Time to strengthen Data Localization as more foreign Companies become mercenaries


The war in Ukraine may be between Russia and NATO interests, where Ukraine is a willing sacrificial goat. While we can appreciate the resolve of the Ukrainians to join the war directly, the Latvian Parliament approving its citizens in Ukraine to join the fight and other foreigners travelling to Ukraine to join the war front are worrying trends.

While companies like Twitter have long been recognized as their own masters, trying to engineer regime changes in countries through fake messages, a new trend that has emerged in the current war is that non-media companies in the US have also joined the information warfare through “Denial of Access” to services which they are bound by contract to provide. This is a contractual default under international law, though they may cite “Act of war” as a reason.

For example, companies like Dell and Apple have stopped their hardware supplies to Russia, and some of these are defaults on contracts with parties in other countries. If an Indian aggregator had contracted with a Russian company for an IT service in which some Dell components were involved, he is now forced to default on the service because Dell is unwilling to fulfil its part of the contract.

A demand was made on ICANN to stop its services, which was fortunately rejected.

Now we are told that VISA and Master have stopped their services to Russia. PayPal has also made similar moves.

These private sector companies through their actions have joined the war front in the information sector. They are acting as mercenaries just like the Afghan tribals.

The demand on ICANN is a red flag which makes the Internet system itself less reliable than before. If companies like GoDaddy or other hosting companies respond to the call for blockage, the Internet blockade of Russia may partially succeed. Russia itself may not be adversely affected since it has a robust internal network and can also connect to the dark web seamlessly.

I would not be surprised if in future Microsoft turns over its backdoors to the US Government or Google passes on all access to Gmail content to NATO.

But there are lessons that we in India have to draw from these developments. The Indian Government and the population are very much dependent on US companies for many critical IT services, including the use of Microsoft products and Adobe products.

Without a proper assurance from these companies, it would be difficult for the country to rely on their services in future.

We therefore need to tighten our laws on the one hand to bind the “Critical service providers” to stand neutral at times of such conflict and, in the long run, become more and more self-dependent. This approach to “Atma Nirbhar Bharat” has to be accelerated to avoid India again succumbing to “Colonisation” in the digital global world.

I recently heard one professional suggesting that “Processing” includes storage and hence VISA can continue to store the information abroad without maintaining a copy in India and claim that the “Processing” is not complete. The Government needs to be aware of such innovative interpretations of the law intended to defeat the data protection regulations in India.

In the light of these developments, it is necessary for CERT-In to send an advisory that a new cyber security threat has arisen where private sector IT companies are joining hybrid warfare and pose a significant threat to Indian companies and the Government dependent on their services.

It is therefore necessary for all Indian companies and Government entities to gradually develop alternate technological support bases to ensure that moves by organizations of the VISA kind do not hurt us.

NASSCOM is at the forefront of supporting VISA and MASTER and demanding that no restrictions are placed on localization of their services. RBI has diluted its data transfer rules to allow “Processing” of financial data outside India, though the processed data must be kept in India.

I request NASSCOM to provide an assurance to the Indian community that the MNCs who are their members do not toe Biden’s policies to the detriment of Indian interests in future.

The Parliament at the same time must restore the Data Localization aspects in DPA 2021 back to the PDPB 2018 version and require that copies of all personal and non-personal data transferred outside India be kept in India, with emergency access made available to the law enforcement authorities under appropriate procedural controls.

The services related to Internet data storage and transmission provided by any company in India need to be declared as “Critical Essential Services”, with an empowerment for the Government to deal with them like other “Essential Public Services”.

By opting to take part directly in the information warfare, the US based companies have lost their case on opposing strict data localization in India. It has become a “Data Sovereignty” issue more than ever before.

We have no objection to any country joining the war transparently, like Latvia. However, companies need to always stay non-aligned if they want to work in the international space. Companies having activities in India have to support Indian policies and not the policies of a foreign country. This is the same situation that arose when Hyundai supported Pakistan on the Kashmir issue. If they do not see reason, the law should take care that they do not turn rogue. Today we are afraid of dependence on Chinese technology because it is a security risk. A similar risk perception has now arisen about companies like VISA, DELL and APPLE.

