India Data Accessibility & Use Policy

While the Data Protection professional circles have been discussing the forthcoming DPA 2021, whether it will be taken up for further discussion in the Parliament or scrapped, the MeitY has sprung a surprise by releasing two documents yesterday, February 21.

They are:

1. Background Note for India Data Accessibility and Use Policy
2. India Data Accessibility and Use Policy

It appears that the Government was waiting for the release of these documents before taking up the DPA 2021 for further discussion to protect the operational interests of the Government entities which will also be required to be compliant with the new DPA 2021. We are aware that while private companies need to move up in their compliance ladder from the present levels to whatever DPA 2021 expects, Government agencies need to start from the zero level. Hence the challenge before Government institutions and Departments was greater than that before the private sector.

In the light of the above, MeitY has tried to formulate a policy for the Central Government and a suggested policy for State Governments in the form of a Framework that can be adopted for Privacy Management. These are likely to be adopted as “Codes of Practice” for Government establishments when the DPA 2021 becomes effective.

This will now have to be incorporated as part of the DPSI or the “Data Protection Standard of India”, which FDPPI is using for Compliance audits.

The Objectives of the Policy as declared are as follows:

1. Maximising access to and use of quality public sector data

2. Improving policy making, evaluation and monitoring

3. Enhancing the efficiency of service delivery

4. Facilitating the creation of public digital platforms

5. Protecting the privacy and security of Citizens

6. Streamlining inter-government data sharing

7. Promoting transparency, accountability and ownership in data sharing and release

8. Building digital & data capacity, knowledge & competency of Government officials

9. Promoting data interoperability & Integration to enhance data quality and usability

10. Ensuring greater citizen awareness, participation, and engagement with open data

11. Enabling secure pathways to share detailed data sets for research and development

12. Increasing the availability of high value data sets of national importance

13. Improving overall compliance to data sharing policies and standards.

Though the policy makes reference mainly to “Data Sharing”, it would also be the policy for protecting the Privacy of the Citizens.

One of the immediate requirements for the Government agencies is to develop an inventory of “Data Assets” which may have to include both Personal and Non Personal Data of Citizens and Employees. It has to be a federated, government-wide searchable database so that duplication is avoided.

An interesting concept is that there will be a new entity called India Data Office (IDO) and every Ministry/Department shall have Data Management Units headed by Chief Data Officers (CDO) which will work closely with the IDO.

Given the responsibilities of the CDO which go beyond the Privacy and Personal Data Protection, it may be necessary for each department to separately identify a Data Protection Officer satisfying the requirements of Section 30 of DPA 2021.

The India Data Officer and the Chief Data Officers will together function as India Data Council (IDC) for coordination. In case the State Governments also join this IDC, it will be like the GST Council and cover all data interests of the nation. However since there are some rogue states which do not believe in being part of the national body, the IDC may remain a Central Government entity. The State Governments can however replicate the system with a State level IDC and State CDOs.

One of the objectives set by this policy is to promote the “Open Data” concept and by default all data of every Government Ministry/Department/Organization will be considered as open.

The exceptions however may be defined and a negative list of data which shall remain restricted would be separately announced.

By focussing on “Data Sharing”, the policy has also considered the possibility of monetization of data available to the Government and a mechanism for Data Pricing and Data Licensing may be developed.

The Policy promotes “Data Anonymisation” and may assist the departments with necessary support including tool kits for data sharing.

In anticipation of the objections from the activists, the policy states that “Any Data sharing shall happen within the legal framework in India, its national policies and legislation as well as the recognized international guidelines” and “All data being shared must ensure compliance to guidelines for legal, security, IPR, Copyrights and Privacy Requirements”.

The policy states that Data shall remain the property of the agency/department/ministry etc and access shall not be in violation of any acts and rules of the Government in force.

The legal framework of this policy will also be aligned with various acts and rules covering data.

We hope the publication of this policy will now clear the path for DPA 2021 being passed.

We welcome the approach of this policy to get ready before the DPA 2021 becomes a law. The policy will require a whole “Data Governance System” to be set up with the IDC, IDO, CDOs and DPOs at the Central Government level and will also pave the way for State Governments to adopt a similar module. Interesting developments to watch.

