Indian Data Protection Summit: IDPS 2020

FDPPI (Foundation of Data Protection Professionals in India) has embarked on a major project of conducting a virtual Data Protection Summit on November 19th, 20th and 21st of 2020.

The Summit will consist of six sessions, two on each of the three days, of 90 minutes each.

Time would be 11.00 am to 12.30 pm and 4.00 pm to 5.30 pm.

Meeting will be on Zoom and will be free.

The Summit will discuss different topics relevant to Indian Data Protection Domain.

The tentative program is as follows:

Session 1: Recent Data Breach Incidents and PDPA of India (Nov 19th 11.00 am)

Session 2: PDPA of India is not a clone of GDPR (Nov 19th 4.00 pm)

Session 3: The Challenge of being a DPO (Nov 20th 11.00 am)

Session 4: The enigma of cross border data transfer (Nov 20th 4.00 pm)

Session 5: Data Trust Score the Indian innovation (Nov 20th 11.00 am)

Session 6: A Unified Framework for Data Protection Implementation (Nov 20th 4.00 pm)

The sessions will be conducted as Panel discussions with experts in the industry and will be anchored by Naavi.

Watch out for more information here.

Naavi

Posted in Cyber Law | 2 Comments

Data Processing Companies in Pune need to exit Maharashtra

Since 16th July 2020, when the European Court of Justice (EUCJ) came up with its ruling in the Schrems II case and invalidated the US Privacy Shield, there has been a crisis in the Data Processing industry worldwide. The principles on which the EUCJ invalidated the US Privacy Shield were equally applicable to countries like India and hence if personal data from EU could not be transferred to US, it was equally difficult for data to flow into India either directly from EU or through the US.

Subsequently on 23rd July 2020, EDPB (European Data Protection Board) came up with some clarifications of the judgement which also reiterated that personal data cannot be transferred from EU to US or any other country unless the requirements of Articles 46 or 47 of the GDPR are satisfied.

On 10th November 2020, EDPB has come up with two recommendations related to the Schrems II judgement as guidelines of how the industry can be compliant with the requirements.

The first document indicates the measures that supplement transfer tools provided under GDPR. The second indicates the European essential guarantees for surveillance measures.

We need to explore whether these documents suggest any workable solution for Indian data processors who are processing or intend processing EU GDPR data.

Some of the essential aspects of these documents are as follows:

Recommendations 01/2020 on measures that supplement transfer tools

The Schrems II order mandates that the protection granted to the personal data in the EEA must travel with the data wherever it goes. In other words, when data is sent out of the EU region and continues to be processed in other countries, the level of protection to the Privacy rights of the EU GDPR subjects should be the same as is available in EU.

The US Privacy Shield was rejected because it was felt that the Ombudsman responsible for protecting the Right to Access of an EU data subject was an appointee of the Government and not an independent judicial authority. Secondly it was felt that the data is not insulated from surveillance from intelligence agencies.

In the light of these developments, US Privacy Shield was rejected as an instrument of “Adequacy”. On the other hand the ruling held that Standard Contractual Clauses (SCC) can continue to be one of the acceptable instruments under which a Data Exporter from EU can transfer the GDPR data out of EU.

While the SCC would be available as a tool for transfer as per Article 46 in case of repetitive transfers, the derogations, which include the explicit consent under Article 47, would be available for occasional transfers.

The guidelines of November 10, 2020 suggest a five step process to be followed by the Data Exporter before accepting the SCC which can be supplemented by appropriate additional clauses.

Step 1: Data Exporter should be aware of where the data is going and whether it is relevant and limited.

Step 2: Data Exporter should identify one of the transfer tools suggested in Article 46, namely a legally binding and enforceable instrument between public authorities (e.g. bilateral treaty type documents), SCC, etc., or the applicable derogations.

Step 3: Data Exporter should make an assessment of the law or practice in the destination country that may impinge on the effectiveness of the appropriate safeguards being relied on.

Step 4: Data Exporter should identify and adopt such measures as are necessary to bring the level of protection of the data transferred up to the EU standard.

Step 5: Data Exporter should take formal steps as may be required to adopt the supplementary measures.

