Naavi.org

Not withstanding the wishes of many to delay the passage of PDPB 2019, it appears that the JPC is determined to complete its work this week and present their recommendations to the Cabinet. This is indicated by the fact that the JPC has scheduled 5 meetings in the

next 3 days to discuss clause by clause consideration of the Bill. It had already been indicated that about 50 of the sections had already been discussed and finalized and hence the remaining 49 sections are due for discussion in these 5 sessions at 10 sections per session.

Hopefully the JPC will be able to complete its task as scheduled.

It is therefore time for all the doubting Thomases that they gear up to be compliant in time. The biggest challenges that the industry will face in this direction is

a) Resistance to Change

b) Unlearning the GDPR Concpets

c) Adopting to the multi compliance management scenario

Resistance to change is a universal problem and when disrupting new legislation is implemented, there will certainly be difficulties. However, I feel this will be a greater problem for the Government, Manufacturing entities and the Small entities  while the IT companies who are already adopted to GDPR may accept and adopt to the new legislation without much of resistance.

However, while those entities for whom Privacy Protection through Data Protection is new will be able to learn the tricks of the trade from PDPA implementation, the IT Companies who are already aware of GDPR and other data protection laws will have another kind of difficulty namely “Unlearning the GDPR Concepts”.

Many of the concepts in PDPA could be different from GDPR and those who are expecting it to be a clone of GDPR will find erring on the wrong side when they think “Being compliant with GDPR is also being compliant with PDPA-India”

The concept of Privacy By Design Policy, Registration with DPA, Mandatory Consent, the Sandbox system, the Section 37 exemption, the Adjudication system etc may pose challenges of their own to those professionals and companies who cannot think beyond GDPR.

Lastly, the Indian Companies will try to act like a personal data hub and be required to be compliant with multiple laws simultaneously. In such a scenario, if they stick to ISO 27701 as a solution for compliance, they could find themselves wanting. They need to quickly get on board the PDPSI system (Personal Data Protection Standard of India) which is being drafted by FDPPI. (Foundation of Data Protection Professionals in India).

These and other details are being discussed today at the PrivSec webinar at 3.15 pm (1st December 2020)

Attendance is by registration here.

When we discuss implementation of data protection particularly in a country like India, we often speak about the need to change the “Culture” and “Attitude”. Hence a lot of emphasis is placed on training, building awareness etc.

While there is no doubt that Indians by nature have a low priority for Privacy and often hold “Security” or even “Freedom of Expression” and “Right to Information” in a higher pedestal and are willing to sacrifice Privacy for Security or Free Speech or Information, there is also a need to flag that “Privacy Protection” is also not in the culture of the business organizations who are expected to be responsible for Privacy Protection.

Privacy is a human right concept and hence its protection is far away from the core business objectives. But today “Privacy Protection” is discussed only in the context of “Data Protection” since “Privacy” is sought to be protected through Data Protection since we follow the belief that the “Right to Privacy” can be guaranteed by “Protecting the Right to determine the use of personal information at the choice of the data principal”. Hence Privacy Protection is seen as “Data Protection” (More precisely the Personal Data Protection)

Data Protection has to be implemented by a Data Processing Company which is essentially a commercial organization that is answerable to its shareholders to make profit. For them, Data is a commodity, a raw material from which a profitable business proposition has to be constructed. Hence any data protection obligation is always a burden on the company and given an option every business entity would like to avoid data protection legislation, though it is not a good political statement to make.

Just as making a statement about the inequalities in our Constitution arising out of appeasement politics, Corruption in Judiciary, are considered politically incorrect, businesses consider that opposing data protection legislation is not politically correct and hence all of them say they welcome Data protection Bill. …but they say they have some suggestions here and there.

Recently these “Friendly Suggestions” have gone to the extent of suggesting that “Personal Data Protection Bill” should be revised to make it a “Personal and Non Personal Data protection and Governance Bill”. While the statement is laudable, we know that the Kris Gopalakrishna Committee report on Non Personal data governance is still to be fully analyzed and converted into a proposition of a Bill. On the other hand, Personal Data Protection bill has gone through the Srikrishna Committee, PDPA 2018, PDPA 2019, several rounds of public consultations and the JPC discussions. Hence the Personal Data protection Bill is almost ready to be finalized. On the other hand Non Personal Data Governance Bill requires at least an year to develop. Non Personal Data Protection is anyway already available through Information Technology Act 2000/8.

