Data Protection Law in China

China announced the “Personal Information Protection Law” (PIPL) on 20th August 2021; it comes into effect on 1st November 2021.

The PIPL has 74 articles divided into 8 chapters, as follows:

  • General Provisions;
  • Personal Information Processing Rules;
  • Rules for Cross-Border Provision of Personal Information;
  • Individuals’ Rights in Personal Information Processing Activities;
  • Obligations of Personal Information Processors;
  • Departments Performing Personal Information Protection Functions;
  • Legal Liabilities; and
  • Miscellaneous Provisions.

Considering the general governance system in China, which is a dictatorial regime, stakeholders would be concerned about the penalty provisions and the extraterritorial implications.

Knowing the political nature of Chinese governance and its reputation as the biggest global surveillance state, China talking of “Privacy” is like Satan quoting the Bible.

However, the global privacy community is going through the motions of hailing the “Strict Data protection Laws in China”.

There is a possibility that China may continue its “Surveillance Culture” and cyber warfare, and use the law to protect its own companies engaged in secret activities, so that information related to issues such as Covid virus research cannot be demanded by the US or the UNO.

There are many Indian companies who have foolishly placed their assets in China and will have to live with working with the dictatorial regime and its inconsistent policy formulations. Just as the Indians in Afghanistan who are today struggling to be physically evacuated, many of the top industrialists of India who have built up assets in China will some day be running for evacuation of their data out of China.

Naavi.org has to keep on record its total distrust of China and its expectation that the PIPL will be used as an instrument for protecting Chinese dictatorial interests more than for protecting the “Right of Privacy” of the citizens of China.

However, from the professional view point, we can continue to study the text of the PIPL assuming that the Government of China will be honest and reliable.

If we look at the extraterritorial impact of the PIPL, the law is applicable when a company outside China processes the information of natural persons who are within China:

  • for the purpose of providing products or services to natural persons in China;
  • to analyze/evaluate the behavior of natural persons in China; or
  • other circumstances prescribed by laws and administrative regulations.

Naturally, Companies having processing activities within China of personal information of natural persons would be liable.

Hence all Indian companies who are having establishments within China will have to put up with the strict Chinese regulations if they have any physical presence in China.

Like in GDPR, the PIPL will require a representative to be appointed in China if a foreign company is engaged in the collection of personal information from China.

The legal basis for processing is covered by the following:

  • consent by data subjects;
  • necessity for concluding or performing contracts to which the data subject is a party, or necessity for implementation of human resources management in accordance with legally-adopted labor rules and systems and legally-concluded collective contracts;
  • necessity for performing legal duties or legal obligations;
  • to respond to public health emergencies, or necessity for protection of natural persons’ life, health, and property safety under emergency circumstances;
  • processing, within the reasonable scope, of personal information for conducting news reports, public opinion supervision, and other acts for the public interest;
  • processing, within the reasonable scope and in accordance with the PIPL, of personal information that has been made public by data subjects or through other lawful means; and
  • other circumstances as stipulated by laws and administrative regulations.

Since one of the permitted legal bases is “Performance of legal duties and legal obligations”, India should consider introducing a clause in our law (maybe in our cyber security law such as ITA 2000) to the effect that

“All organizations established in India including organizations which have managerial and financial control of organizations constituted under laws of other countries shall be liable to provide access to data related to their activities outside India for purposes such as National Security, etc.”

Data Localization

All personal information collected and generated in China by Critical information infrastructure operators (“CIIOs”) and organizations processing personal information reaching a certain amount designated by the authority are required to store such information in China.

As regards cross-border transfer, the PIPL states that, apart from consent, cross-border transfers of personal information can only be made for legitimate purposes such as business needs, and the transferor is obligated to take the necessary measures to ensure that the processing activities of the overseas recipient satisfy the protection standards set forth in the PIPL.

The law does include “Rights” of data subjects just like GDPR though the credibility of such provisions may be questioned.

