New Dimensions of Privacy… Mental Privacy or Neuro Privacy Rights

While we in India are still procrastinating on the introduction of a law for protecting information privacy, the world seems to be moving ahead into legislating for “Mental Privacy”.

The “Information Privacy” as defined by the Puttaswamy judgement refers to the right of a person to exercise his choice about how his personal information may be collected, used or disclosed by a third party.

Puttaswamy judgement recognizes that “Privacy” is a state of mind and much more than “Right to Spatial Privacy”. But technology developments are opening up new challenges on defining the boundaries of “Privacy”.

While I am not discussing the boundaries from the perspective of how much privacy intrusion should be allowed to Government or Law Enforcement or even Commercial interests, it is time to look at the more basic level of how technology may be threatening the very basics of “Freedom of Thought”.

Firstly, let us look at medical implants which sit inside our body, and watch how our heart is beating or blood sugar is changing etc. Is this “Privacy Invasion”? …of the exempted category where there is a need to protect life, and there is an explicit consent?

If the company that owns the implant device, as in the case of all IoT devices, retains an ability to collect data, store it, analyze it and make money out of such analysis, is there a concern about potential misuse of personal data, possible crimes which may extend to causing death of the individual etc.?

When sports medics analysed the bowling action of Muttiah Muralidharan, were they intruding on his privacy and gathering evidence which could be incriminating against Mr Muralidharan himself?

…are issues that we are already aware of.

The wearable devices like the smart watches and the Alexa kind of “Always listening” devices also pose substantial privacy risks in the normal sense though “Explicit Consents” could be used to manage them.

In the next level, we are getting into the era of the Metaverse with virtual presence, where the potential for privacy invasion causing mental disturbance is extremely high.

Over and above these developments, the questions now coming up are the “Neuro Intrusions” where probes collect brain wave emissions and collect the subject’s thoughts. Probably in the coming days, the same probes may be capable of sending in messages to alter the brain perceptions and make people hallucinate more realistically than ever before.

Does our present legal system address “Brain Hacking”? This is a question we need to ask ourselves.

ITA 2000 attributes an action of a computer to its owner. This has effectively extended the Act to the field of Artificial Intelligence. The definition of “unauthorized access” is however limited to “Computer Devices”.

A Computer is defined in ITA 2000 as

“any electronic, magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic, and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software, or communication facilities which are connected or related to the computer in a computer system or computer network;”

While the legislative intent has to be limited to treating the devices that we today recognize as Computers, Mobiles and other binary processing devices, it is difficult to extend this definition to the “System” of the “Human Brain”, though the neuro system also consists of data storage, data transmission, data sensors, data input and output peripherals etc., similar to the computer system we know of.

In India, our Supreme Court can assume any kind of power whether written in the constitution or not, and this argument has been used in the Puttaswamy judgement by one of the judges (Justice Chelameswar). Hence the Supreme Court has the power to read down section 2(i) to interpret that the definition of a computer system includes the human brain, since it also receives and emits electromagnetic impulses.

Every end point of a nerve is like a pixel in a computing device and has an experience which is communicated by the neurons. The software inside the human brain interprets the experience as “Sight” if it comes from the eye or “Sound” if it comes from the ears and “Touch” if it comes from the skin, “Smell” if it comes from the nose and “Taste” if it comes from the tongue and so on. There are APIs inside our body with specific instructions on how to interpret different sensory perceptions.

We may therefore consider that there is a need to discuss whether the interpretation of “Computer” has to be limited to the “Devices” or should be extended to human brain also. If so, our current law, either the ITA 2000 or the upcoming DPA 2021 can be used also to interpret Mental Privacy as the west is trying to interpret.

We may need more discussions on this subject and we shall continue our discussions in due course.

Naavi

Related Article in vidhilegalpolicy.in

 


The Era of Compliance By Design

We have moved from Security by Design to Privacy By Design. Now it is time to upgrade to Compliance by Design.

Non Compliance of Data Protection law could lead to a penalty of 4% of Global Turnover.

Mitigation of the 4% Penalty Risk is the objective of the CBD or Compliance by Design strategy.

CBD means compliance to Data Protection law. In India… the JPC approved Data Protection Act 2021.

While complacency born out of the Resistance to change stops us from taking compliance steps with the hope that Government will never get the courage to pass the law, Courts have already started interpreting parts of the new proposed bill as “Due Diligence” under Information Technology Act 2000.

If Courts can uphold Right to Forget before the DPA 2021 is passed, nothing prevents a Court from imposing penalties for non compliance of DPA 2021 as part of ITA 2000.

Let us not wait for somebody to teach us with a penalty. Let us develop our own Code of Practice… to be compliant before we are forced to.