The suggestion to include Non Personal Data Governance in the Personal Data Protection Bill is therefore a sinister design by the opponents of the Bill to delay the passage.

The conspiracy behind this suggestion which should be the handiwork of some business entities with the help of political opponents is evident because of the identical press reports appearing in different media.

We have already highlighted the report that appeared in livemint.com. Now we can look at the report in moneycontrol.com  which is a replica of the livemint report indicating that there was a press release by some interested parties which has been faithfully reproduced by these publications. The report is categorical that the JPC is unanimous in its decision to revise the scope of the Bill.

The fact that this is fake news planted by vested interests is evident from the fact that JPC has now set up a  series of meetings on a daily basis to discuss the bill clause by clause and finalize it for presentation in the Parliament at the beginning of the Budget session.

The Economic Times today has reported that “JPC split over draft data privacy law, Govt Access” and also an interview with Mrs Meenakshi Lekhi who is the chairperson of the Joint Parliamentary Committee working on the finalization of the Bill.

The fact that any bill proposed by BJP will be opposed by Congress and TMC is well known and hence it is not surprising that the “JPC is split”. This article appears to be a blancing piece since Mrs Lekhi’s interview did not support the fake narrative that further consultations are required.

We may note that ET had just a couple of days back said that more consultations were required with the “Civil Society” since 90% of the discussions were with others. The argument reminded me of the proverbial Panchatantra story of the Monkey and the Cats quarrelling for a piece of Roti that once this side had more and the other time the other side was more. It is a clever suggestion but unfortunately there is no credibility for such stories.

What is more relevant are the observations of Mrs Lekhi which clearly indicates that JPC is unlikely to delay the finalization of the Bill. The opposing views of the members if any will be documented and they may move amendments to the Bill in the Parliament when the Bill is tabled. Then the Parliament may accept or reject the amendments and pass the Bill.

The most contentious part of the Bill  could be

a) Whether the Section 35 on exemptions from the provisions given to the Government agencies should be tinkered with or not

b) Whether Sections 33 and 34 on restrictions on transfer of data outside India should be changed or not

c) Associated with the Data Localization aspect, should the definition of Sensitive Personal information should leave out financial information, etc

It is obvious that the MNCs want to take out the data from India to their country so that they can squeeze the monetary value out of it to the extent possible. The way CIBIL was taken over by Trans Union , how NPCI is sought to be privatized indicate the surreptitious way in which “Data Sovereignty” principle is being given a go by as the vested interests lobby for favorable policies from the Government.

At present with the views of Mrs Lekhi as expressed in the ET article indicate that she is fully aware of the “Games People Play” and will see through the “Yes..But..” objections from the industry as well as the “Straight Criticisms” of the opposition political parties.

We can therefore expect that the PDPB is likely to be an Act soon and probably the Section 35 will be retained without a change and Section 33/34 may be made stronger to incorporate the Data Sovereignty principle. The suggestion of leaving out the financial information from the “Sensitive” character may also be dumped.

We may note that in the last few months, GDPR has adopted a strong Data Localization stance and there is no reason India should not maintain its own Data Localization stand. The Exemptions provided to Government under Section 35 are limited to the extent of permitted by Article 19(2) and there will be a due process. PDPB is better equipped to handle Schrems II objections of the EUCJ than the US privacy shield since the grievance redressal in PDPB is supported by an Adjudication and Appellate Tribunal  and also an exemption can be availed under Section 37 for data processed under GDPR contracts.

Indian law is therefore ready to meet the international expectations with confidence and despite the opposition from the local quarters, it is robust enough to be passed through.

Any law will have scope for improvements firstly through the regulations and later through amendments if necessary. Hence the time for waiting for further changes in the Bill as is being discussed now is past.

Let’s wait for the Bill to be passed into law soon.

