Is EDPS endangering the global community including India?

Recently, when the JPC submitted its report on PDPB 2019, dissent notes were presented by a few members of the committee belonging to opposition parties. Some of these related to “Excessive powers” for law enforcement and “Lack of parliamentary oversight”.

Two recent incidents in the EU directly reflect the views of the EU community on these issues and are worth taking note of, since they may come up for discussion during the Parliamentary debate on the DPA.

While it is difficult to accept the views of EU society on both these counts, it is nevertheless interesting to take note of these issues.

The first is the decision of the EDPS to pass an order requiring Europol to delete a vast amount of data held for criminal investigation purposes. The second is the reprimand issued to the EU Parliament itself for violations of the GDPR.

No doubt the EDPS appears to be a hero in his own right, but whether these actions are good for society in the long run is difficult to say.

The EDPS involved is Mr Wojciech Wiewiórowski, who was appointed on 5th December 2019 for a term of 5 years. Earlier he had served as Assistant European Data Protection Supervisor from 2014 to 2019.

He is certainly a highly learned person with vast experience in the field of data protection, and served as the Polish Data Protection Commissioner from 2010 until he moved to the EDPS.

In the first instance, the EDPS accused Europol of becoming a counterpart of the NSA in the USA, clandestinely spying on citizens in a mass surveillance effort.

It is said that Europol has accumulated quadrillions of bytes of sensitive data (about 4 petabytes, equivalent to 3 million CD-ROMs).

The data has been collected from various sources, including criminal records, material extracted from encrypted phones and other sources. The EDPS has ordered that the data shall not be held for more than 6 months and that Europol shall take steps to delete the rest of the data within one year.

Technology has been used for everything from artificial intelligence, robots, 3D printing and crypto currencies to Web 3.0 and so on. But when law enforcement wants to use technology, there is objection from many quarters. This discrimination against the use of technology for national security is not good for society.

In another decision, the EDPS has issued an order reprimanding the EU Parliament for allowing the transfer of data to Google and Stripe against the Schrems II principle.

Though no fine was imposed, a reprimand has been issued, along with an order to make changes to the notice and to address the other issues pointed out.

For some this may seem like a heroic commitment to privacy, where the EDPS has taken on its own appointee (like the Bhasmasura syndrome referred to in another context). But if we consider the long term implications of both these decisions, it appears that the EDPS is indirectly endangering global security by assuming for itself power over and above the European Parliament and law enforcement, and is diluting the counter-terrorism efforts of Europol.

Naavi.org had raised the red flag in June 2018 on “Whether GDPR will convert the entire Internet into Deep web” by carrying privacy beyond its natural limitations. It appears that this prophecy is now coming back to haunt us. On the one hand, the “Meta Verse” mafia has joined hands with the crypto currency mafia in an attempt at creating a Web 3.0, which is an attempt to create a nation beyond all nations. At the same time, people on the right side of the law like the EDPS are showing a holier-than-thou attitude on privacy, diluting security to the extent that criminals and terrorists will thrive.

This fight between privacy activists and national security agencies in the EU is not an internal issue of Europe. If Europol is not able to gather the intelligence required to identify terror activities, then terrorists operating from within Europe may attack not only the EU but also other global citizens. We in India are therefore concerned about the stance taken by the EDPS on the law enforcement issue in particular, and hope that Europol is not weakened by the over-enthusiasm of the EDPS.

A serious global debate needs to be undertaken in this regard by all the security agencies. Perhaps the NIA should take the lead in discussing with the NSA, Europol and other similar agencies to ensure that Europol is not rendered impotent.

The time has come for the Indian Government to ensure, while passing the Indian Act, that security concerns are not ignored. After all, the right to security is as much a fundamental right as the right to privacy, whether the Supreme Court agrees or not.

Naavi


Posted in Cyber Law

We Need Accountability from HDFC Life

We are all aware that insurance companies are aggressive in marketing their policies and are at the forefront of misusing the provisions of law by infringing the privacy of individuals. The bigger the company, the bigger the violations.

