Ministry of Communications had announced that a new Telecommunication regulation would be introduced in the country along with a revised ITA 2000 and revised PDPB 2019.
Accordingly, the Government has released a draft and public can send comments before October 20, 2022.
Copy of the Bill is available here:
An Explanatory note is available here:
Comments can be sent by e-mail to : naveen.kumar71@gov.in
(Continued from the previous article)
P.S: This series of articles is an attempt to place some issues before the Government of India which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect.
Applicability of any law is generally limited to the jurisdiction in which the law making body has the power to legislate. Hence every sovereign Government has the power to make laws within a given jurisdiction.
In some countries there is a federal governance system and there could be multiple sub geographical areas where law can be made independently while the federal law may apply to all such sub units.
For example the Union of India or USA or EU can make federal law applicable to the entire country of India, United States of America or all the EU member countries etc. At the same time individual States of India may have certain powers to make laws for Governance activities listed in the state list or concurrent lists. Similarly the States of USA such as California or New York or Colorado or Connecticut can make laws applicable within the state. So also the individual members of the EU which are countries in their own right can also make laws for their countries.
Some times the Federal laws and State laws may over lap and create compliance confusions. It is for the law makers to avoid such confusions by incorporating suitable explanations in the law.
One distinct take of this law making principle is that India cannot make a law applicable in EU and EU cannot make a law applicable in India. However in certain circumstances, if the activities of a resident of a foreign country could lead to an adverse impact on a local resident, the local Government can add “Extra Territorial Jurisdiction” in its law and say that the law is also applicable for activities outside the jurisdiction of the law making body.
This extension of the jurisdiction has been used in laws like GDPR where it is provided that if the personal data of a EU citizen is processed outside EU for profiling a EU citizen/resident or for carrying on targeted business with the local resident, then GDPR is applicable to such processing.
Some times organizations which are constituted subject to laws in a particular country represent the country and its activities outside the country, need to be monitored by the Government of the resident country of the organization in order to ensure that its citizens (individual or corporate) do not become an embarrassment to the country.
In view of the above, while defining the applicability of law such as the data protection laws, we normally consider
a) What is the type of data and what activity related to such data to which the law is applicable.
b) What type of organizations and their place of constitution to which the law is applicable
c) Whether the law is applicable to organizations constituted and operating outside the law making country and if so under what conditions
While PDPB 2019 followed the GDPR and stated that the law is applicable for “personal data” when collected, or processed in India, it also extended the law on the basis of companies constituted in India for their global operations and for foreign entities who could remotely process the data of Indians for profiling and for targeted business.
In these circumstances, it is necessary for us to remember that all laws are basically applicable within the country of origin of the law and every extension to this basic principle is an exception and should be read with the conditions attached.
Also when we speak of a duty to pass a law as part of Governance responsibilities, the duty is to the citizens of the dominion. Any extension of this to the “Non Citizens” is also an “Extra-territorial application” considering the category of people to whom the law is applicable as a “Territory”. Hence when the law says that data protection law is applicable to “Residents”, it can be made conditional and the remedies available to a resident who is not a citizen could be different from a citizen though such differences could lead to charges of “Discriminations” based on racism.
However, as long as the differences are logical and have a purpose, they can be justified. One example is the Indian law of CAA which gave some different treatment to immigrants based on whether they are Hindus/Sikhs/Jains or not.
Laws may some times overlap not only because of the territorial reasons, or citizenship or residential status but also on the material scope such as ITA 2000 being applicable to both personal data and non personal data while PDPB 2019 is applicable only to personal data.
One of the challenges in designing the New Data Protection Law in India is to consider if we can reduce the potential overlapping of the laws by being clear about the “Applicability of law”.
Most data protection laws often state that the “Notice given to a data subject/Data Principal should be clear and precise”. Similarly the citizens have the right to expect that the law itself is as much clear as possible at least regarding its applicability though on other aspects, interpretation may be inevitable.
The argument made by one of the justices (Justice Chelmeshwar) in the Puttaswamy judgement that ” ..there is no need to define Privacy to create liability on organizations to protect privacy” is not an ideal way to handle law making. It is with such approach that today every day to day operational notification of a company (eg UIDAI tender to appoint an agency for social media monitoring and IRCTC tender to study the monetization prospect) is referred to the Supreme Court besides the notifications issued by ministries, converting the Supreme Court into a sub executive body rather than a separate judicial body.