FDPPI, the dada of data protection in India, has organized a one day seminar on “Compliance View of DPA 2021” at Chennai on April 23rd, 2021, in association with Madras Management Association and in partnership with ISACA, IACC and CySi.

Contact any of these organizations to participate in the program and enrich yourself with the Law, Technology, opportunities and means of compliance embedded in DPA 2021.

Naavi


National Privacy and Data Protection Compliance Movement

India is planning to pass a law on Privacy and Data Protection, and the Bill titled Data Protection Act 2021 (DPA 2021) is pending in the Parliament. The Bill originated in 2018 following the Srikrishna Committee report and was later modified as the Personal Data Protection Bill 2019 (PDPB 2019). A Joint Parliamentary Committee (JPC) has deliberated on the bill for more than two years, held consultations with many stakeholders and has now revised the PDPB 2019. The revised version, now referred to as DPA 2021, is ready for final debate in the Parliament and for being passed into law.

Like all laws that have a significant impact on society, DPA 2021 has also been facing opposition from a section of the industry. As a result, the mainstream industry has been presented with a skewed view of the proposed law, creating uncertainty in the minds of industry professionals on whether the law will be passed and whether it is desirable or not. This has resulted in many organizations delaying the implementation of their compliance program.

We need to realize that DPA 2021 is a continuation and expansion of the currently applicable law, namely the Information Technology Act 2000 (ITA 2000), and forms part of the “Due Diligence” under Section 43A of the ITA 2000. Several Courts have taken cognizance of the Bill and incorporated the provisions in their decisions. Prudent companies therefore think that the time for compliance has already come, and that the time up to the actual passage of the Bill and the further implementation time that may be provided therein is a cushion against being held liable to the potential penalties envisaged in the Act for non compliance.

FDPPI (Foundation of Data Protection Professionals in India) is an organization that is dedicated to the cause of “Data Protection” in India and to building a Data Protection Compliance ecosystem in India. Since 2018, FDPPI has been engaged in outreach programs to build awareness of the Privacy and Data Protection concepts and also in the development of professionals who are certified in the relevant skills to provide consultancy to organisations and conduct audits of the “Data Protection Compliance Management Systems”. FDPPI is today the apex organization in India dedicated to the establishment of the Data Protection compliant environment in India.

During the pandemic times, FDPPI conducted nearly 100 online events on Data Protection regulations and related issues, which have already created wide awareness of the forthcoming laws.

As a part of the activities in the post-pandemic scenario, FDPPI is now conducting a series of physical programs in different parts of the country in association with multiple organizations to spread the awareness of the regulation from the compliance perspective.

In this series, FDPPI conducted one program in Bangalore in association with Indo American Chamber of Commerce (IACC) on 04th March, 2022. On April 23rd 2022, FDPPI is conducting a program in Chennai in association with Madras Management Association, ISACA Chennai Chapter, Cyber Society of India and IACC.

During these programs, we discuss the compliance measures that are required to be followed by the industry steering clear of the controversies. The discussions cover the overview of the law as presented in DPA 2021, the Technology and Business Challenges that the law presents, the Professional opportunities created for Data Protection Officers and Data Auditors and also the Compliance framework exclusively designed for compliance of the law.

FDPPI presently has developed a Compliance framework called “Data Protection Compliance Management Standard of India (DPCMS)” which is focussed on the compliance of DPA 2021 incorporating the best principles of other international frameworks. This is an indigenous approach designed to be a Unified Framework for Indian companies to be compliant with all Personal Data Protection laws and includes some aspects of compliance of Non-Personal Data protection which is part of DPA 2021.

The framework includes innovative and globally unique concepts such as “Data Valuation”, “Distributed Implementation Responsibility”, “Generation of Data Trust Score” etc. It is flexible enough to be customized and adopted by different industry segments.

Recognizing the difficulties that arise when implementing one law applying equally to all industries and entities of all sizes, FDPPI is now in the process of developing different “Sector Specific Compliance Code of Practice” which meet the requirements of law under Section 50 of DPA 2021. The Data Protection Authority of India (when operative) can approve such codes of practice after due consideration whether they meet the requirements of the law. This should substantially ease compliance and encourage increased voluntary compliance in the industry. FDPPI has a vision to create tailor made Compliance frameworks for different industry segments with the participation of industry representatives. This is a “First in the World” approach to the customization of data protection law compliance to different sectors and would help in reducing the pain of compliance.

FDPPI however is a Not-for-Profit organization and its bandwidth to conduct the outreach programs in different locations is dependent on the partner organizations. Presently we are working with organizations like IACC and ISACA which have presence in multiple locations. However we are looking for other suitable partners who are interested in associating with FDPPI for this “National Data Protection Compliance Movement” where we disseminate knowledge, motivate companies to start compliance initiatives and develop sector specific codes of practice.