Naavi


Long awaited measure for relief from cyber frauds

If this system works, we will be able to control a good part of cyber crimes. This will put brakes on crimes involving transfer of proceeds in INR.

Next we need to ban Cryptocurrency to tackle the crimes at the next level.

Naavi


Conspiracy behind “Fresh Legislation” campaign

Yesterday Economic Times carried a report quoting anonymous sources within the Government of India that the Government may shelve the current version of the Bill and go for a fresh legislation.

Today some of the other publications such as the Quint and The Print have picked up the story and re-published the same.

As a result of these reports there is a sudden feeling in the Industry that the Government of India may withdraw the Bill just like they withdrew the Farm Bills. In many professional circles, it is considered that the Government has no commitment to pass the law.

It is difficult for us to vouch for the Government since the Government is always a combination of good intentioned persons with commitment and others who for their own reasons support some “Special Interests”.

It is our considered opinion that the Economic Times article under the by-line of Surabhi Agarwal is a fake planted story.

We may however discuss some of the objections to the Bill that were prevailing earlier when the JPC presented its report and whether the objections cited in the ET article were present at that time.

When the JPC presented its final recommendations there were a few opposition members of the JPC who submitted dissent notes. Some of the comments made by them are briefly given below.

1. Manish Tiwari:

The Bill suffers from a design flaw in that it creates two parallel universes, one for the private sector where it would apply with full rigor and one for the Government where it is riddled with exemptions. I reject the bill in the current form in its entirety.

2. Derek O'Brien and Mahua Moitra:

We oppose the inclusion of the non personal data within the legislation. The Bill provides overbroad exemptions to the Government of India without proper safeguards. We propose amendments …

3. Gaurav Gogoi:

I am in broad agreement with most of the conclusions … However I hold certain reservations … on lack of attention paid to harms arising out of surveillance, Exemption to the Central Government, regulation of non personal data, setting up of state level DPAs etc.

4. Ritesh Pandey:

I am in complete agreement with the recommendations, barring three sections … Section 3(8) (Definition of Child), Section 35 and Section 42(2) (Composition of the DPA selection Committee).

5. Jairam Ramesh:

I am in unqualified agreement with all but two recommendations … Section 35 and Section 12(a)(i) … suggested removal of “Public Order” under Section 35 and addition of the word “Proportionate” in the clause that exempts consent for Government functions.

6. Vivek K Tankha:

Though I am in broad agreement with the recommendations of the JPC, deeper contemplation puts me in doubt in respect of two recommendations … Section 12 and Section 35.

7. Dr Amar Patnaik:

The Bill does not address the concerns on narrowing down the applicability of the provisions of Section 35, separate DPA for States, abolishing of Section 87 (new) on the power of the Government to issue directions to the DPA.

As could be seen from the above, except Mr Manish Tiwari, who recommended the scrapping of the Bill, all others suggested only a few amendments. Most of the concerns expressed by the members were on the powers of the Government under Section 35. The concerns on the constitution of the DPA and independence of DPA were also related to the dilution of the power of the Government in the administration of the Act.

The views of the political opponents of the Government can be understood: since the Act also covers the Government agencies, if an opposition-friendly DPA is formed, the DPA would be a great instrument to question the Government from time to time. It would be politically imprudent and foolish for any Government to provide such a power to an authority outside the Government. Hence we should also appreciate the right of the Government to reject such an extreme suggestion.

The Government has adopted a conciliatory position regarding expanding the DPA selection committee and adding the concept of “Proportionality” under Section 35. Also it is a common practice across the Globe to provide such exemptions to the Government and the Courts in the respective countries lay down the boundaries of “Proportionality”. The objections on Section 35 therefore can be set aside as the necessary political rhetoric.

Leaving these politically motivated suggestions, there are some good suggestions including the delinking of the “Non Personal Data” some of which can still be accommodated during the clause by clause discussion of the amendments.

The ET report however brings out a new theory that the Act is detrimental to the industry and more particularly the Start Ups.

