Naavi.org

According to UNCTAD, 128 of the 194 UN affiliated countries have put in place legislation to secure the protection of data and privacy. 158 countries have in place the E commerce laws and 154 countries have Cyber Crime laws.

While the need for a law in each jurisdiction is essential because the countries are sovereign countries, the existence of multiple laws makes it extremely difficult for the global citizens to follow and comply. This problem is accentuated because the technology has been developing in the direction of breaking down the barriers of communication and data moving freely across the political boundaries.

This issue is more pronounced in the data protection laws since data processing is an important business activity and cross border business engagements are common.

While the commercial aspects of data and its utility has created an interest in Governments opting for “Data Localization”, most laws try to retain extra territorial jurisdictions to impose penalties and bring in impossible conditions into business contracts in the form of “Standard Contractual Clauses” and “Abdication of the local security considerations”.

In this scenario, a data processing company which operates a website and cloud services to collect, process and disclose personal data through the internet faces the challenge of being exposed to multiple data protection laws.

While most laws look similar, the very fact that  democratic countries which genuinely respect the right of privacy and implements laws to protect the right of privacy, dictatorial regimes like China, fake democracies like Pakistan,  religiously fanatic countries in the Muslim world all seem to have laws called “Data Protection Laws”, makes it obvious that that the laws can share the same name but inherently are different.

At the time of compliance this creates a problem since the entire personal data accessed by the organization needs to be properly segregated before the compliance can be achieved.

While in terms of a framework for compliance, the PDPSI or the Personal Data Protection Standard of India promoted by FDPPI (Foundation of Data Protection Professionals in India)  has developed a Unified Framework of compliance by incorporating an appropriate data classification system, the complexities of creating a “Foundation Compliance Framework” and customize it for “Law Specific Modifications” remain because every law looks similar but has some subtle differences.

It is therefore necessary that an attempt should be made by the UN to develop a “Model Law on Data Protection” and persuade its members to bring uniformity to the laws. However UN in recent days has become completely in effective because of the archaic “Veto” system and unless this system is disbanded, UN remains a useless organization.

The EU for its own reasons has tried to unify the laws within 27 countries of the Union but still retains differences in terms of State Laws. US calls itself a federation of 50 states but is allowing each state to pass its own data protection laws rather than forcing adoption of a single data protection law for the entire country.  Many other countries including Canada, UK and Australia may have issues with provincial Governments and independent administrative territories splintering the laws.

It should be appreciated that India even when it adopted the Information Technology Act adopted it as a federal law and with the integration of J&K into the country with the abolition of Article 370, the upcoming data protection law is also being framed as a “National Law”.

In the Past there has been an attempt by some States to intrude into the Central legislative powers under Information Technology Act 2000 through amendments in Police Act or State Stamp Act or other laws. Given even a slight opportunity there are rogue states  who may take  an aggressive stand to promote local laws different from national laws by citing the “Powers of the State to control law and order” to infringe on the Data Protection Laws.

To prevent such a possibility, we need to ensure that PDPB 2019 is made water tight as a single data protection law for the entire country including the Union Territories and no opportunity is given to the States to make any amendments.

It should declare that

“No State Government shall have the power to make laws which may contravene the provisions of the PDPB/A” and any amendment required to be be made for regional considerations shall be made only through the PDPB/A and not through any state law.

Based on how this “Unified Data Protection Law for the entire country” is defined, we may also amend the information technology act to define “Cyber Crime” and create a federal agency for investigation and prosecution of cyber crimes.

Comments are welcome.

Naavi

China has announced a law called “Personal Information Protection Law” (PIPL) on 20th August 2021, coming into effect on 1st November 2021.

The PIPL is having 74 articles divided into 8 chapters as follows:

• General Provisions;
• Personal Information Processing Rules;
• Rules for Cross-Border Provision of Personal Information;
• Individuals’ Rights in Personal Information Processing Activities;
• Obligations of Personal Information Processors;
• Departments Performing Personal Information Protection Functions;
• Legal Liabilities; and
• Miscellaneous Provisions.

Considering the general Governance system in China which is a dictatorial regime, the stakeholders would be concerned about the penalty provisions and the extra territorial implications.

Knowing the political nature of Chinese Governance and its reputation as the biggest global surveillance state, China talking of “Privacy” is like the Satan quoting the Bible.

However, the global privacy community is going through the motions of hailing the “Strict Data protection Laws in China”.

