DPDPA and Journalism

An interesting debate has ensued about the impact of DPDPA on Journalists. The Editors Guild of India (EGI) has sent a representation to the Minister Mr Ashwini Vaishnav noting its objections to the Act, which was passed more than a year back in August 2023.

The objections have been well articulated by MediaNama in its article here. The article also provides a link to the copy of the representation made by EGI. Many other websites and NGOs have started stating “Press Freedom at risk” (Citizens for Justice and Peace), “Concern over impact..” (greaterkashmir.com) etc.

The letter essentially says

“The fundamental role of the press and its ability to ensure transparency and accountability would be severely undermined by the data principal’s ability to simply refuse consent to the processing of their data.” Accordingly, the EGI has sought exemption to data fiduciaries undertaking processing for journalistic purposes.

We must appreciate that as a representative body of the Journalists, EGI has every right and perhaps even a duty to represent their concerns.

In fact, FDPPI has organized the event “Voice of the Industry on DPDPA Rules” on July 27 to keep industries informed about the upcoming DPDPA Rules and how they should be prepared to meet the regulations. This event is also expected to collate the views of the industry on the proposed rules and present them to MeitY with the object of getting proper clarifications or suggesting solutions where required. (e.g. the solution to the Age-gating problem presented in yesterday’s article)

The main issue that confronts the implementation of DPDPA is that it is a regulation for the whole canvas of “Digital Personal Data Collectors, Processors and Disclosers”. It includes Journalists as well as every other profession including Medical Doctors, Law firms, Chartered Accountant firms etc. It includes the State Bank of India or the Apollo Hospital chain as much as the street side co-operative bank or my family doctor.

Some of the professionals like Journalists work as part of an organization in which case the organization will be a Data Fiduciary and the professional would be an employee. But when such a professional sets up his own business then he himself will become the “Data Fiduciary” and cannot escape liabilities.

It would be difficult to provide wholesale exemptions, in which case the law will be amenable to abuse. We have already raised our voice against the concessions that are likely to be provided to organizations like Facebook and Google which will dilute the implementation. Similarly, we need to ensure that because of the “Fear of the Soros Media Group”, Government should not yield and start making concessions without proper application of mind.

Instead the DPB can ensure that while imposing penalties if any, the status of the Data Fiduciary would be taken as a key input.

While we acknowledge the concerns expressed by the EGI, it is necessary to point out that the “Voluntary Provision” and “Legitimate use” provisions are good enough to provide the freedom to the Journalists to go about their journalistic duties. The EGI will definitely be required to ensure that Journalists are properly informed and educated on how to navigate the DPDPA.

I invite the EGI to send their representative to the FDPPI’s event of July 27 at Bengaluru where they can share their concerns and also understand that this is not the exclusive problem of Journalists but it affects several others who are trying to find solutions and not escape from the responsibilities. (visit www.fdppi.in for details on the event)

Posted in Cyber Law | Leave a comment

Is there no solution for Age-gating?

India provided legal recognition to electronic documents through the Information Technology Act 2000 (ITA 2000). ITA 2000 also introduced the Digital Signature and later on the Electronic Signature (e-Sign) as a means of authentication of an electronic document. The two together enabled “Electronic Offer and Acceptance to conclude an Electronic Contract valid in a Court of law” subject to exclusions in Section 1(4) of ITA 2000 and the Schedule I of ITA 2000.

Now the DPDPA has been enacted and the “Issue of a Notice and obtaining Consent” in a legally valid form has become relevant. The “Consent” as per Section 6 of DPDPA 2023 is expected to be an agreement meant to be enforced in law by a Data Principal against a Data Fiduciary.

The need for a legally acceptable online Consent Contract poses the following legal challenges.

1. Consent needs to be authenticated by a Digital/Electronic Signature and a mere Click-Wrap consent may be disputable.

2. If Consent is a Contract, its validity after the death of a data principal is disputed and hence the “Nomination” clause may be disputed.

3. If Consent is a Contract the validity of consent provided by minors or mentally disabled persons for whom a Court has granted a legal guardian may also be disputed and it is necessary to establish that every consent was given by a person of above 18 years of age and every consent of a person less than 18 years of age (or a mentally disabled person) was given by his guardian.

We now need to find a solution to each of these problems while implementing DPDPA 2023 and formulating DPDPA Rules.

In this connection, I draw the attention of readers to two of my earlier writings on this topic indicating that I have been trying to find a solution to this issue for a long time and the thoughts expressed in the underlying articles need to be pursued by the Government.

1. What is an “Adult Pass”? – naavi.org (July 13, 2005)

2. “Personal Digital Age” needs to be given a legal recognition (February 20, 2023)

A few days back, following a discussion between MeitY and the Facebook/Google representatives on DPDPA Draft Rules, press reports have emerged to the effect that the meeting concluded that no solution is acceptable to the industry in this regard and they should be given the freedom to determine their own method to identify “Minors”. They have also asked for exemption on regulating “Behavioural Monitoring and Targeted advertising” of minors.

In summary, Facebook and Google have asked for complete exemption on any regulation of their activities on Minors and the Government seems to be yielding to this demand. Without the acceptance of the draft rules by Facebook and Google, they are unlikely to be adopted by the Government.

In this context I also draw the attention of the readers to the article in Mint published on 23rd November 2023 (Link here) which provides useful information on the use of Social Media by minors in India. According to this article about 35% of users are minors and spend more than 3 hours per day. I leave it to the sociologists to quantify the adverse impact of this on the development of the minors, which the busy parents of the day are unable to control. The article also records that more than 73% of the parents do prefer to exercise control through parental consent but the services do not enable them. As a result, it is not only adult content but also unauthorized E Commerce purchases, possible drug purchases, possible crime information etc. that are easily accessible to minors, causing a threat to the society.

Regulating content to Minors is therefore a social responsibility of the Government and there is no need to tune the regulations to protect the commercial interests of Facebook or Google. It is even more surprising that these same organizations are in the forefront of litigating against the Government whenever they do not like the law. It would have been fair if the Government had kept them at a distance until the cases they have filed against the Union of India in respect of ITA 2000 rules are withdrawn, instead of seeking their consensus on the proposed DPDPA rules. The reason why a more robust PDPB 2018/PDPB 2019/DPB 2021 was replaced with the DPDPA 2023 was the objections of these organizations and now they are not allowing the Government freedom to make the regulations also.

Under these circumstances the giving up of the age-gating regulations is not a wise move and needs to be re-visited.

It is not correct to say that there is no solution or that any solution is not scalable etc. (Refer here). These are the same agencies who have filed objections to the ITA rules on identification of “Originator of a WhatsApp Message” on unsustainable technical excuses. Their views are not final and Government needs to honestly try alternatives even if they serve the purpose partially.

Some of the solutions that can be tried are indicated below.

1. Use of “Age Certificates” to be issued by UIDAI to every Aadhaar holder which can be produced for every consent.

This will also serve the purpose of curtailing fake accounts in social media.

There will be the “Privacy Objections” but as long as release of identifiable data behind the Age Certificate is subject to valid legal process, there is no violation of Privacy principles.

This is the easiest and most effective manner and only India can do this and perhaps not USA.

Aadhaar information of a minor is also associated with the name of the parent which can be used for matching the name declared by the minor. There may be exceptions when a mother wants to provide consent instead of the father whose name is in the Aadhaar but such exceptions can be handled through escalation of the requests.

It is for UIDAI to confirm if they are not able to meet the scaling requirements and what should they do to use the services of subsidiary agencies to scale up the requirements.

“Age Pass” and “Guardian Pass” can be two ancillary services that can be issued by UIDAI and would be of great use to the community. As long as the link to identity is regulated by a proper legal process, this should be acceptable to Supreme Court also though an initial objection would definitely be filed by the “Andolan Jeevies”.

2. DPDPA has introduced the concept of “Consent Managers”. These consent managers can maintain a KYC of their customers and hence age-gating responsibility can be undertaken by them. There can be specialized Consent Managers to manage Minor’s consents who may be Authorized User Agencies of UIDAI.

3. Another method of partial satisfaction of confirming whether a consent giver is an adult or not is through the TRAI and the OTP system. Whenever an OTP is given through a number X, TRAI can ensure that the owner of the OTP authenticating SIM is an adult and his name is so and so… which can be matched with the name of the guardian stated by the minor.

4. The problem of legal guardians of mentally disabled persons is different. I am not aware if Aadhaar has a system of recording this information and if not, it needs to be introduced. Secondly the Courts have to develop a database of legal guardianship certificates issued by any Court across India and make it available to authorized agencies like UIDAI or an accredited Consent Manager of DPDPA.

5. MeitY can also check with RBI if Banks will be willing to issue an ID Card “I am Not a Minor” or “I am a minor till ….. and my guardian is …….”

I would also urge the Ministry of Consumer Affairs to incorporate some of these suggestions as a part of the regulation of E Commerce Transactions by minors. Regulating e-commerce transactions of minors can also be attempted with the cooperation of RBI by creating a “Minor Payment Card” associated with any Credit/Debit card which the Banks can issue after a KYC process.

I invite suggestions from others to improve the above thoughts.

If MeitY authorizes, Naavi would be working with some of the technology partners to develop a prototype for one or more of the above suggestions.

I reiterate that there is a solution for Age-gating and we only need to discover it with some effort. If MeitY can assure that they will stand by the principle, technology players can invest their time and effort to find a solution.

If however, the “Minor Consent system” is ruled by Facebook and Google, then no Indian technology company may be interested in investing for such development. The ball is now in the court of MeitY whether they want indigenous efforts to be invested in finding a solution to the Age-gating problem.

Naavi


Is CrowdStrike outage an AI Failure?

The failure of CrowdStrike security software causing global chaos will be analysed by experts in due course.

In the immediate, it appears that there could be a failure in the Artificial Intelligence based automated response which has generated a false alarm.

The appearance seems to be related to an update issue. But probably it is a false report. Or the fault has been triggered in the updated version recognizing the update itself as an act of Cyber threat.

This should be a wakeup call for all those who think AI makes things more reliable. It was amusing to know that many airports are shifting to manual mode to tide over the crisis.

Workaround

One of the suggested workarounds is:

  1. Boot Windows into Safe Mode or the Windows Recovery Environment.
  2. Navigate to the C:\Windows\System32\drivers\CrowdStrike directory.
  3. Locate the file matching C-00000291*.sys and delete it.
  4. Boot the host normally.
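
Steps 2 and 3 of the workaround can be scripted for a host already booted into Safe Mode. The PowerShell below is an added example, not code from the original post or from CrowdStrike; the function name and the log location are assumptions, while the directory and file pattern are the ones listed above. It records the hash and timestamps of each file before deleting it, so that hosts which took the workaround can be tracked afterwards.

```powershell
# Added example. Run from an elevated prompt in Safe Mode.
# Function name and log location are hypothetical; the directory and
# file pattern are the ones given in the workaround.
function Remove-CrowdStrikeWorkaroundFile {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [string]$DriverDir = 'C:\Windows\System32\drivers\CrowdStrike',
        [string]$Pattern   = 'C-00000291*.sys',
        [string]$LogPath   = 'C:\Windows\Temp\workaround-removal.csv'  # assumed location
    )

    if (-not (Test-Path -LiteralPath $DriverDir -PathType Container)) {
        Write-Warning "Directory not found: $DriverDir"
        return
    }

    $files = @(Get-ChildItem -LiteralPath $DriverDir -Filter $Pattern -File -ErrorAction Stop)
    if ($files.Count -eq 0) {
        Write-Output "No file matching $Pattern in $DriverDir; nothing to do."
        return
    }

    foreach ($file in $files) {
        # Capture what is about to be removed so the change can be audited later.
        $record = [pscustomobject]@{
            RemovedAtUtc     = (Get-Date).ToUniversalTime().ToString('o')
            Host             = $env:COMPUTERNAME
            Path             = $file.FullName
            SizeBytes        = $file.Length
            LastWriteTimeUtc = $file.LastWriteTimeUtc.ToString('o')
            Sha256           = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        }

        if ($PSCmdlet.ShouldProcess($file.FullName, 'Delete file named in the workaround')) {
            Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Stop
            $record | Export-Csv -LiteralPath $LogPath -Append -NoTypeInformation
            Write-Output "Removed $($file.FullName)"
        }
    }
}

# Preview first; nothing is deleted with -WhatIf.
Remove-CrowdStrikeWorkaroundFile -WhatIf
# Then delete for real and boot the host normally:
# Remove-CrowdStrikeWorkaroundFile -Confirm:$false
```

The CSV gives an inventory of hosts and removal times to reconcile once the vendor's corrected update is confirmed on each machine.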

Terrorists have been found to use a second bomb blast after some time in the same location to smoke out victims from the first blast and kill them with the second.

A similar risk could be there in this case. It is said that the workaround will disable some security features. Attackers may be planning to hit in this time window.

Organisations should be careful.

Naavi


MeitY seeks Endorsement of Big Tech for DPDPA Rules

It can only happen in India that Companies like Meta are in the forefront of challenging Government notifications such as the Intermediary Rules in Courts and they are the same entities who are also consulted for advice on how we frame rules.

In its continuing bid to placate the Big Tech before releasing the DPDPA draft Rules, MeitY held a discussion yesterday with select Big Tech Players like Meta to get their approval for the proposed DPDPA Rules.

The DPDPA rule that requires age verification and parental consent for those who are less than 18 years of age is a rule that hurts Facebook and it is trying to ensure that the rules are not stringent.

Several newspapers have carried a report today based on the meeting which states that a discussion took place on the method of determining the “Minority” status of the users in this meeting.

One such report is from Indian Express here.

Despite the presence of all the Tech Experts, the meeting has concluded that it is not possible to implement any solutions even based on tokens issued by UIDAI. Hence it is decided that we should leave it to Meta and Google to determine their own methods to declare that a person is not a minor.

It is surprising to think that UIDAI cannot tokenize the existing data related to Aadhaar into “Persons of above 18 years of age” and “Persons Below the age of 18” as of date and add “Name of Parent in case of Persons below 18 years of age”.

This decision means that the Meta-Google type of companies will devise their own methods on how to determine whether a person is a minor, who is his parent and take consent as they deem fit. This will avoid the responsibility of the Government to suggest any solution and leave it to the Courts later to determine if the systems adopted by the industry are acceptable or not.

I hope that with this clearance from Meta and Google, the Government will at least now release the rules for public consultation and meet the 100 day commitment of Modi 3.0.

Naavi


Section 63 of Bharatiya Sakshya Adhiniyam: Perspective from Naavi

In the new Indian Evidence Act which became effective from 1st July 2024, the earlier Section 65B of Indian Evidence Act has been modified as Section 63.

This being an important section in the Act, Naavi has tried to place his perspective through this detailed video.

Your comments are welcome.

Naavi


Calling attention of all CERT-In accredited auditors

There are a number of auditors who are registered with CERT-In for different kinds of audits.

With the notification of DPDPA 2023 expected during this year, there will be new business opportunities that will open up for Audits in the DPDPA segment of the market.

In order to enable the CERT-In auditors to explore the new opportunities that may be coming up, FDPPI is planning a one day training program at Bangalore on the “Emerging Opportunities for CERT-In Auditors in DPDPA”.

Looking forward to your interest for finalizing the dates and venue. The tentative date is in August first week.

Naavi
