The “Chilling Effect”

The Information Technology Act 2000 (ITA 2000) has been in existence since 17th October 2000. In the amendment of 2008, effective from 27th October 2009, Section 79 was amended, and subsequently the “Intermediary rules 2011” were notified under the section with effect from 11th April 2011. On 25th February 2021, the Government of India announced a revision of these rules, which we may refer to as the “Intermediary Rules 2021”.

It was a general observation of society that “Fake News” proliferated in the digital media and that many of these digital media houses were owned and controlled by foreign business interests. There were also individuals who were using the privilege of easy publishing without any accountability through YouTube and OTT platforms. “Yellow Journalism” was spreading like wildfire in the digital media, and the Government thought it was necessary to regulate this media just as the Press Council tries to discipline the print media or the Cable TV Act tries to impose some responsibilities on the TV medium.

During the farmers’ agitation, it was clear that paid celebrity tweeters from abroad were commenting on the Indian developments without knowing the facts. These motivated celebrity tweeters and “Fake Journalists” were teaming up with “Foreign Agents” to spread political messages through the digital media with the specific objective of embarrassing the Government.

It was natural that many of the activists considered the Intermediary Guidelines 2021 an opportunity with which the Government could be bashed in the Indian Courts. Hence several cases were registered in the High Courts as PILs or in the name of journalists. Though the Government of India has requested the transfer of these cases to the Supreme Court, the High Courts, in their eagerness to stamp their views, have been releasing their orders as if it were a matter of national emergency instead of letting the Supreme Court take over the cases. Two such orders have already been released, one by the Madras High Court and the other by the Mumbai High Court, staying some of the provisions of the notification of February 25th.

It is now well known that the media of today is no longer the “Fourth Pillar of democracy” and is only a commercial arm of business. They have their own agenda, including overturning elected establishments. We know that one of the prominent US media houses even released an advertisement to recruit reporters based in Delhi with a specification that the journalist should report with a specified bias against the current Government.

The knowledge of these developments was before the Courts and there was a need to appreciate that it was a legitimate requirement of a responsible Government to regulate the digital media. In this direction, the Government wanted to introduce a certain “Ethical Code” for the so-called “Digital Media” who were “News Intermediaries” and fell under the provisions of Section 79 of ITA 2000.

The Intermediary Guidelines of 2021 therefore had some provisions which included

  1. Self regulation by a digital media
  2. Self regulation by an industry group consisting of different members of the digital media

Beyond these two levels of self regulation, the Government had planned to have an administrative mechanism for oversight with a “Compliance Official” at the Ministry level.

Such administrative oversight is required as part of Governance and it is surprising that the Courts do not appreciate such governance controls being established, particularly for anybody who sports a tag of a “Journalist”.

The main objection raised before the Court was therefore that an “Ethical code” was being suggested and such an ethical code would cause a “Chilling Effect” on freedom of expression. Some of the media moguls appear to think that they cannot be made accountable even for malicious news reporting and they do not want even self regulation. “Say No to Ethics” seems to be the slogan of the petitioners.

The division bench of Madras High Court has stayed “by way of abundant caution”, sub rules (1) and (9) of Rule 9 of IT Rules 2021. Earlier the Mumbai High Court had stayed sub rules 9(1) and 9(3).

The High Courts have been liberal in expressing that they are protecting the “Freedom of Press”, and that the rules cause a “Chilling Effect” on freedom of expression and are “Ultra Vires” the ITA 2000. Additionally, new jurisprudence is being brought in by the Madras High Court stating that the decision of the Mumbai High Court should have a “Pan-India” effect.

In a democracy while the executive has to respect the judiciary, the Judiciary also has to respect the executive and recognize that they have certain duties. Imposing “Ethics” on media cannot be considered as “Manifestly unreasonable” as the Mumbai High Court said in its order.

We can observe that the same courts had a different interpretation of freedom of speech when they were confronted with the rights of Arnab Goswami or S V Shekar. The lack of consistency is perplexing.