Come, let’s together bring about a Data Protection Revolution in the country.

Nagpur bench of Mumbai High Court issues notice to Maharashtra Adjudicating Officer

(Press note issued by Mumbai High Court for not providing timely hearing of Adjudication case)

The Adjudication system in ITA 2000 was one of the commendable features of Cyber Law in India, trying to provide a fast track settlement of cases under ITA 2000. Unfortunately, many IT Secretaries do not take up adjudication cases. Some take up the cases and come out with questionable decisions. The intention of the law to get a decision within 6 months often remains a dream.

The undersigned was fortunate to lead the first adjudication case in Chennai in 2008 which took 2 years but was held briskly. Mr PWC Davidar was the adjudicator at that time and he was highly professional in his approach. However in the case against PNB, the Bank’s advocate played all tricks of delaying and the case got held up to such an extent that the case is yet to be decided. In Mumbai, one of the earlier IT secretaries, Rajesh Aggarwal, was a very active Adjudicator who decided many cases in his tenure.

It now appears that all adjudicators have lost interest in such cases and it is very difficult to suggest that cyber crime victims approach the Adjudication.

The Cyber Judicial system has irrevocably failed.

In such a scenario, we must appreciate the efforts of Advocate Dr Mahendra Limaye who has approached the Mumbai High Court (Nagpur Bench) and got a notice issued to the Maharashtra adjudicator for not providing timely hearing.

A press note issued by the High Court in this regard is reproduced below.

“In a writ petition No.5058/2021 filed by Shikshak Sahakari Bank Ltd. Nagpur against 1) Govt of India through Department of Electronics and Information technology and 2) Adjudicating Officer Maharashtra, which was heard today by Hon. High Court’s Division bench consisting of Hon. Justice Atul Chandurkar and Justice Mrs. M.S. Jawalkar, a notice was issued to both the parties.

The petitioner has prayed for directions to be issued to Information Technology Secretary Maharashtra who is designated as Adjudicating Officer for timely conduction of Civil matters as mandated under Information technology Act.

It was contended by Adv. Dr. Mahendra Limaye, the lawyer for petitioner that complaint filed by petitioner bank since April 2019 has not been heard till date and many such matters are pending before Adjudicating Officer since more than 4 years. As per provisions of The Information Technology (Qualification and Experience of the Adjudicating Officers and manner of Holding Enquiry) Rules, 2003, Section 4 – Scope and Manner of Holding enquiries at subsection (k) states that, “As far as possible, every application shall be heard and decided in four months and the whole matter in six months” but the respondent no.2 has not initiated and concluded the complaint filed before him on 20 April 2019, i.e. almost 35 months have been passed but no meaningful enquiry/hearing is conducted by the A.O. This amounts to non-following the due procedure established by respondent no.1 and also gross injustice to the petitioner who is also repository of public money being a Cooperative Bank.

The cyber crimes are increasing every passing day and there needs effective Civil as well as Criminal remedial measures for the same to provide justice to the victims. The statutory provisions of effectively providing the justice between 4 to 6 months, as far as possible, from reporting of the complaint is getting defeated by such inefficient judicial system which needs to be directed for speedier disposal of the matters.

Hon Court has issued directions for issuance of notices to the respondents.

Advocate Dr. Mahendra Limaye represented petitioner Shikshak Sahakari Bank Ltd. Nagpur.”

I hope this will prompt other Adjudicators also to speed up their cases now.

We congratulate Dr Limaye for drawing the attention of the Judiciary on the lethargy of the State Government and the IT Secretary of Maharashtra.

Naavi


Sri Lanka..another neighbour to overtake India in passing Data Protection law

As India continues to dither on the passing of the Indian version of Data Protection law, our neighbour, Sri Lanka has gone ahead and passed its “Personal Data Protection Act 2022”. 

It is interesting to note the comment made by Justice Minister Ali Sabry that

“There is nothing called perfect legislation..we cannot sit and wait for tomorrow to do the legislation….Will accommodate amendments if there are serious concerns”. 

This appears to be a direct comment on the Indian approach to the legislation which is one of procrastination and lack of commitment. (Refer this article).

It is clear that even in Sri Lanka there is the same kind of opposition to the Act as in India but the Government has shown the resolve to go ahead with the legislation.

Indian law may be better in terms of the protection of privacy but still the Government seems to lack the will to pass the law. It is possible that the commercial lobbies in India are strong and have the support of the political opposition to the Government and hence the Government is hesitant to pass the law.

Indian Parliament needs to take a lesson from Sri Lanka in this regard.

P.S.: We are watching for the final published version to make further comments.

Naavi

Copy of the final version of the Act is here