Naavi

There is an email in circulation about Bal Aadhaar which looks as follows:

The hyper link leads to a website www.yojanakhabar.com looking as follows:

The website is registered by an Arizona resident as indicated below:
This appears to be a “Phishing Website” and action is required to initiate Cyber Crime complaint against the Registrant who is assisted by the intermediary the Registrar.

I have notified UIDAI and I expect they initiate action failing which there will be lack of due diligence from their side also.

It is in such cases that I am seriously against the “Privacy Protection” of domain name registrations supported as a system by ICANN.

It is time some Court declares that Privacy Protection of domain name registration information is against public policy. This should be a compulsory disclosure requirement for all domain name registrants.

Indian Government can pass a notification under Section 79 of ITA 2000 to direct browser owners like Google or Microsoft to flag websites whose domain name registration information is not made public as a website of an “Unverified Owner” . Websites with digital signature of the server obviously would be exempted from this since the verification would be the responsibility of the server digital certificate issuing authority.

Naavi

“Person Who Knows”  (PWK)

“Nothing Personal about Data Protection Bill as JPC proposes to expand scope”… so says an article today in livemint.com

It is well known that there is a lobby of opponents to the PDPB and this media vehicle is part of such lobby which does not want the the Personal Data Protection Bill 2019 to be passed.

The main force behind this opposition are the multinational companies who are opposed to the “Data Sovereignty” principle and any hurdles to their continued exploitation of the Indian Personal Data market. They have the power to influence not only the media but also a section of the professionals and political parties to delay the passage of the Bill as long as possible. These articles are a reflection of such public relations exercise of creating a fake narration to mould amenable public opinion the way they want.

It is interesting to observe the sophisticated strategy used by these agencies to scuttle the Bill.

We can observe that initially there was opposition on the Bill particularly the Data Localization aspect. This was in the PDPA 2018 version.  When the Government buckled under the pressure of these MNC s and allowed free exploitation of personal data in the PDPB 2019 version, this objection became redundant. They these attackers switched to complaining about  “Excessive powers to the Government” and “Constitution of DPA by a committee of Secretaries”, and even roped in the support of Justice Srikrishna himself who was unhappy that CJI was not part of the DPA selection committee.

When JPC started hearing suggestions, some organizations tried to dilute the law by tinkering with the definition of “sensitive information”. They suggested that “Financial Information” should not be considered as “Sensitive” information so that no restrictions should apply for processing of financial information including transfer out of India. The Bill did not prevent transfer but only expected “Explicit consent” for such transfer and these opponents did not want even an “Explicit consent”.

The vested interests want financial information to be freed from restrictions so that they can continue to transfer financial information of Indian citizens abroad. If restrictions are placed, then “Data Laundering” like in the case of Trans Union silently taking over CIBIL with the connivance of the Banks would not have been possible. Even now, the privatization of the NPCI is recommended so that the entire UPI gateway can be spied upon.

The hypocricy of these agencies who oppose PDPB being passed is clear when we consider that at this point of time GDPR is pursuing a “Data Localization” policy by arm twisting the Data Exporters to obtain impossible assurances from the Data Importers of other countries to the extent that the only credible solution of EU data transfer is to set up a data center in EU itself. But these opponents donot have any objections to GDPR.

These opponents are typical “Pseudo Data Protection Proponents” who want India to give up all controls but are silent on GDPR trying to impose its colonial hagemony on India.

In this third wave of attack delaying the passing of the Bill, JPC was persuaded to listen to all business entities for their views.  Much of the precious time of the JPC was wasted on listening to business lobbying rather than how best to frame the law in comparison with GDPR or Singapore PDPA etc.

After these three waves of attack, it appears that a next wave of attacks is being planned represented by the above article in livemint.com.

If the story of livemint.com is true, it would mean that the JPC has been fully taken over by the “Delay Lobby” since the report suggests that

“The Personal Data Protection Bill is likely to undergo a complete transformation as the intent of the Bill is likely to get changed. Most of the members of JPC are of the view that the ambit of the Bill needs to be expanded and it cannot just be about personal data. JPC members are unanimous that PDP Bill should be about data and protection of data,”

This statement is attributed to a “Person in the know of development”…the mysterious and anonymous PWK.