There is no doubt that any new law requiring compliance of the industry results in some compliance efforts including additional cost. Cyber Security itself is a burden on the companies. However, it is the duty of the Government to enact laws that mandate security and this “Personal Data Protection law” is one such.

As regards the importance of “Right to Privacy”, it is for the Human Rights Activists to determine whether India needs to protect this right or not. If some are suggesting scrapping of the current draft, they are people who do not want the law to be effective for a few more years.

We may remember that JPC has recommended 2 years for introduction, and provided 3 more years for Start Ups using the Sand Box scheme to adapt to the law. If 5 years is not sufficient for a Start Up to adapt, then they do not deserve any sympathy. I am sure that ET is firing this salvo on the shoulders of the Start Ups and no genuine start up would like to admit that 5 years is too short a time to adapt to the new law, that too after the world has transformed in 2018 itself when GDPR became a law.

The objection raised by ET is therefore unsustainable and must be considered as a conspiracy along with the Print and Quint to destabilize the introduction of the law.

I would appreciate it if people come out openly that they do not want Privacy because they want to continue the present practice of exploiting the personal data without accountability.

Instead of being honest and directly expressing their wish to be in a “NO PRIVACY PROTECTION REGIME”, raising fake objections on the provisions of the Bill is to be condemned.

I would also like to re-iterate that there is nothing such as “Perfect Bill” and when a Bill tries to address conflicting interests of Privacy, Security and Business promotion, there has to be give and take by each of the stake holders. Law cannot be made one sided even if it is on the side of the individual.

Lest we forget, all fundamental rights exist if the nation exists and hence reasonable exemptions are an integral part of the fundamental rights whether it is article 19 or 21 or even 25.

We therefore should condemn the attempt of motivated journalists to plant false stories notwithstanding the support they may get from NASSCOM which is an industry association.

Behind this conspiracy there could be a larger conspiracy that if the Government withdraws the Bill, certain activists will approach the Supreme Court with a “Contempt of Court” petition stating that Government is not honouring the direction of the Supreme Court and has to be dismissed. The Government should be alert to such a possibility.

Naavi

Also read:

Having a strong national data protection bill will safeguard interests of the Indian Companies- US headquartered Ankura Consulting Group


Will there be another revision of DPA 2021?

Economic Times carried a report today that there is one section of the officials who think that the JPC version of the Data Protection Act 2021 may be shelved and a new Bill may be drafted.

The copy of the ET article is available here

It has been the suggestion of some of the dissenting members of the JPC that the Bill as proposed needs to be shelved completely. This view is now being justified by this story which tries to attribute the story to some sources within the Government.

So far objections were being raised in the name of “Privacy Activists” who did not agree with Section 35 of the proposed Act which gave certain powers to the Government to exempt some agencies under certain specific conditions clearly permitted under the Constitution of India.

Then objections were raised on the “Data Localization” aspect which was non existent.

The present set of objections appears to come in the name of Start Up companies who have specific exemptions under Section 40 of the proposed Act.

The report states that the objection is about the structure of the Data Protection Authority which is labelled as “Very Bureaucratic”. Earlier an objection had been raised that the selection panel which would recommend members of this Committee consisted only of the Cabinet Secretary, IT Secretary and Law Secretary and hence it was meant to create a pliable committee of favourites of the Government. Now that the new provision has expanded the selection board to include academicians from IIT and IIM etc, the earlier objection lost steam and hence a new term “Very Bureaucratic” has been raised.

We may recall that the supervisory authorities in the EU Countries who oversee GDPR implementation are led by a single Supervisory authority as if it is a single member board. This leads to many atrocious decisions, whereas the Indian system has 7 members as full time members with representation from different sections of competence.

The term “Bureaucratic” means that the system is not person-centric like in EU. If the Indian DPA was like the EU supervisory authority the same critics would have criticised it even more. Perhaps what these critics want is to create a “Mini NASSCOM” within DPA so that the vested business interests are represented in the day to day decision making.

Such a structure would not work since the DPA has to take into account the interests of the individuals as well as the Government besides the business.