I recently had an occasion to observe that HDFC Life issued a life policy for me though I was not eligible, and to make it possible for them to issue the policy they included the name of my son, whose life I had no intention of insuring. But HDFC Life created the policy in such a manner that the proposal was from my son, though the payment was made out of my account.

Assuming that this is an error that can be ignored, though it has caused my investible resources to get stuck for some time now, immediately on receipt of the policy document I returned it to the Mumbai office of HDFC Life asking for immediate cancellation, and followed up several times through email. But HDFC Life maintained a stoic silence until a representative of mine physically visited their branch in Bangalore to find out. He was informed that my email address was not registered and hence they were not responding. If I had made the payment, sent a courier and followed up with email, it was improper for them not to try contacting me. Only when the other joint holder sent the same request did they respond, and only with a request not to cancel.

They are also insisting that the joint holder of the policy has to visit their branch to finalize the cancellation. While issuing the policy there was no need to visit, but now they are insisting on this formality, though both the holders

I have now reported the issue to the CEO of HDFC Life as well as to IRDAI and am waiting for the response.

I have now requested HDFC Life to let me know what process they follow when they receive a courier package containing a policy followed up with a request for cancellation. How can this request remain unanswered for the technical reason that the email address is not registered, though the name and other details are visible in the returned policy?

This would be a classic contravention of the Data Protection Act 2021, which could result in a penalty of up to Rs 10 lakhs. If, on receipt of such a complaint, the audit or inspection shows that there is no proper process, then the penalty can be up to 4% of the total worldwide turnover of HDFC Life.

The persons handling support@hdfclife.com or service@hdfclife.com need to realize that a request of the type I made indicates a risk of a penalty that could run into crores of rupees, and should log it as an “Incident”. Such incidents are auditable by the Data Protection Authority.

It is clear that HDFC Life may not have a DPO at this point in time, but whoever takes up the mantle will have a huge task in repairing the lax attitude of the support/service handlers.


Naavi

Posted in Cyber Law

State Bank of India Dombivli harassing a Senior Citizen on Pension account

It is well known that pensioners are dependent on banks for the disbursal of their pensions. Once the pension is approved by the relevant Government department, the instructions are passed on to the bank and periodic payments are initiated by the bank. The pensioner is entirely dependent on the bank for crediting what is due.

An instance has come to light where the Dombivli branch of State Bank of India has suddenly sent a message to a lady pensioner of advanced age that since 1st February 2011 there had been an excess payment into the account (on average about 15%) and that a total amount of around Rs 502000/- has become recoverable. The Bank has gone ahead and blocked the SB account of the account holder, leaving the pensioner in the lurch.

A question has to be raised here about whether a payment made by the Bank and credited in excess to the account holder is recoverable.

According to banking law applicable to a wrong advice of credit, if the customer has genuinely altered his position on the basis of the advice of the Bank, the amount, even if in excess, cannot be arbitrarily recovered. In the case of payment of pension, it is a full and final settlement by the paying authority and it is legally unfair to recover. If there was an error, then the excess has to be recovered from whoever was responsible for the excess payment, and the Bank has the right to absorb the loss if it deems fit.

I am bringing this incident to public knowledge here so that the authorities responsible for payment of pensions in the Central Government may take suitable steps to advise State Bank of India, Dombivli branch, to take appropriate corrective action in respect of the complaint which is with them.

In case the authorities want more details, Naavi.org would be providing the same.

We hope SBI and the Central Government respond to this issue immediately.

Naavi

Posted in Cyber Law

GitHub is a Social Media Intermediary and Platform

The recent issue of the Sulli Deal and Bulli Bai apps being hosted on GitHub has exposed GitHub to liabilities under ITA 2000 as a Significant Social Media Intermediary (it is estimated that there are 5.8 million users from India).

According to GitHub, it is primarily a “Repository” of code. At the same time, it also provides services for hosting the code on a website, which becomes a publishing service.

In copyright law, software code is considered “Literature” and an “Expression”. Hence hosting code to directly render services from GitHub servers, as with Sulli Deal and Bulli Bai, can be classified as a publishing activity.

Hence GitHub is liable both under ITA 2000 and the new Intermediary Guidelines of February 25, as well as under the new law coming under DPA 2021 applicable to a Significant Social Media Platform.

