Join the DPA 2021 training starting on April 30th

I would like to remind professionals that the next training program on the Data Protection Regulations in India would be conducted by FDPPI-Cyber Law College online as a weekend batch. Tentative dates are April 30 and May 1, 7, 8, 14.

  1. The program leads to the FDPPI certification “Certified Data Protection Professional-Module I” and is part of the larger “Certified Data Protection Compliance Management System Auditor/Consultant” (CDPCMS Auditor/Consultant). This program includes two other modules, namely the Module on Global Laws (Module G) and another on Audit (Module A).
  2. The program is based on the new JPC approved version of the Data Protection Bill. It will be conducted online on Zoom platform.
  3. Appropriate reading material would be provided during the course.
  4. At the end of the course, an online multiple-choice examination of 90 minutes would be available. Those who are successful will get the certification “Certified Data Protection Professional-Module I”.
  5. The course content would be as follows
    1. Evolution of Privacy Laws in India
    2. Applicability
    3. Obligations of a Data Fiduciary
    4. Rights of Data Principal
    5. Exemptions
    6. Restrictions on Data Transfer outside India
    7. Penalties and Offences
    8. Data Protection Authority
    9. Adjudication and Cyber Appellate Tribunal 
    10. Data Audit
    11. Data Protection Compliance Management System (DPCMS) and Data Protection Compliance Standard of India (DPCSI)

Registration can be done here.

6. The fee for the course is Rs 12,000/- plus GST of Rs 2160/-. Total Rs 14160/-.

7. Those who attended the FDPPI-IACC seminar on April 4th are entitled to a discount of Rs 2000/- and the fee payable by them would be Rs 10,000/- plus Rs 1800/- (GST). Total Rs 11800/-. (An email has already been sent to all the registered participants of the program.)

8. The registrants will also be provided a complimentary “Basic Membership” of FDPPI, which otherwise costs Rs 4000/-.

9. For further clarifications, if any, contact Naavi.

Naavi

After Avtar, it is Honda that adopts “Naavi”

Naavi was adopted by me as a name as a short version of my Kannada name Nagaraja Rao Vijayashankar.

The website naavi.com was launched on 14th December 1998 as a personal website and later converted into a Cyber Law website.

 

We can extract the first looks of the website from the Wayback machine where the earliest available page is 12th October 1999.

The first looks of the website look interesting though very archaic now.

 

When I launched my first book in 1999 “Cyber Laws for Every Netizen in India”, the name was published as the name of the author of the book.

While adopting naavi as my popular name, the word “Navi” was avoided because it phonetically could be spoken as in Navi Mumbai and also Navi was a registered trademark of Nokia and otherwise in Japan.

When the film “Avtar” was launched the first clash with phonetic “Naavi” was felt and a trademark application was formally launched.

However naavi.com was cyber squatted and later sold to a company in Australia. But Naavi.org which was hosted as a mirror site for Naavi.com remained in my custody and continued to host my content.

Trademark registration in India for service marks was not available when the website naavi.com/naavi.org was launched, and the system of Trademark registration is also steeped in inefficiency.

Now Sachin Bansal of the Flipkart fame has applied for trademark on Navi and the trademark office would perhaps grant it.

On the other hand I can record that for my trademark application of CEAC, the trade mark officer raised objections on CEAT and several other marks which had no relation to the trademark category. Similarly the trademark application of Cyber Law College was objected to and the trademark application of Naavi was not attended to for ages. With my experience I can state that Trademark registration is only for those with deep pockets who can manage the corruption in the system and not for those who pursue it only as a legal right.

Anyway now it is interesting that Honda has launched a vehicle in the name “Navi” but phonetically the videos speak of “Naavi”.

Sensing this type of dispute, I had submitted a patent application and launched the service Verify4lookalikes.com, which is now hosted under lookalikes.in. The services I envisaged here are now implemented by many others in the world and I could not take the patent application beyond getting the approval of the PCT.

It is too late now for getting disappointed about these failed encounters with Trademarks and Patents and sit back and enjoy that the name “Naavi” reverberates with the sound of the Honda motorcycle.

