Naavi.org

We in India remember August 15 as our Independence day. We also remember January 26 as our Republic Day.  Similarly October 17 is a day to remember as the day when a legally recognized Digital Society was born in India.

On October 17, 2000, the Information Technology Act 2000 (ITA 2000)  was notified and legal recognition was provided to electronic document, digital signature, electronic contracts.  With this and other provisions of ITA 2000, a new society which uses electronic documents for communication  became legally acceptable to the judicial system in India.

Without ITA 2000, an e-mail or a website or an SMS or a WhatsApp message would not be considered as a document equivalent to a document. An offer and an acceptance in electronic document would not constitute a valid contract. We were virtually living in a “Digital Jungle Raj” before October 17, 2000.

Today, we have our Supreme Court  and Parliament streaming its proceedings in Court, Parliament , Companies conducting Board Meetings and AGM on line, Digital Contracts being matters of routine, Virtual surgeries tackling matters of life and death all with an assurance of legal recognition. WhatsApp have been accepted as valid method of sending Court notices and digital money has become the order of the day. We could now move to another world of Meta Verse and humanoid robots in the coming days. Internet has become more a serious world of business and Governance and not remained only a world of fun.

Today’s Digital India therefore owes its existence to the fundamental legal changes that ITA 2000 brought to our society. Irrespective of the amendments made or to be made October 17 will for ever remain as the day to remember because of the tectonic shift that occurred this day in the year 2000.

Naavi has been therefore conducting events on October 17 trying to focus on the importance of the day. This year India is getting ready for an overhaul of Digital India regulations. The new Telecom Bill has already been up for discussion. The new Personal Data Protection Bill could be open for public comments soon and discussions on substantial amendment of ITA 2000 could follow.

To remember the day, Naavi.org and FDPPI have organized a webinar and brought together Veterans of ITA 2000 to share their thoughts on how ITA 2000 has evolved over the last 22 years and how it is likely to move further.

The webinar would start  at 4.00 pm today (October 17, 2022) on the virtual place, here

Join here

You can all participate in this celebration courtesy FDPPI and its supporting members Klickstart Business Solutions & Services LLP and Maruti Quality Management Services.

Look forward to meeting you to celebrate the Digital Society Day of India 2022.

Naavi

JOIN HERE

In the Privacy domain, the “Employee Privacy” is one aspect of Privacy Management that often has a direct conflict with the Data Protection Compliance regime.

Under GDPR we have seen that Courts and Supervisory authorities have  ruled that even an employee who uses “Customercare@company.com” email for personal communication is entitled to privacy rights.

Recently a case has also been reported from Illinois, the freight comapny BNSF Railway Co has been ordered to pay a compensation of $228 million in a class suit on behalf of its employees.

The  decision  handed Wednesday evening in Chicago federal court, came after the first trial under the Illinois Biometric Information Privacy Act (BIPA), a state law which restricts collection of biometric data like fingerprints or retinal scans.

The plaintiff, on behalf of himself and a class of other truck drivers, claimed he was fingerprinted when he entered BNSF’s railyards to make pickups and deliveries and that BNSF violated Section 15(b) of the BIPA by collecting his biometric data without first giving him written notice and obtaining his informed consent.

This decision could mean that the employees of an organization may enforce Privacy rights on par with the public.

A majority of Data Protection Professionals are themselves employees of an organization and hence they would welcome this development. So would be the Privacy Activists.

However, to be fair to all stake holders we need to question this decision of the Illinois Court (as reported in the media).

Employees are privileged persons within an organization. Law recognizes that any errors  and omissions of an employee may create a vicarious liability on the organization.  Employees work under a long term contract built on trust. They create the security systems within an organization and can collaborate with criminals to harm the organization and its third party customers.

Hence there is a need to enforce from security perspective of the company and its customers a strict regime of surveillance on the activities of the employees.

Hence having CCTVs inside an organization, monitoring the computer activity as well as collecting and using biometrics should be considered as “Legitimate Interest of an Organization” and should not be considered as “Privacy Violation”.