There is a possibility that China may continue its “Surveillance Culture” and cyber warfare and use the law to protect its own companies engaged in secret activities to ensure that international demand on any information related to issues such as the Covid Virus related research etc cannot be demanded by US or the UNO.

There are many Indian companies who have foolishly placed their assets in China and will have to live with working with the dictatorial regime and its inconsistent policy formulations. Just as the Indians in Afghanistan who are today struggling to be physically evacuated, many of the top industrialists of India who have built up assets in China will some day be running for evacuation of their data out of China.

Naavi.org has to keep on record its total distrust on China and the expectation that PIPL being used as an instrument of protecting Chinese dictatorial interests more than protecting the “Right of Privacy” of the citizens of China.

However, from the professional view point, we can continue to study the text of the PIPL assuming that the Government of China will be honest and reliable.

If we look at the extra territorial impact of the PIPL, the law is applicable when a company outside China conducts processing activities of information of natural persons who are within China

• for the purpose of providing products or services to natural persons in China;
• to analyze/evaluate the behavior of natural persons in China; or
• other circumstances prescribed by laws and administrative regulations.

Naturally, Companies having processing activities within China of personal information of natural persons would be liable.

Hence all Indian companies who are having establishments within China will have to put up with the strict Chinese regulations if they have any physical presence in China.

Like in GDPR, the PIPL will require a representative to be appointed in China if a foreign company is engaged in the collection of personal information from China.

The legal basis for processing is covered by the following:

• consent by data subjects;
• necessity for concluding or performing contracts to which the data subject is a party, or necessity for implementation of human resources management in accordance with legally-adopted labor rules and systems and legally-concluded collective contracts;
• necessity for performing legal duties or legal obligations;
• to respond to public health emergencies, or necessity for protection of natural persons’ life, health, and property safety under emergency circumstances;
• processing, within the reasonable scope, of personal information for conducting news reports, public opinion supervision, and other acts for the public interest;
• processing, within the reasonable scope and in accordance with the PIPL, of personal information that has been made public by data subjects or through other lawful means; and
• other circumstances as stipulated by laws and administrative regulations.

Since one of the permitted legal basis is  “Performance of legal duties and legal obligations” ,  India should consider introducing  a clause in our law (May be in out Cyber Security law such as ITA 2000) to the effect that

“All organizations established in India including organizations which have managerial and financial control of organizations constituted under laws of other countries shall be liable to provide access to data related to their activities outside India for purposes such as National Security,..etc”.

Data Localization

All personal information collected and generated in China by Critical information infrastructure operators (“CIIOs”) and organizations processing personal information reaching a certain amount designated by the authority are required to store such information in China.

As regards the cross border transfer, PIPL states that apart from the consent Cross-border transfers of personal information can only be made for legitimate purposes such as business needs, and the transferor is obligated to take the necessary measures to ensure that the processing activities of the overseas recipient satisfies the protection standards set forth in the PIPL.

The law does include “Rights” of data subjects just like GDPR though the credibility of such provisions may be questioned.

The rights include

• Right to know and to decide relating to their personal information;
• Right to restrict or prohibit the processing of their personal information;
• Right to consult and copy their personal information from the processors;
• Right to portability of their personal information;
• Right to correct and delete their personal information; and
• Rright to request the processors to explain the processing rules.

It is interesting to note that there is a provision that the close relatives of a natural person can exercise these rights for their own legitimate and justifiable interests after the natural person is deceased, unless the deceased has made other arrangements when she or he were alive.

It is understood that the processor’s obligations include  appropriate internal management systems and security measures for compliance but appointment of DPO may not be mandatory except for organizations involved in large scale processing.

Penalties

Violations of the PIPL may lead to an administrative fine of up to RMB 50 million or 5% of the processor’s turnover in the last year (it is unclear if this is local or global).

Other penalties include order for rectification, warning, confiscation of illegal gains, suspension or cessation of service, cessation of operation for rectification, and revocation of operating permits or business licenses. The person-in-charge or other directly liable individuals may also be individually liable and fined or prohibited from acting as directors, supervisors, senior managers or personal information protection officers.

If the processing activity violates the rights or interests of a large number of individuals, a public interest action may be initiated by the People’s Procuratorate (i.e., the authority responsible for criminal prosecution), consumer protection organizations or other organization designated by the cyberspace administration.

(P.S: We await the English version of the draft for detailed study.)