The rights include

  • Right to know and to decide relating to their personal information;
  • Right to restrict or prohibit the processing of their personal information;
  • Right to consult and copy their personal information from the processors;
  • Right to portability of their personal information;
  • Right to correct and delete their personal information; and
  • Right to request the processors to explain the processing rules.

It is interesting to note that there is a provision that the close relatives of a natural person can exercise these rights for their own legitimate and justifiable interests after the natural person is deceased, unless the deceased made other arrangements when she or he was alive.

It is understood that the processor’s obligations include appropriate internal management systems and security measures for compliance, but appointment of a DPO may not be mandatory except for organizations involved in large scale processing.

Penalties

Violations of the PIPL may lead to an administrative fine of up to RMB 50 million or 5% of the processor’s turnover in the last year (it is unclear if this is local or global).

Other penalties include order for rectification, warning, confiscation of illegal gains, suspension or cessation of service, cessation of operation for rectification, and revocation of operating permits or business licenses. The person-in-charge or other directly liable individuals may also be individually liable and fined or prohibited from acting as directors, supervisors, senior managers or personal information protection officers.

If the processing activity violates the rights or interests of a large number of individuals, a public interest action may be initiated by the People’s Procuratorate (i.e., the authority responsible for criminal prosecution), consumer protection organizations or other organizations designated by the cyberspace administration.

(P.S: We await the English version of the draft for detailed study.)

Naavi

Reference:

twobirds.com

Posted in Cyber Law | Leave a comment

Moot Court Competition at GH Raisoni College, Nagpur

The GH Raisoni Law College is organizing its 16th KSHAN Moot Court which will be held on the 4th and 5th of September, 2021 on a virtual platform.

As a part of FDPPI’s activities under the P&Y Program to involve the youth of the country in the activities of FDPPI, FDPPI is collaborating with the GH Raisoni Law College, Nagpur in the conduct of the above Moot Court Competition. The 16th National Appellate Moot Court Competition 2021 is being organized by students of G.H. Raisoni Law College, Nagpur and G.H. Raisoni University’s School of Law. All India Reporter (AIR) and FDPPI are collaborating in the conduct of this program.

Dr Mahendra Limaye, one of our esteemed members, has been the brain behind the P&Y Program and the organization of this event.

As a part of the collaboration, FDPPI would be extending valuable educational opportunities to the Winners and the First and Second Runners-up as rewards.

We look forward to involvement in more of such programs in association with law colleges.

About KSHAN

KSHAN is a National Level, inter-college moot court competition organized by the student bodies of the Law Schools under the Raisoni Group of Institutions. They conduct a nationally known Trial and Appellate Moot Court on Criminal Law. This year’s edition of KSHAN is the only Appellate Moot Court that has a special focus on Criminal Writ Petition and Data Privacy.

About AIR

AIR (All India Reporter) is a publication house known for its presence in all three media information transmission forms: Print, CD-ROM and Web base. It has a journal that reports on all benchmark judgements given by various courts around India. It was established in 1914 and has its head office in Nagpur.

The problem statement of the competition is available here. 

FDPPI has announced the following rewards. 

1. Winner: Free Certification Course-Admission, Video lessons and Examination for Module I and Module G and Basic Membership of FDPPI : Valued at Rs 25,000/-

2. First Runner up: Free Certification Course-Admission, Video lessons and Examination for Module I and Basic Membership of FDPPI: Valued at Rs 14,000

3. Second Runner up: Free Certification Course-Admission, Video lessons and Examination for Module I: Valued at Rs 10,000/-

Naavi


IDPS 2021 to be held on November 19th, 20th and 21st

FDPPI pioneered the Indian Data Protection Summit in 2020 and conducted a three day virtual summit on November 19th, 20th and 21st.

This year again, on November 19th, 20th and 21st, FDPPI will hold a virtual summit, the Indian Data Protection Summit 2021 (IDPS 2021).

FDPPI will invite speakers and sponsors for the program.

A program committee will prepare the schedule for the event, and it will be shared here.

Any suggestions in this regard may be sent to FDPPI/Naavi.