Step 6: Data Exporter should undertake periodical review.

Recommendations 02/2020 on the European Essential Guarantees for surveillance measures

Additionally, the EDPB guidelines have set out four principles under which the EU would like to be guaranteed that the surveillance measures in the destination country are acceptable.

They are:

1. Processing should be based on clear, precise and accessible rules
2. Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated
3. An independent oversight mechanism should exist
4. Effective remedies need to be available to the individual

If therefore, Indian data importers need to continue their data processing contracts, they need to satisfy the Data Exporter with the above principles and go through the five steps of evaluation. The findings should be documented as a “Due Diligence”.

As regards the situation in India, if a company is processing EU data and the EU data subject has to exercise the right of Access, correction, portability and deletion (Forget), Indian laws should fall within the acceptable parameters set by the EUCJ.

In India, Section 69 of ITA 2000 is one law that supplements the Indian Telegraph Act and provides surveillance rights. When PDPA is enacted there will be Section 35 and 36 of the Act that will provide exemptions from the Indian law to the law enforcement agencies.

However, under Section 37 of the PDPA of India (as per current Bill) any processing operation involving the processing of personal data of foreigners can be notified as exempt from PDPA. Hopefully every Indian company engaged in the processing of personal data from EU will use this provision.

But Section 69 of ITA 2000 and the Indian Telegraph Act as well as some other sectoral regulations may have jurisdiction on all the data processing activities of a company, which include local data and foreign data. In such cases, the possibility of surveillance measures could come in for dispute by the EU agencies.

It is in this context that a great disservice has been done by the Maharashtra Government and the Mumbai Police by their persistent harassment of Republic TV, which required Supreme Court intervention for what appeared to be a clear violation of human rights. The political system failed to bring a quick end to the problem and the Judiciary took an unreasonably long time to resolve the issue. The lower courts including the Mumbai High Court did not appear to have covered themselves with glory and it was only the Supreme Court which came to the rescue of the human rights principles involved.

What this incident indicates is that if a company in Maharashtra is processing personal data of EU and it falls into the bad books of the local police supported by the local Government, there could be various forms of harassment including seizing of data centers, arrest of data center employees etc., which could halt the company’s operations.

Though one can justify that it is illegal, the local Police have proved that they are supreme and can even manipulate witnesses and evidence and carry their mission through. It is impossible for the Supreme Court to come to the rescue of the company in every case.

Hence the risk of surveillance by the local administration is a risk that every company functioning in the state of Maharashtra has to bear. Any true professional who is conducting a due diligence in India on a company in Maharashtra cannot therefore give a clean chit that the company is immune to “Republic Attack”. Hence it is near impossible for Data Importers in Mumbai or Pune to convince their business partners in EU region that they will meet the standards of surveillance mentioned in the November 10th document.

Sitting in a faraway place, it is possible for Data Exporters to perceive that what happened in Mumbai is a reflection of the situation in India as a whole, and if this perception is not removed the data processing business in India will be permanently affected. NASSCOM needs to give a thought to that possibility.

Naavi has been suggesting that the Karnataka Government initiate certain measures to counter such a perception, to say “Bengaluru is not Mumbai” and “Data Processing regulations in Bengaluru are compliant with the International expectations”. If the Government implements some of these suggestions, it may be possible for IT companies to shift their data processing activities from centers in Maharashtra to somewhere in Karnataka.

Hopefully the Government of Karnataka will come up with appropriate strategies in this regard.

Naavi


Will NPCI indulge in Data Laundering like CIBIL?

Naavi.org had earlier pointed out how CIBIL, which was once owned by Indian Banks, was quietly transferred to a foreign company for undisclosed consideration by a number of Indian public sector Banks in a concerted move.

In the process, more than 500 million sensitive personal data sets of Indian Citizens were acquired by the foreign company along with the revenue benefits flowing out of the profits.

See the details here:
CBI Enquiry is required for finding the truth behind TransUnion taking over CIBIL
Is TransUnion-CIBIL guilty of Accessing Critical Personal Data through surreptitious means?
Data Laundering ..is it covered under PDPA?