Naavi

Reference:

twobirds.com

The GH Raisoni Law College is organizing its 16^th KSHAN Moot Court which will be held on the 4^th and 5^th of September, 2021 on a virtual platform.

As a part of the FDPPI’s activities under the P& Y Program to involve the youth of the country into the activities of FDPPI, FDPPI is collaborating with the GH Raisoni Law College, Nagpur in the conduct of the above Moot Court Competition. This is the 16^th National Appellate Moot Court Competition -2021 is being organized by students of G.H. Raisoni Law College, Nagpur and G.H. Raisoni University’s School of Law. All India Reporter (AIR), and FDPPI- are collaborating in the conduct of this program.

Dr Mahendra Limaye, one of our esteemed members has been the brain behind the P& Y Program and the organization of this event.

As a part of the collaboration, FDPPI would be extending valuable educational opportunities to the Winners and the First and Second Runner’s up as rewards.

We look forward to involvement in more of such programs in association with law colleges.

About KSHAN

KSHAN is a National Level, inter-college moot court competition organized by the student bodies of the Law Schools under the Raisoni Group of Institutions. They conduct a nationally known Trial and Appellate Moot Court on Criminal Law. This year’s edition of KSHAN is the only Appellate Moot Court that has a special focus on Criminal Writ Petition and Data Privacy.

About AIR

AIR (All India Reporter) is a publication house known for its presence in all three media information transmission forms: Print, CD-ROM and Web base. It has a journal that reports on all benchmark judgements given by various courts around India. It was established in 1914 and has its head office in Nagpur.

The problem statement of the competition is available here. 

FDPPI has announced the following rewards. 

1. Winner: Free Certification Course-Admission, Video lessons and Examination for Module I and Module G and Basic Membership of FDPPI : Valued at Rs 25,000/-

2. First Runner up: Free Certification Course-Admission, Video lessons and Examination for Module I and Basic Membership of FDPPI: Valued at Rs 14,000

3.Second Runner up: Free Certification Course-Admission, Video lessons and Examination for Module I: Valued at Rs 10,000/-

Naavi

FDPPI pioneered the Indian Data Protection Summit in 2020 and conducted a three day virtual summit on November 19th, 20th and 21st.

This year again on November 19th, 20th and 21st, FDPPI will have a virtual summit Indian Data Protection Summit 2021 or IDPS 2021.

FDPPI will invite speakers and sponsors for the program.

A Program committee would be preparing the schedule for the event and will be shared here.

Any suggestions in this regard may be sent to FDPPI/Naavi.

A new line of argument is surfacing in India in support of the Currency of the Criminals and Terrorists namely the “Bitcoins” and Crypto currencies”. …that “The space has become too large to ignore”

Well, whether it is the Taliban in Afghanistan or Crypto currency in India, if we follow  “Procrastination” as a policy of Governance, the menace will only become larger  and the monster will become stronger.

Had US and India collaborated and ensured that the Afghanistan is not left in the lurch, we would not have seen Talibanis sitting in Kabul today and taking over the arms and other assets of the Afghan army. With this tackling Talibanis is only becoming more difficult than otherwise. While USA is not directly affected by this development, India is going to face an adverse impact of the raise of Taliban in Afghanistan.

Similarly the Government is unable to take a decision for passing the “Banning of Crypto Currencies bill” because the Finance Ministry is either confused or is under the influence of the Crypto Mafia.

Today any action in Afghanistan has to be tempered because we may have our people stuck in there and cannot be endangered. Similarly, the more time we take for banning the private Crypto Currencies in India, greater will be the problem later since many innocent investors would get stuck with the holdings.

Just as USA believed that Taliban has changed (though many believe that USA was only pretending to believe), Indian Government seems to believe that Bitcoins are technology innovations to be supported and are harmless. What if it is digital black money? What if it is used for terror funding?, What if it is used for extracting ransom?, it is still dear to our politicians because they can take bribes in Bitcoins and stash it away in foreign countries by a click of a button.

It is a shame that US plunged Afghanistan into this turmoil and it will be an equal shame for the Modi Government to plunge the Indian Economy into a turmoil by letting Crypto Currencies become a replacement currency for Indian rupees.