The same person seems to also say

“JPC is unanimous in its decision that purpose of the Bill should be redefined and more clearly defined. Some members feel that earlier the Bill was a little vague and needed improvement. Now the focus is on data, not just personal but also non-personal, sensitive and critical data as well,”

It appears that these quotes are “Planted” to create confusion and continue the work of the lobby to delay the Bill and finally get it into a shape where it can be questioned in the Supreme Court as not in conformity with the Puttaswamy judgment. I donot think the JPC is “Unanimous” though it may be the view of some opposition MPs who are supporting the vested business interests. The demand to invite more and more business entities to be interrogated in the JPC is also a conspiracy to delay the JPC activity since the very objective of JPC is not to interrogate FaceBook or Twitter etc but to correct the clauses of the Bill.

The current suggestion to change the intent of the Bill is nothing but a conspiracy to get the Bill scuttled.

I suppose members of the Committee like the Chairperson Mrs Meenakshi Lekhi, Mr Tejasvi Surya, Mr Rajeev Chandrashekar and others recognize that this Bill is important for multiple reasons.

I would like to highlight that the passage of the Bill is already delayed beyond reasonable limits and the recent data breaches in Big Basket, Lupin, Dr Reddy Laboratories, Dr Lal Pathlabs or Breachcandy hospital indicate that the industry needs to be reined as early as possible.

We should also appreciate that  it is a commitment of the Government of India to the Supreme Court that a robust privacy protection law would be passed in India at the earliest. But it is now 3 years since the Puttaswamy judgement and according to the mysterious  “PWK”, we are still not clear on what should be the focus of the Bill. He feels that this Bill should not be limited to the “Personal Data Protection” but include “Data Protection”.

Does PWK know that Information Technology Act 2000 already is a legislation that provides for “Data Protection” of both Personal and Non Personal Data and we donot need another so called “Non Personal Data Protection Act”?

Unfortunately some people are unable to understand the concept of “Anonymization” which is the wall that separates “Personal” data and “Non Personal” data and liberates the personal data from the need for protection and takes it to the realm of “Governance” where a regulation as suggested by the Kris Gopalakrishna Committee takes over to unlock the financial benefits. Many seem to confuse “Anonymization” with “De-identification” and hence feel that “Anonymous personal data” can be “De anonymized”. This concept is inherently wrong since “De-anonymisation” means a “Criminal re-discovery of identity parameters”. Just as any “Encryption” can be “Decrypted” by hackers using brute force or other methods, anonymisation may be de-anonymised but this is a crime that is required to be tackled separately and is being done in ITA 2000.

If we accept that the universe of “Data” contains “Personal Data” and “Non Personal Data” and “Non Personal Data” includes “Anonymized Personal Data”, then we have a clear role for three legislations namely PDPA for security of Personal Data, ITA 2000 for security of  Non personal data and Non Personal Data Governance Act (suggested by Kris Gopalakrishna committee) for the unlocking of financial benefits in the non personal data.

If “Non Personal Data Protection” requires to be strengthened we need to tinker with ITA 2000 and there is no need for any new Act. Even the often referred to “Cyber Security Act” is redundant and the planned objectives of such an act can be achieved through amendments to ITA 2000.

It would be interesting to know if this mysterious PWK can clarify why do we need a separate law for “Non Personal Data” related Governance or Security instead of focussing on the Personal data Protection.

The Puttaswamy judgement wanted a law on protection of “Information Privacy” and PDPB 2019 which is a follow up of PDPB 2018 (Not withstanding some differences) tries to achieve this.

If  the Government now tries to convert this into a “Data Protection Bill” which is not meant to protect “Privacy” of individuals but only protect “Data”, then there is every possibility  that  the Supreme Court may strike down the law as not in conformity with the Puttaswamy judgement.  The JPC is being led to a trap to change the focus of the law from “Personal Data Protection” to some thing else so that the same PWK  can later argue in the Supreme Court that the Government abandoned the “Information Privacy” as suggested by the Supreme Court.