Naavi

Defining a Data Asset.. A Debate

[Discussions here are part of the Naavi’s Theory of Data]

Data Governance in an organization requires identifying what data is, how data can be created or collected, what its value is, who the custodian is, who the owner is, who will have access, what the permitted uses are, what the permitted ways of modification that create new data assets are, and how the data can be shared or destroyed.

A detailed discussion of these is part of Naavi’s discourse on the Theory of Data, for an academic discussion at some other time.

We have already discussed the concept of “Nuclear theory of Data” in the context of personal data in the following articles.

1. Fission and Fusion of data elements

2. Atomic structure of Data

In the recently released Draft India Data Accessibility and Use policy, the Government has set an objective to draw up an inventory of data assets in each of the Ministries and Departments and in this context, I would like to place a discussion on how do we classify “Non Personal Data” in a similar atomic model.

The “Atomic Model” of data envisages that

    1. There is a core element of identity of the data
    2. There are peripheral associate elements that give depth and width to data

In the Personal data context, the Name is like the proton but does not constitute a stable atom on its own. It has to be associated with another stabilization element such as the Aadhaar number, PAN card or Social Security number, which gives a “Unique Identity” at least within a large enough universe (e.g. Aadhaar is a unique identity in India but may not be considered so in another country). This combination of the Name and one or more unique identity factors forms the nucleus. But the Nucleus alone does not give the property of the atom. We need a set of electrons that revolve around it, like the other information such as the email address or mobile number, which together give shape to the data set as a stable atom. When two such atoms combine there can be a molecule, and when more molecules get bonded, we may get a compound or a complex organic molecule.

In non-personal data (NPD), defining a data set requires identification of a core identity element for the data set and then the associated information. NPD does not have the name of an individual to whom the data relates. But it could have an “event” or an “Object” to which the data relates. For example, data about a company, about a market research or about a cricket match are “NPDs but related to a core activity or object”. This core object is the defining sub-atomic particle of the NPD element.

The depth and width of the element is determined by how many neutron-like core elemental particles and how many electron-type peripheral particles are associated.

An NPD data set can be a PDF document, a video or an entire data base. A document about a cricket match and a video about the same cricket match can be considered as two distinct data sets. They can be combined with information on several cricket matches in a data base, in which case the data base is an NPD set.

When an inventory is being created, we need to identify and define the data set and give it an identity tag so that it can be accessed by users. In such an inventory, the data set has to exist in some stable form, such as a video clip of at least a few seconds, for the data to have any meaning. The PDF document and the Video clip can be considered as stable data sets. They can be included in a data base and access may be defined either to specific stable elements or to a larger document depending on the requirement.

When a search facility needs to be created, the search term has to be for a stable data element. For example, while we can do a text search for “sta” and index it, the more useful search term would be “stable”. Similarly the “Searchable component” of a data set could be such a term that can be useful to the person trying to locate the document.

These concepts need to be debated and refined further to enable “Data Governance” around “Non Personal Data Sets” generated, created, collected, used, disclosed and destroyed by an organization whether it is a Government department or a Private Company.

Industry representatives may comment if this concept has any relation to the way they define a data set under their control for Data Protection requirements under GDPR or other similar laws.

Naavi

Reference Articles:

Atomic model of Data
Fission and Fusion of Data

Theory of Dynamic personal data

The new theory of data


ITU-APT threatens India…. Government should Ignore and Tighten Data Localization

Hindu Business Line today carries an article stating that according to “ITU-APT”, the data protection Bill as envisaged may impede the right of foreign nationals.

The report also holds a threat that foreign jurisdictions may bar use of servers located in India.

This threat has come in the form of a letter written to the TRAI.

ITU-APT Foundation of India claims to be a non-profit, non-political, non partisan industry foundation registered under the Societies Act in India. The parent organization is a Geneva based  international organization having presence in other countries such as USA. The representation appears to have been led by FaceBook/Meta.

While we do not have a copy of the representation, the Business Line report indicates the following views expressed by the Association in the letter.

