Good Bye PDPB 2019, Welcome DPA 2021/2022

The 5th issue (first of 2022) of the Data Protection Journal of India has been released.

Last year FDPPI started the Data Protection Journal of India as a quarterly journal. The journal has now completed one year of its existence.

The latest issue, released today, discusses the changes between PDPB 2019 and the JPC-corrected version of DPA 2021, which, if passed in the budget session, would perhaps be called DPA 2022.

I hope readers will enjoy the information contained in the journal.

Naavi

Posted in Cyber Law | Leave a comment

International Data Privacy Day is today

As the world rallies around International Privacy Day with activities creating awareness about privacy, India awaits the beginning of the budget session in the next couple of days, with the hope that the long-awaited Data Protection Act is passed by the Parliament.

The Personal Data Protection Bill has been in the Parliament in different versions since 2006. The versions drafted after the Supreme Court decision of 2017 and the Justice Srikrishna Committee report, in the form of PDPB 2018 and PDPB 2019, are now back in an updated version as the Data Protection Act (DPA 2021).

Data privacy legislation is complex and has a huge impact on the industry as well as on the functioning of the Government. Privacy activists always like to have a law that allows little freedom to the Government or to business to make any use of personal data, either for national security or for business considerations.

The recent decisions of the EDPB in directing Europol to delete substantial parts of the surveillance data held by it, and further passing an adverse order on the EU Parliament itself for allowing data transfer from the EU to the US, indicate a tendency of the regulators to get carried away with their own thought process of “Privacy Above All”.

But it is necessary for all privacy enthusiasts, including the regulators, to keep their feet on the ground and remember that no legislation can ignore that the law has to maintain harmony between different rights, such as the Right to freedom of information and the Right to security. Individuals whose privacy needs to be protected have to accommodate the existence of other citizens who are concerned about the security of the state, and also the right of business to exist and grow.

Several observers in India were critical of the constitution of the selection committee of the DPA in the earlier version of the Bill. They felt that there is a need for a completely independent authority that can take on the Government if required. However, the developments with the EDPB appear to indicate that “Unlimited power with the DPA” is a danger by itself, and if the powers are not balanced, there is a danger of the DPA becoming an anti-India institution.

Fortunately, the DPA 2021 tries to understand this need of society and tries to balance the needs of the different stakeholders.

Let us therefore enjoy a balanced view of Privacy as is projected by the DPA 2021.

Naavi


Data Privacy Day of India is today

We Indians often forget our own history but remember the colonial history. This is as true of the story of Indian independence as of the story of India’s journey to the era of Privacy Protection and Data Protection.

Today is what most of us recognize as “Republic Day”, when the Constitution was adopted in 1950, and we remember January 28 as the International Privacy Day.

We must recognize that the “Right to Privacy”, which was upheld as a fundamental right by the Supreme Court of India on 24th August 2021, is extracted out of the Right to Life and Liberty under Article 21 of the Constitution. The Supreme Court did not pass a new law recognizing the right to privacy. It just reiterated that the right is already there and we did not know it. (Remember the advertisement of Amazon Pay!)

Hence January 26 should rightfully be recognized as the Indian Privacy Day, though the International Privacy Day is celebrated on January 28. This will at least establish that India did not wake up to Privacy only after GDPR but had recognized the concept at the beginning of our democratic life itself.

If, however, we want to celebrate the concept of “Data Protection” or “Information Privacy”, perhaps October 17, 2000 (the date when ITA 2000 was notified) is the right day. On this day electronic documents got legal recognition, and the recognition that Privacy protection extends to protection of personal information came with the passage of the Information Technology Act 2000.

On this day, we started recognising that personal information in electronic form needs to be secured for protecting the privacy of an individual. The law stated that failure could result in penalties under Section 43, imposed by the Adjudicating Officer, who is the regulatory authority.

Again, since the focus of ITA 2000 was more on Cyber Crimes, we did not recognize it as a Data Protection Law.

Even when the amendments were passed in 2008 and made effective on 27th October 2009 with the introduction of Sections 43A and 72A, we failed to recognize that the Data Protection Act had become operative in India.

