI that enables digital, offline, and consent‑based Aadhaar verification. Unlike earlier apps, it allows users to verify their identity using Face Authentication or QR scanning without revealing their Aadhaar number. It offers features such as selective data sharing via QR codes, biometric lock/unlock, authentication history, and management of up to five family Aadhaar profiles. The app supports use cases like hotel check-ins, hospital visits, age verification, and gig worker verification.

The new Aadhaar app offers several advantages over older verification methods.

  • Eliminates the need for physical Aadhaar cards.
  • Enhances privacy through masked and offline verification.
  • Faster identity verification for daily services.
  • Reduces risk of Aadhaar data misuse.
  • Works even in low or no‑internet environments.
  • Government‑backed and officially launched by UIDAI.
  • Several personal information updates can be completed using the app without visiting an Aadhaar Kendra.

Naavi

Reference:

The Hindu

About the new App at cleartax
