Trump Disrupts US-EU Data Protection Regime

Since Mr Trump took over as President of the USA, we have been anticipating some changes in the Data Protection regime, especially related to the HIPAA/HITECH Act and EU-US data transfer.

The DOGE activity will sooner or later catch up with the operations of the Medicaid and Medicare programs, which were the favourites during the Obama regime, and this could effect some changes in the HIPAA/HITECH regulations. However, this has not happened and we are waiting for the NPRM to be finalized.

In the meantime, the US and EU are at loggerheads politically, and this could affect the EU-US data transfer regime, which can have an impact on India also.

The trigger for this seems to have been noticed now in a decision to reconstitute the FTC’s five-member bench: the removal of two Democratic commissioners has left the Commission with two Republican nominees and without representation from the minority parties.

In the past, the EU has demanded that the US judicial system adapt itself to GDPR regulations and provide two guarantees, namely:

  1. The Law Enforcement agencies shall not have the power to seek the personal information of EU Citizens being processed in USA
  2. The EU Data Subjects shall have adequate judicial remedy in USA against the US based Data Controllers/Data Processors.

There was an uneasy truce on this aspect in the previous negotiations leading to the current EU-US Data Transfer Framework. This is likely to be disturbed by the recent developments, particularly since the two removed commissioners are Democratic party representatives with clout in the EU administration.

Soon this is likely to raise a demand for cancellation of the Data Transfer arrangement and consequential business disruptions.

India receives a lot of Data Processing business from the EU through US Data Controllers. This could be affected if the EU-US data transfer agreement gets suspended or otherwise disrupted. It is interesting that at the same time, the Indian DPDPA is also coming into operation. Whether Indian business will take advantage of the EU-US differences and establish more direct business with EU Data Controllers under GDPR is worth watching.

The Indian DPDPA is flexible and provides for setting up notified Data Processing centers for processing EU data under a GDPR Contract by an Indian Data Processor with an exemption from DPDPA. (ITA 2000, however, is not exempted.) Hopefully, innovative data processors in India will take advantage of the notification of DPDPA to increase their business share with the EU.

Posted in Cyber Law | Leave a comment

States of a Human Being in Cyber Context

The discussions in Chennai on why Cyber Crimes are increasing these days, with individuals transforming themselves into a different mental state when on the Internet, have prompted a comparison of the “Mental States of Cyber Individuals” with the way we normally look at “States of Matter”.

We are all aware of three basic states of matter namely the Solid, Liquid and the Gas. We also know that when the energy in the matter increases further, it reaches the state of “Plasma”. When the energy in the matter decreases to zero degree kelvin, the matter reaches the state of the Bose-Einstein Condensate.

Concepts of physics such as the Matter wave theory of de Broglie, the Heisenberg Principle of uncertainty and the Quantum principles of “Super positioning” and “Quantum Entanglement” have all been discussed here on naavi.org at different points of time with reference to data. We have also discussed concepts like “AI enabled Data Analytics” as a “Complex Data” and several concepts of behavioural analysis including Cyber hypnotism, and adopted them into the Data Protection scenario. We have used some of these concepts in discussing Neuro Rights and Dark Patterns also.

Now a time has come to discuss another concept of Physics namely “States of Matter” in the context of the “Cyber Space”.

I will dwell on it in my new book “The Raise of the Planet of Cyborgs”, where I will discuss how the “Meta State” of an individual transforms into “Cyber State”, “Meta Verse State” and “Augmented Reality State” as different states of existence. Further, there could be new Particles of Data Matter such as the AI enabled Humanoid Robots and the Cyborgs, which are like the Bosons and Bose-Einstein condensates and which need to be understood.

Look forward to such interesting thoughts in the upcoming book which could be a crazy combination of concepts from Physics, Psychology etc brought into the explanation of Privacy and Data. It could be an interesting journey even for me as the author.

Naavi


Suspected Scam at HESCOM?

HESCOM is the Hubli Electricity Supply Company responsible for managing the electricity supply activities on behalf of the Government of Karnataka including management of electricity connections, metering, collection of usage charges etc.

The organization is headed by an Ex-MLA of Haveri, namely Mr Sayeed Azeempeer Khadri. The Managing Director of the Company is Ms Vyshali M.L., IAS (md@hescom.in). Mr Gaurav Gupta, IAS (prs.energy@gmail.com) is a senior Director and Dr Vishal R, IAS (secyfr-fd@karnataka.gov.in) is Secretary to Government (Fiscal Reforms). There are many other Directors on the Board responsible for the management of BESCOM.