The JPC has to be careful because there is every indication that there are sympathizers to the “Delay PDPB Lobby” within the Government advisors as is evidenced by some earlier incidents.

We recall that some time back a piece of a shoddy note on “Encryption”  was issued by some official in MeitY and was subsequently withdrawn causing an embarrassment to the Government.  (An enquiry was ordered on the incident, details of which never came out).

Similarly notifications under section 69 of ITA 2000 as well as Intermediary Guidelines , the notification on Crypto currency ban, have all been issued and withdrawn as if it is a game of  one step forward and two steps backward.

There appears to be a clear conspiratorial strategy  by vested interests in creating more embarrassments to the present Government since it lacks conviction and is easily swayed by the views of these lobbies.

The livemint report is indicative of a similar attempt. From all angles the suggestion to change the focus of the Bill appears to be a “Conspiracy” to scuttle the PDPB 2019. While other countries in the world are working on how to tackle the uncertainties in business arising out of the Schrems II judgement, these suggestions are driving India back instead of moving forward.

We may now expect in the next wave of friendly suggestions that

“it is not enough to change the focus of PDPB 2019 from Personal Data to Non Personal Data but make some amendments to the constitution itself so that under Article 21 we can add Privacy as a separate fundamental right rather than relying on the 9 member Supreme Court decision.”

This can effectively postpone the bill until the next Parliamentary election and BJP gaining the necessary majority for Constitutional amendment.

The motivation behind the planting of this story with insinuations reflected in the article  is indicated in the  same report which suggests that JPC is likely to hold three sittings in the near future to finalize the bill. This ppears to have created panic amongst the camp that wants to scuttle the bill which has prompted it to come up with this  ridiculous fake plant.

I hope, Mr Gyan Varma to whom the article is credited should reveal his anonymous source namely the PWK who appears to be creating this “Fake Narration”.

Alternatively I wish  the JPC Chair person should come forward and deny the report.

We are expecting that the Bill will be presented in the Parliament in February as confirmed by Mr Ravi Shankar Prasad during the Bengaluru Tech Summit 2020 and it will be passed into law in the coming session.

Naavi

(P.S: Some corrections were made to the earlier version of this article to provide better clarity)

Bengaluru Tech Summit 2020 (BTS 2020), was successfully conducted by the Karnataka Government on November 19, 20 and 21st. The summit was inaugurated by the honourable Prime Minister Mr Narendra Modi and several dignitaries from India and abroad were part of the proceedings.

The BTS 2020 had multiple tracks covering both IT and BT segments such as One Health, Innovation Corner and Knowledge Hub. The technical discussions covered Drones, Robotics , Cyber Security, Digital Learning, etc. Unfortunately despite Data Protection being an important area which affects both the IT and BT segments and India is in the verge of passing a data protection law, there were no specific coverage of data security in the program. Both the PM and the IT minister during their speeches made reference to Data Security and the forthcoming law underscoring the importance of the topic.

Recognizing this void and not let the Bengaluru Tech Summit go without a discussion on Data Protection, FDPPI stepped in with its own summit Indian Data Protection Summit 2020. holding two high powered panel discussions on each day covering different topics on the Data Protection such as the law in the pipeline, (PDPB 2019), the global laws such as GDPR, the professional opportunities emerging because of the new law , the challenges posed by the Schrems II judgement of he EUCJ, the innovative Data Trust Score system in the Indian law and FDPPI’s own innovation of the Personal Data Protection Standard of India.

Never in the history of India such an elaborate public webinar had been held on the subject available free for the participants.

IDPS was covered through Six panel discussions involving more than 25 professionals participating in panel discussions structured in the following sequence.

1. Recent Data Breach Incidents and PDPA of India
2. PDPA of India is not a clone of GDPR
3. The Challenge of being a DPO
4. The enigma of cross border data transfer
5. Data Trust Score the Indian innovation
6. A Unified Framework for Data Protection Implementation

It was interesting to note that the  battery of experienced Data Protection Professionals who participated in the program were all members of FDPPI.

Na.Vijayashankar, anchored the entire program and added his enlightening thoughts to the discussion.