We therefore try to define applicability of the New law by defining Privacy, Data, Roles of different stake holders properly. Once an organization or an individual understands clearly that the law is applicable to them, it becomes easy for them to consult experts on how to be compliant. If the stake holders are in doubt about the applicability then they tend to remain non compliant by ignorance or mis-interpretation.
In the new Data Protection Act, one option is just to adopt the current PDPB 2019 provision of Section 2 according to which the law will apply to “Personal Data” of “Natural persons” processed by any type of juridical entities constituted in India (Companies, Government, Partnership firms, associations of persons and also individuals collecting data for business purpose) with exceptions of foreigner’s data processed in India (Erstwhile Section 37).
While this would be a straightforward approach and would suffice with the addition of “Exemption for processing of personal data of foreigners in foreign locations also” on the lines of Section 37, we would like to explore if it is possible to adopt a different approach to define applicability.
In all laws, we define the applicability and then define rights and obligations of the stake holders to whom the law is applicable. What we are trying to explore is whether it is possible to define the rights and obligations first and then all those who have those rights or obligations will automatically be considered as coming under the applicability of the law. This may also re-define the chapter on “Cross Border Restrictions or Data Localization” which becomes exercising of the rights of the data principals rather than a compliance imposition by the law enforcement agency.
This approach is radical and needs deep thinking. We shall debate this both here and also in the IDPS 2022. In the meantime, please do share your thoughts.
Naavi
P.S: These discussions are presently for a debate and is a work in progress awaiting more inputs for further refinement. It is understood that the Government may already have a draft and may completely ignore all these recommendations. However, it is considered that these suggestions will assist in the development of “Jurisprudence” in the field of Data Governance in India and hence these discussions will continue until the Government releases its own version for further debate. Other professionals who are interested in participating in this exercise and particularly the Research and Academic organizations are invited to participate. Since this exercise is too complex to institutionalize, it is being presented at this stage as only the thoughts of Naavi. Views expressed here may be considered as personal views of Naavi and not that of FDPPI or any other organization that Naavi may be associated with.
A report in businessleague.in (To be confirmed independently) suggests that SBI plans to introduce a mandatory customer ID card which will be required for deposit and withdrawal of money from accounts. This will be perhaps in addition to the Debit Card and Credit Card issued by SBI and will function as a “Unique Customer ID Card”. Soon we need not be surprised that every Bank may issue their own Unique Customer ID Card since this move is expected to raise Rs 900 crores to SBI from no where. Other Banks are unlikely to give up such windfall gain if possible.
These “Green Cards” are expected to be priced at Rs 20/- and will be in addition to the annual ledger maintenance charges and specific charges on Cheque book issue, ATM withdrawal etc.
I am not sure if there will be a “Bank Entrance Fee” shortly to be introduced by some innovative Banker since no Bank wants its customers to come into the Bank premises if possible.
SBI has about 45 crores and in one master stroke, SBI plans to raise Rs 900 crores revenue through the issue of “Customer ID Cards”. Compared to the PAT of Rs 30,000 crores the revenue generated by these new cards is about 3%. If this adds to the bottom line, the EPS will go up and correspondingly the share price has to go up by at least Rs 20/- solely on this decision.
There is also another angle to this customer loot. At least 5% of the cards may get lost and renewed each year and hence along with issue of cards to new customers the scheme promises a perennial income to the Bank.
In the process just like the Aadhaar Card, PAN card, Kisan Card, Health Card, etc, customers need to carry one more card namely the SBI Green Card. (may be one such card for each of the Banks where they maintain accounts). Since all Bank accounts are already linked to both PAN cards and Aadhaar cards the new card is a redundant ID card with limited use. At the same time it will pose the risk of identity theft, loss of identity and frauds related to the mis-use.
However this is an innovative “Data Monetization” scheme by SBI which should be appreciated for its ingenuity.
It would be better if RBI clarifies the logic for charging money for this card even if it was required to improve the digital administration in the Bank. This cost should be absorbed by the Bank as part of its administration cost. Hope RBI will look into this.