Now there is a report that NPCI is all set to sell its equity to 131 companies including Banks, PSOs, etc. in what is said to be an attempt to create “Distributed Ownership”.

According to the report, invited companies include the likes of JP Morgan Chase, DMRC, Western Union, Airtel, Jio, Paytm, Bank of America, etc.

It may be noted that presently NPCI is owned to the extent of 82% by 12 domestic Banks while the remaining is held by 40 smaller Banks and select cooperative, rural and foreign banks.

At present it is stated that only 4.6% of equity would be diluted for about 1800 crores. However, we cannot forget that CIBIL similarly started a dilution program which eventually meant that the company which was owned by the Indian Banks later went into the control of Trans Union completely.

We should remember that the NPCI also holds highly valuable sensitive personal data which is in fact “Critical” since the UPI IDs are unique and link to the financial assets of millions of Indians. An attack on NPCI will debilitate the country to the extent that it would be of interest to the national enemies engaged in cyber terrorism and cyber war.

What may start as a 4.6% dilution at Rs 1800 crores may firstly be valued much more than Rs 1800 crores and secondly, it may not stop at 4.6% and go much higher. In the case of CIBIL, the dilution started at 10% and reached 92%. Similarly NPCI may soon be sold out completely to foreign hands.

I call upon the Finance Ministry to withdraw this proposal forthwith as it will not be possible to guarantee that NPCI will not be sold off to foreign interests just as CIBIL was sold in a scam.

This sort of dilution may be considered “Data Laundering” and the forthcoming PDPA has to question such ownership transfer of companies with critical personal data since it is a data sovereignty issue.

Naavi


EDPB adopts Supplementary transfer tools following Schrems II ruling

EDPB published the following press release today:

During its 41st plenary session, the EDPB adopted recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, as well as recommendations on the European Essential Guarantees for surveillance measures.

Both documents were adopted as a follow-up to the CJEU’s ‘Schrems II’ ruling.

As a result of the ruling on July 16th, controllers relying on Standard Contractual Clauses (SCCs) are required to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data in the third country, if the law of the third country ensures a level of protection of the personal data transferred that is essentially equivalent to that guaranteed in the European Economic Area (EEA).

The CJEU allowed exporters to add measures that are supplementary to the SCCs to ensure effective compliance with that level of protection where the safeguards contained in SCCs are not sufficient.

The recommendations aim to assist controllers and processors acting as data exporters with their duty to identify and implement appropriate supplementary measures where they are needed to ensure an essentially equivalent level of protection to the data they transfer to third countries. In doing so, the EDPB seeks a consistent application of the GDPR and the Court’s ruling across the EEA.

The recommendations contain a roadmap of the steps data exporters must take to find out if they need to put in place supplementary measures to be able to transfer data outside the EEA in accordance with EU law, and help them identify those that could be effective.

The recommendations on the supplementary measures will be submitted to public consultation. They will be applicable immediately following their publication.

In addition, the EDPB adopted recommendations on the European Essential Guarantees for surveillance measures. The recommendations on the European Essential Guarantees are complementary to the recommendations on supplementary measures.

The European Essential Guarantees recommendations provide data exporters with elements to determine if the legal framework governing public authorities’ access to data for surveillance purposes in third countries can be regarded as a justifiable interference with the rights to privacy and the protection of personal data, and therefore as not impinging on the commitments of the Article 46 GDPR transfer tool the data exporter and importer rely on.

Reference:

Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.

Recommendations 02/2020 on the European Essential Guarantees for surveillance measures


WhatsApp Pay : A Master Circular required from RBI

WhatsApp has been in the news in the past as a messaging company providing end-to-end encrypted messaging services, introducing vanishing messages etc. As a messaging company it had its share of controversies involving spread of fake messages and mobilization of people for creating social unrest etc.

Now by introducing the WhatsApp Pay, WhatsApp is changing its profile from a messaging app to a Fintech App. Perhaps we will need to look forward to a different set of issues arising between WhatsApp and the Government of India involving data localization and financial fraud control.

With RBI providing the regulatory clearance for WhatsApp Pay, users of WhatsApp can now send and receive money from their contacts just like exchanging messages. Additionally, payments can also be made to persons not in the contact list with the use of QR code.