Some of the experts are creating confusion in the minds of the Finance Ministry that we need to have a Crypto Rupee before banning Bitcoins. This is only a tactic for delaying the decision since a Government Controlled Crypto Currency will not command the premium that Bitcoin commands since Crypto Rupee would be accountable for tax purposes. Hence any intelligent Crypto currency owner will not convert his current crypto stocks to Crypto rupee and would rather convert it through the virtual havala route into a foreign currency. None of the black wealth currently in the form of Bitcoins etc will therefore come to the open because Indian Government comes up with its own Crypto Rupee.

Sooner the Government realizes the dangers of delaying action against the Crypto Currencies, it is better for the country.

Dear Mr Modi and Mrs Nirmala Sitharaman, Procrastination in handling the Crypto Currency bill will not pay and you will come to regret your decision to delay. I will be there to point it out again and again until you wake up from your slumber.

Naavi

The demand for “Transparency” in processing of personal data is part of every data protection laws. As an associated concept, most data protection laws also mandate that there  shall be no automated decision making.

As the technology develops, many organizations use AI/ML algorithms that are opaque about how data is processed within the algorithm. The algorithms may also be property of third party service providers which data controllers may use.

Some of the service providers who provide their service under the SaaS model operate as “Joint Controllers” and not as “Processors” since they would not like to share the “Means of Processing” with the Data Controllers. They commit on the end result and hold the processing in confidence as their trade secret or protected intellectual property.

Many data protection laws allow for masking of information from normal disclosure requirements for reasons of protection of trade secrets.

In this environment, there are a few thoughts that are emerging about “Algorithmic transparency”.

Algorithmic transparency is the principle that the factors that influence the decisions made by algorithms should be visible, or transparent, to the people who use, regulate, and are affected by systems that employ those algorithms.

Under this principle, the inputs to the algorithm and the algorithm’s use itself must be known, and they need not be fair.  The organizations that use algorithms must be also accountable for the decisions made by those algorithms, even though the decisions are being made by a machine, and not by a human being.

The concept of “Algorithmic accountability” raises a question about the protection of trade secrets  involved in development of such algorithms which may be the core element of many start ups.

Recently, a study by Saasbhoomi.com has come up with a finding that Indian Saas ecosystem has the potential to create $ 1 trillion in value and nearly half a million jobs by  2030 

If however the Saas ecosystem has to realize its full potential, it has to wade through the challenges posed by the emerging concept of “Algorithmic Transparency” in privacy laws.

Though most data protection regulations do respect the presence of “Trade Secrets” in business and accommodate some flexibility in application of transparency norms, the issue may gather momentum in the coming days through Privacy Activism.

The old Canadian Privacy law PIPEDA already spoke of the need for Algorithmic transparency and indicated in its model code that Transparency  in the context of Privacy requires  algorithmic transparency. It said that Consumers would now have the right to require an organization to explain how an automated decision-making system made a prediction, recommendation or decision.

Even in UK where there is a competitive privacy activism against GDPR, there are discussions on Algorithmic transparency. One of the recent articles in blog of the Center for Data Ethics and Innovation  recommended that the government should place a mandatory transparency obligation on all public sector organisations using algorithms when making significant decisions affecting individuals requiring the proactive publication of information about the algorithms.  It will not be long before activists take up the idea and start pushing the concept in the private sector also.

If innovation has to be nurtured, there needs to be an appropriate regulation which does not mandate disclosure of what the Saas developers would consider as their proprietary information.

If however  the Saas developers tend to ignore the privacy regulations, there will be ground for the Privacy activists to push hard for algorithmic transparency.  This could lead to a new round of conflicts between the IPR supporters and the Privacy supporters. Considering the attitude of some of the supervisory authorities in EU and the EUCJ itself, it will not be surprising if some of the Supervisory authorities may start ruling in favour of algorithmic transparency.

We hope that the upcoming Indian data protection law recognizes the need for encouraging innovation by supporting some level of confidentiality of the trade secrets which include the way algorithms process personal data.

If there is a need for balancing of the demand for algorithmic transparency with the disclosure of automated processing, the Indian authorities may consider using the Sandbox system and demand that the information about the processing of personal data by algorithms may be escrowed in confidence  with the Data Protection Authority and protected by the Copyright laws.  In the recent days Indian Patent authorities have been liberal in interpreting the “Software” for patent and have provided patent for essentially software operations. Some algorithm creators may use Patent to protect their innovations and if so it may satisfy the privacy activists. Probably the sandbox system will come to assist the patent applicants during the time the patent application remains in contention before approval.

Naavi