I have observed that on 7th March 2025, I received SMS messages from CP-HESCOM about bills payable on the following two accounts.

  1. 2427142 in the name of Nasibsab A Lokapuri for Rs 238/-
  2. 2424310 in the name of F.N. Lokapuri for Rs 208/-

While I had ignored the SMS, I now find that FINTECH companies like CRED have been listing the dues for automatic payment through my accounts with them. I could have ended up making such payments without verification had I not been alert.

I can presume that CRED had my permission to read my SMS and could have picked up the information. However, I do not find any reason why HESCOM should have listed my phone number with the electricity accounts of somebody in Hubli while I reside in Bangalore.

I have demanded that HESCOM provide me the details of how they accessed my mobile number and how they associated my mobile number with two of Hubli’s electricity meters.

It is clear that HESCOM has violated my privacy and the principles of DPDPA 2023.

I have sought an explanation from the MD of HESCOM and have not received any reply for 24 hours. I will raise the issue with other senior Directors also if I do not receive any reply by tomorrow.

I am also apprehensive that this indicates a possible scam to create fake electricity meter accounts to collect “Electricity Subsidy” under the Grihajyothi guarantee of the State Government under fake meters.

I am not sure at this point of time if my other identities such as Aadhaar have also been used in the account, in which case it would appear that I am financially supporting the two Lokapuris of Hubli, with its own consequences.

HESCOM is responsible for any adverse impact of this wrongful linking of my mobile account with unknown meters in Hubli and also for any scams that may be running under the Grihajyothi scheme.

I therefore demand that the officials of HESCOM in Hubli send me full details of who these two persons are, why their meters are being billed to my mobile number, and whether there are any other identity documents of mine associated with the accounts.

I am now sending a copy of this public notice and disclaimer that I have no association with the Nabisab or F.N Lokapuri to whom the bills relate, both through the web and also through email. This may be considered as an official notice to HESCOM.

Naavi


Raise of the Planet of Cyborgs

Yesterday there was an event in Chennai organized by CYSI in which FDPPI was also a partner. It was a well attended program at Anna University Centenary Library auditorium and graced by two Judges namely honourable Justice N Ananda Venkatesan and honourable Justice (Rtd) Mr P. N. Prakash.

The topic for discussion was “Is Cyber Security more essential for Humans or for Information”? Most of the speakers anticipated that we would discuss how the law addresses the need to secure a cyber crime victim and how technology addresses “Security” in terms of “Data” being secured and not the person to be secured.

Everybody, including the speakers, was expecting a discussion on how to balance the security efforts between protecting the Privacy of the person behind data and the security of the data itself in the CIA concept. But it was interesting to note that the entire discussion was diverted into a fundamental discussion on the philosophy of Cyber space. It was perhaps unintended but nevertheless very interesting and probably will be a watershed moment in such discussions in India.

It has always been one of the starting points of our discussions that “Data Security” is not “Securing Data” per se but securing the person behind “Data”. In this regard we discuss how a law like ITA 2000, which is focussed on Cyber Crime prevention, is invokable when there is a cause of action for an individual having suffered a loss on account of some contravention of ITA 2000, whereas a law like DPDPA is more concerned with how an organization protects “Personal Data”.

The discussion in Chennai took an unexpected turn after the Chief Guest honourable Justice Mr Anand Venkatesan raised the fundamental philosophical thought of whether “Cyber Space” is a distinct “Space” different from the “meta Space” we live on and whether a person transfers himself into the Cyber Space when he is in front of the screen. He highlighted how the society is evolving in the use of Internet and why it is necessary for us to think differently when we address Cyber Security.

The introduction of this new thought by Justice Anand was a refreshing revelation of how the society is thinking of this concept whether “Cyber Space” as defined by Mr William Gibson in Neuromancer needs to be re-visited in the context of “Cyber Security”.

Naavi has in the past discussed this in the context of “Digital Contracts” and whether “Jurisdictional issues” in E-Commerce transactions can be settled on the basis of whether the visitor of an E-Commerce website travels from his physical location to the location of the Website owner when he enters into a transaction on the website.

To some extent this has been answered by the ITA 2000 by stating that the “location” from which a message is deemed to have been sent is the “Usual Place of Residence” of the sender irrespective of the physical place from which the message was sent (Section 13 of ITA 2000).