What may be required is an assurance based on a higher level of information security so that the employee information collected for a specific purpose of employment is not misused. Using the information to monitor employee behaviour from the perspective of security is however an exception.

Some Data Protection laws like the PDPB 2019 did provide “Exemptions” from Consent for employee monitoring activities required for performance assessment and fraud prevention.

The Illinois case could be one coming under such a requirement where the company wanted only authorized persons to enter the goods yard. Similarly the GDPR case in which an employee misusing the corporate email account for personal use had specifically violated the terms of contract. In such cases there should be no enforceable right to privacy.

It is for this reason that we advocate that “Employee Privacy” should not be equated to “Privacy of Non Employees”. Employees should be informed enough to provide their consent and understand the need for security to give up the  special privileges that comes with the Privacy.

If this right of the employer is not recognized, then employees may tomorrow claim that they will work under pseudonymous ID or even anonymous ID and receive their salaries through Bitcoins and in principle they will have a case to justify.

We must therefore consider that “Employees of an organization are privileged persons and in respect of the personal data shared by them with the company in their capacity as employees should be exempt from provisions of prior Consent (except at the time of onboarding), Rights of Portability, Right to forget. They may continue to enjoy Right to access and  Right to Correction.

Comments and views are welcome.

Naavi

Economic Times carries an interesting article on the “Shape of Things to Come” as the MeitY continues to work on the modified PDPB 2019, stating that “Reworked Personal Data Bill may relax rules on data localization”

The article quotes the MoS, IT, Mr Rajeev Chandrashekar as saying

“Cross-border flow of data will, … be permitted as long as the government is able to access the data legally and such data of citizens is safe even if it is stored in cloud architecture“

The interpretation of ET is that the Government may  change the provision regarding the “Critical Information” being necessarily stored in India.

The PDPB 2019 had already diluted the PDPB 2018 provision of cross border data transfer and removed the need for keeping even a copy of the personal data transferred out of India as long as it is not  “Sensitive”. Sensitive personal data was also freely transferable subject to a copy being retained in India and necessary consent from the data principal. No data has so far been declared as “Critical Data”.

Hence there is nothing to dilute the PDPB 2019 version in this regard as it is already diluted to the core.

As against this GDPR has been strengthening its Data Localization policy and recently even the US bent down to EU and agreed to change its Judicial System to accommodate the interest of EU GDPR. It has agreed to set up a Judicial authority that can be approached by the EU Citizens whose data is processed in USA. It can be expected that this special court will even recognize the supremacy of the EU jurisdiction over such data processed in USA.

Rajeev Chandrashekar has at present not made a statement that indicates such abject surrender of the country’s interest to foreign powers and allow a “Data Colonisation” by EU through GDPR.

If we restrict our interpretation to the words that have been quoted, it only means that the Cloud Operators need to satisfy that Indian Law Enforcement will not be denied access to data when required with the pretext that they are not subject to Indian Privacy laws.  This point is also coming up directly for discussion in the Supreme Court in the Whats App Privacy Policy case and Government cannot take different stands in the draft law and the Court.

EDPB wants Indian Data importers to commit through their contractual agreement that they will not let Indian law enforcement to enforce their rights whether they are the Police or ED or CBI. Most Indian Companies have been quietly signing off contracts with their business vendors to ensure that their businesses are preserved.

In other words, most of the Indian companies are being forced to be more loyal to EU than India. Neither Press nor the Government is aware of this development.

I challenge the MeitY to conduct a survey of data processing contracts entered into by the Indian data processors in the last 3 months and check if they have agreed to revise their SLA s to meet the EDPB guidelines. This will reveal how Indian Companies are quietly ceding data territory to foreign powers for the business they are signing. Most companies are also signing off on indemnities for data breach liabilities far in excess of their own financial capabilities pushing India to “Potential Insolvency”.

If hackers target foreign companies having data processing contracts with India and huge data breaches happen, it would be many Indian companies who will have to foot the bill.