The program was highly appreciated by the participants.

During the program, FDPPI also announced their programs which included

1. 1. Certification pf Data Protection Professionals
   2. Unified framework for multiple data protection law compliance-PDPSI (Personal Data Protection Standard of India)
   3. Launching of the Data Disputes Mediation and Arbitration Center on an Online platform
   4. Launching of an annual award for “Champion Data Protection Professional” along with “Champion Data Protection Team” and “Champion Data Protection Organization”.
   5. Launching of the Data Protection Journal of India as a quarterly journal from the next quarter

The IDPS will be repeated each year and is likely to become a flagship event in the field of Data Protection in India in the coming years.

Naavi

When Section 66A of ITA 2000/8 was scrapped, by the Supreme Court in 2015, most people hailed the decision of the Supreme Court as a torch bearer of “Freedom of Speech”.

Naavi.org had its reservations on the scrapping since it felt that the Supreme Court had come to a wrong decision by not distinguishing between “Publishing” and “Messaging”  and also for not reading down the section instead of scrapping it all together along with the provisions related to Spamming, Cyber Stalking, Cyber Bullying, Cyber extortion, Cyber harassment etc.

The Central Government has not since then come up with an alternative to Section 66A and only trying to work with tinkering of the Intermediary guidelines in a half hearted manner. Hence fake news and cyber defamation continue without appropriate controlling measures under ITA 2000.

The inability of the Central Government to come up with an alternative to Section 66A since 2015 when the judgement was pronounced has now lead to a situation where Kerala Government has come up with an Ordinance under the State Police Act which challenges both the Supreme Court as well as the Central Government’s powers and intentions to regulate the Cyber Space.

Section 90 of ITA 2000 states as follows:

Power of State Government to make rules

(1) The State Government may, by notification in the Official Gazette, make rules to carry out the provisions of this Act.

(2) In particular, and without prejudice to the generality of the foregoing power, such rules may provide for all or any of the following matters, namely

(a)the electronic form in which filing, issue, grant receipt or payment shall be effected under sub-section (1) of section 6;
(b)for matters specified in sub-section (2) of section 6;

(3) Every rule made by the State Government under this section shall be laid, as soon as may be after it is made, before each House of the State Legislature where it consists of two Houses, or where such Legislature consists of one House, before that House.

Since ITA 2000 was a central law, it was interpreted that under Section 90, States only have powers to frame rules for implementing the provisions of the law and not frame new laws by themselves.

However, under the argument that “Law and Order” is a state subject, some States made laws under their Police Act applicable to Cyber Cafes, Online Gaming etc. Now this trend has been extended to the Kerala Government’s Ordinance related to “Publishing of information in electronic form”.

Copy of the Kerala Ordinance

The Kerala Ordinance states as follows:

Amendment of Section 118 of Kerala Police At 2011 (8 of 2011)

In the principal act after Section 118, the following section shall be inserted namely:

118A: Punishment for making, expressing, publishing or disseminating any matter which is threatening, abusive, humiliating or defamatory:-

Whoever makes, expresses, publishes or disseminates

through any kind of mode of communication,

any matter or subject

for threatening, abusing, humiliating or defaming a person or class of persons,

knowing it to be false and

that causes injury to the mind, reputation, or property of such person or class of persons or any other person in whom they have interest

shall on conviction, be punished with imprisonment for a term which may extend to three years or with fine which may extend to ten thousand rupees or with both.

Presently it is being interpreted that this ordinance is applicable for publications in Twitter or FaceBook or other social media.  The LDF government has reportedly said that this amendment was done to ‘control cyberbullying’.

We can look at the impact of this ordinance under two assumptions.

Firstly, the ordinance uses the term “any kind of mode of communication”.  This does not specify that “Electronic Communication” is part of the ordinance. Since legal recognition to electronic document as equivalent to paper document was provided through ITA 2000 which is a central law and Section 90 of that law restricts the powers of the police to only issue rules for implementing the law as provided there in and not introduce a new penal section with imprisonment etc., it can be argued that the ordinance may not be applicable for electronic documents.