  1. The DPB 2021 does not contain provisions that prevent Government access to data of foreign nationals stored in India.
  2. The draft law will hamper user rights and could prevent cloud service providers and other entities from locating their servers in India
  3. “Critical Personal Data” (a term that is yet to be defined) cannot leave except in very limited circumstances such as health and emergency services or where the Central Government allows such transfer.
  4. The association contends that the draft DPB 2021 currently does not expressly consider the case where personal data may be located in India due to localization requirements but could be subject to the laws of the country in which such data originated. It does not address the possibility of Government access to such data in a way that overrides the protection provided to personal data in other jurisdictions. This may, in turn, hinder the ability of cloud service providers and other entities to locate their servers in India as foreign jurisdictions may bar them from doing so on account of data security concerns (for instance, due to the inability to get approval from foreign jurisdiction regulators to store data in India owing to concerns such regulators may have about protection of their citizens’ data).

We are not clear if this representation has been made by the parent body directly or the local arm of which Shri Tilak Raj Dua  is the Chairman, Shri Bharat Bhatia is the President.

We would like to however point out that the argument of the organisation is based on incorrect interpretation of the Bill and we would like to explain why we feel that India requires a stronger Data Localization law than what is proposed in DPB 2021 in the light of the risk that has been highlighted due to the Russia-Ukraine conflict.

Russia Ukraine Conflict has exposed a new Risk

We do not want to go into who is correct or who is wrong in the Russia-Ukraine/Nato/US conflict. We do not want to argue whether USA’s destruction of Iraq suspecting nuclear arms was justified or Russia’s invasion of Ukraine suspecting Bio Weapon factories run under the US patronage (like the Wuhan lab which could have manufactured the Covid virus), is more justified.

We can however focus on the action of many US companies which stopped services not only in Russia but also in India to private companies who had some business commitments to fulfil.

It is the prerogative of these companies to join a war for any cause but when their interests threaten Indian interests, we need to recognize it as a risk. Today we have recognized that there is a “China Risk” in depending on Chinese telecom equipment. But a similar risk appears to have emerged in the services of the US companies. The VISA for example stopped its Card processing services in Russia. What prevents them from bringing similar pressure on India if they are unhappy with the RBI regulation on data localization?

If FaceBook exits from India, there is no problem. It would be a blessing in disguise for the Indian society. But what if Microsoft or Adobe is arm twisted by the US Government to stop their services in India through the backdoors they maintain on their software?

Microsoft and Apple also have huge data collected from their “One Drive” feature which is more or less mandatory to be used for users. Google again is another US company which holds data about Indians beyond what is reasonable. If they ever stop access to such data then Indian citizens and Government will feel the real pinch of an Information war.

Is there a guarantee that these companies will not join a war in a fit of anger on India’s Kashmir policy or if Pakistan disintegrates and Baluchistan requests India’s help on humanitarian grounds to be liberated like Bangladesh?

Like US sending their aircraft carrier during the Indo-Pak war of 1971, what is the guarantee that all Windows computers in India stop working and all Adobe PDF documents vanish?

To counter such risks however remote they may be, India needs to take action through its current law namely ITA 2000 as well as the proposed Data Protection Law.

In this background let us see if ITU-APT ‘s objections hold any value.

  1. ITU-APT says that DPB 2021 does not contain provisions that prevent Government access to data of foreign national stored in India.

Though it is our sovereign right under which any asset anywhere in India can be accessed in the national security interests, we must draw the attention of ITU-APT to Section 37 of the Bill, which states:

Power of Central Government to exempt certain data processors.

The Central Government may, by notification, exempt from the application of this Act, the processing of personal data of data principals not within the territory of India, pursuant to any contract entered into with any person outside the territory of India, including any company incorporated outside the territory of India, by any data processor or any class of data processors incorporated under Indian law.

This section provides that the Government may grant exemption from the Indian law for personal data of foreigners stored in India, subject to a notification. Hence all the arguments built by ITU-APT are false and qualify to be called deliberate misinformation.

It is not however necessary that India should become a safe haven and any data processed in India which may hold a global humanitarian threat or Indian national security,  should not be touched by the Indian law enforcement  agencies.

For example, if the data pertains to a foreign agency running a Bio Weapon facility anywhere in the world, or is related to planning of a terrorist activity anywhere in the world, it would be the bounden duty of the Indian Government to investigate, notwithstanding the data being that of a foreign national and being processed in a server belonging to a US entity.