The reference to “inclusion of Social media intermediaries” as a point of objection indicates that this set of objections is engineered by the Facebook, Google and Twitter kind of companies who are expected to be held accountable for their activities.

The colonial mindset of the report is indicated by the reference to an EDPB report on Section 35 of the Indian Data Protection law.

We are aware that EDPB expects that all non EU countries surrender their sovereign rights to exercise control over data protection activities within their jurisdiction even if they could hurt the sovereignty and integrity of the country in which the data is processed. It expects the whole world to protect the EU interests and EU to be the conscience keeper of the world as regards Privacy.

The ET report also refers to the “Wide ranging access to personal data sought by the Government, Inclusion of Non Personal Data and absence of a time line of implementation.”

It must be stated that the JPC report has a suggested time line and inclusion of Non Personal Data is only an “Empowerment” which could be relegated to the background. The powers of the Government for national security are not a concern of the IT companies who reportedly have raised the objections unless they want to be the mouthpiece of anti-nationals and support the fake news industry like what some social media has been for some time.

It is unfortunate that NASSCOM and DSCI have let themselves be projected as the leaders of this campaign to scuttle the law and want to send another representation to the Government at this stage. NASSCOM and DSCI should appreciate that they are Indian agencies and have to consider the Indian national interest as paramount.

It is ironic that at one time, it was NASSCOM which was pressing for a Data Protection Law in India so that the EU business of Indian companies was not affected and this brought in the 2008 amendments to ITA 2000 which are operative today under Section 43A and 72A. Now the same NASSCOM wants the law to be deferred.

Sections 43A and 72A of ITA 2000 protect both personal data and sensitive personal data and if Adjudication officers exercise their suo motu powers under Section 46 of ITA 2000, the regulator for data protection is already available in India along with the CERT-In which is available for handling data breach. Hence the current laws are adequate to cover most of the aspects of Data Protection as envisaged under DPA 2021 and the industry is raising unsustainable objections against DPA 2021 without understanding that it is an improvement over ITA 2000/8.

The Industry under the leadership of NASSCOM is taking a dangerous stance against “National Security”. The long term consequences of such a stance are inimical to the existence of India as a nation. The Board of NASSCOM and DSCI need to rethink on their stance against DPA 2021.

The EU is threatening Indian business that the transfer of business would be affected if India does not surrender its sovereignty in data protection and this is an attempt to treat India as if it is the colony of these EU countries. It was the same argument which was advanced by NASSCOM when it batted for the changes in ITA 2000 which were incorporated in ITA 2008 amendments.

This attempt of EU with the assistance of local supporters has to be resisted. Mr P P Choudhary, the Chairman of JPC, has already given a fitting reply to their objections and I wish the Government will brush aside the objections of NASSCOM and go ahead with the implementation of the Act as proposed. There is two years' time for implementation and the DPAI can take measures to ensure that the industry feels comfortable. The Act can also be amended some time after three years incorporating the experience of its implementation for at least one year. The Government and the DPAI have the flexibility to defer the penalties or choose to impose only nominal penalties in the beginning so that industry can smoothly get into the new regime.

I once again reiterate that the Government should show conviction and push the passage of this Bill in the current session ignoring the eternal objections that will never cease.

Naavi


Ujvala Consultants to undertake “Bias Auditing” of algorithms

One of the new requirements that has been brought into the Data Protection Audit in India through the DPA 2021 is the need for “Algorithmic Transparency”. Additionally, all devices, both software and hardware, that process data need to carry a security certification from an accredited lab.

The Data Protection Standard of India (DPSI) has been suitably modified to incorporate these requirements.

At the same time, the DPIA and Harm Audit concepts need to be upgraded to include the audit against any possible “Bias” of an automated decision making involved in data processing.

In order to provide a service for third party “Bias Audit”, Ujvala is developing a new line of activity for “Independent third party Bias Audit” of algorithms as may be considered adequate under DPA 2021.

This audit would not be at the Code level and therefore does not involve any IPR risks.

Ujvala is in the process of finalizing technology partners for this line of activity.