Naavi
(Continued from the previous article)
P.S: This series of articles is an attempt to place some issues before the Government of India which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect.
The honourable Minister of IT, Sri Ashwini Vaishnaw in an interview yesterday has indicated that
a) a new Telecom Bill will be introduced in the next 8-10 days to replace the archaic 1885 laws
b) Drafting of the bill to replace PDPB 2019 is practically complete and will be very soon uploaded for consultation and re-introduced in the Parliament in the budget session (February 2023)
c) Protection of online users will be covered in a new draft of the Information Technology Act with greater accountability among social media platforms for content that is being published.
It appears that both the revised Telecom Bill and Revised PDPB 2019 may be presented in draft from for public comments soon. Revised ITA 2000 is a more complicated exercise and the Government may immediately focus on getting a proper revised version of the Intermediary Guidelines that covers Digital Media.
In our attempt to design a New Data Protection Act (NDPAI) for discussion during the IDPS 2022 (Indian Data Protection Summit 2022) due in November 2022 based on the earlier statements of the MeitY, we had considered the possibility of a new law which combines the Governance and Security of Personal and Non Personal Data.
We had identified eight chapters in the law where chapters on Preliminary, Data Valuation Framework and Miscellaneous issues were common to both Personal and non personal data.
Chapter II was envisaged for creating the statutory law for recognizing the Right to Privacy in non digital environment so that the rest of the law could focus on “Information Privacy”
Chapters on Governance and Protection of Non Personal Data were meant to replace the ITA 2000.
We now await the new draft for Personal Data Protection which the minister has promised to produce soon. If the Government has to collect public comments and introduce it in February 2023, the draft has to be released in October 2022.
We may continue our discussion and suggestions awaiting the draft and synch it with the draft when it is presented.
In this article we shall discuss the definition of the scope of the Act.
The scope of PDPB 2019 was defined under Section 2 and included 4 provisions. As per this section the Act would apply to
(a) the processing of personal data where such data has been collected, stored, disclosed, shared or otherwise processed within the territory of India;
(b) the processing of personal data by any person under Indian law;
(c) the processing of personal data by data fiduciaries or data processors not present within the territory of India, if such processing is—
(i) in connection with any business carried on in India, or any systematic activity of offering goods or services to data principals within the territory of India; or
(ii) in connection with any activity which involves profiling of data principals within the territory of India; and
(d) the processing of non-personal data including anonymised personal data.
The act was indicated as applicable to non personal data but only the following provisions could be attributed as applicable to processing of Non personal Data
i) Reporting of data breach of non personal data to the data protection authority under this Act,
ii) Empowerment to direct any data fiduciary to share non personal anonymised data,
ITA 2000 on the other hand applied to all kinds of data and addressed issues of “Cyber Crimes” both with personal data and non personal data. Hence the scope of ITA 2000 was comprehensive and PDPB 2019 could only carve out some specific aspects of ITA 2000 (eg: Section 43A) and frame a separate law. The overlapping of ITA 2000 on PDPB 2019 and therefore the powers of the CERT IN over the DPAI became a difficult legal problem to sort out.
We may presume that the Government realized this conflict between ITA 2000 and PDPB 2019 and took the bold decision to withdraw the PDPB 2019 despite the embarrassment that the withdrawal caused to the country in the international circles.
Now it remains to be seen if the Government vindicates its objective of withdrawal by framing a law which segregates the “Governance of Personal Data and Non personal Data” effectively between the new personal data protection act and new information technology act or under a combined act.
The “Protection of Data” from unauthorized access, modification or access (CIA principle) applies both to personal data and non personal data and hence can be considered as a common requirement for both personal data protection and non personal data protection. Additionally the data principals (owners of personal data) were recognized to have some “Rights” such as Right to Access, Right to Correction, Right to Portability, Right to Forget, Right not to be subjected to personal data processing without a legal basis, Right to withdraw consent, Right to Grievance redressal, Right to minimal collection, Right to minimal retention, Right to information about processing before collection, (Notice).