WhatsApp has a customer base of around 350 million in India and hence as a peer-to-peer payment system it is expected to catch on quickly. Presently GooglePay and PhonePe are said to have a market share of around 40% each in the UPI based payment system worth Rs 3.5 lakh crore transactions per month, which WhatsApp will join.

All these systems will use the UPI network of partner Banks and compete with the Wallet Companies and PPIs, particularly for small payments, though they themselves do not undertake any liability for the transactions.

While GooglePay and WhatsApp Pay are monetizing their customer base acquired from a different service, AmazonPay and PhonePe (taken over by Flipkart) may use the E Commerce customer base to spread their wings into the FinTech domain.

In terms of business strategy, the way messaging and e-commerce business is merging onto banking and finance business is interesting. The trend is “Unified Business Services” and these companies are enlarging their revenue base from advertising to financial services. Soon they will also wade into insurance and investment broking besides traditional banking itself.

Since these are “No Liability” monetization deals to encash on the customers they acquired when India did not have any Data Protection laws, they are great as business deals but uncomfortable for Fraud watchers.

Traditionally Banking has been separately regulated by RBI in India but the current developments indicate a trend where the frontal face of the business is a Google or WhatsApp or Amazon but the back end is the licensed banking service.

This creates a perception that WhatsApp or Google is the payment institution but actually the customers are authorizing these agencies to operate Customer’s Bank accounts as if they are power of attorney holders for operating the Bank account.

For example, WhatsApp Pay has an arrangement with five banks, namely ICICI Bank, HDFC Bank, Axis Bank, SBI and Jio Payment Bank, who are licensed to carry on banking business. When we use WhatsApp, we are allowing WhatsApp as our agent to operate our Bank account through a chain of third parties.

When a WhatsApp customer activates the payment system, he is assigned a unique WhatsApp UPI ID which includes the phone number. This is used as a QR code for receiving the payment and is therefore linked to the UPI ID of the customer in his preferred Bank account based on the mobile number.

While using the system, the payment link will immediately open the UPI app and the instruction is re-directed to the user’s Bank. User’s Bank sends the payment to the WhatsApp assigned UPI ID of the contact and at the destination this UPI ID has to be converted into the personal UPI ID of the contact through the intervention of WhatsApp.

The WhatsApp payment server (which could be different from the message server) therefore may be involved in converting the assigned UPI ID of the users to their real UPI IDs in their respective Banks and vice versa. The rest of the transaction is handled by the Banks.

The initiation of the service is therefore like an authority to operate the Bank account for a limited purpose. However the Customer may not realize that he is the Principal and WhatsApp is his agent for execution of the transaction. Since he inputs the PIN directly, we presume that it is not visible to WhatsApp. But WhatsApp is forcing the user to use the UPI app which he may not otherwise like to use. It also holds several permissions and therefore it is not clear if the transaction data is visible to the WhatsApp server.

The “Request for Payment” prompts the issue of the payment instructions from the sender of the payment.

The authentication for the transaction is the 4-digit PIN set by the customer for his UPI account with the Bank, which is neither a digital signature nor a complex password. The only additional security that can be expected is the link to the mobile device and perhaps the SIM number. The mobile device therefore becomes critical to the security and if the device is lost, there is every possibility of the compromise of all the Bank balance one may have in multiple Banks to which the mobile has been registered.

By this convergence of messaging platforms with the Banks, the financial risks have multiplied. At the same time these UPI based systems have been designed in such a manner that the partner Banks of WhatsApp are acting as “Undisclosed Agents” of the front end messaging companies. Whenever there is a fraud, which is inevitable in a financial transaction, the consumer will therefore be searching to find out who is responsible for the fraud.

For example, in the WhatsApp Pay system there are 4 Banks involved in the back end (one each of the payer and the payee, one each of the WhatsApp accounts of the two parties who are partnering WhatsApp). Additionally NPCI is involved as the switch and WhatsApp as the front end at both the payer’s end and the receiver’s end. This is not disclosed in the Privacy Policy and no specific privacy policy is attached to this service.

The above diagram roughly suggests the institutional architecture of the WhatsApp Pay system.