Let’s see what Rule 9(1), 9(3) and (9) state which the Courts felt necessary to stay.

9. Observance and adherence to the Code.—

(1) A publisher referred to in rule 8 shall observe and adhere to the Code of Ethics laid down in the Appendix annexed to these rules.

(2) Notwithstanding anything contained in these rules, a publisher referred to in rule 8 who contravenes any law for the time being in force, shall also be liable for consequential action as provided in such law which has so been contravened.

(3) For ensuring observance and adherence to the Code of Ethics by publishers operating in the territory of India, and for addressing the grievances made in relation to publishers under this Part, there shall be a three-tier structure as under—

(a) Level I – Self-regulation by the publishers;

(b) Level II – Self-regulation by the self-regulating bodies of the publishers;

(c) Level III – Oversight mechanism by the Central Government.

Under Rule 8, these guidelines are applicable to publishers of news and current affairs content and publishers of online curated content, provided they operate in the territory of India or such publisher conducts systematic business activity of making content available in India.

The appendix referred to above states:

(a) “A publisher shall not transmit or publish or exhibit any content which is prohibited under any law for the time being in force or has been prohibited by any court of competent jurisdiction.

(b) A publisher shall take into consideration the following factors, when deciding to feature or transmit or publish or exhibit any content, after duly considering the implications of any content as falling under the following categories, and shall exercise due caution and discretion in relation to the same, namely:—

(i) content which affects the sovereignty and integrity of India;

(ii) content which threatens, endangers or jeopardises the security of the State;

(iii) content which is detrimental to India’s friendly relations with foreign countries;

(iv) content which is likely to incite violence or disturb the maintenance of public order.

(c) A publisher shall take into consideration India’s multi-racial and multi-religious context and exercise due caution and discretion when featuring the activities, beliefs, practices, or views of any racial or religious group.”

The rest of the appendix talks about providing ratings such as U, U/A etc., which are commonly used in other contexts such as film censoring.

It is difficult to understand which part of this rule is considered “Chilling”. It appears from the ruling of the Court that the “Reasonable Exceptions under Article 19(2) of our constitution” is what the Court is referring to as “Causing Chilling Effect”.

If the Court was seriously concerned only about the oversight mechanism, then there would have been no need to stay 9(3)(a) and 9(3)(b), which were the creation of the self regulatory systems (supported by the grievance redressal mechanism).

The Court makes a reference to the “Shreya Singhal Case” where the Supreme Court had interpreted the law applicable to “Transmission” of an electronic message (under Section 66A of ITA 2000) to “Publishing” of an electronic message on Twitter and Facebook and struck down the section without taking efforts to read it down.

Similarly in the current case also the Court has resorted to staying rule 9 (1) and 9(1)(3) when it was not necessary.

It appears that the Courts themselves need to impose a self regulation on themselves and not jump to scrap the law at the drop of a hat. Where necessary they should exercise the option of “Reading down” the law so that the functioning of the Government is not disrupted but the misuse of the law is prevented. If the Courts are trigger happy and shoot down not only the laws but also the administrative notifications, then the executive will stop being decisive. This will encourage inefficiency and procrastination.

In the instant case, “Digital Publishers” cannot escape being recognized as “Intermediaries” under ITA 2000 and hence they have to be accountable for what they publish to the extent of tagging the content, removing the content when there is a Court order etc. This cannot be considered as “Ultra-Vires” ITA 2000. The ethical code itself is within the provisions of Article 19(2) and the earlier Supreme Court decisions and hence the current Court order appears to be challenging Article 19(2) of the Constitution.

When the dust settles down on this case, three questions remain to be answered by the judiciary.

One of the questions is to what extent a decision of a High Court in one state should be considered as applicable “Pan-India”. If this is universally acceptable, there is a possibility that desired decisions adverse to the Government may be obtained by a clever choice of the High Court.