Personal Data Protection recognized these “Rights” as an interpretation of the “Right to Privacy” extended in the form of “Information Privacy” where the “Ability to chose how the personal data of an individual could be collected and used is regulated. But ITA 2000 did not mention the “Right to Security of a Citizen” except through definition of “Cyber Crimes and Contraventions” and prescribing penalties. Each of the punishable offences or contraventions could be considered as a “Right of a Citizen against misuse of Non personal data” though the clarity was absent. Prevention of Cyber Crimes were looked at more as an obligation of the law enforcement duty of the Government rather than “Protection of the Right of Security of a Citizen of the Country”.
I feel that we now have an opportunity to define the “Duty of the Government” to provide Cyber Security by guaranteeing the “Right to Security” along with “Right of Privacy” in a single legislation.
In the NDPAI-Shape of Things to Come, we are therefore suggesting that “Rights” be defined of the Citizens of the Country in such a manner that any mis-use of personal or non personal data shall be protected. This obligation is only to the citizens of the country. Rights of “Other Residents of the country” including foreigners on transit for travel or employment must be defined separately and exclusions temporary or permanent must be added to illegal migrants, terrorists, convicted criminals and accused criminals subject to checks and balances as permitted in the constitution.
The current definition of “Scope” of the PDPB 2019 revolves around “Data” whether it is personal or non personal whether it is processed by an Indian organization or foreign organization and whether it is processed in India or outside India.
Even the GDPR defines the scope in terms of a mix of Material scope, Territorial scope and subject matter scope. In this mix, people forget the subject matter scope which says that the regulation is “relating to the protection of natural persons” . Everything else including the regulation of what is called “Personal Data” is incidental to the protection of the natural person.
In view of the lack of focus, we normally consider that the basic purpose of GDPR is to “Protect Personal Data” and derive many of our compliance requirements ignoring that the core objective of GDPR is to protect “Natural Persons” and the scope is limited by international jurisdiction to “Protection of Natural Persons who are the citizens of EU”. Extra territorial jurisdiction is only in “Hot pursuit” of the protection of the rights of the citizens.
GDPR does make reference to “Residents of EU” and try to protect them under GDPR. This is more an obligation in recognition of human rights on a global scale and not necessarily as a duty under the EU Constitution.
India can chose to also protect certain rights to legal residents of the country as a part of its global obligations. But instead of mixing up these rights with the rights of citizens, it is better to define it exclusively.
Hence we need the NDPAI to recognize
a) Rights of living natural persons who are recognized citizens of India
b) Rights of living natural persons who are recognized citizens of a sovereign country recognized by India under authorized residence in the territory of India
c) Rights of deceased natural persons who were recognized citizens of India
d) Rights of deceased natural persons who were recognized citizens of a sovereign country recognized by India under authorized residence in the territory of India
We therefore suggest consideration of defining the scope of the NDPAI with reference to protection of rights of natural persons on the basis of their citizenship and define the territorial scope, material scope etc with the core objective of protecting the rights of the Citizens. This would meet the constitutional obligation which the Supreme Court also highlighted in the Puttaswamy judgement. Definition of Rights in this context will automatically fix the scope of the law.
We may recognize that the term “Data Principal” in a personal data protection context may refer to persons with a right on a personal data set which includes “Guardians” of minors or Data Fiduciaries/Consent managers with contractual right to manage and monetize.
In the context of non personal data, data is owned by an organization or an individual and any mis-use affects another individual or an organization indirectly as a victim of cyber crime. The individual victim of a cyber crime always has an involvement of his personal identity being in some way compromised. Hence Cyber Crimes against individuals can always be considered as crimes under Personal Data Protection Act.
Since “Corporate entities” are not protected with a “Right of Privacy”, their right to protection is in the form of right to carry on business without disruption etc. The Non personal data protection act needs to protect such entities who are not “Natural Persons”.
Similarly deceased persons may not have all the rights of a Citizen and hence must be covered separately. So also are “Residents who are not Citizens” whose rights are to be considered separately.
In the case of Non personal data, we can define a term “Data Guardians” who are custodians of data and are the “Data Fiduciaries” in that context. In our earlier article on the roles, we discussed the role of a data fiduciary as “Data Manager” taking into account the possibility of profiling and monetization. May be the term “Data Guardian” is a better proposition which covers the Data Controller, Data Fiduciary, the Consent Manager and Data Processors.