We even missed 11th April 2011, when the more detailed “Reasonable Security Practice” under Section 43A was released, containing a summary of what we recognize today as DPA 2021; even then we did not realize that India’s Data Protection Day had arrived.

But it is never too late to realize the truth. Just as it took us 75 years to realize that Netaji Subhash Chandra Bose has a legitimate claim to be called the first Prime Minister of India, January 26 has the claim to be called the Indian Privacy Day and 17th October has the claim to be called the first Data Protection Day of India.

Hopefully this truth will start sinking in with the professionals now.

Naavi


Is EDPS endangering the global community including India?

Recently, when the JPC submitted its report on PDPB 2019, dissent notes were presented by a few members of the committee belonging to opposition parties. Some of these were related to “Excessive powers” to law enforcement and “Lack of parliamentary oversight”.

Two recent incidents in the EU directly reflect the views of the EU community on these issues and are interesting for us to take note of, since they may come up for discussion during the Parliamentary debate on DPA.

While it is difficult to accept the views of the EU society on both these counts, it is nevertheless interesting to take note of these issues.

The first is the decision of the EDPS passing an order on Europol to delete a vast amount of data held for criminal investigation purposes. The second is the reprimand issued to the EU Parliament itself for violations of GDPR.

No doubt the EDPS appears to be a hero in his own right but whether these actions are good for the society in the long run is difficult to say.

The EDPS involved is Mr Wojciech Wiewiórowski, who was appointed on 5th December 2019 for a term of 5 years. Earlier he served as Assistant European Data Protection Supervisor from 2014 to 2019.

He is certainly a highly learned person with vast experience in the field of Data Protection and served as the Polish Data Protection Commissioner from 2010 until he moved to the EDPS.

In the first instance, the EDPS accused Europol of becoming a counterpart of the NSA in the USA and clandestinely spying on citizens in a mass surveillance effort.

It is said that Europol has accumulated quadrillions of bytes of sensitive data (about 4 petabytes, equivalent to 3 million CD-ROMs).

The data has been collected from various sources including criminal records, extracted from encrypted phones and other sources. The EDPS has ordered that the data shall not be held for more than 6 months and Europol shall take steps to delete the rest of the data within one year.

Technology has been used for everything from Artificial Intelligence, Robots, 3D printing, Crypto currencies, Web 3.0 and so on. But when law enforcement wants to use technology there is objection from many quarters. This discrimination on use of technology for national security is not good for the society.

In another decision, the EDPS has issued an order reprimanding the EU Parliament for allowing transfer of data to Google and Stripe against the Schrems II principle.

Though no fine was imposed, a reprimand has been issued and an order to make changes to the notice and address other issues pointed out.

For some this may seem a heroic commitment to privacy, where the EDPS has taken on its own appointer (like the Bhasmasura syndrome referred to in another context). But if we consider the long-term implications of both these decisions, it appears that the EDPS is indirectly endangering global security by assuming for itself power over and above the European Parliament and law enforcement, and is diluting the counter-terrorism efforts of Europol.

Naavi.org had raised the red flag in June 2018 on “Whether GDPR will convert the entire Internet into Deep web” by carrying Privacy beyond its natural limitations. It appears that this prophecy is now coming to haunt us. On the one hand, the “Meta Verse” mafia has joined hands with the Crypto Currency mafia in an attempt at creating a Web 3.0, which is an attempt to create a nation beyond all nations. At the same time, people on the right side of the law like the EDPS are showing a holier-than-thou attitude on privacy to dilute security to the extent that criminals and terrorists will thrive.

This fight between the Privacy activists and National Security agencies in the EU is not an internal issue of Europe. If Europol is not able to gather enough intelligence required to identify terror activities, then terrorists operating from within Europe may attack not only the EU but also other global citizens. We in India are therefore concerned about the stance taken by the EDPS on the law enforcement issue in particular and wish that Europol is not weakened by the overenthusiasm of the EDPS.