The second question is whether the Courts should resort to striking down administrative guidelines as easily as they seem to do without appreciating the long term impact it may have on converting a functioning executive to a non-functioning executive which will reduce the efficiency of Governance.

The third question is whether the Courts should exercise a self regulation for themselves and use “Reading down Provision” as a rule and not strike down provisions of law. When the striking down is for provisions having direct reference to Article 19(2), it is questionable if such an order itself is ultra-vires the powers of the Court at this level.

Like we say “Bail is the rule and Jail is an exception”, “Reading down should be the rule and scrapping of law/staying of the law should be an exception”.

Naavi


If you are already a Certified Privacy Professional…this PDPSI webinar will make you even more valuable


PDPSI Framework to be unveiled to professionals tomorrow…Be there at 11.00 am (IST)

Foundation of Data Protection Professionals in India has organized a free webinar tomorrow on September 19, 2021 at 11.00 am. The webinar would be available on Zoom.

The objective of the webinar is to present the PDPSI framework for Data Privacy Compliance. PDPSI is the Personal Data Protection Standard of India which is developed by Data Protection Professionals and incorporates the essence of other industry best practices and builds on them.

PDPSI distinguishes itself from other frameworks for ISMS, PIMS or DPMS and focuses directly on PDP-CMS. It recognizes that while the Internet is encouraging globalization of our business, the proliferation of data protection laws in the world is creating hurdles for business in implementing the regulatory measures, whether it is GDPR or PDPB 2019, all of which come with a heavy penalty system at 4% or more of the turnover as an administrative fine.

Time has come for India to show the way to the world by a “Unified Framework” of compliance that assists all organizations including MSMEs to remain compliant without much of a pain.

The Indian Government is repeatedly postponing the adoption of the PDPB2019 because the vested interests in business want to avoid the law that makes them accountable for processing of personal data.

FDPPI believes that instead of preventing the law being passed, industry has to come up with its implementation plan that would satisfy all stakeholders, namely the Individuals, the Privacy Activists, the Companies in Data Business and the Government.

Towards this objective, FDPPI as an organization of Data Protection Professionals has come up with the PDPSI framework that enables organizations to be compliant with the data protection regulations even as they evolve from ITA 2000 to PDPB2019 to the next version of the Act when the bill is passed.

In order to obtain the views of the data protection professionals, Naavi will be presenting the framework in a webinar tomorrow in an event organized by FDPPI in partnership with MMA, and has extended an invitation to all professionals.

FDPPI would be happy if the professionals could understand the PDPSI framework as designed and also enable its further development in the coming days.

During the discussions, Naavi will also address how PDPSI absorbs the best practices of the industry present in ISO 27001, ISO 27701 as well as IS 17428 and further extends it to some futuristic thoughts.

FDPPI also would like to act as a Federation of Data Protection Organizations in India and will present some of its plans in this regard during the webinar.

Let’s therefore meet tomorrow virtually at Zoom,

Meeting ID: 826 5702 6467: Passcode: fdppi1909

Naavi


New GDPR Standard Clauses to be mandated from 27th September 2021

On 4th June 2021, the EU official journal released a document titled “Commission implementing decision (EU) 2021/914” as a guide to incorporation of new SCC draft. This is being put into practice by 27th September 2021 and all contracts between EU data exporters and Indian data importers may be subject to review.

The text of the publication is available here.

Some essential features of this development are captured here.