Taliban and Crypto Currency.. Indian Government has the same policy

A new line of argument is surfacing in India in support of the currency of the criminals and terrorists, namely “Bitcoins” and “Crypto currencies”: that “the space has become too large to ignore”.

Well, whether it is the Taliban in Afghanistan or Crypto currency in India, if we follow “Procrastination” as a policy of Governance, the menace will only become larger and the monster will become stronger.

Had the US and India collaborated and ensured that Afghanistan was not left in the lurch, we would not have seen Talibanis sitting in Kabul today and taking over the arms and other assets of the Afghan army. With this, tackling the Talibanis is only becoming more difficult. While the USA is not directly affected by this development, India is going to face an adverse impact of the rise of the Taliban in Afghanistan.

Similarly the Government is unable to take a decision for passing the “Banning of Crypto Currencies bill” because the Finance Ministry is either confused or is under the influence of the Crypto Mafia.

Today any action in Afghanistan has to be tempered because we may have our people stuck there who cannot be endangered. Similarly, the more time we take for banning the private Crypto Currencies in India, the greater will be the problem later, since many innocent investors would get stuck with their holdings.

Just as the USA believed that the Taliban has changed (though many believe that the USA was only pretending to believe), the Indian Government seems to believe that Bitcoins are technology innovations to be supported and are harmless. What if it is digital black money? What if it is used for terror funding? What if it is used for extracting ransom? It is still dear to our politicians because they can take bribes in Bitcoins and stash them away in foreign countries at the click of a button.

It is a shame that US plunged Afghanistan into this turmoil and it will be an equal shame for the Modi Government to plunge the Indian Economy into a turmoil by letting Crypto Currencies become a replacement currency for Indian rupees.

Some of the experts are creating confusion in the minds of the Finance Ministry that we need to have a Crypto Rupee before banning Bitcoins. This is only a tactic for delaying the decision since a Government Controlled Crypto Currency will not command the premium that Bitcoin commands since Crypto Rupee would be accountable for tax purposes. Hence any intelligent Crypto currency owner will not convert his current crypto stocks to Crypto rupee and would rather convert it through the virtual havala route into a foreign currency. None of the black wealth currently in the form of Bitcoins etc will therefore come to the open because Indian Government comes up with its own Crypto Rupee.

The sooner the Government realizes the dangers of delaying action against the Crypto Currencies, the better it is for the country.

Dear Mr Modi and Mrs Nirmala Sitharaman, Procrastination in handling the Crypto Currency bill will not pay and you will come to regret your decision to delay. I will be there to point it out again and again until you wake up from your slumber.

Naavi


Algorithmic Transparency may be the new Conflict zone in Privacy

The demand for “Transparency” in processing of personal data is part of every data protection law. As an associated concept, most data protection laws also mandate that there shall be no automated decision making.

As the technology develops, many organizations use AI/ML algorithms that are opaque about how data is processed within the algorithm. The algorithms may also be property of third party service providers which data controllers may use.

Some of the service providers who provide their service under the SaaS model operate as “Joint Controllers” and not as “Processors” since they would not like to share the “Means of Processing” with the Data Controllers. They commit on the end result and hold the processing in confidence as their trade secret or protected intellectual property.

Many data protection laws allow for masking of information from normal disclosure requirements for reasons of protection of trade secrets.

In this environment, there are a few thoughts that are emerging about “Algorithmic transparency”.

Algorithmic transparency is the principle that the factors that influence the decisions made by algorithms should be visible, or transparent, to the people who use, regulate, and are affected by systems that employ those algorithms.

Under this principle, the inputs to the algorithm and the algorithm’s use itself must be known, and they need not be fair. The organizations that use algorithms must also be accountable for the decisions made by those algorithms, even though the decisions are being made by a machine, and not by a human being.

The concept of “Algorithmic accountability” raises a question about the protection of trade secrets involved in the development of such algorithms, which may be the core element of many start ups.

Recently, a study by Saasbhoomi.com has come up with a finding that the Indian SaaS ecosystem has the potential to create $1 trillion in value and nearly half a million jobs by 2030.

