National Digital Health Mission shows the way… Be Ready before PDPA becomes effective

India is entering the global order of Privacy Protection with the enactment of “Personal Data Protection Act” some time in 2021 when the Bill (PDPB 2019) will be presented to the Parliament.

Even while a section of the industry is working at delaying the passage of the Bill, the Government is silently working at implementing the provisions of the proposed bill in its National Digital Mission without waiting for the Bill to be passed, DPA to be constituted etc.

This approach is consistent with the law in India since Information Technology Act 2000 (ITA 2000) already has provisions under Section 43A.  This provision of ITA 2000 mandates protection of sensitive personal data under “Reasonable Security Practice”.

“Reasonableness” under Section 43A can be extended to “Due diligence” which includes the general legal development in the country that India is shortly enacting a comprehensive personal data protection Bill which will expand and replace Section 43A of ITA 2000.

The fact that PDPB 2019 is the “Due Diligence Prescription under Section 43A of ITA 2000” is the reality and though the penal provisions of the law may not be effective as at this time, the principles of personal data protection under PDPB 2019 are applicable as of now as part of Section 43A of ITA 2000. This has been rightly recognized by the Ministry of Health which has adopted the emerging law into its NDHM project through a comprehensive “Health Data Management Policy”.

Since this policy indicates how other sectoral regulators may also think of advancing the implementation of PDPB 2019 without waiting for the formalities of its passage into a law, we can explore this policy in greater detail along with the other details of the NDHM through a series of articles.

Watch out for more information

Naavi

(To be continued)

All Articles in the series:

1. National Digital health mission shows the way… Be Ready before PDPA becomes effective
2. NDHM is a trend setter… Get started early on the Privacy Protection journey
3. Consent Management under NDHM
4. NDHM-Health Management policy Objective need not be linked to ISO standard
5. Managing IDs in NHD ecosystem
6. Data Fiduciaries under NDHM


Making Corruption Easy

For any financial crime to prosper, there has to be a means of benefitting from the crime. This means that the proceeds of the crime should be converted into legit wealth of the criminal. This is precisely what we call “Money Laundering”.

Normally we expect that the Government of the day, the Central Bank and the Courts of the Country will do everything under their control to prevent “Money laundering” so that financial crimes are discouraged.

Unfortunately, in India our system does everything to make corruption easy.

And in this exercise the regulators, the Government and the Courts are all happy shifting the blame to another if the decision is difficult.

This tendency is clearly visible in the way the Bitcoin issue is being handled in India. It is no surprise that Bitcoin users and Bitcoin business entities want Bitcoin to be made a legal tender so that it becomes a crime neither to use them nor to deal with them. For some time RBI resisted this but the Supreme Court came to the assistance of the Bitcoin industry and gave a “Deemed Acceptance” of Indian Banks opening and operating bank accounts for the purpose of trading in Bitcoins and other crypto currencies.

The moment Supreme Court came to the assistance of the Bitcoin Exchanges, the fact that Bitcoin is a currency of the Criminals and Currency best suited for receiving and handing over large value bribes became more relevant than ever before.

Today an article “India’s Banks Are Once More Serving Crypto Traders and Exchanges” indicates the mindset of the industry and how they are slowly putting pressure on Banks to open out to maintaining the accounts for Bitcoin exchanges.

I would like to challenge these Banks….

“How do Banks consider the opening and operating of a bank account for a Crypto Currency exchange, which allows buying and selling of Bitcoins and crypto currencies which are not “Currencies” but are “Commodities” and are subject to the legal principle of transfer of property, namely “Nobody shall transfer a title free from the defects of the transferor’s title” (unless the transferee is a holder in due course of a negotiable instrument), as not “Money Laundering”?”

If Banks become bankers to money launderers where is their obligation to the “Prevention of Money Laundering Act”?

It is perhaps unfair to blame only the Banks because this situation has arisen solely because of the Supreme Court. The Chief Justice of India could have reviewed the subject order and corrected the perception of the honest public of India that Supreme Court is supporting Bitcoin. But he is perhaps busy with other issues.

There was a time when the Supreme Court was asking the Government of India what measures they were taking for prevention of corruption and black money. But now the Supreme Court of 2020 is seen actually as a facilitator of digital black money in the form of Bitcoins.

The Government is also not concerned because if “Bribing” becomes easy, the Government employees are the most happy persons because a large part of the market share of corruption predominantly belongs to the Government employees.

What is left for all of us is to think of conducting a training for the public on how to buy bitcoins and use them for paying bribes. Presently only the digital savvy persons receiving large amounts of bribes are perhaps using bitcoins. It is time that we let the small time people such as clerks in Government offices and traffic cops also become conversant with the use of Bitcoins and how to collect their bribes with Satoshis. (1 satoshi is 1/100,000,000 of 1 bitcoin and 1 satoshi is approximately equal to 1.3 paise.) It would be better if the Government of India declares a new currency term, 100 satoshis equal to 1 Satoshi rupee, so that it becomes easy for the public to give and receive bribes.

Perhaps the Ministry of Finance and the Ministry of IT would also be able to provide some financial incentives to people who can conduct outreach programs for conducting such training programs.

Maybe it is also time for the PMO to consider that in the next Mann Ki Baat, Mr Modi can speak of opening out our economy by merging the Bitcoin as part of our currency system so that we become a part of a global digital currency system.

Any such move would not be opposed by the opposition parties nor the Supreme Court because everybody is happy. Hence no Bharat Bundhs and no Delhi blockade. In fact the Urban Naxalites may be persuaded to withdraw from the farmer’s agitation if the incentive of Bitcoin legalization is offered.

Naavi


Software and Business Method Patent in India is possible

Software companies in India have been trying to get the Indian Patent law changed to allow patents for Computer Software and Business Methods. Such patents are available in USA but were so far considered not patentable in India because Indian Patent Act Section 3 (k) stated as follows:

3. What are not inventions.—The following are not inventions within the meaning of this Act,—

 (k) a mathematical or business method or a computer programme per se or algorithms;

However, it appears that this situation has now changed and a patent number 353365 issued on 10th December 2020 for an invention titled “Halting a denial of service” appears to be a patent granted for a software which is a “Business Method”.

Earlier it was considered that only if a software is part of a hardware, the device could be patented and “software-per-se” was not patentable.

There are 9 claims under this patent, namely:

Claim 1: A method for identifying and mitigating a distributed denial of service attack (DDoS), the method comprising:

  • collecting, through a processor that is operatively coupled to a network interface card (NIC) of a computing device, a first set of parameters from user request having data packets, wherein the user request is configured for requesting a service from a server in a network;
  • collecting, through the processor operatively coupled to the NIC, a second set of parameters from a server response, wherein the server response having data packets from the server in response to the user request;
  • analyzing, through a mitigation core coupled with the computing device, the first set of parameters and the second set of parameters, to determine a traffic score associated with the data packets in the user request and the server response, said traffic score being computed using a cumulative sum (Cusum) anomaly detection, wherein said mitigation core comprises layers of one or more mitigation filters that determine whether each data packet is dropped or sent to the next filter of the one or more mitigation filters;
  • comparing, using the processor, the determined traffic score based on the first set of parameters and the second set of parameters with a pre-determined threshold score to determine that either one of the user request or the server response comprises one or more malicious data packets associated with a DDoS attack in the network; and
  • alleviating, through the processor, the DDoS attack by applying a traffic shaping based mitigation criteria.

(P.S: The underlined portions above are the changes made in the application to support that the invention is outside the provisions of Section 3(k) as explained in the comment below)

Claim 2: The method as claimed in claim 1, wherein the first set of parameters are selected from any or a combination of a Source IP and/or Destination IP and/or Source Port and/or Destination Port and/or TCP Flags and/or TCP flags distribution across user requests and/or a TCP window size and/or a TCP sequence number and/or a TCP Header length and/or a Source IP distribution across user requests and/or a Destination IP distribution across user requests and/or a Source port distribution across user requests and/or a Destination port distribution across user requests and/or a Number of connections per source IP and/or a Number of connections per source IP and destination IP and/or a UDP header length and/or a HTTP header length and/or a HTTP request Method and/or a HTTP URL and/or a HTTP Referer and/or a HTTP Host and/or a HTTP User-agent and/or a HTTP version and/or a HTTP Content length and/or a DNS flags and/or a DNS query type and/or a DNS Transaction ID and/or a ICMP type and/or a ICMP packet length and/or an Incoming bytes per second (bps) and/or an Incoming packets per second (pps) and/or a TCP pps and/or a TCP bps and/or a ICMP pps and/or a ICMP bps and/or a UDP pps and/or a UDP bps and/or a HTTP pps and/or a HTTP bps and/or a IPv4 pps and/or a IPv4 bps and/or a IPv6 pps and/or a IPv6 bps and/or a Non-IP pps and/or a Non-IP bps and/or an Invalid UDP pps and/or an Invalid ICMP pps and/or an Invalid TCP pps and/or an Invalid UDP bps and/or an Invalid ICMP bps and/or an Invalid TCP bps and/or an Invalid IPv4 pps and/or an Invalid IPv4 bps and/or an Invalid IPv6 pps and/or an Invalid IPv6 bps and/or an Invalid HTTP Request pps and/or an Invalid HTTP Request bps and/or a HTTP requests per URL and/or a HTTP requests per Host and/or HTTP requests per source IP and/or HTTP requests per destination IP and/or HTTP requests per destination IP and source IP.

Claim 3: The method as claimed in claim 1, wherein the second set of parameters are selected from any or a combination of a DNS NX Domain responses and/or a TCP RST pps and/or an Outgoing pps and/or an Outgoing bps and/or a Server response time and/or a TCP flags distribution and/or a TCP window size and/or a Maximum server connections and/or a HTTP response code and/or a HTTP payload length and/or a TCP Sequence number and/or a TCP Payload length and/or a TCP ACK timestamp and/or a Number of open ports per destination and/or a TCP pps and/or a TCP bps and/or a UDP pps and/or a UDP bps and/or a ICMP pps and/or a ICMP bps and/or a DNS response pps.

Claim 4: The method as claimed in claim 1, wherein the mitigation criteria is selected from any or a combination of a syn proxy, geo-IP filtering, heuristics, a progressive challenge, rule matching, a temporary blacklist, aggressive aging, or RFC compliance.

Claim 5: The method as claimed in claim 4, wherein the data packet is passed if the data packet in the user request and the server response passes the mitigation criteria.

Claim 6: The method as claimed in claim 4, wherein the data packet responds with a challenge if the data packet in the user request is found to be suspicious as per the mitigation criteria including syn proxy and/or progressive challenge.

Claim 7: The method as claimed in claim 4, wherein the data packet in the user request or the data packet in the server response is dropped if the data packet fails any mitigation criteria and a next data packet is analyzed.

Claim 8: The method as claimed in claim 1, wherein the traffic score is computed based on anomaly detection technique selected from any or a combination of an Entropy, a top talker, a multi-variant Gaussian distribution, a univariant Gaussian distribution, or a heuristic analysis.

Claim 9: The method as claimed in claim 1, wherein the pre-defined threshold is computed dynamically based on the first set of parameters and the second set of parameters stored in a repository and the pre-determined threshold is adaptive based on first set of parameters and the second set of stored in a repository, and the first set parameters and the second set of parameters comprises a structured and/or an un-structured representation.
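To make the detection step of claim 1 concrete (a traffic score from cumulative-sum anomaly detection over request-side and response-side parameters, compared with a threshold, followed by a traffic-shaping decision), the following added example applies a generic textbook one-sided CUSUM to two per-second counters. It is not the patented implementation and not code from the patent or from this site; the function names, the baseline window, the slack `k`, the threshold `h` and the sample series are all assumptions constructed for illustration.

```python
"""Generic one-sided CUSUM traffic score (illustration only, not the patented method).

All names, constants and sample series below are constructed assumptions.
"""
from statistics import mean, pstdev


def cusum_scores(series, baseline_len=10, k=0.5):
    """Return the running CUSUM score S_t = max(0, S_{t-1} + z_t - k).

    z_t is the sample standardized against the first `baseline_len` samples;
    k is the slack (in standard deviations) that ordinary jitter may use up.
    """
    if len(series) < baseline_len:
        raise ValueError("series shorter than the baseline window")
    baseline = series[:baseline_len]
    mu = mean(baseline)
    sigma = pstdev(baseline) or 1.0  # flat baseline: avoid division by zero
    score, out = 0.0, []
    for x in series:
        z = (x - mu) / sigma
        score = max(0.0, score + z - k)  # accumulate only upward drift
        out.append(score)
    return out


def traffic_score(request_pps, response_rst_pps, baseline_len=10, k=0.5):
    """Combine request-side and response-side CUSUMs; the worse one wins."""
    req = cusum_scores(request_pps, baseline_len, k)
    rsp = cusum_scores(response_rst_pps, baseline_len, k)
    return [max(a, b) for a, b in zip(req, rsp)]


def first_alarm(scores, h=5.0):
    """Index of the first interval whose score exceeds threshold h, or None."""
    for i, s in enumerate(scores):
        if s > h:
            return i
    return None


def decide(scores, h=5.0):
    """Per-interval action: shape traffic while the score is above h."""
    return ["shape" if s > h else "pass" for s in scores]


def naive_alarm(series, baseline_len=10, z_limit=5.0):
    """Per-sample z-score check, for comparison with CUSUM."""
    baseline = series[:baseline_len]
    mu, sigma = mean(baseline), pstdev(baseline) or 1.0
    for i, x in enumerate(series):
        if (x - mu) / sigma > z_limit:
            return i
    return None


# Constructed sample data: 10 baseline seconds, one harmless blip (index 10),
# then a slow sustained rise in request packets per second from index 14.
REQUEST_PPS = [1000, 1020, 980, 1010, 990, 1005, 995, 1015, 985, 1000,
               1030, 1000, 990, 1000,
               1040, 1045, 1050, 1055]
# Constructed response-side counter (TCP RST packets per second), steady here.
RESPONSE_RST_PPS = [10, 12, 8, 11, 9, 10, 10, 12, 8, 10,
                    10, 10, 10, 10, 10, 10, 10, 10]

if __name__ == "__main__":
    scores = traffic_score(REQUEST_PPS, RESPONSE_RST_PPS)
    for i, (s, action) in enumerate(zip(scores, decide(scores))):
        print(f"t={i:2d} score={s:6.2f} action={action}")
    print("CUSUM alarm at:", first_alarm(scores))
    print("per-sample alarm at:", naive_alarm(REQUEST_PPS))
```

The single blip at index 10 decays without tripping the threshold, while the sustained rise accumulates and crosses it on its second sample, even though no individual sample is extreme enough for the per-sample check.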

It is to be noted by users of all anti-DDOS products that if they are using any of the methods described above in the patent, they may be liable for infringement of the patent unless they obtain the necessary license.

All auditors need to flag similar methods used by the auditee organizations as a “Risk”, and the possibility of financial liabilities arising from it has to be factored in.

All Cyber Insurance companies need to rework their assessments of organizations if there is a potential infringement.

This patent, issued on the claims filed by the Registered Patent Agent Mr Tarun Khurana and approved by Mr Roopak Jain as the Controller of Patent (apparently in the Delhi branch of the Patent Office), appears to be a milestone in the history of Software Patents in India.

Based on the issue of this patent, there could be a flood of patent applications from the software companies in India and also applications for re-considerations of earlier applications rejected by different patent offices.

(Comments welcome)

(P.S: Naavi.org does not fully agree with the interpretation of the patent office that this patent is outside the provisions of Section 3(k), since it is a “Method” and no “Physical Device” has been indicated as the patent.

Nevertheless, it is the prerogative of the Patent office to take a view of its own unless otherwise challenged. This will however be a precedent in the case of other software patent applications and if any other party finds that their patents were unfairly rejected, then they may try to amend their claim and seek reversal of the earlier decision either through a review or by approaching the High Court.

In the past Patents have been claimed on basic aspects of network functioning such as hyperlinking, reverse auctions in the e-commerce scenario, single click buying in E Commerce scenario, the GIF imaging etc which have caused extreme discomfort to the users.

This patent is also a basic “Firewall” feature where the data packets are filtered against some pre-set rules. The only distinguishing feature is that “There should be a Processor” that is coupled with the NIC which does the analysis of the packet and its filtering. Unfortunately the patent is not for this “Processor” but has been given for the “Method”.

In our opinion, the “Processor” should have been segregated into a “device” and patent should have been provided for the device  which is the hardware plus the embedded software. It is our considered view that the Patent office has erred in granting the patent in its current form under the current provisions of Section 3(k) … Naavi)

Naavi


Bitcoin is Fascinating but Dangerous

It is unfortunate that there is a need to fight and continue fighting on the Bitcoin which is an obvious evil to the country, because there is such an overwhelming support to the system which is a wonderful tool of corruption.

But the fight needs to be carried on…One day God will hear…even if Mr Modi does not…

Check on my detailed views if you are interested.

Naavi

(Views expressed here are personal views of Naavi only released in the interest of the citizens of India)


Another Open Letter to Mr Narendra Modi, the Prime Minister of India.. On Bitcoin

To

Sri Narendra Modi
Prime Minister of India
New Delhi

Sub: Why we should eliminate the Digital Black Money called Bitcoins from the face of India

Dear Sir

I am one of the admirers of your leadership and believe that in the path of progress of India, substantial ground has to be covered under your regime before it is too late. Whether it is Anti-CAA or Anti-Farm Bills, we are aware that opposition parties will try to discredit you and discourage you so that you will stop taking any further reformist steps. Unfortunately a large part of the media has also lost its sense of duty to the public and hence they help build false narratives that sustain the anti reformist agenda of the opposition.

At this time of crisis some times people like us hesitate, thinking whether it is fair to raise one more contentious issue and seek your intervention. We are afraid that this would probably  increase your stress and  we don’t want you to break down.

But I am also constrained to think that there is one thing which is an unfinished agenda for you which is possible to be achieved only under your leadership and not otherwise. That is the elimination or at least an attempt at reduction of the Black Money.

Your first effort to demonetize large value currency was frustrated by the corrupt intermediaries and to some extent presence of a large quantity of fake currency in the country. The effort to prevent “benami” property holding through Aadhaar linking has been put on the back burner because of the power of the unaccounted assets which drive business and politics in our country.

Now I would like to say that behind this power of the “Black Wealth”, the continued recognition of “Bitcoins” and “Crypto Currencies” is the main reason. The crypto currencies and Bitcoin provide an excellent opportunity to the possibility of building black digital wealth and conducting the black money havala transactions. All intelligent black money holders have already converted their black money and wealth into Bitcoins and any further efforts in the physical world to curb benami properties etc will not have the required impact to reduce black money and black wealth in India.

Some time back RBI tried to ban bitcoins but the power of black money prevailed and bitcoins got a new lease of life from none other than the honourable Supreme Court itself.

I have therefore lost trust in the RBI or even the Supreme Court doing anything further to curb the menace of “Bitcoin”. I am sure that many of the bureaucrats and politicians also love Bitcoins because it is the best way to take bribes.

The current farm agitations are also perhaps funded out of Bitcoins because Canada is in the forefront of Bitcoin usage. I am sure that Bitcoins are used for funding terrorist transactions as well.

Despite the fact that recognition of Bitcoins would kill the economy, the Government of India has remained silent and this can only be interpreted as corruption showing its power at the highest level.

The last hope to get this Digital Black Money eliminated is you and hence I am constrained to write this letter once again.

Kindly take the bold step of banning crypto currencies, first by making a statement from your end or from the MOF end. Then kindly issue an ordinance to bring it to effect immediately.

By banning crypto currencies, you will be seriously choking the underworld economy in the digital world and there will be a reduction in cyber crimes and ransomware attacks.

I will not be surprised if even the farmer’s agitation would be weakened since all the funding agencies will have to run for cover to recover their own existence if crypto currency wealth is extinguished.

Just as the Canadian Prime Minister is trying to bring pressure on the farmer’s agitation, there would be many foreign countries who may have their opposition to a move for banning crypto currencies in India, but I wish you would be able to convince them that it is our internal decision.

Probably there would be many countries which will rally behind you in this measure and make you a global leader of a movement to eliminate Crypto Currencies from the world economy.

Do you have the courage to take this step? I only pray God that you will get the strength to take this step.

Bitcoin is a menace worse than Drugs, that can destroy the country. Let us wake up before it is too late.

Naavi

Earlier articles on this website on Bitcoins are available here:

 


Data Trust Score – thoughts on legal framework (Part 3)

Data Trust Score is an innovative mandatory provision in Indian Personal Data Protection Bill 2019 which introduces measurability and accountability to the compliance initiatives of a Data Fiduciary. In this three part article, Mr M.G. Kodandaram, IRS, retired Assistant Director NACIN, analyses the legal aspects of the Data Trust Score system….. Naavi

(Continued from part-2)

In this concluding part we shall deliberate on fair means of using the mandated principles, within the scope of the objectives and the proposed legal framework, to arrive at a possible data score methodology. The author is not inclined to propose a definitive scoring pattern as the bill in hand is still a legislation in the making and more changes are expected before it becomes the law of the land. Once the legislation gets the nod of both the houses, carrying out such an exercise will be more realistic and useful. Therefore in this part the discussions are limited to the components that should be part of the DTS system.

Objectives of the bill

The Preamble part of the bill declares the purpose of the legislation as, “to provide for protection of the privacy of individuals relating to their personal data, specify the flow and usage of personal data, create a relationship of trust between persons and entities processing the personal data”. It further vouches (i) to protect the rights of individuals whose personal data are processed, (ii) to create a framework for organisational and technical measures in processing of data, (iii) laying down norms for accountability of entities processing personal data,(iv) remedies for unauthorised and harmful processing, and (v) to establish a Data Protection Authority of India for the said purposes.  The honourable Supreme Court in the case of Justice K.S. Puttaswamy[i] v/s Union of India has held that right to privacy is a fundamental right and therefore it is necessary to protect the personal data as an essential facet of informational privacy. At the same time it is necessary to create a collective culture that fosters a free and fair digital economy, ensuring empowerment, progress and innovation through digital governance. No doubt that the data is the lifeblood of any digital business, but on its abuse, the ultimate losers are the consumers, who may receive an irreversible shock on their private life.

Obligations of the fiduciary

The privacy rights of an individual have to be accomplished, for which the data fiduciaries are expected to follow certain obligations stipulated under section 4 to section 11 of the bill. The Bill allows the processing of data by Fiduciaries only after due consent is obtained from the individual / Principal. For obtaining the consent of a Principal for collection or processing of personal data, the fiduciary needs to issue a notice to such person, stating the reasons in clear, concise and easily comprehensible terms. The procedure for issue of notice to the principal, at the time of collection of data[ii], for obtaining the consent is elaborate and due care is to be taken to devise digital tools for meeting the requirements. In the notice the Principal should be informed about the purpose, nature and categories of data being collected. The identity and contact details of the data Fiduciary and the contact details of the data protection officer are also to be informed to the Principal. Such Principal should be informed of the procedure to withdraw his consent in the mandated way. Further, personal data can be processed only for specific, clear and lawful purposes. The Data Fiduciary shall not retain any personal data beyond the period necessary to satisfy the purpose for which it was processed and shall delete the personal data at the end of processing. The personal data may be retained for a longer period only after the data fiduciary gets necessary consent from the Data Principal. During the compliance audit, it is for the data auditor to comment on each one of these parameters followed by the fiduciary, before proceeding to the quantification of the DTS score. The measure so made should indicate the trust factor of the fiduciary in handling the personal data of the principals.

It is pertinent to mention here that the relationship between the principal and fiduciary enshrined in the bill is of a special and unique nature. Here the fiduciary should extend a breach-proof mechanism to the personal data owner / principal, which is equivalent to safeguarding the fundamental rights of the principal. Therefore the measure applied to score the ‘trust-worthiness’ needs to be rational and realistic. Efforts should be made to measure directly or indirectly all the stipulated obligations, compliances and functions of the fiduciary, using digital tools wherever possible, to meet the requirement of law.

Voice of principal needs recognition

From the above deliberations we find that there are compliance mechanisms and a complaint mechanism in place but the crucial element of a feedback mechanism is missing in the entire framework under consideration. As stated in the earlier part, the major stake holder or the beneficiary in this entire bill is the principal, but her/his observations about the services rendered by the fiduciary are not given due place in scoring the credentials of the fiduciary. Further, any personal data breached at the fiduciary’s location may, through the dark nets, land in the hands of cyber criminals, who could exploit the data to cause injury to the principal. The safeguards taken by the fiduciary to eliminate personal data breaches protect the principal from being a victim of cyber crime. The satisfaction of the principal about the protection layer provided by the service providing fiduciary is an important element in measurement of trust score. The DTS is supposed to express the trust of the principal as to the level of protection the fiduciary has extended. Therefore the principal’s feedback about the satisfaction in the services provided by the fiduciary will be one of the best indicators of mutual trust, the author feels.

Finding fault or gap in services should not be based on the mere observations of the auditor or on sheer outcomes of the complaint mechanism in place. The principal’s voice should be heard and deserves a place in formulating the score for the fiduciary. Therefore a feedback system should be legislated wherein the fiduciary should be asked to obtain responses from their principal whenever they provide them with any service. This will also add value to the review mechanism of the fiduciary.

As per the above deliberations it is clear that there is no provision made in the law for a principal to offer feedback about the services extended by a fiduciary. This needs to be used as a positive aspect to draw the trust scores, the author observes. A suitable section could be inserted prescribing an effective feedback mechanism and using it to determine the scoring of the data trust.

Authority to be well equipped

Further, in a Democratic society like Bharat, to take up the huge responsibility of implementation of this law and the disproportionate issues that could emerge, the Authority concerned should be well equipped in terms of skillful techno-legal manpower along with a robust digital platform to be used as an e-governance vehicle. As per section 49 of the bill, “It shall be the duty of the Authority to protect the interests of data principals, prevent any misuse of personal data, ensure compliance with the provisions of this Act, and promote awareness about data protection”, which is a huge responsibility to be discharged. Further, the responsibilities of the Authority include (i) taking prompt and appropriate action in response to personal data breach, (ii) maintaining a database and the data trust score on the web, (iii) classification of data fiduciaries, (iv) monitoring technological developments and commercial practices that may affect protection of personal data, (v) receiving and inquiring complaints, (vi) selection of auditors, (vii) prescribing the design by policy and DTS measures, together with registration and regulations of various provisions relating to safeguarding the interest of the principals, all of which are going to be matters of great concern.

As the task involved is around safeguarding the fundamental rights of a citizen, it becomes all the more important as the Supreme Court and high courts could be directly approached for reliefs. Added to this, technological advancements are on an accelerated mode, as are information exchanges and communications as well as cyber crimes. Unless the officials are proportionately equipped with techno-legal skills, the implementation of law may leave a huge scar in the governing of citizens. The Authority must select officials with requisite technical and legal qualifications only. Such executives are to be suitably trained, which is going to be the most critical element for the successful implementation of this new regime.

Section 49(3) requires the Authority to be treated like any other fiduciary as far as the processing of the personal data is concerned. It expressly mandates that, “it shall be construed as the data fiduciary or the data processor in relation to such personal data as applicable, and where the Authority comes into possession of any information that is treated as confidential by the data fiduciary or data processor, it shall not disclose such information unless required under any law to do so, or where it is required to carry out its function under this section”. This is a crucial aspect of the bill that deserves special attention. Further, all the central government departments are following the standards prescribed under Service Quality Management System as per IS 15700- SEVOTTAM, which should be made applicable to the Authority.

Conclusions

To be fair and justifiable, the computation of DTS by the auditor may consist of the following major components:

  • Outputs from the measurable components like
    • (a) dynamic grievance redressal mechanism;
    • (b) online periodical compliance by fiduciary;
    • (c) reported breaches and remedial action taken along with time frame, etc.
  • Outputs from the verification report drawn by the data auditor on subjective issues such as obligations met by the fiduciary, appreciations and deficiencies noticed during the audit, etc.
  • Feedback from the principal about the quality of the services provided as against the mandated obligations and the trust she/he could recommend.
  • The Observations by the executives who are implementing these provisions.

The suggested weightage to obtain the consolidated DTS score from the above four components could be, for the first three components, 30% each and 10% for the last. The author welcomes any additional suggestions and ways to measure the trust score so that it becomes the forerunner in the cyber society and the best practices to ensure privacy of the individual.

(Concluded)

[i] (2015) 8 S.C.C. 735 (India)

[ii] Sec.7, PDP bill

 