When laws are made, there has to be empowerment for such eventualities along with appropriate checks and balances to ensure against misuse. Presently we are only discussing the basic provisions of the Bill where, for empowerment purposes, provision of access under emergent situations must exist. The checks and balances will have to be discussed when the rules are framed by the DPA.

We already have Section 69/69A/69B/70B of ITA 2000 which ITU-APT should study and raise any objections if they have any. Probably they are not even aware of the law called ITA 2000 which is the current data protection law of India and will continue even after DPB 2021 becomes a law.

Hence the objection of ITU-APT on this ground is unfounded.

2. Regarding the hampering of the Cloud service providers, it is a business decision that these service providers may take whether they should have their services in India or not. There will be around 2 years time and India will try to develop its own services for data storage if these cloud service providers want to deny their services.

Even if the cloud service providers are prevented by their respective Governments to store the data originating from their country in India, it is their choice. If the cloud service providers are aware of a technology called “Encryption” or “Pseudonymization”, they can still use Indian servers and manage the local legal requirements. Perhaps ITU-APT does not think that the companies who have a need to store data in a cloud are not aware of such access control measures to address the concerns.

We strongly feel that there is no need for Indian Government to create a safe haven for International data to satisfy the concerns of ITU-APT. We need to take care of our national interests first and the protection of the legal obligations of the cloud service providers to a foreign country has to be subordinated to the Indian interests.

3. Critical personal data was an empowerment that the Government of India built into the law to protect contingent concerns. Now the Russia-Ukraine war and the private sanctions of commercial MNCs on other commercial organizations in India ignoring international law have underscored the need for this provision to be clarified if required.

Government may therefore declare that

“Critical Data” includes personal and non personal data, the incapacitation or destruction of which shall have debilitating impact on national security, economy, public health or safety.

For the purpose of implementing the cross border restrictions on Critical personal data, all organizations handling such data shall be considered as “Significant Data Fiduciaries” and assure the DPA through a registration agreement to protect the Indian interests at all costs.

4. The ITU-APT has not considered the fact that DPB 2021 basically applies only to data that has its origin in India. It does not affect the personal data of a foreign citizen originating abroad and processed abroad.

If such data is brought to India for processing, then Section 37 exemption as well as the security tools such as Pseudonymization, Encryption and Anonymization can be used by the Data Exporter to protect the interests of the foreign citizens.

There is no need for India to dilute its laws for the sake of data exporters from other countries who do not want to invest in appropriate security technology.

It therefore appears that the representation  of ITU-APT is devoid of merits and has to be rejected.

I request the TRAI not to initiate any action in this regard. Additionally we urge the Government to tighten the Section 33/34 provisions of DPB 2021 and make it mandatory that a copy of all data transferred out of India henceforth be kept in India. Additionally, as recommended by the JPC outside the Bill, all data transferred out of India in the last 3 years needs to be brought back to India as a copy.

Naavi

The Uber Autonomous Car Accident… Some additional thoughts

The fatal accident that occurred in March 2018  where the Uber Auto driven Volvo crashed and killed a person walking across the street had raked up many issues on the Technology and Law surrounding the development of driverless cars.

Now a detailed coverage of the aftermath of the accident in wired.com gives an analysis of the technology faults as well as the human issues behind the tragedy.

As per the report, it appears that Uber has been discharged of criminal charges of negligence and the human driver behind the wheel Rafaela Vasquez is blamed for not preventing the accident by timely intervention. The trial will continue and the final verdict may take some more time.

From the evidence discussed in the article, it appears that the Uber Software failed to recognize the obstacle and apply brakes. It is also said that the Car (Volvo) had its own emergency braking mechanism which was overridden by the Uber system and Volvo claims that its system would have perhaps either stopped the Car or at least prevented the fatality. This could mean that the Uber system was inefficient compared to the possible technical solution as offered by Volvo. This should make Uber vicariously liable for the accident.

However, whether the headlight system of the Car was good enough for the night driving could be a point of debate since it could not light up the victim earlier. Whether this was a fault of the Volvo or of the driver in setting the beam is not clear. This does not seem to have been discussed in the legal proceedings.