If, however, the SaaS ecosystem has to realize its full potential, it has to wade through the challenges posed by the emerging concept of “Algorithmic Transparency” in privacy laws.

Though most data protection regulations do respect the presence of “Trade Secrets” in business and accommodate some flexibility in application of transparency norms, the issue may gather momentum in the coming days through Privacy Activism.

The old Canadian Privacy law PIPEDA already spoke of the need for Algorithmic transparency and indicated in its model code that Transparency in the context of Privacy requires algorithmic transparency. It said that consumers would now have the right to require an organization to explain how an automated decision-making system made a prediction, recommendation or decision.

Even in the UK, where there is a competitive privacy activism against GDPR, there are discussions on Algorithmic transparency. One of the recent articles on the blog of the Center for Data Ethics and Innovation recommended that the government should place a mandatory transparency obligation on all public sector organisations using algorithms when making significant decisions affecting individuals, requiring the proactive publication of information about the algorithms. It will not be long before activists take up the idea and start pushing the concept in the private sector also.

If innovation has to be nurtured, there needs to be an appropriate regulation which does not mandate disclosure of what the SaaS developers would consider as their proprietary information.

If, however, the SaaS developers tend to ignore the privacy regulations, there will be ground for the Privacy activists to push hard for algorithmic transparency. This could lead to a new round of conflicts between the IPR supporters and the Privacy supporters. Considering the attitude of some of the supervisory authorities in EU and the EUCJ itself, it will not be surprising if some of the Supervisory authorities start ruling in favour of algorithmic transparency.

We hope that the upcoming Indian data protection law recognizes the need for encouraging innovation by supporting some level of confidentiality of the trade secrets which include the way algorithms process personal data.

If there is a need for balancing the demand for algorithmic transparency with the disclosure of automated processing, the Indian authorities may consider using the Sandbox system and demand that the information about the processing of personal data by algorithms be escrowed in confidence with the Data Protection Authority and protected by the Copyright laws. In recent days Indian Patent authorities have been liberal in interpreting “Software” for patent purposes and have granted patents for essentially software operations. Some algorithm creators may use patents to protect their innovations, and if so it may satisfy the privacy activists. Probably the sandbox system will come to assist the patent applicants during the time the patent application remains in contention before approval.

Naavi

The Mad Rush… To escape from Afghanistan and to Invest in Crypto Companies

The human tragedy in Afghanistan is well captured by the above picture where people are desperately trying to enter an aircraft which can take them to a land where they can survive and hopefully prosper.

Unfortunately the developments in Afghanistan are a result of a self-centered world of USA, Russia, China and Pakistan and we are mute spectators to this tragic development. Unfortunately, we may not be able to positively influence a change in Afghanistan.

But we can learn from this tragedy and ensure that we stay protected. While there is a political lesson in this tragedy, which we hope the Government of India learns, we as private citizens have to dilute the depressing feelings arising out of these developments by diverting our attention to the lessons that we can learn and apply in our other activities.

It is in this context that I have taken the liberty of extending the analogy of this mad rush to leave Afghanistan to the mad rush of investors to invest in Loss making companies in India.

My apologies for making the human tragedy a part of this discussion.

Naavi


When we observe the political turmoil in Afghanistan and the disruptions caused in the investment world by the IPOs of loss making start ups like Zomato, some similarities strike us hard. Many of the persons fleeing from Afghanistan were desperate to get into an aircraft without knowing their future after they got in. Many clung on to the wheels and later fell to their death when the aircraft was in the air.

This visual has now become a “symbol of desperation”.

While the Afghanistan desperation was to run away from a problem, the desperation can also be seen in another light …desperation to join a bandwagon…like the investors who flock to buy the shares of loss making start ups with the hope that if a series of events materialize, then they will reap a huge reward.

There is no doubt that Stock markets are full of examples where winners have emerged from most unexpected quarters and created history. Zomato may be one such company in all probability.

At the same time, Stock market is also full of examples of companies which have raised money with grand hopes and are now languishing or have already closed down. Unfortunately, successes are reported and failures are buried.

Market perceptions are created around the success stories but we should not forget that  the risks represented by the failed companies lurk behind and can surface any time.