While discussing the status of “Netizens” I have also discussed the concepts of “CiNezens” as a hybrid category of persons who are “Citizens” of a sovereign state while also being “netizens” of a “borderless state”.

This concept also went into the background since the idea that “Cyber Laws are for Netizens” and can be distinct, including punishments such as “Banishing from Cyber Space”, did not get traction, as the rulers of the physical space went on to claim the “Cyber Space” as their own extended jurisdiction like the sea or the airspace around the geographical space. It became a fait accompli that “Implementation of all Cyber Laws” was not for the “Cyber Space” but for the “Residents of the Physical Space using Internet”. Hence, though the Internet had no geographical boundaries, Internet laws created jurisdictional boundaries artificially.

Now Justice Anand pointed out the “Psychological” perception of an Internet user and how he immerses himself in a Cyber Transaction and forgets the world around him even without an AR device or a Meta Verse interaction.

While discussing the “Blue Whale” game and finding a rationale for the victim’s behaviour, I have often referred to the concept of “Cyber hypnotism”. I have also alluded to the same principle to rationalize the recent “Digital Arrest” cases also.

While discussing “Artificial Intelligence Regulation”, I have also discussed the thought that AI is just a software and the Section 11 of ITA 2000 attributes it to an individual and therefore all legal consequences that may be attributed to an AI can be attributed to the human behind the AI and consequently, there is no need to discuss if AI is a “Juridical Person” or not.

While preparing for the event at Chennai I however reflected on how the society is evolving from the days when there were no computers to the current day where Computers and mobiles are the life. As this evolution took shape, the Internet ushered in a concept of “Cyber Space” as a “Binary Transaction space” independent of the “Internet and the device space”. The “Information” became distinct from the device in which it was stored, transmitted or experienced by the humans. This “Disassociation” of the “Information” from the device has also been discussed by me while discussing the Section 65B/63 concept justifying the need for human intervention in the form of “Certification”. This concept syncs with the concept of “Matter wave theory” of de Broglie the Physicist and the concept of “Maya” by Adi Shankaracharya.

While it was easy to answer the question raised in the panel discussion “Is Cyber Security for humans or for information” in one sentence, that even “Information Security” is for the benefit of the humans only, the actual discussions have opened up the “Deemed Cyber Space” concept where a person behaves as if he is in a different world when he is on the Internet. The issues arising out of such “Deemed Cyber Space” will be more relevant in the “Meta Verse” scenario where individuals transform themselves into “Avatars” and interact on the Cyber space.

This thought of a “Deemed Cyber Space” arising the instant a person enters an Internet space such as Facebook or Instagram gives me a new logical explanation of how “Cyber Hypnotism” takes place in the case of “Digital Arrest” instances.

This concept has been discussed by us in another context when we argued for “Neuro Rights” legislation, where we have discussed how by recognizing “Neuro signals” as equivalent to “Binary Signals” (which they actually are), we can extend the ITA 2000 to the manipulation of human thoughts with the use of technology. This thought can be further explored as the creation of the “Deemed Cyber Space”. I will try to explain this concept in greater detail some time later.

Yet another thought I got during the preparation of this topic was whether we, the current day humans, as a society are a dying species and we need to accept the “Cinezens” as part of the current society and prepare ourselves to accept Cyborgs and Super Intelligent AI embedded humanoid robots as part of the society. The end result of this is that the human race as we know it today will become second class citizens shortly and extinct over time, and the world will be ruled by the Cyborgs and humanoid robots. The Cyborgs will be the masters and the humanoid robots will be their servants. By 2026, Mr Elon Musk is expected to send a humanoid robot to Mars, and when this humanoid robot meets the aliens a few decades hence, perhaps it will represent the primitive natives of the then evolving “Planet of the Cyborgs” which Earth will be.

I am not sure whether the audience were able to meet their expectations of the half-day seminar or whether the discussions went tangentially away from the expected topic. However, I was pleased with the vindication of some of my 25 year old concepts and the opening up of some new thoughts for discussion in the future.

Naavi


Shared Brand and Impact of DPDPA

It is a common practice in business that a successful “Brand” tries to monetize its brand value by extending it to other products of the brand owner. The brand owner may operate multiple entities in different locations which will all be part of the same entity.

Sometimes, the brand is also shared with others under a “Franchise” scheme with a different legal entity. Franchise contracts may be of different types. Some franchisors place complete restrictions on the way the business is presented in terms of the decor so that all franchise outlets of a particular brand look similar to the customer.