As an Intermediary and a Platform, GitHub has to provide for identification of users, appoint a local compliance officer and be accountable. It cannot take the excuse that it is not an Indian company or that its servers are in India, etc., even if it is owned by Microsoft.

Microsoft may claim that it is only the owner of the basic platform and that each hosted app is a separate service provided by the users. This would mean that Microsoft itself is a cloud service intermediary and would escape direct liability as long as it can identify the wrongdoers.

In the Sulli Deal and Bulli Bai cases, therefore, law enforcement has a strong case against Microsoft to enforce the law and expect them to co-operate beyond just removing the applications, which is the first step. Now GitHub should be able to preserve the evidence under sections 65 and 79 about the transactions in the account, including IP address information, for a minimum period of the last 6 months.

I hope the Government and CERT-IN will take steps to ensure that GitHub does not make it difficult for law enforcement to get the information necessary to continue their investigations.

Naavi

Posted in Cyber Law

Avoid Norton 360: CERT-IN should send an advisory

It appears that the power of corruption and the criminals have now invaded the security guardians. As per the news report, Norton, a well known company in the anti-virus software business, has added a crypto miner to the download of Norton 360. This crypto miner would mine Ethereum, which is fungible with Bitcoin and other crypto currencies.

Though Norton claims that it is an opt-in feature and can be turned off, in reality it is stated that it is difficult to remove. We all know that not all users are alert enough to filter out such unwanted software at the time of downloading.

It is unfortunate that anti-virus companies which were identifying crypto miners as “Potentially Unwanted Programs” have now yielded to the power of the corrupt. Norton would be collecting a 15% mining fee and using the resources of the users, in terms of computing power and electricity, to generate this revenue.

This is completely unacceptable behaviour for a security company. For a long time, the common man has been alleging that anti-virus companies themselves spread viruses and then sell removal tools. Norton has gone one step further to join hands with the “Computer Contaminant” manufacturers to promote computer contaminants.

India is on the verge of declaring crypto currencies illegal, and ITA 2000 already has a provision under Section 43 read with Section 66 to treat the installation of any program without proper consent as a criminal offence. Even the DPA 2021 has introduced a provision for certification of software to ensure that no malicious code is present in any software.

Hence the Norton service is a challenge to the “Opt-in” provision and to the sanctity of the consents obtained, i.e. whether they are truly well-informed consent as per the standards of contract under Section 14 of the Indian Contract Act (refer to Section 11 of DPA 2021).

I urge CERT-IN to send an advisory to the public about the danger of installing Norton 360 and also to advise all Government agencies to refrain from using Norton services.

By associating with the currency of the criminals, Norton has lost its credibility as a trusted security company and has to be red-flagged for security purposes.

Naavi

Posted in Cyber Law

FDPPI to introduce CPE system

The year 2022 is unfolding before us and I wish all of you a happy new year.

The year 2022 is more likely than any year before to see the passing of the Indian Data Protection Act.

Since September 2018, when FDPPI was formed, we have been preparing professionals in India to be aware of the Indian data protection scenario through our continuous educational activities.

In the process we have conducted Training Programs leading to “Certification”, webinars in the form of “Indian Data Protection Summit” and “Jnaana Vardhini” events.

We have also developed a base framework for compliance for the industry.

The time has now come to upgrade all our efforts to a higher level as the country prepares itself for the full-fledged Privacy and Data Protection era.

In this direction, FDPPI will be introducing an FDPPI “Continuing Professional Education Program” (FDPPI-CPE Program), similar to those of other professional organizations.

The FDPPI-CPE program is aimed not only at ensuring that our professionals will be better placed to meet the challenges they may encounter in the domain of Privacy and Data Protection in the real world, but also at ensuring that the industry respects our professionals more than ever before.

It is desired that an FDPPI Certified professional should command respect as a well informed and up-to-date professional in the eyes of the industry, and the FDPPI-CPE program has to enable this.

Please watch out for the details of the program, which will be shared here in a couple of days.

We may start the program with some simple provisions and introduce more features in the coming days.

Naavi

Posted in Cyber Law