As an immediate step, I urge both NASSCOM and CERT-In to issue a joint notification that activities of IT companies stopping any services to Indian companies on the pretext of the war in Ukraine would be considered an “Unfriendly Act” and flagged accordingly. Such companies must be blacklisted or subjected to higher standards of compliance in case of any Government contracts in future. It is necessary for NASSCOM members to be “NON ALIGNED” in the current situation and toe the policy of the Indian Government.

Naavi

(P.S: The views expressed here are personal.)


Posted in Cyber Law

Conscription of MNCs into military operations. How should non-aligned countries respond?

One of the issues that has arisen from the Russia-Ukraine conflict is the collateral damage being caused to companies in India because some US companies have decided to join the war front by imposing various kinds of sanctions.

India has declared that it remains “Non Aligned” in this conflict, and neither the US nor Russia has the right to force India to join one of the fronts against its will.

While civilians in Ukraine, out of their patriotic fervour, are welcome to enlist in the military, and some foreign Governments such as the Latvian Government have allowed their citizens in Ukraine to join the war front, citizens of other countries are not presently under any obligation to join the war front as front-line soldiers.

Similarly, when we discuss “Information Warfare” as part of the hybrid war, we are considering a Government that is party to the kinetic war using information for propaganda or even conducting cyber attacks as part of its military operations. These are accepted as part of international warfare strategies.

But when civilians or companies try to impose sanctions of their own in support of one of the warring countries, there could be legal issues as to whether they have the protection of international law for their information war.

For example, if Google stops its map services or Dell and Apple stop contracted hardware supplies, they are actively joining the war and need to be formally conscripted into the military of one of the warring countries.

We now have situations where an Indian company which has a contract to execute involving components from US companies is stopped in its tracks by the sanctions imposed by the commercial companies. It is difficult to say if this is supported by any contractual clauses, since the US itself today is not (legally) at war and hence the “Acts of War” clause for disruption of service cannot be invoked.

While it is difficult for Indian companies to raise this as a dispute because of their continuing relations with the component suppliers, it is time for the Indian Government to consider the concept of “Deemed Conscription” of a company into the military if it actively takes sides in such a war. If this is not ratified by their respective Governments, as the Latvian Government has done, then the actions of the individuals and the companies imposing sanctions of their own become illegal and qualify for penal action in the respective countries.

Such actions may also qualify as conducting “Warfare” in other neutral countries. Hence Dell stopping the supply of computers under a contract and frustrating an Indian company from executing its contract is like bringing the war onto foreign soil.

We can understand that the corporate executives in these companies may not think deeply, but the call for ICANN to stop its domain servers for Russia (reported to have been rejected by ICANN) is an indication that “Critical IT Services” may become instruments of warfare without appropriate international legal justification.

Tomorrow, if Microsoft jumps into the war and stops all Windows servers, or Gmail stops all its email services, or VISA stops all its card processing services, the activities of other nations can be crippled.

At a time when we are thinking of a new Data Protection Law in India, it is necessary for us to see if we have sufficient legal backing to defend against such actions, even if this is purely speculative at this point of time.

I therefore call upon the Government of India to undertake such measures as are necessary to ensure that Indian companies are not held to ransom for the settlement of international disputes to which we are not a party.

This could be achieved by declaring “Essential IT Services” such as internet transmission, hosting etc. as “Critical Data”, imposing “Data Localization” and other security measures to ensure that we are not at the mercy of these companies in future.

Naavi

Posted in Cyber Law

Private Sector should be careful about joining the war front

The developments in the Russia-Ukraine conflict have taken a dangerous turn where many private sector companies who are “Multi National Companies” providing services across the globe have started joining the “Information War Front”. Accordingly, Google, Twitter etc. are taking steps to attack Russia by withdrawing their services. Now a call has been made to ICANN to stop all Russian domain names.

While one can appreciate the anger of individuals and its reflection in such suggestions, the move has extremely adverse consequences in eroding the faith of the citizens of one country in any service provided by a foreign country.