Naavi


Metaverse marriage

The Technology Craze has hit a new ceiling in the form of “Metaverse” which is an attempt to create a “Digital Game” and give it “Legal approval”.

In pursuance of this craze, it has been reported that the first metaverse wedding has taken place in India when one Mr Abhijeet Goel, a tech entrepreneur, married Dr Sansriti, a dentist. Abhijeet is located in Bhopal. The wedding is reported to have taken place on Yug Metaverse, a made in India metaverse platform. The wedding was held on 5th February 2022 between 8.00 pm and 9.00 pm. The digital avatars of the couple appeared to have participated in the wedding process.

The following link provides more information about the way the metaverse wedding took place.

Link: Article in Rediff.com

You can see parts of the wedding videos here.

It appears that the wedding was hosted as a 3D platform and probably we should treat it as a version of the Meta Verse similar to the secondlife.com, as compared to the Meta Verse instances which may require special VR goggles to participate.

500 registered participants attended the wedding set in a beach environment.

From the sketchy reports available at present, it appears that the wedding was held in the physical space in front of limited family members at a proper muhurtham. Subsequently it appears that the marriage game has been hosted on the Yug Metaverse platform where the registered participants were able to create their own avatars and interact with each other.

It was therefore like a webcasting of the reception to which you could attend virtually. The couple were also present in their “Virtual Avatar” to receive the greetings.

Naavi had discussed the implications of “Cyber Marriage” way back in 2005.

The article “Should Cyber Marriages be Banned” was published on May 1, 2005 discussing the legal implications of Cyber Marriages. This article was prompted at that time by a Cyber Crime complaint in Chennai. One person had filed a complaint with the Police that he was married to a lady through Internet and the family of the girl was preventing the girl from moving to the bride’s home. The marriage was claimed to have been consummated in a “Chat room”.

At that time it was pointed out that if a marriage can be consummated by a “Contract”, it is possible to consummate such marriages and it was not desirable. Hindu marriage however is not a contract marriage and requires “Saptapadi” as an essential part of the marriage though “Tying the Mangala Sutra” or “Opening of the Antarpata” are also considered specific events during the marriage to determine the completion of marriage.

Considering the possibility of “Chat room” conversations being treated as “Marriages” and girls being subject to harassment, it was suggested that a specific amendment could be made to Section 1(4) of ITA 2000 to place “Contract Marriage” outside the scope of recognition under ITA 2000.

P.S: I have suggested the same kind of amendment to Section 1(4) to de-recognize Crypto currencies as valid electronic documents. This would be the simplest way of banning Crypto Currencies. (See the article: Regulate Bitcoins through ITA 2000 notifications under Section 1(4) and 69/69A/69B)

The Abhijeet marriage is not really a “Cyber Marriage” and hence there should be no legal issue about the validity of the marriage.

However, in future, some other persons may be tempted to use a pure Meta Verse marriage by two digital avatars present in different places tying a virtual Mangala sutra and claiming marriage.

It is found that Utah has an official online wedding scheme.

The Utah online wedding requires an email request to be sent to the registrar with identity documents and selfies with a payment of a license fee of US $145 (for international couples and $70 for local couples).

We are aware that there have been several instances of Cyber Crimes being committed on secondlife.com like platforms where the digital avatar commits a crime against another digital avatar or the platform owner and the matter has been referred to the physical Courts for resolution.

(Please note that the website zone-h.org continues to be blocked by MeitY for reasons that have been discussed in detail in the past on this website. It is time MeitY reviews this decision and removes the block. Even the Supreme Court is at fault in causing this blocking of Zone-h.org)

The Virtual marriages including Meta Verse marriages as well as UTAH online marriages tomorrow come up in family courts for divorce and settlements. Then the Courts will be scrambling for identifying the legal basis for marriage, divorce and property related issues.

It is therefore necessary for us to make necessary laws to regulate the Meta Verse marriages soon to avoid problems in future.

Naavi

Related Articles:

What has happened to the Zone-H.org case?

Now Government has to lift the ban on Zone H.org

E2labs project Ethan Dissected…

 