Has information security auditors factored in this incidence of “Foreign Data breach Risk” on Indian Companies?

In my opinion these are questions which every body is afraid to ask.

We therefore conclude that

“Given the security situation in the Country, there is no way India can give into the desires of the EU GDPR to convert India into a Data Colony of EU. This is a national security issue and MeitY has to work within this framework of National Security”.

In the last two months, we have written the following 23 articles indicating what should be the “Shape of Things to Come”.

In these articles we have tried to comment on what “right” has to be protected? how we should define “data”? how we should classify “critical personal data” and how we should approach the “Data Localization” issue.

One of the suggestions made is that Data Protection by law should protect the Right to Security of a citizen of India, retain the need for consent and maintenance of copy of all personal data, processing and storing of Critical Personal data only in India etc.

We have also suggested defining of Critical personal data as

Critical Personal Data means such personal data, deprivation, incapacitation or destruction of which would cause significant harm to an individual and includes biometric data or genetic data or unique official identifiers and personal data under the control of such entities or computer resources whose activities if incapacitated or impaired may have debilitating impact on national security, economy, public health or safety.

I wish MeitY tries  to take into account the views expressed in the series of articles presented at Naavi.org before finalizing its recommendations.

We are waiting for the draft to be released by the Government to make a section by section comment and take on record the areas where there could be need for changes.

Naavi

To
The Honourable Chief Minister of Karnataka
Bengaluru

Dear Sir,

One of your recent decisions make me wonder …”If a person is running a Mandi and allows farmers to display his wares and bring together buyers and sellers, does he become a farmer?”

Kindly clarify.

Why Do I think so?

The Karnataka Transport Department has issued an order stating that Uber, Ola Auto service has to be stopped because they are charging a minimum of Rs 100/- as against the Government fixed minimum of Rs 30/-

Mr Sriramulu the Minister has threatened that he has ordered his officials to seize autos plying in defiance of the order. This gives a free hand to the police to stop every auto and demand information from the auto driver and  increase his collections.

I would like to categorically state that your move to block Uber/Ola auto is not in the interest of the public nor in the interest of Auto drivers. It will make only a marginal dent to the Cab aggregators unless you are arm twisting them for contributions to BJP for fighting  the BBMP elections.

I am a staunch supporter of BJP and Mr Modi but is compelled to call out the decision of the transport department as not in the interest of the citizens of Bengaluru of which I am also a part.

I request you to kindly give a thought to the basic nature of business  which the “Aggregators” are in. The” business of aggregation” cannot be equated to the business itself which it integrates. Karnataka Government has already made this mistake when they last made a law to treat Uber and Ola as “Taxi Operators”. I had pointe out at that time itself that this was a wrong decision. unfortunately, the companies instead of fighting it legally went for some compromised solution and accepted the classification.

Now is a time for correcting this bad decision if your Government can think in terms of understanding the business.

The business chain always consists of different layers of service from producers to consumers. There are farm brokers, transporters, Mandi Merchants, Wholesalers, Retailers etc all of whom have a role to play. As long as they collect remuneration commensurate with the value addition they bring to the business, each is entitled to their profits.

Cab aggregators fall into this category of “Intermediaries” whose job is to bring together the cab operators with the consumers on an online platform and make it easy for the service to be consumed.

They work for their service charges and the benefit for the produce (In this case the transport service by a car or an auto given to  the consumer) goes to the producer (Driver/auto or car owner).  The aggregator also acts as the collector of money on behalf of the driver and passes it onto the driver.  (Ideally, the receipt of money can be split straight away on  and credited to the driver’s account if required).

If the Cab aggregator is cheating on the driver and exploiting him with excessive commission, it has to be checked. But a reasonable commission should be allowed. (I consider 15% as reasonable and not 30% which the Uber/Ola are now charging).

The system brings transparency to the collection system and all cab/auto owners would be happy that the drivers cannot cheat them on the total collection of the day.