We were all aware of, and complaining about, Social Media Companies like Twitter manipulating the narrative against the Government. But companies like Google were not earlier in any activity which could be called anti-national. In fact, a large number of Government agencies use Gmail as their email service, placing their trust in it. Similarly, companies like Apple, Microsoft, Amazon etc. are considered international companies which could be trusted by both India and Pakistan.

Unfortunately, the current developments, where private companies have joined the information warfare which is part of the “Hybrid warfare”, have changed the global outlook on the MNCs. It is clear that these companies cannot be relied upon at times of crisis, and any increased dependence on them is a huge national risk.

The Atma Nirbhar approach to business is therefore essential to avoid this dependency.

In discussing the Data Protection Act, there has been a demand for Data Localization because of “Data Sovereignty” and the need of law enforcement to access data related to criminal investigation, terrorism, money laundering etc. The tech companies had convinced the Government to dilute the Data Localization provisions from the PDPB 2018 version, and even the latest JPC version allows free transfer of data outside India. Companies like VISA process their data outside India and are reluctant to bring back even the processed data into India as required by the RBI guidelines.

These issues now have a new meaning. A doubt now occurs in our minds: what would be the guarantee that VISA will not stop all processing for Indians, or that Gmail will not freeze all Gmail accounts, if there is a conflict between India and the US? What if Microsoft wants to stop all Windows computers in India for whatever reason that may seem legitimate to them?

These services are not like Twitter and Facebook, which are not essential services. Now the seeds of doubt have been planted in the minds of Indians and of every other country that dependence on the Internet itself is an existential risk for the country. This is not an issue of cyber security or even of cyber warfare between two State powers. This is an issue of trust in business, and it has been lost substantially with the rash decisions of some of the tech companies.

This has changed the world business order, and it is unlikely that we will be able to fully restore order to the pre-Ukraine war state.

Now is the time for us to start building more and more self-dependence at the country level; the pre-globalization principles of trade and commerce have to be restored.

Unless the private companies who have jumped to the war front quickly retrace their steps, the reversal of the globalization process will start now. The best policy for them now is to be “Non Aligned”, so that they walk through the next few days without taking decisions that cannot be justified in the long run.

However, the Government of India has no option but to speed up finding replacements for the Microsoft/Android operating systems, Google Maps and Gmail, the VISA and Master card networks etc. We may even need to develop an alternate internet network within India so that ICANN cannot threaten the existence of our communication for whatever reason.

Naavi

Posted in Cyber Law

Concerns of Global IT Bodies on Data Protection Bill are baseless

The Economic Times carried an article today saying “Global IT bodies express concern over data protection Bill”.

The Indian Express went further, saying “US bodies push back on data protection bill, seek new working group”.

These media reports are not reflective of the general views prevailing in the industry, and many of the industry experts who spoke in a webinar on Data Protection organized by ASSOCHAM yesterday expressed their eagerness to see the law being passed.

Does the Industry want to override the Parliament?

It is interesting to note that in the ASSOCHAM webinar, representatives from Google, Meta, Amazon etc. were all present and none expressed disapproval so strong as to say the Bill has to be rejected. However, the Indian Express report is very clear that

A senior executive working with a big tech company said… that “The JPC report has to be rejected and a new working group with trade and industry bodies have to be formed to discuss the issues”

Should the Government be forced to commit Contempt of Court?

It is clear that some sections of the media are amplifying minor concerns to force the Government to withdraw the Bill and postpone the law by a few more years. This appears to be an attempt to scuttle the Bill and force the Government into committing Contempt of Court.

During the proceedings on Aadhaar and Privacy in the Supreme Court in 2017, the Government of India committed itself, and was directed by the Supreme Court, to pass a robust privacy protection law at the earliest. If there is further delay, the Court could hold that a delay of more than 6 years is tantamount to “Contempt of Court”.

Even if the Court remains silent, there will be activists who will file such a petition and also ensure that the Parliament in the next session is disrupted on the issue that the Government is not serious and has to resign.

Why are the Big Tech company objections not sustainable?

Most of the big tech companies have already been part of the consultation process, and many of them deposed before the JPC. Some voluntarily stayed away from deposition even when they were invited.

Hence their claim now to a new consultation is completely unacceptable.