Within this category of Data Guardian, different classes as “Personal Data Guardian” and “Non personal data guardian” can be identified.
In this approach we can define the applicability of the Data Protection regulation in terms of the end stake holder who is either a Data Principal or a Data Guardian and what rights of these stake holders are protected.
Data Principal is given protection of his Right to Privacy and the subordinate rights such as Right to access etc. Data Guardian has the obligation to meet the compliance requirements. Right to Security is applicable both to the Data Principal and the Data Guardian if they are citizens of India or established under the Indian law or otherwise carrying on activity in India as a resident.
We may therefore re-write the Section 2 of the PDPB 2019 appropriately. The exact drafting of this “Scope Section” will be attempted in a follow up article.
Open for debate… Send your views. Those who are willing may contribute a video recording (not exceeding 5 minutes) on how do we define the scope of the New Data Protection Act of India, for being carried in IDPS 2022 (Expert View Section)
Naavi
P.S: These discussions are presently for a debate and is a work in progress awaiting more inputs for further refinement. It is understood that the Government may already have a draft and may completely ignore all these recommendations. However, it is considered that these suggestions will assist in the development of “Jurisprudence” in the field of Data Governance in India and hence these discussions will continue until the Government releases its own version for further debate. Other professionals who are interested in participating in this exercise and particularly the Research and Academic organizations are invited to participate. Since this exercise is too complex to institutionalize, it is being presented at this stage as only the thoughts of Naavi. Views expressed here may be considered as personal views of Naavi and not that of FDPPI or any other organization that Naavi may be associated with.
(Continued from the previous article)
P.S: This series of articles is an attempt to place some issues before the Government of India which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect.
We have been discussing the need for Protection of Privacy Rights to be augmented to protection of Neuro Rights (The series of articles published in this site are also collated at www.neurorights.in).
So far the discussions have been related to the “Brain Computer interface” through electro magnetic radiation that would bring chemical changes in the brain cells leading to specified neuron activity.
The human brain is said to function with “Brain Waves” which are electro magnetic waves which function in a certain frequency range (or wave length range which is in inverse proportion to frequency) as below.
Externally there are radio waves, Cellular mobile waves and other frequency waves that we come across in the atmosphere. These waves are at a higher wavelength.
5G spectrum which we often hear are in the frequency range of 1GH to 6 GH. (One megahertz (MHz) equals 1,000,000 Hz. One gigahertz is equal to 1,000 megahertz (MHz) or 1,000,000,000 Hz or 109 hertz. In wavelength terms, 1GH is approximately 0.299 metres).
We have heard that radiation from mobiles, mobile towers as well as microwave ovens do affect human brains. Though human body system is tuned to receive certain signals and ignore certain signals the fact that “electro magnetic” is the nature of human brain activity and also the activity of other devices including computers.
The “Brain-Computer interfaces” involving electrodes fixed on top of human skull or chips inside the human skull have gone past animal experimental state and are in advanced state of adoption in our common life. Binaural beats used in music technology is an example on hand.
Current demand for Neuro Rights protection is based on the possibility of manipulation of human brain with implants and other external stimuli which are perceivable by human sensory organs.
Now a new requirement seems to be emerging with scientific developments which indicate the possibility of manipulation of human brain activity without implants and outside the human sensory organs. In other words certain waves which are not heard by our ears or seen by our eyes can be used to manipulate brain activity.
The Privacy concepts such as “Right of Free Choice”, “Expression through a written consent” etc loses meaning when some body can make a human think as per his wish. This is not in the realm of hypnotism or other known forms of psychology through external stimulation. This is a completely new method of intervention of human brain that escapes regulation in any of our known laws.
A serious thought is therefore required to discuss whether our proposed new data protection law should incorporate “Neuro Right Protection” . This will be a point of discussion that may come up during the IDPS 2022.
In our suggestions we added “Neuro Privacy” as a category to be addressed by this new law along with other three forms of privacy namely the Physical privacy (non interference in physical terms), Mental Privacy (Right to be mentally left alone) and Information privacy (Right to manage the use of personal information).