Where possible, the recipe of the service is also controlled by the franchisor though the execution still remains with the franchisee. This is expected to provide confidence to customers that the service would also be similar across all franchisee outlets of a brand. There could however be situations where the franchisee may have a set of services which are additional to that of the brand owner. The franchisee may or may not properly disclose whether the additional services are within the brand or outside the brand.

In the DPDPA scenario this popular marketing concept brings its own complications if the franchisee collects personal data of customers, stores it, processes it, shares it with the brand owner, transfers it across borders etc. Often data breaches occur at the franchisee unit, and liability under DPDPA may also come into question.

Since franchisee units are owned by a different legal entity, the role of the franchisee unit may be that of a “Data Fiduciary” in respect of personal information collected. The customer however provides his information and permissions to use based on the perception that he is providing it to the brand owner.

Currently DPDPA recognizes the role of entities as “Data Fiduciaries” when the purpose and means of processing of personal data is determined by an entity. When more than one entity is involved in determining the purpose and means, all may be called “Data Fiduciaries”.

DGPSI, the framework of compliance has coined a term “Joint Data Fiduciaries” for such contexts though the term is not used in DPDPA 2023 or its rules at present.

However in cases where the Franchisee has complete control on the services or part of the services, the brand owner will be lending his name but not determine the purpose or means of processing.

In such cases the franchisee should ensure that there is a separation of services within the brand and outside the brand so that there is no “Consumer Confusion” which is a trademark violation.

However, if the disclosure is not adequately highlighted, the consumer may consume the services only as a part of the services from the brand owner. When consumer complaints arise in such cases, it will be natural for the consumer to raise the complaint against the brand owner and not on the entity that delivers the branded service.

This raises a huge responsibility/liability for the brand owner since the service contract may not cover all the liabilities that are associated with non-compliance with DPDPA 2023, either because the “Faulty contract” is the responsibility of the franchisor or because the resources of the franchisee may be inadequate.

In terms of “Risk Management”, in such cases the franchisor holds “Unknown Risks” for the activities of the franchisee.

DGPSI considers that such cases need to be covered both by contract as well as the prominent disclosures (like in a dotted line contract with a dominant party). To address such situations DGPSI recognizes the franchisor as a “Super Data Fiduciary” as he is a “Data Fiduciary” of “Data Fiduciaries”.

Surprisingly, this situation arises in more situations than we recognise, whether it is the Telecom Marketing agent or the Insurance marketing agent or a Bank marketing agent calling on you as a representative of the service provider and not disclosing that he represents a vendor. It also applies to hospitals with independent doctors as consultants, Taxi service aggregators, or the Hotels under common brand name such as OYO, Fab etc.

This interpretation comes out of the unique DGPSI framework of compliance which is rightfully called the “Crown Jewel” of DPDPA Compliance frameworks.

It will take some time for other frameworks and even the rules under DPDPA 2023 to add the term “Super Data Fiduciary” to their lingo. But at present it is the endeavour of Naavi to develop “Jurisprudence on DPDPA” through the DGPSI framework.

When such franchisors evaluate themselves for “Significant Data fiduciary” status, they should consider both the volume of data processed by all franchisees and also the “Risk of the Unknown” and self determine that they are “Significant Data Fiduciaries”. When an officer is appointed by MeitY to issue clarifications, it is better MeitY refers to DGPSI for determining the status of an entity as “Significant Data Fiduciary” or not.

Naavi


Instrumentalities of State in DPDPA 2023

It is a constant complaint of some Privacy observers that the Government of India has exempted itself from DPDPA 2023 unfairly. However, we have been pointing out that the exemption that Government agencies enjoy under Section 17(2) states that the provisions of this Act shall not apply in respect of processing of personal data

“only by such instrumentalities of State as the Central Government may notify and in the interest of sovereignty and integrity of state, friendly relations with foreign states, maintenance of public order or preventing incitement to any cognizable offence relating to any of these (Meaning related to sovereignty, integrity of state etc) which are part of Article 19(2).”

Hence, to avail of such an exemption, an appropriate notification may be necessary, and not all instrumentalities of state can claim an exemption.

However, in this context we have received a well-written report developed by Ms Mohini Trivedy as a part of her Internship work at FDPPI. Mohini Trivedy is a final year law student of B.A. LLB (Hons) at Vivekananda Institute of Professional Studies (GGSIPU), New Delhi.

Copy of the report will be published here shortly.

Naavi
