ITU-APT threatens India…. Government should Ignore and Tighten Data Localization

Hindu Business Line today carries an article stating that according to “ITU-APT”, the data protection Bill as envisaged may impede the rights of foreign nationals.

The report also carries a threat that foreign jurisdictions may bar the use of servers located in India.

This threat has come in the form of a letter written to the TRAI.

ITU-APT Foundation of India claims to be a non-profit, non-political, non-partisan industry foundation registered under the Societies Act in India. The parent organization is a Geneva-based international organization with a presence in other countries such as the USA. The representation appears to have been led by Facebook/Meta.

While we do not have a copy of the representation, the Business Line report indicates the following views expressed by the Association in the letter.

  1. The DPB 2021 does not contain provisions that prevent Government access to data of foreign nationals stored in India.
  2. The draft law will hamper user rights and could prevent cloud service providers and other entities from locating their servers in India
  3. “Critical Personal Data” (a term that is yet to be defined) cannot leave except in very limited circumstances such as health and emergency services or where the Central Government allows such transfer.
  4. The association contends that the draft DPB 2021 currently does not expressly consider the case where personal data may be located in India due to localization requirements but could be subject to the laws of the country in which such data originated. It does not address the possibility of Government access to such data in a way that overrides the protection provided to personal data in other jurisdictions. This may, in turn, hinder the ability of cloud service providers and other entities to locate their servers in India, as foreign jurisdictions may bar them from doing so on account of data security concerns (for instance, due to the inability to get approval from foreign jurisdiction regulators to store data in India owing to concerns such regulators may have about protection of their citizens’ data).

We are not clear whether this representation has been made by the parent body directly or by the local arm, of which Shri Tilak Raj Dua is the Chairman and Shri Bharat Bhatia the President.

We would, however, like to point out that the argument of the organisation is based on an incorrect interpretation of the Bill, and we would like to explain why we feel that India requires a stronger Data Localization law than what is proposed in DPB 2021, in the light of the risk highlighted by the Russia-Ukraine conflict.

Russia Ukraine Conflict has exposed a new Risk

We do not want to go into who is correct or who is wrong in the Russia-Ukraine/NATO/US conflict. We do not want to argue whether USA’s destruction of Iraq suspecting nuclear arms was justified, or whether Russia’s invasion of Ukraine suspecting Bio Weapon factories run under US patronage (like the Wuhan lab which could have manufactured the Covid virus) is more justified.

We can however focus on the action of many US companies which stopped services not only in Russia but also in India to private companies who had some business commitments to fulfil.

It is the prerogative of these companies to join a war for any cause, but when their interests threaten Indian interests, we need to recognize it as a risk. Today we have recognized that there is a “China Risk” in depending on Chinese telecom equipment. But a similar risk appears to have emerged in the services of US companies. VISA, for example, stopped its card processing services in Russia. What prevents them from bringing similar pressure on India if they are unhappy with the RBI regulation on data localization?

If Facebook exits from India, there is no problem. It would be a blessing in disguise for Indian society. But what if Microsoft or Adobe is arm-twisted by the US Government to stop their services in India through the backdoors they maintain in their software?

Microsoft and Apple also hold a huge amount of data collected through their “One Drive” feature, which is more or less mandatory for users. Google again is another US company which holds data about Indians beyond what is reasonable. If they ever stop access to such data, then Indian citizens and the Government will feel the real pinch of an Information war.

Is there a guarantee that these companies will not join a war in a fit of anger over India’s Kashmir policy, or if Pakistan disintegrates and Baluchistan requests India’s help on humanitarian grounds to be liberated like Bangladesh?

Like the US sending their aircraft carrier during the Indo-Pak war of 1971, what is the guarantee that all Windows computers in India will not stop working and all Adobe PDF documents will not vanish?

To counter such risks, however remote they may be, India needs to take action through its current law, namely ITA 2000, as well as the proposed Data Protection Law.

In this background let us see if ITU-APT’s objections hold any value.

  1. ITU-APT says that DPB 2021 does not contain provisions that prevent Government access to data of foreign nationals stored in India.

Though it is our sovereign right under which any asset anywhere in India can be accessed in the national security interest, we must draw the attention of ITU-APT to section 37 of the Bill, which states:

Power of Central Government to exempt certain data processors.

The Central Government may, by notification, exempt from the application of this Act, the processing of personal data of data principals not within the territory of India, pursuant to any contract entered into with any person outside the territory of India, including any company incorporated outside the territory of India, by any data processor or any class of data processors incorporated under Indian law.

This section provides that the Government may grant exemption from the Indian law for personal data of foreigners stored in India, subject to a notification. Hence all the arguments built by ITU-APT are false and qualify to be called deliberate misinformation.

It is not, however, necessary that India should become a safe haven where any data processed in India which may pose a global humanitarian threat or a threat to Indian national security cannot be touched by the Indian law enforcement agencies.

For example, if the data pertains to a foreign agency running a Bio Weapon facility anywhere in the world, or is related to the planning of a terrorist activity anywhere in the world, it would be the bounden duty of the Indian Government to investigate, notwithstanding the data being that of a foreign national and being processed on a server belonging to a US entity.

When laws are made, there has to be empowerment for such eventualities along with appropriate checks and balances to ensure against misuse. Presently we are only discussing the basic provisions of the Bill, where for the purpose of empowerment a provision for access under emergent situations must exist. The checks and balances will have to be discussed when the rules are framed by the DPA.

We already have Sections 69/69A/69B/70B of ITA 2000, which ITU-APT should study and raise any objections if they have any. Probably they are not even aware of the law called ITA 2000, which is the current data protection law of India and will continue even after DPB 2021 becomes law.

Hence the objection of ITU-APT on this ground is unfounded.

  2. Regarding the hampering of cloud service providers, it is a business decision that these service providers may take, whether they should have their services in India or not. There will be around 2 years’ time, and India will try to develop its own services for data storage if these cloud service providers want to deny their services.

Even if the cloud service providers are prevented by their respective Governments from storing the data originating in their country in India, it is their choice. If the cloud service providers are aware of technologies called “Encryption” or “Pseudonymization”, they can still use Indian servers and manage the local legal requirements. Perhaps ITU-APT thinks that the companies which need to store data in a cloud are not aware of such access control measures to address the concerns.

We strongly feel that there is no need for the Indian Government to create a safe haven for international data to satisfy the concerns of ITU-APT. We need to take care of our national interests first, and the protection of the legal obligations of the cloud service providers to a foreign country has to be subordinated to Indian interests.

  3. Critical personal data was an empowerment that the Government of India built into the law to protect against contingent concerns. Now the Russia-Ukraine war and the private sanctions of commercial MNCs on other commercial organizations in India, ignoring international law, have underscored the need for this provision to be clarified if required.

Government may therefore declare that

“Critical Data” includes personal and non-personal data, the incapacitation or destruction of which shall have a debilitating impact on national security, economy, public health or safety.

For the purpose of implementing the cross border restrictions on Critical personal data, all organizations handling such data shall be considered as “Significant Data Fiduciaries” and assure the DPA through a registration agreement to protect the Indian interests at all costs.

  4. ITU-APT has not considered the fact that DPB 2021 basically applies only to data that has its origin in India. It does not affect the personal data of a foreign citizen originating abroad and processed abroad.

If such data is brought to India for processing, then the Section 37 exemption as well as security tools such as Pseudonymization, Encryption and Anonymization can be used by the Data Exporter to protect the interests of the foreign citizens.
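The point made here, and under objection 2 above about “Encryption” and “Pseudonymization”, can be made concrete. What follows is an added example of what a data exporter might do on its own side before shipping records to a server in another jurisdiction; it is not code from this post or from any of the organisations named in it. It assumes a constructed set of customer records with hypothetical field names, uses a keyed HMAC-SHA256 token as the pseudonym, and keeps the re-identification vault and the key with the exporter. Encrypting the remaining fields with keys held by the exporter would be the next layer and is not shown, so that the script runs with the Python standard library alone.

```python
"""Pseudonymize and generalize records before they are stored on a server in
another jurisdiction. Added example (hypothetical exporter-side tooling), not
code from the original post."""
import hashlib
import hmac
import secrets

# Constructed sample data held by a foreign data exporter (fictitious people).
SOURCE_RECORDS = [
    {"name": "Anna Mueller", "email": "anna@example.org", "dob": "1984-03-11",
     "postcode": "10115", "purchase_eur": 120.50},
    {"name": "Ben Okoro", "email": "ben@example.net", "dob": "1991-07-02",
     "postcode": "10178", "purchase_eur": 35.00},
    {"name": "Anna Mueller", "email": "anna@example.org", "dob": "1984-03-11",
     "postcode": "10115", "purchase_eur": 19.99},
]

# Fields that identify a person directly: these never leave the exporter in clear.
DIRECT_IDENTIFIERS = ("name", "email")
# Quasi-identifiers: coarsened before export so they no longer single anyone out.
QUASI_IDENTIFIERS = ("dob", "postcode")


def pseudonym_for(email: str, key: bytes) -> str:
    """Keyed, deterministic token. The same person always gets the same token,
    so records stay linkable for analytics, but without the key the hosting
    side can neither recompute nor reverse it."""
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()[:16]


def generalize(record: dict) -> dict:
    """Replace exact date of birth and postcode with coarse bands."""
    year = int(record["dob"][:4])
    return {
        "birth_decade": f"{year - year % 10}s",
        "postcode_area": record["postcode"][:2] + "xxx",
    }


def prepare_for_export(records, key: bytes):
    """Split each record into an exportable part and a vault entry.

    Returns (exported, vault). `exported` may be stored abroad; `vault`
    (token -> direct identifiers) stays with the exporter, as does `key`."""
    exported, vault = [], {}
    for rec in records:
        token = pseudonym_for(rec["email"], key)
        vault[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        out = {k: v for k, v in rec.items()
               if k not in DIRECT_IDENTIFIERS and k not in QUASI_IDENTIFIERS}
        out["subject_token"] = token
        out.update(generalize(rec))
        exported.append(out)
    return exported, vault


def leaks_direct_identifier(exported, records) -> bool:
    """Pre-export control: refuse to ship if any raw direct identifier value
    appears anywhere in the outgoing payload."""
    payload = repr(exported).lower()
    return any(str(rec[k]).lower() in payload
               for rec in records for k in DIRECT_IDENTIFIERS)


def reidentify(exported_record: dict, vault: dict) -> dict:
    """Only the exporter, who holds the vault, can restore the identity."""
    return {**exported_record, **vault[exported_record["subject_token"]]}


def total_per_subject(exported) -> dict:
    """Analytics the hosting side can run without knowing who anybody is."""
    totals = {}
    for rec in exported:
        tok = rec["subject_token"]
        totals[tok] = totals.get(tok, 0.0) + rec["purchase_eur"]
    return totals


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and retained by the exporter
    exported, vault = prepare_for_export(SOURCE_RECORDS, key)
    assert not leaks_direct_identifier(exported, SOURCE_RECORDS)
    print("exported:", exported[0])
    print("totals per token:", total_per_subject(exported))
    print("re-identified by vault holder:", reidentify(exported[0], vault)["name"])
```

Run as a script, it prints one exported record, the per-subject totals that the hosting side can compute without knowing any identity, and a re-identification that only the vault holder can perform. The `leaks_direct_identifier` check is the kind of control a regulator in the originating jurisdiction would expect to see evidence of before approving storage abroad.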

There is no need for India to dilute its laws for the sake of data exporters from other countries who do not want to invest in appropriate security technology.

It therefore appears that the representation of ITU-APT is devoid of merit and has to be rejected.

I request the TRAI not to initiate any action in this regard. Additionally, we urge the Government to tighten the Section 33/34 provisions of DPB 2021 and make it mandatory that a copy of all data transferred out of India henceforth be kept in India. Additionally, as recommended by the JPC outside the Bill, a copy of all data transferred out of India in the last 3 years needs to be brought back to India.

Naavi



The Uber Autonomous Car Accident… Some additional thoughts

The fatal accident that occurred in March 2018, where the Uber auto-driven Volvo crashed and killed a person walking across the street, has raked up many issues of Technology and Law surrounding the development of driverless cars.

Now a detailed coverage of the aftermath of the accident in wired.com gives an analysis of the technology faults as well as the human issues behind the tragedy.

As per the report, it appears that Uber has been discharged from criminal charges of negligence, and the human driver behind the wheel, Rafaela Vasquez, is blamed for not preventing the accident by timely intervention. The trial will continue and the final verdict may take some more time.

From the evidence discussed in the article, it appears that the Uber software failed to recognize the obstacle and apply the brakes. It is also said that the car (Volvo) had its own emergency braking mechanism which was overridden by the Uber system, and Volvo claims that its system would perhaps have either stopped the car or at least prevented the fatality. This could mean that the Uber system was inefficient compared to the possible technical solution offered by Volvo. This should make Uber vicariously liable for the accident.

However, whether the headlight system of the car was good enough for night driving could be a point of debate, since it could not light up the victim earlier. Whether this was a fault of the Volvo or of the driver in setting the beam is not clear. This does not seem to have been discussed in the legal proceedings.

The video from the dashcam indicates that the victim suddenly appeared in front of the speeding car, and perhaps it would have been impossible for any ordinary driver to spot the victim in the darkness that was around. Hence a similar accident could perhaps have happened with a human driver under similar circumstances.

However it must be recognized that Uber was negligent for many reasons.

Firstly, though the testing was not complete, the safety measure of having two persons in the car, one to monitor the driving and the other to assist the driver, was withdrawn. This left the driver alone, and the “Automation Complacency” factor kicked in.

Secondly, real-time monitoring of the driver was not resorted to, for fear of being considered “Spying”.

Thirdly, monitoring of the driver’s behaviour through log monitoring was not good enough.

It is interesting to note that the driver refers to herself as the “Operator”. The driver was not driving her own car, and hence she was on duty when she was “Operating” the automated machine. Hence there was no Privacy issue and no “Spying”. It was the duty of Uber to monitor the automated machine and its operator as a single unit of work, which Uber failed to do.

It is unfortunate that Uber, instead of taking the blame on itself, made the “Operator” a sacrificial goat. The fact that the victim herself was grossly negligent, and that jaywalking across the road on a dark night was a contributory factor to the accident, should protect the “Operator” from the charge of negligence.

Hopefully the trial with the Jury will find the “Operator” not guilty and accept the death of the victim as an essential sacrifice for the development of technology. However, technology companies need to set the bar for declaring a software “Safe” at a much higher level than what they may be doing now, and their liability should continue even after releasing the software. In this case the software was still under testing, and hence the liability of Uber should have been recognized without much argument.

Though Uber has made a monetary settlement with the victim’s family, it is unfortunate that they have not protected the “Operator”, who became the second victim of the accident both legally and financially. She ought to have been provided with a lifetime financial settlement and legal support to bail herself out of the charge of negligence, even with her own lawyers.

This case should establish that any software developer who produces an AI-led system should inherently be made vicariously liable both for the victims of malfunctioning as well as for the operators who had minimal control over the prevention of accidents.

The Cyber Insurance industry would perhaps come to the assistance of the companies to ensure that the cost of technology development ultimately gets distributed.

In the light of this development, the provisions of the Data Protection Act in India requiring “Algorithmic Transparency”, “Security Certification” and the filing of a “Privacy By Design Policy” when personal data processing is handled by automated systems are a welcome step. This will bring better accountability for the companies in at least absorbing the liabilities and preventing unfair liabilities on the user-operators, including the employees assigned for testing.

Naavi


Next Training Program on Data Protection from FDPPI-Cyber Law College

Cyber Law College is conducting the next program on Data Protection Laws in India for FDPPI Certification, starting from April 2nd. Details are as follows:

  1. The program leads to the FDPPI Certification “Certified Data Protection Professional-Module I” and is part of the larger “Certified Data Protection Compliance Management System Auditor/Consultant” (CDPCMS Auditor/Consultant). This program includes two other modules, namely the Module on Global Laws (Module G) and another on Audit (Module A).
  2. The program is based on the new JPC approved version of the Data Protection Bill. It will be conducted online on Zoom platform.
  3. Appropriate reading material would be provided during the course.
  4. At the end of the course an online multiple-choice examination of 90 minutes would be available. Those who are successful will get the certification “Certified Data Protection Professional-Module I”.
  5. The course content would be as follows:
    1. Evolution of Privacy Laws in India
    2. Applicability
    3. Obligations of a Data Fiduciary
    4. Rights of Data Principal
    5. Exemptions
    6. Restrictions on Data Transfer outside India
    7. Penalties and Offences
    8. Data Protection Authority
    9. Adjudication and Cyber Appellate Tribunal
    10. Data Audit

Registration can be done here.

  6. The fee for the course is Rs 12,000/- plus GST of Rs 2160/-. Total Rs 14160/-.

  7. Those who attended the FDPPI-IACC seminar on April 4th are entitled to a discount of Rs 2000/-, and the fee payable by them would be Rs 10,000/- plus Rs 1800/- (GST). Total Rs 11800/-. (An email has already been sent to all the registered participants of the program.)

  8. The registrants will also be provided a complimentary “Basic Membership” of FDPPI, which otherwise costs Rs 4000/-.

  9. For further clarifications, if any, contact Naavi.

Naavi


Time to strengthen Data Localization as more foreign Companies become mercenaries


The war in Ukraine may be between Russia and NATO interests, where Ukraine is a willing sacrificial goat. While we can appreciate the resolve of the Ukrainians to join the war directly, the Latvian Parliament approving its citizens in Ukraine joining the fight, and other foreigners travelling to Ukraine to join the war front, are worrying trends.

While companies like Twitter have long been recognized as their own masters, trying to engineer regime changes in countries through fake messages, a new trend that has emerged in the current war is that non-media companies in the US have also joined the information warfare by “Denial of Access” to certain services which they are bound by contract to provide. This is a contractual default under international law, though they may cite “Act of war” as a reason.

For example, companies like Dell and Apple have stopped their hardware supplies to Russia, and some of these are defaults of contracts with parties in other countries. For example, if an Indian aggregator had contracted with a Russian company for an IT service in which some components of Dell were involved, he is now forced to default on the service because Dell is unwilling to fulfil its part of the contract.

A demand was made on ICANN to stop its services which was fortunately rejected.

Now we are told that VISA and MasterCard have stopped their services to Russia. PayPal has also made similar moves.

These private sector companies through their actions have joined the war front in the information sector. They are acting as mercenaries just like the Afghan tribals.

The demand on ICANN is a red flag which makes the Internet system itself less reliable than before. In case companies like GoDaddy or other hosting companies respond to the call of blockage then the Internet blockade of Russia may partially succeed. Russia itself may not be adversely affected since they have a robust internal network and can also connect to the dark web seamlessly.

I would not be surprised if in future Microsoft turns in its backdoors to the US Government or Google passes on all access to Gmail content to NATO.

But there are lessons that we in India have to draw from these developments. The Indian Government and the population are very much dependent on US companies for many critical IT services, including the use of Microsoft products and Adobe products.

Without a proper assurance from these companies, it would be difficult for the country to rely on their services in future.

We therefore need to tighten our laws on the one hand to bind the “Critical service providers” to stand neutral at times of such conflict, and in the long run become more and more self-dependent. This approach to “Atma Nirbhar Bharat” has to be accelerated to avoid India again succumbing to “Colonisation” in the digital global world.

I recently heard one professional suggesting that “Processing” includes storage and hence VISA can continue to store the information abroad without maintaining a copy in India and claim that the “Processing” is not complete. The Government needs to be aware of such innovative interpretations of law to defeat the data protection regulations in India.

In the light of these developments it is necessary for CERT-In to send an advisory that a new Cyber Security threat has arisen, where private sector IT companies are joining hybrid warfare and pose a significant threat to Indian companies and Government entities dependent on their services.

It is therefore necessary for all Indian companies and Government entities to gradually develop alternate technological support bases to ensure that moves by organizations like VISA do not hurt us.

NASSCOM is at the forefront of supporting VISA and MasterCard and demanding that no restrictions are placed on localization of their services. RBI has diluted its data transfer rules to allow “Processing” of financial data outside India, though the processed data must be kept in India.

I request NASSCOM to provide an assurance to the Indian community that the MNCs who are their members do not toe Biden’s policies to the detriment of Indian interests in future.

The Parliament at the same time must restore the Data Localization aspects in DPA 2021 back to the PDPB 2018 version and require that copies of all personal and non personal data transferred outside India must be kept in India and emergency access be made available to the law enforcement authorities under appropriate procedural controls.

The services related to Internet data storage and transmission provided by any company in India need to be declared as “Critical Essential Services”, with an empowerment for the Government to deal with them like other “Essential Public Services”.

By opting to take part directly in the information warfare, the US based companies have lost their case on opposing strict data localization in India. It has become a “Data Sovereignty” issue more than ever before.

We do not have any objection to any country joining the war transparently, like Latvia. However, companies need to always stay non-aligned if they want to work in the international space. Companies having activities in India have to support Indian policies and not the policies of a foreign country. This is the same situation that arose when Hyundai supported Pakistan on the Kashmir issue. If they do not see reason, the law should take care that they do not turn rogue. Today we are afraid of dependence on Chinese technology because it is a security risk. A similar risk perception has now arisen about companies like VISA, DELL and APPLE.

As an immediate step, I urge both NASSCOM and CERT-In to issue a joint notification that activities of IT companies stopping any services to Indian companies on the pretext of the war in Ukraine would be considered an “Unfriendly Act” and flagged accordingly. Such companies must be blacklisted or subjected to higher standards of compliance in case of any Government contracts in future. It is necessary for NASSCOM members to be “NON ALIGNED” in the current situation and toe the policy of the Indian Government.

Naavi

(P.S: The views expressed here are personal.)



Conscription of MNCs into military operations. How should non-aligned countries respond?

One of the issues that has arisen due to the Russia-Ukraine conflict is the collateral damage that is being caused to companies in India because some of the US companies have decided to join the war front by imposing various kinds of sanctions.

India has declared that it remains “Non Aligned” in this conflict and neither US nor Russia has the right to force India to join one of the fronts against its will.

While civilians in Ukraine, out of their patriotic fervour, are welcome to get themselves enlisted in the military, and some foreign Governments such as the Latvian Government have allowed their citizens in Ukraine to join the war front, citizens of other countries are not presently under any obligation to join the war front as front-line soldiers.

Similarly, when we discuss “Information Warfare” as part of the hybrid war, we are considering a Government which is party to the kinetic war using information for propaganda or even conducting cyber attacks as part of its military operations. These are accepted as part of international warfare strategies.

But when civilians or companies try to impose sanctions of their own in support of one of the warring countries, there could be some legal issues of whether they have the protection of the international law for their information war.

For example if Google stops its map services or Dell and Apple stop contracted hardware supplies they are actively joining the war and need to be formally conscripted to the military of one of the warring countries.

We now have situations where an Indian company which has a contract to execute involving components from US companies is stopped in its tracks by the sanctions imposed by the commercial companies. It is difficult to say if this is supported by any contractual clauses, since the US itself today is not (legally) at war and hence the “Acts of War” clause for disruption of service cannot be invoked.

While it is difficult for Indian companies to raise this as a dispute because of their continuing relations with the component suppliers, it is time for the Indian Government to consider the concept of “Deemed Conscription” of a company into the military if it actively takes sides in such a war. If this is not ratified by their respective Governments, as the Latvian Government has done, then the actions of the individuals and the companies imposing sanctions of their own become illegal and qualify for penal action in the respective countries.

Such actions may also qualify as conducting “Warfare” in other neutral countries. Hence Dell stopping supply of computers under a contract and frustrating an Indian company from executing its contract is like bringing the war into foreign soil.

We can understand that the corporate executives in these companies may not think deeply, but the call for ICANN to stop its domain servers for Russia (reported to have been rejected by ICANN) is an indication that “Critical IT Services” may become instruments of warfare without appropriate international legal justification.

Tomorrow if Microsoft jumps into war and stops all Windows servers or Gmail stops all its email services, or VISA stops all its card processing services, the activities of other nations can be crippled.

At a time when we are thinking of a new Data Protection Law in India, it is necessary for us to see if we have sufficient legal backing to defend ourselves against such actions, even if this is purely speculative at this point of time.

I therefore call upon the Government of India to undertake such measures as are necessary to ensure that Indian companies are not held to ransom for settlement of international disputes of which we are not a party.

This could be achieved through declaring “Essential IT Services” such as internet transmission, hosting etc. as “Critical Data”, imposing “Data Localization” and other security measures to ensure that we are not at the mercy of these companies in future.

Naavi


Private Sector should be careful about joining the war front

The developments in the Russia-Ukraine conflict have taken a dangerous turn, where many private sector companies which are “Multi National Companies” providing services across the globe have started joining the “Information War Front”. Accordingly, Google, Twitter etc. are taking steps to attack Russia by withdrawing their services. Now a call has been made to ICANN to stop all Russian domain names.

While one can appreciate the anger of individuals and their reflection in such suggestions, the move has extremely adverse consequences in eroding the faith of citizens of one country on any service provided by a foreign country.

We were all aware of, and complaining about, Social Media Companies like Twitter manipulating the narrative against the Government. But companies like Google were not earlier engaged in any activity which could be called anti-national. In fact, a large number of Government agencies use Gmail as their email service, placing their trust in it. Similarly, companies like Apple, Microsoft, Amazon etc. are considered international companies which could be trusted by both India and Pakistan.

Unfortunately the current developments, where private companies have joined the information warfare which is part of the “Hybrid warfare”, have changed the global outlook on the MNCs. It is clear that these companies cannot be relied upon at times of crisis, and any increased dependence on them is a huge national risk.

The Atma Nirbhar approach to business is therefore essential to avoid this dependency.

In discussing the Data Protection Act, there has been a demand for Data Localization because of the “Data Sovereignty” and the need of Law enforcement to access data related to criminal investigation, terrorism, money laundering etc. The tech companies had convinced the Government to dilute the provisions of the Data Localization from the PDPB 2018 version and even the latest JPC version allows free transfer of data outside India. Companies like VISA process their data outside India and are reluctant to bring back even the processed data into India as required by the RBI guidelines.

These issues now have a new meaning. A doubt arises in our minds: what would be the guarantee that VISA will not stop all processing for Indians, or that Gmail will not freeze all Gmail accounts, if there is a conflict between India and the US? What if Microsoft wants to stop all Windows computers in India for whatever reason that may seem legitimate to them?

These services are not like Twitter and Facebook, which are not essential services. Now the seeds of doubt have been planted in the minds of Indians and every other country that dependence on the Internet itself is an existential risk for the country. This is not an issue of Cyber Security or even of Cyber Warfare between two State powers. This is an issue of trust in business, and it has been lost substantially with the rash decisions of some of the tech companies.

This has changed the world business order and it is unlikely that we will be able to fully restore order to the pre-Ukraine war state.

Now is the time that we start building more and more self dependence at the country level and the pre-globalization principles of trade and commerce have to be restored.

Unless the private companies which have jumped to the war front quickly retrace their steps, the reversal of the globalization process will start now. The best policy for them now is to be “Non Aligned”, so that they walk through the next few days without taking decisions that cannot be justified in the long run.

However, the Government of India has no option but to speed up finding replacements for the Microsoft/Android operating systems, Google Maps and Gmail, the VISA and MasterCard network etc. We may even need to develop an alternate internet network within India so that ICANN cannot threaten the existence of our communication for whatever reason.

Naavi