At the same time the consumer is happy that he need not bargain with the driver which is the biggest headache which all Bengaluru Consumers are aware and were relived of with the introduction of Uber/Ola services.

The auto drivers who were demanding their own price in excess of the meter may be unhappy that they now have to ply according to the fixed rates . But many honourable auto drivers would be happy with the system which gives them a fair return without the botheration of waiting for a customer and demanding double the meter, refuse plying to a stated destination, get abuses constantly. They can operate intermittently from their home, respond only to calls on the App, switch off the App when they want to spend time with their family and have a good work-life balance.

The most important aspect of this service is that consumers need not go out into the street to look for the auto, wait and keep waving at the moving autos. In case there is any luggage to carry, there is to send an errand boy to go and fetch an auto to take them to the railway station.

I am sure that you and your family must have experienced these difficulties when you were younger and before you became the Chief Minister.

The current decision will now put Bangalore consumers of auto service back to the 70’s and 80’s and make it extremely difficult to commute. Senior citizens living alone are the most affected since they cannot get the autos to their doors.

You are therefore snatching away this door step auto service.

Now coming to the allegation of collection of Rs 100 instead of Rs 30. If only Rs 30 is charged, then do you expect the aggregator to charge no fees?

If you think the commission of Rs 70 is unreasonable and it ought to be not more than Rs 20, I may agree with you just as the 30% commission charged by Uber/Ola is considered double the reasonable figure of 15%.

You have the right to regulate this and through the transparent system of money flow that occurs ensure that the aggregators follow the rule of 15% commission with a minimum of Rs 20/-. You can also either disallow the “Surge charges” or more appropriately allow it with a higher rate of commission of say 25% at level 1 and 30% at level 2 depending on a criteria to determine the level 1 and level 2 situations. If the available supply is too low and below a critical level, surge commission can be made even higher.

Instead of regulating the pricing in such a manner that the driver gets a reasonable return on his efforts and the consumer gets a reasonable price, you are denying them of the service itself.

This will be creating a backlash on your Government and the first signs should be in the BBMP elections when BJP is going to lose heavily.

I therefore urge you to immediately suspend the decision of the Transport ministry and form a “Pricing Committee” for aggregators to fix a more appropriate price structure as indicated above.

The Government now have access to the Open Network for Digital Commerce (ONDC) as an available platform where all the auto drivers can register themselves and ONDC can fix a fair commission for itself and give an outlet for the autos. This will also bring down the competitors Uber and Ola to a more reasonable price structure. If required I thinks you can also use MYn which otherwise would be a disastrous failure. You can also request philanthropic organizations like Tata Neu to start cab aggregation platform (If you donot insist that they will be considered Taxi operators but only Intermediaries under ITA 2000), they and many more technology companies may oblige. Even Amazon would be happy to start a channel for autos.

If you take a decision in this direction, it will bring revolution to the Bengaluru transport system.

I think Mr Tejasvi Surya brought a problem to your attention but your solution was worse than the problem. Even Mr Tejasvi Surya should accept the proposal made above and you can show your statesmanship in retracting the 2014 order of equating the Aggregation business to Taxi business which was bad in law.

If the order is properly challenged by the operators in a Court of law they have a fair chance of winning in their argument as it is discriminatory on the city transport system and spares all other types of intermediary service providers being taxed like the end producer.

Please think over and act wisely to preserve the BJP electoral chances in the coming elections.

Naavi

Karnataka Government has repeatedly taken wrong decisions related to the Uber/Ola service. In 2014, I had written about this in the following article.

Government Fails to understand Uber Business Model

Time has come again to point out once again that Karnataka Government is taking another bad decision in trying to declare Uber-Ola aggregation service illegal.

See report here

We the senior citizens of Bangalore are aware of how the Autos in Bangalore have operated from times immemorial with hard bargaining. No auto trip ever ended without a serious argument at  the end of the journey with the driver demanding more and we refusing to pay more than the meter.  Those were the days when Taxis were never in contention for the middle class.