Demand of the US Bodies is driven by a rejection of Indian democracy

It looks very odd that the commercial companies, led by the Social Media companies known for their fake news propagation, are demanding the scrapping of the Joint Parliamentary Committee report and want an industry body to dictate what the Parliament has to pass as a law or not.

This is an attack on the sovereignty of our Parliament and must be rejected.

What are the Concerns?

According to the Indian Express, one of the main problems is the “insistence on local storage of data and restrictions on cross border flow of data”. Lack of large data centres is cited as an issue.

It appears that the industry body which has made such statements is not in sync with the developments of PDPB 2019/DPA 2021 in India and is commenting on the draft of PDPB 2018.

While we still support the PDPB 2018 version of “Cross Border transfer of data”, which required that a copy of all data transferred be kept in India, it is to be noted that the present version requires only copies of “Sensitive Personal Information” to be kept in India.

Even the RBI, which has a sectoral regulation on the transfer of banking data out of India, has now allowed processing of financial data outside India, though the processed data has to be brought back to India.

It was interesting to observe that one of the experts in the ASSOCHAM seminar was suggesting that “Since Storage is also considered as processing, storage outside India can also be considered as continued processing and hence data may never be brought back to India”. I presume that this was just a mischievous joke and not to be taken as a suggestion to bypass the RBI directive.

The claim of the group as reported in the Indian Express may therefore be considered a “Fake Report”.

Non-Personal Data included in the Bill

The JPC-2 fell into a trap set by the opponents, who were the same industry bodies that are today opposing the inclusion of non-personal data in this Bill. The earlier version of the Bill had the provision of Section 91 (now renumbered as Section 92), which empowered the Government to direct a data fiduciary to transfer anonymised non-personal data to the Government in certain circumstances where it is required for better Governance.

Some of the same Big Tech companies which are in the news today were unhappy, since they felt that the Government would take over their data, and raised a hue and cry that the provision was ultra vires the “Personal Data Protection Act”.

The JPC fell into the trap and tried to widen the scope of the Act by calling it the “Data Protection Act” and adding that it applies to non-personal data also. Now the same big tech companies are objecting to this widening of the scope.

The industry is again misrepresenting the situation: apart from Section 25, where reporting of non-personal data is “Empowered”, no change has been proposed on any other aspect of Non-Personal Data Governance. This provision can remain in the Act without being taken further.

The reason why the JPC fell into this trap was that some bureaucrats thought it would be good to have a single DPAI for both personal and non-personal data. They forgot that Non-Personal Data Governance is much more than “Reporting of Data Breach” and involves “Monetization”. Security of non-personal data was not a concern of this legislation, since ITA 2000 already addresses this requirement.

Having bitten the bullet of Non-Personal Data now, it is necessary for the Government to stand up and say that the “Data Breach reporting provisions” are only an “Empowerment”, and the DPAI may consider whether it is required or whether the current system, where such reports go to CERT-In, is sufficient.

The Section 92 provision is required for National Security (like the Ukraine situation) and can be justified.

Is Innovation discouraged or disincentivised?

One of the other concerns raised in the ET report is that:

  1. “Recommendations run counter to global standards…Many of our joint member companies in India and from across the globe will be significantly impacted by the report.”
  2. It also states “recommendation to establish a domestic alternative to the international SWIFT banking system is unprecedented”.
  3. They continued to hold out a veiled threat… “When these and other recommendations in this report are considered as a whole, their result, if enacted, would lead to a significant deterioration in India’s business environment, degrading the Ease of Doing business in and with India, and negatively impacting India’s domestic start-up ecosystem and global competitiveness. The ability of companies to participate in the Indian market would be dramatically impacted, thereby reducing foreign direct investment in India”

It is unfortunate that while these companies accept the EU GDPR regime, with insane penalties being levied on them, they think that they are able to dictate terms to the Indian Parliament.

As regards any provisions of the proposed Act that the tech companies need to follow, there is perhaps another 2-year window to attain compliance. Hence, whether it is providing the “Verified” badge, adopting proper consent, obtaining security certification or algorithmic transparency, the two-year period is more than sufficient.