Whether Zomato will succeed or fail in the long run is anybody’s guess. But the logic is that if there are enough desperate investors who can take the risk, the game of creating value out of nothing will succeed.

Such companies, which create value out of nothing but perceptions, are what I call “Crypto Companies”. It is like 100 people saying “Let this data file be called a Crypto currency and be valued at Rs 1 lakh each”. The 101st person has to say “Amen”.

The success of Crypto Currencies is before our eyes. Although the value of a Crypto Currency is all in the mind, there are people who have made money in crypto currencies (… and a larger number of people who have lost money).

Zomato-like companies create value in the minds of investors through heavy promotional expenditure. Many investors believe that Zomato has so much data about the eating habits of people that this can be converted into money through “Cloud Kitchen” or charging subscription from Hotels for listing etc. It is the power of “Big Data” that investors are banking upon.

But “Data” is only a tool, and the ability to convert it into profitable and sustainable business needs to be established. If Zomato turns out to be a “Company without Promoters”, everybody investing in Zomato, including the VCs and current managers, is in the game only to make money by exiting at an appropriate time. If so, who is there in the long run to realize the hopes of the number of small investors who will be investing their money in Zomato shares today? Only God knows.

It is in this context that the emerging situation in Afghanistan appears to hold a mirror to the shareholders of Zomato.

Taliban has disrupted the political system in Afghanistan with a new perspective on human rights. Even if in other parts of the world women are considered equal to men, in Talibani Afghanistan women will be a commodity and are consumed by the Talibani men. It may be disgusting for many to even think of such a proposition, but it is an accepted reality within the jurisdiction of Afghanistan.

From the abject surrender of the Afghan Government it appears that there will be a lot more Afghanis who are not Talibanis but do not mind Talibani rule. We know that there are many in India who think it is right in their religion to subjugate women as a commodity and welcome the Talibani rule even in India. The world has to therefore learn to live under this dual system of “Talibani” and “Non Talibani” systems of Governance.

Similarly, the investment world seems to be entering a phase where stock markets will have a Larsen Toubro or Maruti Suzuki or BHEL whose shares are traded along with the Zomatos and PayTms and people will make or lose money based on when they enter and exit a stock. This is a great time for Share Brokers who as intermediaries with insider knowledge (or pretending to have such insider knowledge) will be able to rule the investment world.

The Indian Government preferred to accept its inability to influence the developments in Afghanistan and perhaps will also accept its inability to influence the rise of “Crypto Companies” in the Indian investment scenario.

The solution for investors is “Identifying the Risk, investing within their risk appetite limits” and being prepared to trade on the “Probability of making a profit in one investment that offsets the losses in another”.

The Risk on the Horizon

But on the horizon lurks the risk….. Just like the possibility exists that Talibans may enter India, destroy the Country and India embraces Shariat law (as the trend that has emerged in some parts of Kerala), the “Crypto Companies” may suck up all the investment capital and starve the genuine manufacturing companies of the L&T variety. Then we may have only Crypto Companies ruling the investment world and the giant manufacturing companies will only be subordinate companies.

In such a world dominated by Crypto Companies, we may not have any “Make in India” companies, as every investor would like to invest only in the “Magic of Monetization of Dreams of the future” through advertising and brand building.

I wish we give a serious thought to reversing this trend.

Create Zomatos within L&Ts

One solution to this is for all companies to immediately recognize that the “Value that Zomato has created in the minds of investors” is also available to other companies like L&T, which otherwise also have a huge valuation from their traditional business. Even companies like Vodafone, which may have reached near-zero valuation in their traditional business, also have the potential of re-birth through proper valuation of data in their possession.

Most companies therefore need to set up an R&D activity on “How to Monetize my Data?” and try to build their own versions of Zomatos and PayTms within their existing companies. This will enable them to increase their valuation taking into account their strengths both in the Non Digital economy and the Digital economy.

The “Digital Transformation of the Asset base of a Non Digital Company”…is an exciting opportunity for professionals to discover and harness.

Naavi