The legislative intent of the Police Act is also to be considered as restricted to the regulation of the police activity and ideally it should refrain from passing a law carrying punishments unless that is related to the prevention of carrying out of duties of the Police as envisaged under the Act.

For example if the defamation is of a “Police Officer” and aimed at preventing him from discharging his duties, then the Police Act could be considered as having jurisdiction to make regulations.

But infringing on a Central Law meant to provide legal recognition to electronic documents and regulate crimes associated with cyber crimes, should be considered as ultra-vires the Section 90 of ITA 2000.

It is however possible that this view may not be acceptable to the majority of legal professionals who may say that “Maintenance of Law and Order” includes regulating the Cyber Activities and hence the State Government has the power to make laws of this nature.

While we donot support this view, we can continue our discussion further presuming that this is the popular and acceptable legal position.

Under this assumption. “Any Mode of Communication” used in the ordinance may be considered as inclusive of electronic mode of communication and hence the social media comes into relevance.

The clarifications given by the politicians indicate that this law is not meant to regulate the “Media” and hence it may be used only to punish “Individual Citizens” who express themselves on platforms which are not considered as “Social Media”.

A doubt that comes to the mind here is, If Twitter is a Social Media and Kerala Government does not want to apply this law to Twitter, then a contributor to the social media called Twitter may claim to be a “Social Media Journalist” and his publication becomes “Social Media Journalism”. Hence politicians are assuring that they may not be targeted.

However, since no body believes the politicians this assurance has no meaning.

The next point to be noted is that this section will be applicable only for postings which are “Known  to be false”. If the person posting the message does not “Know” that it is false but believes that it is “True” or it is in fact “True”, then the section is not applicable.

This means that unless there is a prima facie evidence established by the Police that the information is “false and the person is aware that it is false”, there is no cause of action under this section.

The section requires “injury to the mind, reputation, or property of such person or class of persons or any other person in whom they have interest“.

It is not clear what is meant by “in whom they have interest”. Perhaps this could be interpreted that the person to be charged should have an intention to defame a person in whose defamation there must be some interest of the person.

If we presume that Kerala Government has the power to make laws covering Cyber defamation or Cyber bullying as was the scope of Section 66A of ITA 2000, then the amendment is a direct affront to the Supreme Court in the Shreya  Singhal judgement.

If the power of the Kerala Government to bring out this law for punishing  use of electronic documents as part of an expression of opinion as per the “Freedom of Speech” enshrined in the Constitution, then every State Government may make their own Section 66A and later every other section of Chapter XI of ITA 2000 and create their individual versions of ITA 2000.

This will lead to a chaotic situation and breaking the structure of the Union of India. Hence it has to be curbed at the very beginning itself.

In order to ensure that ITA 2000 remains the only law for regulating electronic documents, it is necessary for the Government to recognize that “Cyber Space” is a different jurisdiction which should not be considered as belonging to a “State”. It should be always at the Union Level . Hence Cyber Laws should belong to the Central Government. The implementation can be delegated to the local police but law making should remain with the Center.

As a further improvement, the implementing Police can also be made a “National Unit” and brought directly under the Union Government administration so that Cyber Police will be a national cadre. This will enable better expertise to be built up and resources to be shared.

If Cyber Laws are allowed to be created and implemented under local laws of the State or later under Municipalities etc., then movement of people within the country would be highly restricted since police in one state will start enforcing their writ in another state and people would not like to travel to a state at which any of their twitter posts may be found objectionable.

The way police in a state implement the law is best showcased by the Maharashtra Police under the Shivsena Government and no person will be safe in expressing any opinion which may remotely be objectionable to a politician in a rogue state.

The Kerala Ordinance should therefore be seen in this context of creating a highly objectionable precedent and hence should be scrapped forthwith.

Naavi

P.S: ” Responding to the adverse views about the Ordinance, the Chief Minister of Kerala has made an announcement that the provisions of the Ordinance will not be implemented. However, the ordinance needs to be withdrawn by the Governor officially or allowed to lapse.  However the principle of Cyber legislation to be in the central domain as a legislation of Cyber space needs to be pursued.”