  1. The role of standard contractual clauses is limited to ensuring appropriate data protection safeguards for international data transfers.
    1. The controller or processor is free to include those standard contractual clauses in a wider contract provided that they do not contradict, directly or indirectly, the standard contractual clauses or prejudice the fundamental rights or freedoms of data subjects.
    2. Controllers and processors are encouraged to provide additional safeguards by means of contractual commitments that supplement the standard contractual clauses
    3. The use of the standard contractual clauses is without prejudice to any contractual obligations of the data exporter and/or importer to ensure respect for applicable privileges and immunities.
  2. The standard contractual clauses may be used for such transfers only to the extent that the processing by the importer does not fall within the scope of the Regulation.
  3. With some exceptions, in particular as regards certain obligations that exclusively concern the relationship between the data exporter and data importer, data subjects should be able to invoke, and where necessary enforce, the standard contractual clauses as third-party beneficiaries. … Therefore, while the parties should be allowed to choose the law of one of the Member States as governing the standard contractual clauses, that law must allow for third-party beneficiary rights. (#1)
  4. In order to ensure effective enforcement, the data importer should be required to submit to the jurisdiction of such authority and courts, and to commit to abide by any binding decision under the applicable Member State law. (#1)
  5. Annex to the notification provides the Standard Contractual clauses
  6. There are four modules of the SCC: one for transfer of data from controller to controller, the second for transfer from controller to processor, the third for transfer from processor to processor and the fourth for transfer from processor to controller. (#2)

It is important to recognize that the use of a particular model of SCC is based on the identification of whether the data exporter or the importer is a controller or processor. The use of the Module 4 indicates a possibility that there may be a data exporter who is a processor but transfers the data to a controller under a contract of his own.

The context in which this contract is to be used will be an important decision to be taken by the companies in India.

Modules I, II and III are more straightforward since they determine the flow of instructions from an upper data-riparian party to a lower data-riparian party. Module 4 however is different.

The notification is a mix of provisions applicable to the four modules and to understand the same, we need to segregate the 18 clauses into each of the four different modules.

(Further detailed analysis may be necessary to understand the complications that may arise in drafting a viable contract or vetting the contract that may be provided by a data exporter from EU.)

Naavi

 

Notes:

#1: This indicates that the importer’s obligation to provide enforcement rights to data subjects is meant for member states and not for other sovereign countries. However, the general definition of data importer and the need for SCC actually arise for data transfers outside the EU. Hence there is a little ambiguity on how a data importer who is a commercial entity can agree to accept obligations which may not be permitted under the local laws. In this context the responsibility of the Controller to confirm that it warrants that reasonable efforts have been taken by him to determine if the data importer is able to satisfy the obligations (Clause 8 of Annexe) becomes critical.

#2: GDPR recognizes three roles in a data processing contract, namely “Controller”, “Joint Controller” and “Processor”. In this context an SCC from the “Processor” to a “Controller” appears to be a strange construct. But it may take into account cases where a data controller is located outside the EU (processing the GDPR data) and engages the services of a Data Processor inside the EU who may in turn use a sub processor outside the EU. In such a case the Data Processor inside the EU may be required to secure his interests to be compliant with GDPR and this contract may help that cause. It may apply to cases where a company outside the EU is the controller and the processor in the EU is its subordinate office.


RBI Booklet on Financial Frauds

RBI has issued an informative booklet for the public containing information on the modus operandi of different financial frauds.

The publication would be useful to the general public.

A copy of the publication is available here.


Expanding the Scope of PDPB 2019 to Non Personal Data is dysfunctional

Yesterday, the newspaper The Hindu reported that it expects “More delays on Data Protection Bill as panel reopens debate”.

The report was based on the fact that the JPC under the new Chairman Mr P P Choudhary has convened two sittings on September 15th and 16th with the agenda “Comparison between The Personal Data Protection Bill, 2019 as introduced in the Parliament, as discussed in the Joint Committee and the suggestions for amendment by the Chairperson, Joint Committee.”

According to the newspaper, two key amendments are being proposed, namely

    1. Expanding the scope of the Data Protection Authority to cover personal as well as non personal data
    2. Expanding the scope of “Data Breach Notification” from “Personal Data Breach notification” to even “Non Personal Data Breach”.

Accordingly the newspaper predicts that there will be objections from the committee members and demands for more detailed discussion leading to further delay in the passage of the Bill.

It is understood that if the Government does not want to pass the Bill, then it can be delayed and anything can be used as an excuse. On the other hand if the Government wants to pass the Bill, it can pass it despite the opposition.

