WhatsApp relegates India to the Third World of Privacy Regulation

The revision of the WhatsApp Privacy Policy and Terms has brought to light why an organization working in a multinational environment needs to adopt the approach taken by PDPSI (Personal Data Protection Standard of India) for compliance.

The first thing we look for in a Privacy Policy or the associated Terms of Service is: who is the service provider? Indian law clearly defines the Privacy Consent as a “Contract”, and the essential part of a contract is to identify who is entering into the contract, what kind of commitments are being given and expected, whether the contract is a “dotted line contract”, whether the contract is “Unconscionable”, what dispute resolution is associated with the contract, what the liability clause is and what the exit clause is, etc.

In terms of compliance with the data protection law, we also examine whether all the points required to be notified (eg Section 7 of PDPB 2019) are covered.

As we observe, WhatsApp has provided only two versions of its Terms of Service and Privacy Policy, one applicable to the EU region and another for the rest of the world. The “Rest of the World” policy is tuned to US requirements, and hence all other countries, relegated to the third world, need to follow the WhatsApp policy for the US.

There is already a Privacy Law in India

It is to be noted that WhatsApp has not provided an India specific policy at present. Probably WhatsApp thinks that India does not have a Privacy law at present and wants to introduce the new policies before the Act is passed in India so that it can take some time to implement the new law.

We would like to point out, however, that India presently has a “Privacy” protection obligation because the Supreme Court has recognized it as a “Fundamental Right”, and some Courts (eg Kerala) have indicated that the obligation extends to private companies as well.

More importantly, Section 43A, Section 72A and other sections of ITA 2000/8 already determine the data protection regulations in India and have been in operation for a long time. Though there is no Data Protection Authority with an independent mandate to monitor, affected persons (including a group of persons represented in the public interest) can approach any of the Adjudicators, or any Adjudicator can take up a suo motu investigation of any perceived damage to a data principal.

Since the draft PDPB represents the legislative intent in the near future, it also doubles up as “Due Diligence” and “Reasonable Security Practice” under Section 43A of ITA 2000/8, and hence WhatsApp cannot escape compliance with PDPB 2019 even if the Act is yet to be passed and there could be 89+ amendments to the original draft.

Lack of Transparency on the Entity signing the Consent

The parent company of WhatsApp service is WhatsApp Inc, 1601, Willow Road, Menlo Park, California 940025, USA. WhatsApp Ireland Limited provides the services of WhatsApp to persons who live in the EU territory. WhatsApp LLC provides the services if the user lives in any country other than EU region. WhatsApp business services are also provided by WhatsApp LLC (Refer to the separate terms here).

WhatsApp LLC is located at the 1601, Willow Road office, while WhatsApp Ireland Limited is located at No 4, Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

It has six locations, including two in India at Hyderabad and Gurugram, one in Dublin, Ireland, one in London, besides two in the USA (Menlo Park and Austin).

There are also other companies, such as WhatsApp Africa LLC, registered in the USA. In payment services, WhatsApp may use the services of Facebook companies, making the maze of companies more complex.

As is common with Facebook, it is not easy to find out the physical location of WhatsApp offices, and the “Transparency” aspect of Privacy compliance fails miserably at this stage itself.

It is not clear whether WhatsApp’s two offices in India are considered only “Development” or “Marketing” offices, or whether they have legal divisions, Data Protection Officers or the Grievance Officer required under ITA 2000/8. It is a reasonable presumption that there is no designated “Grievance Redressal Officer” and that the company is not presently in compliance with ITA 2000/8.

India Specific Privacy Policy/Terms are absent

It is natural that WhatsApp has to adopt policies that comply with US laws, where its group headquarters is. As regards the EU region, it is fine to adopt the policies from the Ireland office. But not adopting policies relevant to India is a show of arrogance.

Considering that WhatsApp wants to expand its business in India, and is fully aware of the JPC’s views from its recent meeting with them, it appears that WhatsApp did not attach much value to the Data Sovereignty rights of India and thought it reasonable to omit any reference to India in its new policies.

Presently WhatsApp has plans to expand its operations in India with health insurance and micro-pension products through tie-ups with licensed financial services players. It is presently set to partner with SBI General to launch health insurance and with HDFC Pension to make NPS products available on the App platform. The company is already live on the UPI platform with 4 Banks (SBI, HDFC Bank, ICICI Bank and Axis Bank) and 20 million users.

This partnership provides enough opportunity for WhatsApp to get the benefits of the service with the legal obligations being borne by the Indian banks.

Given these expansion plans, India expected WhatsApp to recognize the existence of our sovereign rights in terms of Privacy and Cyber Security when it revised its Privacy policies with effect from 8th February 2021, a date which could fall after, or a few days before, the Personal Data Protection Bill in its final form is presented to Parliament.

A question therefore arises whether these policies will be compliant with the proposed Indian laws, or whether they are set to become operative just before the Act comes into effect so that WhatsApp can claim some privileges as a legacy policy from before the Act came into existence.

A further question arises whether these policies should be compliant with the proposed Indian laws and, if not, whether licensing authorities like RBI and IRDAI should withdraw their provisional approvals.

Dispute Resolution

We briefly discussed the Dispute Resolution Clause yesterday, and we can add some additional points today.

The dispute resolution issues are covered in Terms of service and not directly in the Privacy Policy.

The clause mentions the following:

Forum And Venue. If you are a WhatsApp user located in the United States or Canada, the “Special Arbitration Provision For United States Or Canada Users” section below applies to you. Please also read that section carefully and completely.

If you are not subject to the “Special Arbitration Provision For United States Or Canada Users” section below, you agree that any claim or cause of action you have against WhatsApp relating to, arising out of, or in any way in connection with our Terms or our Services, and for any claim or cause of action that WhatsApp files against you, you and WhatsApp agree that any such claim or cause of action (each, a “Dispute,” and together, “Disputes”) will be resolved exclusively in the United States District Court for the Northern District of California or a state court located in San Mateo County in California, and you agree to submit to the personal jurisdiction of such courts for the purpose of litigating any such claim or cause of action, and the laws of the State of California will govern any such claim or cause of action without regard to conflict of law provisions. Without prejudice to the foregoing, you agree that, in our sole discretion, we may elect to resolve any Dispute we have with you that is not subject to arbitration in any competent court in the country in which you reside that has jurisdiction over the Dispute.

Governing Law. The laws of the State of California govern our Terms, as well as any Disputes, whether in court or arbitration, which might arise between WhatsApp and you, without regard to conflict of law provisions.

Time Limit To Bring A Claim Or Dispute. THESE TERMS ALSO LIMIT THE TIME YOU HAVE TO BRING A CLAIM OR DISPUTE, INCLUDING THE TIME TO START AN ARBITRATION OR, IF PERMISSIBLE, A COURT ACTION OR SMALL CLAIMS PROCEEDING TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW. We and you agree that for any Dispute (except for the Excluded Disputes defined below) we and you must bring Claims (including commencing an arbitration proceeding) within one year after the Dispute first arose; otherwise, such Dispute is permanently barred. This means that if we or you do not bring a Claim (including commencing an arbitration) within one year after the Dispute first arose, then the arbitration will be dismissed because it was started too late.

As regards US and Canada users, the Arbitration shall be “Binding”, and unless they opt out they would be waiving any right to have the disputes decided by other means.

Though the consent is obtained on the basis of a “Click Wrap” acceptance, which has no legal validity in India except as a “Deemed Acceptance”, and the terms are part of a “Standard form/dotted line form” of contract which can be considered voidable in respect of its unconscionable aspects, it is better if we do not leave WhatsApp any defense that would let it avoid legal scrutiny in India.

In case WhatsApp launches a legal proceeding in the US, either against an individual user or against the Indian Government, it is difficult to argue in such forums that the jurisdiction is not acceptable. We may therefore end up facing an Arbitration notice or Court notice from the US jurisdiction and spending time, money and effort filing petitions in Indian courts to counter such cross-border litigation notices.

In India, disputes with WhatsApp may arise out of ITA 2000/8 or the PDPA (Proposed). Both statutes provide for “Adjudication” and “Appellate Tribunals”. Hence “Binding” arbitrations will not be compatible with the law.

[It may be noted that DDMAC (Data Disputes Mediation and Arbitration Center of FDPPI), as a specialized ODR center for data related disputes, has adopted only Mediation and Non-Binding Arbitration and avoided binding arbitrations.]

The terms indicate that WhatsApp can do forum shopping at its discretion, while the other contracting party cannot. This is a typical characteristic of a dominant party to a contract imposing a one-sided term on the weaker party, and would be considered by Courts in India as a determining factor in adjudicating whether this is an “Unconscionable” contract or not.

The other point to note in the dispute resolution clause is that it attempts to override the “Limitation Act” of India. This may also be considered “ultra vires” the Indian law.

In view of the above, the WhatsApp contract is neither an admissible contract nor an admissible consent under Indian law.

It would have been better if WhatsApp had consulted organizations like FDPPI before such a major step was taken, a step which could result in the flight of many users to alternative messaging apps, including some which may come up from India itself.

The PDPSI Approach

Had WhatsApp adopted the PDPSI approach, it would have realized that the compliance program and the Privacy Policy have to be developed separately for each applicable law. In that case, there would have been a different Privacy Policy and an associated Dispute Resolution Policy for India. By adopting a policy which may be in compliance with GDPR or US law and assuming that it would automatically be accepted under the Indian data protection law, WhatsApp has made a mistake.

Hopefully WhatsApp will correct this. Otherwise the call from Privacy Professionals in India would be to “Switch From WhatsApp”.

Naavi


Posted in Cyber Law | 1 Comment

WhatsApp needs to change its Jurisdiction clause in the Terms or else, exit from India.

WhatsApp has announced a new Privacy Policy and Terms of Use effective from 8th February 2021. Since then there have been a series of debates in the media about the impact of the change and how users should react. Most of these discussions are on the “Privacy Policy” and not on the “Terms of Use”.

The objections have been about whether WhatsApp will have access to the user’s content and share it with Facebook.

A brief review of the policies is attempted here to open up more discussion. It is not easy to decipher the privacy policies of any large MNC like WhatsApp, or even Google or Twitter, since there can be many subtle wordings which can be technically and legally interpreted in different ways.

We also have to recognize that WhatsApp has created two different sets of policies, one offered by WhatsApp Ireland Ltd to the EU region and the other by WhatsApp LLC to other countries. Except for the ownership of the service, there does not appear to be any difference between the two policies. This is either a mistake, or perhaps WhatsApp thinks that the world outside the EU has no importance and hence any policy will do.

Perhaps WhatsApp will realize that countries like India are conscious of the data sovereignty principle and will not tolerate this arrogance.

The Privacy Policy and the Terms of Service have to be read together. There appear to be more contentious issues in the Terms of Service than in the Privacy Policy, as explained below.

A. Privacy Policy

The Privacy Policy consists of the following 12 sections.

1. Information We Collect
2. How We Use Information
3. Information You and We Share
4. How We Work with Other Facebook Companies
5. Our Legal Basis for Processing Data
6. How We Process Your Information
7. How You Exercise Your Rights
8. Managing and Retaining Your Information
9. Law, Our Rights and Protection
10. Our Global Operations
11. Updates to Our Policy
12. Contact Us

The policy appears to cover most of the requirements of a law-compliant Privacy Policy, though we cannot say that it is in a “Clear and Precise” format.

A couple of key points of the privacy policy are discussed below.

1. Is there Discrimination in refusing the service if permissions are not given?

In analyzing the Privacy Policy and commenting on whether it is acceptable or not, we must appreciate that WhatsApp is a private business of Facebook and its commercial interests cannot be wished away. We can only comment on whether there is transparency in the Privacy Policy as notified and whether the company deviates from what is stated in the policy. The right of the company to modify the policy also needs to be recognized, though we can expect reasonable notice whenever a major change occurs in the policy. Presently a notice of one month has been given, and this needs to be maintained in the future also.

In order to recognize the right of WhatsApp to set pre-conditions, with a right to refuse the service if certain information is not provided, we must recognize the nature of the WhatsApp service and the “legitimate interest” built into it. According to its mission statement, WhatsApp started as an alternative to SMS and now supports sending and receiving a variety of media: text, photos, videos, documents and location, as well as voice calls.

As we understand it, WhatsApp is a “Platform”. It enables a person to send a message to another, provided both have downloaded the App on their devices and subscribed to the service. Additionally, in a “Group Communication”, one-to-many messages are sent to the WhatsApp server, which distributes them one by one to all the members of the closed group. In this context, the WhatsApp server is an agent that holds the content until it is downloaded by all the members, within 30 days etc. The members of the group are collectively responsible as owners of the group. At present the “Admin” has only limited powers of admission or removal of members, but has no power to delete content posted. The member who posts the content to the group is the sole owner of the message and can make it disappear or remove it within a certain time. This reiterates the status of the service: WhatsApp is a messaging service from the sender of the message to the receiver. The server provides certain intermediary services. The Admin has no role in the transmission of the message.

Hence it is the WhatsApp subscriber who has a contract with WhatsApp, both for sending individual messages and for forming and participating in a group messaging activity. The Privacy Policy and the Terms of Service are parts of this contract formation.

If, therefore, the terms of the contract are not acceptable to either of the two parties, there is nothing wrong in the service not being made available. Whether this can be brought under the “Competition Act” can be debated. But since there are multiple other services of a similar nature, it is unfair to bring the service within the provisions of the Competition Act and to call the right of WhatsApp not to provide a service, if the Privacy Policy is not accepted, “Discriminatory” in terms of the Data Protection laws.

2. Information Collection and Storage

The information collected by WhatsApp is declared as specific to the “Options” used by the user. Hence it is declared as purpose specific. The mobile number and the maintenance of log records of the use of the App are therefore directly related to the messaging service, and hence within the rights of WhatsApp.

The “Storing” of the information on the servers for the intermediary period, when it is yet to be downloaded by the receiver, does not mean that the server is reading the information, though technically this is possible even if it is in encrypted form. Encryption will prevent third party access, but if WhatsApp really intends to read the message, it can always simulate either the sender’s phone or the receiver’s phone and use the keys to decrypt it. However, this is an unreasonable suspicion and, unless there is any evidence of the same, should not be considered as a possibility.

From the policy it appears that WhatsApp has two storage policies, one for media and the other for the text message sent. The text part gets deleted from the server after delivery, but the media remains in storage in an encrypted form to enable forwarding of the same. The company has a justification for this storage from the technical point of view of facilitating forwards. When a forward occurs, this prevents the entire data related to the media travelling again from the forwarder to the server. If the forward is to multiple persons, it saves substantially on data transfer. The media is held on the WhatsApp server not permanently but for a certain time, so that forwards within this time span save on data transfer.

Hence storage, both from the point of view of maintaining encryption and of temporary storage, can be considered legitimate. Criticism in this regard is not sustainable.
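The two storage behaviours described above (the relay holds ciphertext only until delivery, deletes text on hand-over, and retains encrypted media so a forward sends a reference instead of the bytes) are easier to reason about with a small model in front of you. The following is an added example written for this page; it is not WhatsApp’s code or protocol. It assumes a toy stream cipher built from HMAC-SHA256 (so that it runs on the Python standard library), pre-established pairwise keys between users (key agreement is out of scope), and the names Relay, Client and demo, all of which are this example’s own.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 12


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode. Used only so the example
    needs no third-party library; not a production cipher."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


class Relay:
    """The server: sees sender/recipient metadata and ciphertext, never keys."""

    def __init__(self):
        self.pending = {}        # recipient -> [(sender, kind, ciphertext)]
        self.media = {}          # blob_id -> encrypted media, retained for forwards
        self.bytes_uploaded = 0  # media bytes received, to show what a forward saves

    def enqueue(self, sender, to, kind, ciphertext):
        self.pending.setdefault(to, []).append((sender, kind, ciphertext))

    def upload_media(self, enc_blob):
        blob_id = hashlib.sha256(enc_blob).hexdigest()
        if blob_id not in self.media:  # same ciphertext is stored once
            self.media[blob_id] = enc_blob
            self.bytes_uploaded += len(enc_blob)
        return blob_id

    def deliver(self, to):
        # Pending envelopes are removed on hand-over; media blobs stay in self.media.
        return self.pending.pop(to, [])


class Client:
    def __init__(self, name, relay, pair_keys):
        self.name = name
        self.relay = relay
        self.pair_keys = pair_keys  # peer -> shared key (assumed pre-established)
        self.media_keys = {}        # blob_id -> media key, kept so we can forward

    def send_text(self, to, text):
        self.relay.enqueue(self.name, to, "text", encrypt(self.pair_keys[to], text.encode()))

    def send_media(self, to, media):
        media_key = secrets.token_bytes(32)  # one random key per media item
        blob_id = self.relay.upload_media(encrypt(media_key, media))
        self.media_keys[blob_id] = media_key
        self._send_ref(to, blob_id, media_key)

    def forward_media(self, to, blob_id):
        # Only the reference and the media key travel; no media bytes are re-uploaded.
        self._send_ref(to, blob_id, self.media_keys[blob_id])

    def _send_ref(self, to, blob_id, media_key):
        envelope = encrypt(self.pair_keys[to], blob_id.encode() + b"|" + media_key)
        self.relay.enqueue(self.name, to, "media_ref", envelope)

    def receive(self):
        out = []
        for sender, kind, ciphertext in self.relay.deliver(self.name):
            plain = decrypt(self.pair_keys[sender], ciphertext)
            if kind == "text":
                out.append(("text", plain.decode()))
            else:
                blob_id, media_key = plain.split(b"|", 1)  # hex blob_id never contains '|'
                blob_id = blob_id.decode()
                self.media_keys[blob_id] = media_key
                out.append(("media", decrypt(media_key, self.relay.media[blob_id])))
        return out


def demo():
    """Constructed scenario: Alice sends Bob a text and a photo; Bob forwards the photo to Carol."""
    relay = Relay()
    k_ab, k_bc = secrets.token_bytes(32), secrets.token_bytes(32)
    alice = Client("alice", relay, {"bob": k_ab})
    bob = Client("bob", relay, {"alice": k_ab, "carol": k_bc})
    carol = Client("carol", relay, {"bob": k_bc})
    photo = b"\x89PNG constructed sample image bytes " * 200  # constructed, not a real image

    alice.send_text("bob", "hello bob")
    alice.send_media("bob", photo)
    relay_sees_text = any(b"hello bob" in c for _, _, c in relay.pending["bob"])
    relay_sees_photo = any(photo[:40] in blob for blob in relay.media.values())

    bob_msgs = bob.receive()
    uploaded_before_forward = relay.bytes_uploaded
    bob.forward_media("carol", next(iter(bob.media_keys)))
    carol_msgs = carol.receive()

    return {
        "bob_text": bob_msgs[0][1],
        "bob_photo_ok": bob_msgs[1][1] == photo,
        "carol_photo_ok": carol_msgs[0][1] == photo,
        "relay_sees_plaintext": relay_sees_text or relay_sees_photo,
        "text_deleted_after_delivery": "bob" not in relay.pending,
        "bytes_uploaded_by_forward": relay.bytes_uploaded - uploaded_before_forward,
    }
```

Running `demo()` shows the three points the paragraphs make: the relay’s queue and media store never contain the plaintext, the text envelope is gone from the server once Bob collects it, and Bob’s forward to Carol adds zero uploaded bytes because only a reference and the media key (encrypted to Carol) travel. What the relay does keep is the metadata (who sent what kind of item to whom, and when), which is the information the policy describes as collected.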

3. Sharing of Information

The policy suggests that WhatsApp accesses, preserves and shares certain information. This, however, refers to the information that is collected from the account holder, such as the account information, messages (in encrypted form) during the interim period when they are being held for deferred delivery, and metadata associated with the use of the services.

There is nothing in the policy to suggest that the message content will be read by WhatsApp and used for profiling etc.

In the case of the WhatsApp payment system or the Contact upload feature, users may be sharing more information related to the specific service.

4. Legitimate Interests

The policy declares that the legitimate interests relied upon include the provision of accurate and reliable aggregated reporting to business and other partners, statistics on performance, the need to demonstrate the value the partners realize, etc.

It also states that Facebook products may be marketed to the users by direct marketing. This indicates that there could be “Advertising” messages sent to the users, similar to Twitter inserting advertising in between messages.

Prevention of fraud, securing against spam, abuse etc. are also stated as reasons to use information under legitimate interest.

The policy indicates that public interest could also be a legitimate interest.

B. Summary views on Privacy Policy

At first glance, therefore, the policy does not seem to raise grave concern. It is possible that the company may draw a profile and use it for advertising, but that is only to be expected as a revenue generation method unless the service becomes a paid service.

Since India is coming up with its Data Protection Law shortly, once the final version of the law is ready, we may review the Privacy policy to check if it is in tune with the requirements.

The Privacy policy appears to concede the requirements envisaged in the Indian law regarding providing tracking information when required by the law enforcement.

Perhaps remaining compliant with the Indian law could be one of the reasons for which the Privacy Policy was revised before the Indian Act is likely to be effective.

However, the policy is too large to be considered easily comprehensible by an ordinary user of the service. Businesses should find a way to simplify their Privacy Notice to the public while keeping a more legalistic and verbose policy for internal use. Otherwise the public will need expert interpreters to certify whether a Privacy Policy is compliant with the requirements of law and meets the principles of Privacy protection.

Terms of License

The Terms of Use, however, have some aspects which may cause doubts in the minds of users.

For example, in the paragraph “Your license to WhatsApp”, it is stated as follows:

Your License To WhatsApp. In order to operate and provide our Services, you grant WhatsApp a worldwide, non-exclusive, royalty-free, sublicensable, and transferable license to use, reproduce, distribute, create derivative works of, display, and perform the information (including the content) that you upload, submit, store, send, or receive on or through our Services. The rights you grant in this license are for the limited purpose of operating and providing our Services (such as to allow us to display your profile picture and status message, transmit your messages, and store your undelivered messages on our servers for up to 30 days as we try to deliver them).

Though at first glance this appears to indicate that WhatsApp may use the content for its own purposes, the issue is more related to IPR than to Privacy. Also, if the content is encrypted before it is shared by the user with the company, then unless it is decrypted it cannot be used in raw form by WhatsApp. The mention of “Limited purpose” indicates that there is no intention of creating “Derivative Works” from the user’s content and using them commercially, though an “Enabling feature” has been written in.

Probably WhatsApp will be answerable for IPR violation if the user content is used for creating a revenue generating product.

The statement that “WhatsApp does not claim ownership of the information” further corroborates the status that the content is owned by the user. 

If WhatsApp tries to make derivative works out of the user’s content, it will also lose the status of an “Intermediary” under ITA 2000 and hence cannot claim any immunity for crimes that are committed using the service.

If WhatsApp claims absolute rights to use the content, then it will have to admit knowledge of the content, which will make it liable for any drug related conversation or other offences committed using WhatsApp messages.

It would therefore be advantageous for WhatsApp to claim that it is not aware of the encrypted content and does not use it for any of its purposes. This is evident in the terms also.

The Terms of Use also take into account the disclaimers expected under Section 79 of ITA 2000 and the Intermediary rules.

As can be expected, there is a disclaimer that “WhatsApp does not accept responsibility for losses” if it has exercised due diligence.

The Dispute Resolution clause is not properly constructed in the policy, since both the policy applicable to the EU and the one applicable to other countries seem to state that in countries outside the EU, the applicable law is that of Ireland.

This will not be acceptable in India. The amendment to the ITA 2000 intermediary rules, as well as the PDPB, will ensure that WhatsApp is required to open a separate Indian office and is considered a Significant Data Fiduciary. At that time, WhatsApp will need to get itself licensed by the regulator, and it may be refused a license to carry on its business unless the applicable law of India and the jurisdiction of Indian Courts, along with ODR usage, are brought into the terms.

Even the RBI needs to take a look at this, since it is responsible for letting WhatsApp handle payments.

This will happen to be the most contentious issue of the terms of service/Privacy policy which needs to be addressed by WhatsApp. We may recall here that the Kerala High Court did pass adverse remarks in the Sprinklr case that the Kerala Government had accepted the New York Jurisdiction without proper evaluation of the terms of service.

Summary Views on the Terms of Service

The applicable law and jurisdiction clause of the Terms is not compatible with the Indian legal environment.

The RBI should take steps to withdraw the permission given to WhatsApp for running the payment services unless this clause is changed immediately.

MeitY has to issue a notice to WhatsApp under Section 79 that the jurisdiction clause, which is part of this “Implied Contract” between the user and WhatsApp, is not valid in India, and that WhatsApp shall accept the jurisdiction of the Courts of India at the residential place of the user as evidenced by the SIM card information.

Also, under the PDPB, WhatsApp needs to provide a grievance redressal system which is more data principal friendly, by incorporating an ODR facility to resolve grievances. The DPA is yet to come into existence, and until that time Sections 43A, 43, 72A, 67C, 69, 69A, 69B, 70B and other provisions of ITA 2000 will be applicable to WhatsApp, and compliance with ITA 2000/8 needs to be demonstrated by WhatsApp.

CERT-In should issue a notice to WhatsApp seeking an assurance that it is ITA 2008 compliant.

It is open to any interested parties to file a PIL to force WhatsApp to change the Jurisdiction clause if it has to maintain the payment services and operate in India.

It is also a great opportunity for an indigenous messaging app developer to introduce an equally efficient app, and there will be a lot of support from India.

(Comments Welcome)

Naavi

Posted in Cyber Law | 4 Comments

NCLT has been Irresponsible in the case of Net4India

Judiciary and Quasi Judiciary authorities in the country have been accorded a special place in the structure of our democratic society. We respect them and fear them. With the increasing burden on the regular judicial institutions such as Courts, quasi judicial authorities such as Adjudications and Appellate Tribunals have been constituted under different laws so that the first trial and first appeal could be handled by these specialized institutions before the dispute passes on to the higher judiciary normally at the High Court or in some cases bypassing the High Court and going directly to the Supreme Court.

Most of these institutions are managed by retired Judges of the High Court and Supreme Court, and have powers both to ease the procedures so as to make litigation convenient to the public and to ensure that they are not inferior to any Court in enforcing their orders.

The availability of powers and the respect from the society needs to be repaid by these institutions with a sense of responsibility to the citizens of the country.

It is necessary to point out that the National Company Law Tribunal (NCLT) has, in the case of Net4India, failed to show this responsibility, despite it having been pointed out that the action or inaction of NCLT has resulted in lakhs of consumers of Net4India being left in the lurch with their digital business disrupted.

Notwithstanding the respect due to an institution like NCLT, it is our duty to point out the fact that NCLT failed in its duty to serve the consumers of Net4India by being ignorant and irresponsible.

In the hope that this situation would not recur in the future, we provide here some thoughts along with why we need to be critical of what NCLT has not done in the case of Net4India to protect the interest of the consumers.

Net4India is one of the oldest Internet Service Providers in India and provided services for the registration of Domain Names under license from ICANN. It provides services for hosting websites, hosting e-mail services, providing digital certificates to web servers for secure web transactions, etc.

Many large and small business organizations and individuals had availed of services from Net4India and have been running their web based services on them. Even Naavi started his activities on the web through Net4India.

Somewhere down the line, Net4India borrowed money from SBI and defaulted. It appears that SBI was negligent in providing the facilities, and probably there was corruption and fraud in SBI which resulted in the loans being granted, not properly monitored, and allowed to turn into NPAs. Given the nature of Net4India’s activities and the head start it had over competitors, it was a gold mine by itself and did not require Bank finance for its normal business. If an enquiry were held on how SBI granted credit facilities running to more than 100 crores and let them rot, it would perhaps come to light that officials of the bank had colluded with the company in financing overtrading and diversion of funds.

The bankers remained mute spectators when Net4India did some manipulations to shift its assets, using the services of Openprovider to keep up its public face while slowly shifting the assets out of the company.

Having committed a possible fraud, SBI made use of the provisions of the NCLT to shift the liabilities to Edelweiss Asset Reconstruction Co Ltd, which invoked insolvency proceedings.

Medianama.com quotes the advocate of the Resolution Professional and indicates how a fraud was committed over a period by the company. The advocate reportedly stated:

“The RP discovered that the entire business and income of the Corporate debtor has been diverted to Net 4 Network [Services Limited], thereafter 70% shareholding of the Corporate Debtor in Net4 Network was surreptitiously transferred to a related company called Track Online India Private Limited, which is another company of the same Promoter-Director and thereafter the business of the Corporate Debtor was on 20.10.2016 transferred to Net4 Network [Services Limited] (once upon a time wholly owned subsidiary of the Corporate Debtor company) through Master Reseller Agreement (MSA), which has made Net4 Network “Master Reseller”, therefore as on the date the Corporate Debtor has remained for name sake because its shareholding in Net4 Network was transferred leaving no control over Net4 Network [Services Limited] and then strategically business as well.”

This sort of fraud could not have occurred except through the connivance of the Banker, a company like Openprovider.com, and other professional firms like the statutory auditors and company secretaries. Even ICANN and NIXI should have been able to see the fraud before it became irreparable.

The Ministries of Finance and Consumer Affairs have been silently watching the happenings and have not tried to resolve the issue in a manner where the consumers’ interests are protected.

For a long time MEITY also was a silent spectator, until, after the issue was escalated through this website, NIXI started helping registrants of dot in domain names by ensuring that they were transferred to other registrars.

The India representative of ICANN has also been doing his bit to get the ICANN-supervised domain names, such as dot com names, moved to other registrars through the dispute resolution process of ICANN, which is slow and painful.

However, the domain name owners are not able to recover their money stuck with Net4India. They are cumulatively “Creditors” of Net4India in its insolvency proceedings, which the NCLT has conveniently ignored.

Each of the 70000 plus customers (maybe up to 3 lakh according to one estimate) had an amount between Rs 1000 and Rs 25000/- lying as a balance in their account with Net4India, earmarked for future renewal of services. These were in the nature of pre-assigned payments and were not available for repayment to SBI or Edelweiss. NCLT should have arranged for these balances to be segregated and accounted for to the individual customers, which it has failed to do.

The NCLT also failed to recognize that Net4India, even as a shell company, was a “Going Concern”, and that if its rights as domain manager for 70000 customers had been traded to another registrar, those rights would have fetched a value of their own. This “Intangible value of the domain business” went unaccounted before NCLT declared Net4India insolvent.

NCLT also failed to give notice to each of the 70000 domain name registrants who were small creditors to the company before the Insolvency proceedings were launched.

NCLT by launching the insolvency proceedings closed down the running operations of the company and the services of the consumers got disrupted.

NCLT has to be therefore squarely blamed for the disruption of the businesses of 70000 plus consumers of Net4India.

It was within NCLT's powers, before ordering closure of the company and the sale of its immovable properties etc., to seek an auction of the customer rights to other registrars at a premium. Some other registrar would have valued the acquisition of 70000 domain name customers as a great opportunity and acquired the entire business, which NCLT valued at “Zero”, at least under a management contract at, say, around Rs 10 crores, with a seamless continuation of services to the consumers, which is priceless.

But NCLT was not aware of the damage it was creating to the digital markets in India and /or was not concerned. It had its blinkered approach to going through the motions of resolution so that SBI could recover its own fraud proceeds and Edelweiss could make some money of its own.

PS: In case NCLT feels aggrieved with this criticism, we would like to know what measures NCLT took to bring the interests of the consumers of Net4India to the resolution process, whether notices were given individually to each of these consumers, whether there was any attempt to value the “Contractual Rights” created through domain services contracts at least at a notional nominal value to the books. We are willing to apologize if there has been a reasonable effort from NCLT in this regard.

At present several of the affected persons are rallying around Naavi.org, and many of them have been able to resolve part of their problem by getting their domain names transferred. But they still have not been able to recover the money stuck with Net4India, and there are many more whose domains are still not transferred, particularly those under ICANN. All of them have to view NCLT as the villain who protected the fraud partners of Net4India at the cost of its innocent consumers.

Future Actions Required

For the time being let us leave the NCLT to learn from its mistakes but focus on what we need to do in the future.

1. Bring the value of digital assets into the books of accounts.

The first and foremost action required of all of us who use domain names and other digital assets created out of contracts is to bring the value of such assets into the books of account.

For example, Naavi.org as a domain name is valued at $1328 by GoDaddy. In terms of expenses it costs around Rs 942.82 to renew every year, which can be capitalized. If Ujvala Consultants Pvt Ltd, which has registered the domain names for Naavi, aggregates all the domains under its control and values them either at the market value estimated by GoDaddy or at the capitalized annual expenditure written off over a period of time instead of being treated as an expense, the balance sheet of Ujvala would reflect an asset value of several lakhs which today is not being recognized.

If, under a similar principle, Net4India had recognized the value of its domain name business by some valuation method, say on the basis of cost of acquisition, the net present value of future business or the cost for a competitor to build 70000 plus customers, then its balance sheet would have carried an asset base of crores of rupees which the NCLT could not have ignored.

The Accounting professionals, ICAI and Ministry of Finance should therefore think of introducing a system where by digital assets are accounted for in the books as “Intangible Assets”.

It is possible that the Ministry of Finance would immediately think if they can tax this asset. It would be cruel if they did so. But since the valuation method may not be universally agreed upon, the accountants can start by placing a “Contra entry” in the books of account so that the valuation does not affect the balance sheet in real terms.

While the ICAI may take its time to understand the value of this “Digital Asset Valuation”, the coming Non Personal Data regulation may make the valuation of data a realizable value. Naavi has therefore already recommended inclusion of “Personal Data Valuation” as a best practice under the PDPSI (Personal Data Protection Standard of India), a new standard for data protection and assessment of compliance.

2. Registrars of Domain Names to be regulated by MeitY

Considering the critical nature of the business of domain name registrars, the adverse impact if registrars go out of business in future, and the need to reduce the incidence of domain name frauds, MeitY has to recognize that Registrars are a special category of “Intermediaries” and introduce appropriate regulatory control.

The Data Protection Authority (DPA) under Personal Data Protection Act (proposed) should also recognize domain registrars as “Significant Data Fiduciaries” and bring them under the regulatory control.

Both the above suggestions are well within the powers of Meity at present and hence we hope that they would be considered seriously.

Naavi


Posted in Cyber Law

Non Personal Data Governance Authority under the new recommendations should not interfere with DPA

The revised recommendations of the Kris Gopalakrishnan Committee on Non Personal Data reiterate the significant role envisaged for the Non Personal Data Authority (NPDA).

It may be noted that the Committee has ab initio been influenced by the industry to include a recommendation that the NPDA must be created with “Industry Participation”. This recommendation has to be taken with circumspection.

While NPDA has to consult industry and have persons with industry experience in its constitution, “Regulation” has to be segregated from the industry. If industry organizations become part of the regulatory agency, the regulatory functions will be corrupted.

Hence the committee’s suggestion “NPDA must be created with industry participation” needs to be rejected.

The NPDA’s  Enabling functions include

a) Ensuring unlocking of economic benefit from non-personal data

b) Creating a data sharing framework

c) Managing the meta data directory of data businesses in India

NPDA’s Enforcing functions include

a) Establishing rights over Indian Non-Personal data in the digital world

b) Address privacy, re-identification of anonymized personal data, prevent misuse of personal data

c) Adjudication when a data custodian refuses to share data with the data trustee.

In defining the enforcing functions, mention of “Privacy” indicates a deliberate attempt to create overlapping powers against the Data Protection Authority being created under PDPB 2019.

While the report says that the roles of NPDA should be harmonized with the CCI and DPA, there is an element of overlapping of regulatory functions which need to be consciously avoided.

As regards “Privacy”, the DPA under PDPB 2019 should be given the unambiguous authority. When there is a doubt the NPDA should refer the Privacy issue including the re-identification of anonymized personal data or misuse of personal data to the DPA for necessary adjudication and corrective action as may be required. 

This has to be kept in mind when the new Non Personal Data Regulation Act is framed.

Naavi


Posted in Cyber Law

High Value DataSets (HVD): a new concept under the Revised Kris Gopalakrishnan report

In the previous article, we discussed the “Consent for Anonymization” recommended by the revised report of the Kris Gopalakrishnan Committee.

One other concept which has been suggested by the committee which requires some detailed look is the definition of “High-Value Data Sets” (HVD).

The concept of HVD is a little confusing as it is used in reference to the “Role of an Organization”. As a general concept, however, it appears to be a “Special Category of Non Personal Data”, just as “Sensitive Personal Data” is defined in the PDPB as different from Personal Data in general.

The report defines HVD as

-a “Data Set” that is “beneficial” to the community at large

-shared as a “public good” subject to certain guidelines

There are 15 different types of data sets listed as HVDs, plus “and others”, whatever that means.

The 15 types of HVDs are the following

i. Useful for policy making and improving public service and citizen engagement
ii. Helps create new and high-quality jobs
iii. Helps create new businesses – startups and SMEs
iv. Helps in research and education
v. Helps in creating new innovations, newer value-added services / applications
vi. Helps in achieving a wide range of social and economic objectives including
vii. Poverty alleviation
viii. Financial inclusion
ix. Agriculture development
x. Skill-development
xi. Healthcare
xii. Urban planning
xiii. Environmental planning
xiv. Energy
xv. Diversity and Inclusion

The organization (either a Government or a non-profit organization) responsible for the creation, maintenance and sharing of an HVD is called a “Data Trustee”.

It is envisaged that a community of people can come together to create a “Data Trustee” and host the HVD.

The Data Trustee will have a responsibility to ensure that HVDs are used only in the interest of the community. The data trustee will also ensure that the HVD is not re-identified and also maintain a “Grievance Redressal mechanism”.

Key Guidelines for HVD processing

The report suggests that for every HVD, there will be one Data Trustee but one data trustee may be responsible for more than one HVDs.  What appears to be the intention of the committee is that the organization that collects, processes or shares HVDs will be called a Data Trustee (like the Data Fiduciary in PDPB). But a single such Data Trustee may manage multiple HVDs.

The HVD will be maintained in a data infrastructure which corresponds to “Technical-material” elements like the actual data bases, APIs organizational systems etc. This is similar to the concept of “Personal Data Processing Sub Units” which has been recommended under the PDPSI (Personal Data Protection Standard of India).

Depending on the type of HVDs, the regulatory authority namely the Non Personal Data Governance Authority (NPDGA) will set the guidelines to determine appropriateness of the chosen HVD  such as the objectives, what is the public good involved  etc. It would be necessary for the Data Trustee to secure an “Expression of Interest” from a minimum number of community entities to be part of the HVD initiative.

It appears that the concept suggested here is like a “Trade Union” and if there is a difference of opinion among the community constituents, about the Data Trustee, there could be issues like in an industry with multiple trade unions.

However,  the committee envisages that there will be only one Data Trustee per HVD. The concept of “One Data Trustee” for “One HVD” appears to be short sighted and needs rethinking.

Otherwise the committee appears to treat the “Data Trustee” as similar to Significant Data Fiduciaries or Guardian Data Fiduciaries under PDPB 2019. There has to be a process of registration of an entity as a Data Trustee with the NPDGA.


Naavi

Posted in Cyber Law

Consent for Anonymization is a self contradiction and a potential violation of the fundamental right under Article 19(1)(g)

After the Kris Gopalakrishnan Committee on Non Personal Data Governance (KGC) submitted its first report, public comments were invited. Now the Government has published a revised report after receiving the comments and has requested a second round of public comments, to be submitted before 27th January 2021.

Comments can be submitted here

The revised report can be accessed here.

From the publication, it appears that this is a report revised by the Committee itself and not by the MeitY.

One of the major revisions appears to be in reiterating that in the Personal Data Protection Bill 2019, Sections 91(2) and 93(x) may be omitted.

Section 91(2) stated :

(2) The Central Government may, in consultation with the Authority, direct any data fiduciary or data processor to provide any personal data anonymised or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government, in such manner as may be prescribed.

Explanation.—For the purposes of this sub-section, the expression “non-personal data” means the data other than personal data.

Section 93(x) stated:

(x) the manner in which the Central Government may issue a direction, including the specific purposes for which data is sought under sub-section (2) and the form of disclosure of such directions under sub-section (3) of section 91; or

This does not make any material difference to the Personal Data Protection Bill (PDPB) though it will satisfy the demands from some of the opponents of the Bill who had identified this as a point of contention.

The other major point that could impact the PDPB 2019 is the recommendation regarding Consent for Anonymized Data.

The revised report suggests that “Consent should be obtained from the data principal for anonymization of personal data”.

It may be observed that Naavi has suggested the inclusion of the consent for anonymization as part of the Notice/Consent format to be used under PDPSI (Personal Data Protection Standard of India) as a measure of compliance under the principle of “Abundant caution”.

However, it is necessary to record my personal view that this proposition is not necessary and is perhaps self-contradictory to the major objective of the Non Personal Data Governance (NPDG) regulation. It may also not be fully in conformity with the “Right to Carry on Business of choice” guaranteed by the Constitution under Article 19(1)(g).

According to Article 19(1)(g), it is a fundamental right guaranteed by the constitution to “practise any profession, or to carry on any occupation, trade or business”.

Why is this Provision Self Contradictory?

The revised KGC report states

“It is clear from industry feedback to the Committee and from its own research that large collections of anonymized data can be de-anonymized, especially when using multiple non-personal data sets”

Accordingly, it is suggested by the revised recommendations that “Data Collectors” at the time of collecting personal data should provide a notice and offer the data principal the option to opt out of the data anonymization.

This suggestion is considered “Self Contradictory” since it directly negates the very definition of “Anonymization” provided in the PDPB 2019.

According to Section 3(2) of the PDPB 2019, Anonymization is defined as follows.

(2) “anonymisation” in relation to personal data, means such irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified, which meets the standards of irreversibility specified by the Authority;

The Data Protection Authority is expected to provide the necessary technical guidelines to determine the dividing line between “Identifiable Personal Data” and “Anonymized Personal Data”.

The new recommendations appear to express a lack of confidence in this definition and in the ability of the DPA to arrive at an acceptable technical standard for what constitutes an “Irreversible process”.

The argument that “Anonymized data can be de-anonymized”, and its acceptance as a legal principle, is a dangerous precedent. The same argument can be extended to “Encrypted Data can be Decrypted”.

If we presume that “Encrypted Data can be decrypted” then any data leak consisting of “Encrypted Data” has to be considered as a “Data Breach”. This goes against the accepted principles of Data Protection recognized even under laws such as HIPAA/HITECH Act and takes “Encryption” out of the equation constituting “Security of Information”.

If anonymized data can be re-identified, then we have to accept that encrypted data can be decrypted. It is only a question of the “Technology used for breaking Anonymization or Encryption”, the “Effort applied” and the “Intention”.

Accepting the suggestion therefore is a serious blow to the Information Security principle that “Encryption Secures Information”.

The more practical way of addressing the concern is to clarify that “Anonymization” is an “Irreversible process”, meeting the standards of “Reasonable irreversibility” to be notified by the Data Protection Authority.

If some Data Analytics company or a Data Analyst applies a large enough effort, any encrypted data can be decrypted or any anonymized data can be identified. If such effort is being applied, it must be considered that the intention is “Malicious”, and the identification should be treated as a contravention of Section 82 of PDPB 2019 and punished accordingly. It may also be considered as “Diminishing the value of information residing inside a computer or affecting it injuriously by any means” under Sections 43 and 66 of ITA 2000 and punished accordingly.

Hence there is sufficient deterrence in the law to ensure that breaking the anonymization as per the standard prescribed cannot be “Presumed”. If this can be “Presumed”, then every regulatory feature prescribed in PDPB can be presumed as infeasible of being regulated and this would be self contradictory by itself.
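To make the committee's quoted finding concrete, the following is an added example (not from the committee report or from this site) of what "de-anonymization using multiple non-personal data sets" looks like in practice, and of one measurable criterion, k-anonymity over the quasi-identifiers, that a standard of "reasonable irreversibility" could be expressed in. Both datasets, the field names and the PIN codes are constructed for the example. The join below uses no cryptographic attack at all; it only needs the attributes that the released dataset retained.

```python
"""Linkage (re-identification) attack on a dataset that dropped only direct
identifiers, followed by a k-anonymity measurement before and after generalizing
the quasi-identifiers. Every record here is constructed for this example; the
field names and PIN codes are assumptions, not real data."""

from collections import Counter, defaultdict

# Constructed "anonymized" release: names and phone numbers removed, but the
# quasi-identifiers (PIN code, date of birth, sex) kept in full.
RELEASED = [
    {"pin": "560001", "dob": "1984-03-12", "sex": "F", "diagnosis": "diabetes"},
    {"pin": "560001", "dob": "1987-07-30", "sex": "M", "diagnosis": "asthma"},
    {"pin": "560034", "dob": "1984-03-12", "sex": "F", "diagnosis": "hypertension"},
    {"pin": "560034", "dob": "1978-11-02", "sex": "M", "diagnosis": "asthma"},
    {"pin": "560034", "dob": "1978-11-02", "sex": "M", "diagnosis": "diabetes"},
]

# Constructed second dataset carrying identities (think of a voter roll or a
# loyalty-programme export) that shares the same quasi-identifiers.
PUBLIC = [
    {"name": "Asha",   "pin": "560001", "dob": "1984-03-12", "sex": "F"},
    {"name": "Ravi",   "pin": "560001", "dob": "1987-07-30", "sex": "M"},
    {"name": "Meera",  "pin": "560034", "dob": "1984-03-12", "sex": "F"},
    {"name": "Suresh", "pin": "560034", "dob": "1978-11-02", "sex": "M"},
    {"name": "Kiran",  "pin": "560034", "dob": "1978-11-02", "sex": "M"},
]

QUASI = ("pin", "dob", "sex")


def quasi_key(rec, fields=QUASI):
    """The tuple of quasi-identifier values used for joining and grouping."""
    return tuple(rec[f] for f in fields)


def link(released, public, fields=QUASI):
    """Join the two datasets on the quasi-identifiers.
    Returns {index of released record: set of candidate names}."""
    index = defaultdict(set)
    for p in public:
        index[quasi_key(p, fields)].add(p["name"])
    return {i: set(index.get(quasi_key(r, fields), ())) for i, r in enumerate(released)}


def reidentified(released, public, fields=QUASI):
    """Released records whose quasi-identifiers match exactly one identity.
    Returns {index: name}; an empty dict means the linkage found nobody."""
    return {i: next(iter(names))
            for i, names in link(released, public, fields).items()
            if len(names) == 1}


def k_anonymity(records, fields=QUASI):
    """Smallest equivalence class over the quasi-identifiers.
    k == 1 means at least one record is unique and therefore linkable."""
    counts = Counter(quasi_key(r, fields) for r in records)
    return min(counts.values())


def generalize(rec):
    """Coarsen the quasi-identifiers: 3-digit PIN prefix, birth decade, sex suppressed.
    Non-quasi fields (diagnosis, name) are carried over unchanged."""
    out = dict(rec)
    out["pin"] = rec["pin"][:3]
    out["dob"] = rec["dob"][:3]   # "1984-03-12" -> "198", i.e. the decade
    out["sex"] = "*"
    return out


if __name__ == "__main__":
    print("k before generalization:", k_anonymity(RELEASED))
    print("re-identified:", reidentified(RELEASED, PUBLIC))
    gen_released = [generalize(r) for r in RELEASED]
    gen_public = [generalize(p) for p in PUBLIC]
    print("k after generalization:", k_anonymity(gen_released))
    print("re-identified after generalization:", reidentified(gen_released, gen_public))
```

On the constructed data, three of the five released records are tied to a single name by the join alone, and the release has k = 1. After generalizing the quasi-identifiers (PIN prefix, birth decade, sex suppressed) k rises to 2 and the same join yields no unique match. A minimum k over a declared set of quasi-identifiers is the sort of verifiable threshold a standard of irreversibility can be written against; an opt-out at collection time, by contrast, tests nothing about the released data.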

Why the Provision is Unconstitutional

If Anonymziation as per the standards set by the Data Protection Authority is followed, then the “Identifiable Personal Data” becomes “Non Personal Data” and becomes the subject matter of governance under the new law namely the Non Personal Data Governance Act (NPDGA). The objective of this NPDGA would be to unlock the value in the data which is considered “Non Personal”.

A substantial part of Non Personal Data consists of “Anonymized Personal Data”. If the Personal Data Collector has no freedom to use “Anonymized personal data” as “Non Personal data” and unlock its value, then the business arising thereof is effectively killed. In that case, any personal data collected for a specific purpose, and limited in use to the time until the purpose is accomplished, will have zero value after the purpose is completed, since it has to be mandatorily extinguished.

If we consider “Profile” as also “Personal Data” then all the profiles also need to be extinguished after the purpose for which the profile data was collected. On the other hand, if the “Profile data” could be anonymized then it would be useful to the community without adversely affecting the privacy interest of the individual.

It is to ensure that personal data collected should be useful to the community that the principle of “Permitted Data Processing and Disclosure” allows exceptions to some of the restrictions on personal data processing for Public Interest, Emergent requirements of the data principals and others, as well as the law enforcement.

Along with these rights of the society in public interest, safety and law enforcement, the right of a business to carry on business with anonymized data in a manner that does not adversely affect the privacy of the erstwhile identifiable personal data must be considered as “Legitimate Interest” of the business and protected under Article 19(1)(g).

Hence the proposition is considered unsustainable from the point of view of fundamental rights.

Rights Cannot be recognized in “Re-birth”

In India we believe that individuals go through cycles of birth and death and all of us have a history of previous births. There have been many instances where hypnotists have claimed that through “Age Regression” they can extract the previous birth information of an individual.  Some studies appear to suggest that some past birth experiences are also proved correct. The Nadi Astrology system also supports the views of “Karma” from “Previous birth” having an impact on the present life of an individual.

Without going into the details of a discussion on this subject of Re-births, I would like to point out the similarity of the individual’s re-birth to the re-identification of an anonymized personal data.

Once personal data is anonymized (as per standards prescribed in law), then it must be considered as “Dead”. Just as we cannot recognize the legal rights of property or family relations of a previous birth because a hypnotist can extract what appears to be an “Evidence” of previous birth,  we cannot provide rights to the data principals whose private data has been anonymized and a criminal data scientist de-anonymizes it for  commercial benefit.

Hence the concept of “Data, Re-born” should not be provided sanctity under law as much as the rights of a person on his previous birth cannot be recognized under law. It would be like recognizing the right of a person to write a will that if he returns in his next life, the property should be restored to him in the new birth.

Suggestion

It is therefore suggested that the recommendation of the revised Kris Gopalakrishnan Committee report regarding “Consent for Anonymization” be rejected.

However the definition of “Anonymization” under Section 3(2) of PDPB 2019 can be modified as under.

(2) “anonymisation” in relation to personal data, means such irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified, which meets the standards of irreversibility specified by the Authority, by reasonable, non malicious efforts.

It can also be suggested that a definition of “De-Anonymization” can be added to the PDPB as

3(..) De-anonymization means converting “anonymized personal data” which has been subjected to a standard irreversible anonymization process as per Section 3(2), to a state where it can be identified as personal data either partially or fully, whether accurately or not.

Inclusion of the above definition of “De-anonymization” would meet all the concerns that the revised Kris Gopalakrishna Committee report expresses.

Naavi

Posted in Cyber Law