A serious global debate is required to be undertaken in this regard by all the security agencies. Perhaps the NIA should take the lead to discuss with the NSA, Europol and other similar agencies to ensure that Europol is not rendered impotent.

The time has come for the Indian Government to ensure, while passing the Indian Act, that security concerns are not ignored. After all, the Right to security is as much a fundamental right as the Right to privacy, whether the Supreme Court agrees or not.

Naavi

We Need Accountability from HDFC Life

We are all aware that insurance companies are aggressive in marketing their policies and are in the forefront of misusing the provisions of law and infringing the privacy of individuals. The bigger the company, the bigger the violations.

I recently had an occasion to observe that HDFC Life issued a life policy for me though I was not eligible, and to make it possible for them to issue the policy they included the name of my son, whose life I had no intention of insuring. But HDFC Life created the policy in such a manner that the proposal was from my son though the payment was made out of my account.

Assuming that this is an error that can be ignored, though it has caused my investible resources to get stuck for some time now, immediately on receipt of the policy document I returned it to the Mumbai office of HDFC Life asking for immediate cancellation and followed up several times through email. But HDFC Life maintained a stoic silence until a representative of mine physically visited their branch in Bangalore to find out. He was informed that my email address was not registered and hence they were not responding. If I had made the payment, sent a courier and followed up with the email, it was improper for them not to try contacting me. Only when the other joint holder sent the same request did they respond, and only with a request not to cancel.

They are also insisting that the joint holder of the policy has to visit their branch to finalize the cancellation. While issuing the policy there was no need to visit but now they are insisting on this formality, though both the holders

I have now reported the issue to the CEO of HDFC Life as well as IRDAI and am waiting for the response.

I have now requested HDFC Life to let me know what process they follow when they receive a courier package containing a policy followed up with a request for cancellation. How can this request remain unresponded to for the technical reason that the email address is not registered, though the name and other details are visible in the returned policy?

This would be a classic contravention of the Data Protection Act 2021, which could result in a penalty of up to Rs 10 lakhs. If on receipt of such a complaint the audit or inspection shows that there is no proper process, then the penalty can be up to 4% of the total worldwide turnover of HDFC Life.

The persons handling support@hdfclife.com or service@hdfclife.com need to realize that a request of the type I made indicates a risk of a penalty that could run into crores of rupees and should log it as an “Incident”. Such incidents are auditable by the Data Protection Authority.

It is clear that HDFC Life may not have a DPO at this point of time, but whoever takes up the mantle will have a huge task of repairing the lax attitude of the support/service handlers.

Naavi

State Bank of India Dombivli harassing a Senior Citizen on Pension account

It is well known that pensioners are dependent on Banks for disbursal of their pensions. Once the pension is approved by the relevant Government department, the instructions are passed on to the Bank and periodical payments are initiated by the Bank. The pensioner is entirely dependent on the Bank for crediting what is due.

An instance has come to light where the Dombivli branch of State Bank of India has suddenly sent a message to a lady pensioner of advanced age that since 1st February 2011 there was an excess payment in the account (average about 15%) and a total amount of around Rs 502000/- has become recoverable. The Bank has gone ahead to block the SB account of the account holder and left the pensioner in the lurch.

A question has to be raised here: is the payment made by the Bank and credited in excess to the account holder recoverable?

According to Banking law applicable to wrong advice of credit, if the customer has altered his position genuinely on the basis of the advice of the Bank, the amount, even if in excess, cannot be arbitrarily recovered. In the case of payment of pension, it is a full and final settlement by the paying authority and it is legally unfair to recover. If there was an error, then the excess has to be recovered from whoever was responsible for the excess payment, and the Bank has the right to absorb the loss if it deems fit.

I am bringing this incident to public knowledge here so that the authorities responsible for payment of pension in the Central Government may take suitable steps to advise State Bank of India, Dombivli branch, to take appropriate corrective action in respect of the complaint which is with them.

In case the authorities want more details, Naavi.org would be providing the same.

We wish that SBI and the Central Government respond to this issue immediately.

Naavi