However, there was perhaps a technical gap in the process earlier: the Bill, after its earlier discussions and the corrections made, was not re-presented in its final corrected form to the JPC for its final approval but was presented directly to the Speaker of the Lok Sabha. Perhaps this needed a correction and a meeting was required for this purpose before the presentation of the Bill in the Parliament in the next session as per the commitment of the Government. We presume that the JPC meeting on September 15th and 16th is required for this purpose.

As regards the two amendments suggested in the report of The Hindu, which may also be only a speculative report, our views are as under.

The Personal data protection act needs to co-exist with the current ITA 2000 and the proposed Non Personal Data Governance Act. It is a legislation which is prompted by the Puttaswamy judgment and meant to focus on the protection of Privacy as per the Constitution through a data protection legislation that addresses the “Information Privacy Issue”.

The main objective of this legislation is to provide that the data principal should be able to exercise his choice regarding collection, use and disclosure of personal information. It is enforced on those organizations which collect and process the personal data in India.

While PDPB2019 absorbs Section 43A of ITA 2000, it is not a legislation to replace ITA 2000. ITA 2000 has a mandate to define and manage Cyber Crimes which are data related crimes without a distinction of whether the data is personal or non personal.

Presently, ITA 2000 has civil and criminal provisions and victims of data related crimes can approach the Adjudicator for compensation for losses suffered as per Section 46 of Chapter IX of ITA 2000. The Police can prosecute persons for the offences indicated in Chapter XI of ITA 2000.

The PDPB2019 adds the dimension of administrative penalty which was not the subject matter of “Adjudication” under ITA 2000. At the same time, PDPB 2019 does not address the offences under Chapter XI.

However overlap between ITA 2000 and PDPB 2019 may occur because of

    1. Section 43 which has the potential for being extended into personal data related crimes.
    2. PDPB 2019, in addition to retaining the power to levy administrative penalty on the data fiduciaries, also retains the power to provide compensation to the data principal. This could be an overlap with the power of the Adjudicator under ITA 2000.

Given the general reluctance of IT Secretaries (adjudicators under ITA 2000) to adjudicate on cyber crime cases, they may be happy to pass on the responsibility to the Adjudicator under the DPA and hence the overlapping jurisdiction of the two adjudicators may not affect the enforcement. If however, there are multiple forums available in a few cases, it can be handled as we presently handle cyber crimes with the adjudicator as well as the consumer court etc.

The “Non Personal Data Governance Act” is yet to be drafted and even when it comes into existence, it is not expected to interfere with ITA 2000 in terms of offences. This Act is meant to be for “Establishing a structure for Governance of Non Personal Data” and the protection aspects can continue to be addressed by the ITA 2000.

PDPB 2019 defines what is “Personal Data”, and whatever is not personal data automatically falls into the purview of Governance under the Non Personal Data Governance Act (when it comes into existence) and the purview of protection as per the ITA 2000.

There is no need for PDPB 2019 to extend the authority of the Personal Data Protection Authority under the PDPB 2019 to the domain of Non Personal Data Governance or Protection. It is enough if the PDPB 2019 defines Personal data so that the boundary between Personal Data and Non Personal data is defined through either “Anonymization” or because the data itself does not contain any personally identifiable element.

If PDPB 2019 tries to extend the scope of the authority of DPA to Non Personal Data or extend the Data Breach definition to Non Personal Data, there will be a needless interference with the activities of the CERT-In which is a quasi judicial authority under ITA 2000 and is the authority designated to receive data breach reports.

Any move to extend the definition of “Data Breach” under PDPB 2019 to Non Personal Data Breach will bring lakhs of cyber offences to the table of the DPA. Data breaches may occur due to viruses in computers or mobiles, through negligence or malicious attacks, or even technical failures.

If all these data breaches land at the desk of DPA, it will paralyze the functioning of the DPA.

Hence the move to enhance the scope of PDPB2019 to Non Personal Data, if it is true, is avoidable.

Naavi

 