The video from the dashcam indicates that the victim suddenly appeared across the speeding car and perhaps it would have been impossible for any ordinary driver to spot the victim in the darkness that was around. Hence the accident could have perhaps happened in many other incidents of human driving under similar circumstances.

However it must be recognized that Uber was negligent for many reasons.

Firstly, though the testing was not complete, the safety of having two persons in the Car, one to monitor the driving and the other to assist the driver, was withdrawn. This left the driver alone and the “Automation Complacency” factor kicked in.

Secondly the real time monitoring of the driver was not resorted to for the fear of being considered as “Spying”.

Thirdly monitoring  of the driver behaviour through log monitoring was not good enough.

It is interesting to note that the driver refers to herself as the  “Operator”. The driver was not driving her own car and hence she was on duty when she was “Operating”  the automated machine. Hence there was no Privacy issue and no “Spying”. It was the duty of Uber to monitor the automated machine and its operator as a single unit of work which Uber failed to do.

It is unfortunate that Uber, instead of taking the blame on itself, made the “Operator” a sacrificial goat. The fact that the Victim herself was grossly negligent, and by jaywalking across the road on a dark night was a contributory factor to the accident, should protect the “Operator” from the charge of negligence.

Hopefully the trial with the Jury will find the “Operator” not guilty and accept the death of the victim as an essential sacrifice for development of technology. However technology companies need to set their bars of declaring a software “Safe” at a much higher level than what they may be doing now and their liability should continue even after releasing the software. In this case the software was still under testing and hence the liability of Uber should have been recognized without much of an argument.

Though Uber has made a monetary settlement with the victim’s family, it is unfortunate that they have not protected the “Operator” who became the second victim of the accident both legally and financially. She ought to have been provided with a life time financial settlement and legal support to bail herself out of the charge of negligence even with her own lawyers.

This case should establish that any software developer who produces an AI led system should inherently be made vicariously liable both for the victims of malfunctioning as well as the operators who had minimal control on prevention of accidents.

The Cyber Insurance industry would perhaps come to the assistance of the companies to ensure that the cost of technology development ultimately gets distributed.

In the light of this development, the provision of Data Protection Act in India requiring “Algorithmic Transparency”, “Security Certification” and filing of a “Privacy By Design Policy”,  when personal data processing is handled by  automated systems is a welcome step. This will bring better accountability for the companies in at least absorbing the liabilities and preventing unfair liabilities on the user-operators including the employees assigned for testing.

Naavi


Next Training Program on Data Protection from FDPPI-Cyber Law College

Cyber Law College is conducting the next program on Data Protection Laws in India for FDPPI Certification, starting from April 2nd. Details are as follows:

  1. The program leads to the FDPPI certification “Certified Data Protection Professional-Module I” and is part of the larger “Certified Data Protection Compliance Management System Auditor/Consultant” (CDPCMS Auditor/Consultant). This program includes two other modules, namely the Module on Global Laws (Module G) and another on Audit (Module A).
  2. The program is based on the new JPC approved version of the Data Protection Bill. It will be conducted online on Zoom platform.
  3. Appropriate reading material would be provided during the course.
  4. At the end of the course, an online multiple-choice examination of 90 minutes would be available. Those who are successful will get the certification “Certified Data Protection Professional-Module I”.
  5. The course content would be as follows:
    1. Evolution of Privacy Laws in India
    2. Applicability
    3. Obligations of a Data Fiduciary
    4. Rights of Data Principal
    5. Exemptions
    6. Restrictions on Data Transfer outside India
    7. Penalties and Offences
    8. Data Protection Authority
    9. Adjudication and Cyber Appellate Tribunal 
    10. Data Audit

Registration can be done here.

6. The fee for the course is Rs 12,000/- plus GST of Rs 2160/-. Total Rs 14160/-.

7. Those who attended the FDPPI-IACC seminar on April 4th are entitled to a discount of Rs 2000/- and the fee payable by them would be Rs 10,000/- plus Rs 1800/- (GST). Total Rs 11800/-. (An email has already been sent to all the registered participants of the program.)

8. The registrants will also be provided a complimentary “Basic Membership” of FDPPI, which otherwise costs Rs 4000/-.

9. For further clarifications, if any, contact Naavi.

Naavi