We defined neuro privacy as
(c) “Neuro Privacy” means the choice of an individual to determine to what extent the individual may share his neuro space with others
Perhaps for the purpose of the Act this would suffice. But when it comes to “Reasonable Security to Protect the Neuro Privacy” or “Neuro Privacy by default”, the rules need to address how the neuro intervention devices are regulated.
In one of the recent researches it is contended that “Micro waves” are being sent from drones in an US experimental site and the target population are experiencing mental harassment due to the experiment since they seem to be hearing things. Patents are being claimed for “Microwave Voice to skull technology”.
This patent describes it as an
“invention relates to a hearing system for human beings in which high frequency electromagnetic energy is projected through the air to the head of a human being and the electromagnetic energy is modulated to create signals that can be discerned by the human being regardless of the hearing ability of the person.”
The patent applicant claims
” I have discovered that a pulsed signal on a radio frequency carrier of about 1,000 megahertz (1000 MHz) is effective in creating intelligible signals inside the head of a person if this electromagnetic (EM) energy is projected through the air to the head of the person”
Just as inputs to computer can be given in the form of key strokes or voice commands, in future, Brain-Computer interfaces may operate with sound waves instead of through a remote computing device.
It is this sort of developments that need “Neuro Rights” to be defined now though we may need time on making rules to regulate the protection of Neuro Rights.
Psychiatrists seem to be ignoring the possibility of human brain activity manipulation through sound waves and dismissing the claims of some people in the alleged experimental area as a kind of neurosis.
Watch out for IDPS 2022 where we may take this discussion further… Provided there are speakers who can share their thoughts.
Naavi
Reference
News Report..Video below
FDPPI is an organization of the data protection professionals and by the data protection professionals. The organization is supported by the aggregation of activities of its members. For practical reasons some members are designated as “Supporting Members” so that they act as divisions of FDPPI for generation of revenue through their activities. But all other members are like flesh and blood of the organization. If they are active, FDPPI is active.
This concept extends to the conduct of IDPS 2022 the flagship event of FDPPI. We would like to make this event the flagship event of the Data Protection Community in India of which FDPPI is a part.
The event is being conducted as a 3 day virtual event between 11th, 12th and 13th November 2022 between 2.00 pm and 8.00 pm (IST) or 8.30 am GMT to 2.30 pm GMT.
During this time and day, the event would be live. During these 18 hours we can accommodate perhaps 6-8 keynotes and another 6-8 panel discussions. This means that we can listen to around 30 -35 speakers and share their thoughts with the audience.
The canvas of discussion is “Privacy and Data Protection” and the theme is “Shape of Things to Come”. We therefore need to discuss the current laws in India and elsewhere, the technology of protecting Privacy and data, the Governance of Data for protection and monetization and many other related issues.
We are fully aware that the number of available speakers and the amount of knowledge they can contribute are much more than what we can present in 3 days. We cannot accommodate them all despite our best intentions.
We are also aware that this is a dilemma that is faced by every organizer of such programs world over. There are too many deserving speakers who ought to be heard. But either the organizers cannot reach out to them or the speakers are not available at the required time and place for the event. This often results in losing an opportunity to hear the experts and some times disappointing speakers who are eager to share their knowledge.
FDPPI therefore has opened it’s doors for speaking opportunities during the IDPS 2022 to the community so that IDPS 2022 is to be an event of the Data Protection Professionals by the data protection professionals and for the data protection professionals.
We therefore invite data protection professionals who would like to contribute their thoughts to the “Shape of things to come” in the domain of Privacy and Data Protection in the IDPS 2022 to send us recorded video clips preferably of less than 5 minutes. These recorded videos would be broadcast on the IDPS 2022 platform during the time 6.00 am (IST) to 12.00 noon (IST). This will ensure that the content would be available for the US-Australia time zone as an extension of the live sessions which are more suitable for the India-Gulf-EU time zones.
The video may be kindly recorded if possible with the background setting of the image provided above. Naavi would be available for checking the topic of discussion as well as for a participative recording of the views as a conversation if it is preferred.
The end objective of this exercise is to ensure that IDPS 2022 becomes an event of the community of data protection professionals.
We hope that we will also be able to show case the professionals who would otherwise miss participation in the event. For the upcoming speakers this is an opportunity to be present on this platform.
I request all professionals to make this concept a success.
Naavi