The advent of Uber/Ola as app aggregators brought relief to this BP raising arguments with the auto drivers and many switched to travelling by taxis which were cheaper than the “Pay Double” demand of the auto drivers.

Karnataka Government then interfered and declared Uber/Ola as “Taxi Operators” and made the technology service more complicated and expensive. The JDS as a political party also contributed to this move besides the greed for more tax collection.

In the recent days, the “Surge Pricing” by Uber/Ola had made the  taxi service once again unaffordable. Our trips from South Bangalore to Airport which used to cost Rs 700/- now have reached Rs 1200/-. The discredit for this inflation has to go to the ill-advised move of the Government.

Now as people started to switch from Uber cars to Uber autos as an alternative to non availability and higher cost of cars, the Government has again poked its nose to ban Uber/Ola autos.

The ostensible reason is that there are complaints about a minimum charge of Rs 100/- as against Rs 30/- fixed by the Government. The solution to this is not banning the Uber/Ola autos but to understand and rectify the issue.

For Consumers if they want to travel a short distance, they need to stand by the road and run behind autos …and beg them to come to their  destination. Even if they agree no auto comes for a short distance on meter. Will the Karnataka Government control this?

On the other hand what happened in the aggregation was depending on the destination, the willing auto would respond and come to the door step. This avoided the need to wait at road ends, send an errand boy to fetch the auto to the door step and the endless argument on how much above the meter one has to pay.

Many times the lack of argument itself is a premium for the service.

The Uber/Ola is an add on service which is optional. A consumer still has the right to stand at the street corner, locate an auto for short distance at a minimum rate of R 30/-.

If he choses the Uber/Ola, he is exercising his choice for a higher grade of service and transparently making a payment.

What needs to be regulated is that Uber/Ola does not appropriate the premium entirely and ensure that the auto driver is equally benefitted.

If more consumers chose the app aggregator, more autos opt for registration, and many respectable persons who run autos can operate independently out of the control of the Autoriksha associations which have the potential to become political groups as we have seen in Chennai.

Think of a house which is 100 meters from the main road and old people or people with luggage to catch autos. Will they prefer bargaining for Rs 30/- or be prepared to pay Rs 100?

Technically also, we should reverse the Government decision to consider App aggregators as Taxi Service and consider them only a “Technology Service”.  Treat them fairly , let them make money out of their service, let them not exploit the drivers and leave the discretion to use or not use the service to the consumers.

I wish the Government order is either withdrawn or a stay is brought on its operation.

We can discuss the regulation where by the practice of the aggregator charging 30% or more of the trip money is reduced to a maximum of 15%. This will increase the revenue of the taxi and auto operators. In the initial days, the charges for Autos was actual meter charges plus Rs 10/- as service fee. If Rs 10/- is too low, it can be raised to Rs 20/-.

If surge pricing is allowed, 75% of the surge should be payable to the driver.

Over and above these regulations, it can be also mandated that charge beyond a limit should be credited as “Cash back coupons” that can be encashed like loyalty coupons within the next 3 months. Some of these may lapse but otherwise it may guarantee further business to the aggregator and hence the scheme should be acceptable.

At present therefore, I urge the Karnataka Government to withdraw the order on banning Uber/Ola auto, which is anti-consumer and will not  be liked by the citizens of Bangalore who have to vote for BJP in the upcoming BBMP election when there is no Modi factor influencing the voting decision.

For the medium and long term we can discuss what kind of monitoring can be brought in to reduce the exploitation of the drivers by the app aggregators

Government should encourage competing app like Myn or encourage Tata Neu to start a new vertical or use the ONDC platform  and recommend drivers to register with them. If these apps donot turn rogue like Uber/Ola and agree to follow the regulations such as

1. Sharing 85% of fare with drivers for normal charge
2. Sharing 75% of surge pricing with drivers
3. Submitting to an audit by a regulatory agency and committing to a regime of penalties

then there will be a win-win situation for the citizens and the drivers.

I request honourable MP Mr Tejasvi Surya to consider these suggestions.

Naavi