It is therefore our considered view that the objections raised lack conviction. We can wait for the regulations to be announced by the DPA in the next 6 months or more and then consider whether the concerns expressed are real or imaginary. If there are real difficulties, the Government may consider appropriate amendments.

Naavi


Posted in Cyber Law

Don’t miss hearing the views of FDPPI on the New Data Protection Act

An FDPPI-IACC hybrid event on March 4, 2022

Implications of the Upcoming Data Protection Bill 2021: The Compliance Perspective

You can register either at IACC or FDPPI.

IACC registration for the physical event

FDPPI registration for the webinar

Participants in this event will have special discounts on the upcoming Certification Program of FDPPI-Cyber Law College.

Naavi

Posted in Cyber Law

Do We need an Unregulated Data Processing regime?

The Minister of IT, Mr Ashwini Vaishnaw, recently commented that there is no plan to scrap the current draft data protection regulation (as has been falsely projected by some journalists), and he hopes that the Bill will be passed soon, if not in the current session then at least in the Monsoon session.

He said that there have been comprehensive consultations and we should be able to resolve differences, if any, and get the Bill passed.

Simultaneously, the media campaign has started again to highlight that the social media companies are unhappy, the start-up companies are unhappy etc. Organizations like NASSCOM, which ought to support the initiative of getting an early law in place, are only reflecting the objections of the industry and making it difficult for the Government to go through with the passage of the Bill.

The objections raised are largely excuses, and even if they are relevant, they can be corrected either through notifications or in the next amendment. We need to keep them aside for the time being and see how the law gets assimilated by the industry, after which we will have more information on what changes are required.

The tech companies are already in compliance with the GDPR regime and are aware of how to wade through a data protection law. Indian law cannot be too hard compared to GDPR. Start-ups have been given 3 years under the Sandbox provision and hence should not have any complaint.

The social media intermediaries are only required to give their customers the choice to verify themselves and, after such verification, to insist that their identity be disclosed with their messages. This will not prevent the social media intermediaries from continuing to have fake accounts and spreading fake messages if they so desire. The viewers will start discounting the posts of unverified accounts, and the media need not be bothered.

At the same time, the media has the option to be an “Intermediary” and not be considered a “Publisher” if it gives up control over the content. There is a new attempt to pitch the Ministry of I&B against the Ministry of IT, saying that there will be overlapping of the domains. We know that the ministers of the two ministries held a joint press conference to announce the February 25, 2021 Intermediary rules, and it is unlikely that they will start objecting to each other now.

IAMAI has also criticised the Bill as if it poses a risk to the digital ecosystem by having an impact on free speech. We do not know where the conflict lies, since the Constitution itself has provided for reasonable exceptions to every fundamental right, and this would apply even to the right to privacy.

IAMAI has also criticised the expansion of the scope to Non-Personal Data; this is an enabling provision forced on the JPC by the earlier objections and can be clarified through the notifications.

The restrictions on data transfer outside India have already been softened to well below the GDPR standards; compared to the Indian law, GDPR with the recent EDPB guidelines is a stricter data localization law than DPA 2021.

The DPA 2021, when implemented, will have to manage conflicts with several sectoral regulators including CERT-In, RBI, IRDAI and TRAI. It is therefore not a burden for it to handle the Cyber Law division of the I&B ministry as another sectoral regulator.

We can expect that the DPA, as a body of 7 senior persons, will devise a method of consultation with the sectoral regulators as envisaged under Section 56 of the Bill.

There is no doubt that the industry would be happy without any regulations and hence is opposing the regulations. Cost of compliance is associated with every law and cannot be a reason for non-regulation. It is strange that the companies do not complain about cost when GDPR is imposed on them but raise objections only when there is an Indian law of a similar nature.

The attitude of the industry and the associations that represent it is not sustainable on close scrutiny. The objections only say that they do not want any regulation and do not want to be accountable for data breaches or for compliance, and they have to be ignored.

I hope that MeitY will not yield to the pressure tactics and will go ahead with the law for early passage. If they yield, they will be liable for Contempt of Court, since the Bill has already been delayed beyond any reasonable time.

Naavi


Posted in Cyber Law