A fraudster can execute a fraud at any of these 8 points. A WhatsApp Spyware can compromise either of the two ends of WhatsApp, trojans can compromise the traditional banking channel and the NPCI switch can be compromised by any other malware. The net result of manifestation of any of these vulnerabilities is that an unauthorized payment occurs and money is debited in the payer’s account.

RBI needs to confirm who will hold the liability for such frauds and whether the “Limited Liability” system applicable for other online frauds also applies for WhatsApp pay kinds of payments.

The Banker Customer relationship is between the Payer and his Bank and hence the liability for the unauthorized payment will first fall on the Paying Bank. This has to be clarified by the RBI.

Unfortunately the Bank would be in the background and the victim of a fraud would first try to contact WhatsApp to report a fraud. At present WhatsApp has not made any provision for reporting of disputes along with the payment message. (P.S: Google pay seems to have made such a provision).

Hence the victim may be required to run from pillar to post to lodge his complaint and get his money back. Everybody will pass the buck and the victim would be told that he alone should be responsible for the fraud because every other organization has international level security while the user is ignorant, negligent and must have clicked a wrong button etc.

At present the liability of Banks for phishing frauds has been determined on the principles set by the S Umashankar Vs ICICI Bank case which has been decided at the Adjudicator’s level and confirmed at the TDSAT level, under ITA 2000. It has been held that under Section 43(g), non-adherence to security measures mandated by RBI would amount to “Negligence” or “Lack of Due diligence” which legally becomes “Assistance to another for committing a fraud”. (See TDSAT Judgement here).

The principle established by this judgement places reliance on the RBI as a regulator to set the security standards. Additionally, any other guidelines available under law would be applicable. Here Section 43A of ITA 2000 and the reasonable security practice mentioned therein become relevant. The Due diligence mentioned under ITA 2000 extends now to the draft Personal Data Protection Bill 2019 which may soon become a law and substitute Section 43A.

Thus while settling the liability under the WhatsApp fraud, it would be relevant to invoke the provisions of ITA 2000 and PDPA of India under which WhatsApp would be a Data Fiduciary and all other agencies will be either Data Processors or Joint Data Fiduciaries.

At present WhatsApp does not have a Privacy Policy as required under either PDPA or ITA 2000. RBI has not been transparent about the details of the arrangement with WhatsApp apart from the total limitation of about 20 million users.

In particular we need clarification on whether RBI has exempted WhatsApp from the data localization principle or other due diligence requirements. We also need to know if RBI has flagged the risks to consumers and built any safeguards such as mandatory Cyber insurance.

In the meantime WhatsApp must make efforts to be compliant with PDPA on the basis of the current draft bill and upgrade it as and when the Act is finally passed.

It would be better for the Governor of RBI to come up with an assurance to the Country that the risks of allowing UPI based payment systems by the global giants have been properly assessed and adequately mitigated.

We therefore suggest that RBI should come up with a “Master Circular” to clarify the working of this system of payments operated by private non-licensed Fintech players like Google, WhatsApp, Flipkart, Amazon etc., the Bank’s responsibilities and the Customer’s rights.

Naavi

 

 


Mumbai Police have rattled the Data Protection Law in India

The way Mumbai Police has handled the Republic TV case with

- the reopening of a closed case
- of what possibly was a murder and treating as a suicide,
- bringing in the abetment link for a business contract dispute,
- deliberately misreporting the TRP report submitted by a market research agency to substitute one Channel to another,
- arm twisting witnesses by visiting them in the night,
- bringing pressure on the research company to change its report,
- arresting the editor of a TV channel,
- moving him into a jail with criminals,
- assaulting, intimidating etc.,

is a Bollywood script which would have been a blockbuster movie and could have been titled “Singham the new Don”.

This could perhaps qualify as a human rights and freedom of press issue. However, since Human rights are normally available only for terrorists and the freedom of press is available only to a privileged class of journalists, this case is perhaps not eligible for the activists who are normally interested in taking up such issues and they remain in a self imposed silence.

We also presume that the hands of the Central Government are tied and the High Court and Supreme Courts which open their offices in the middle of the night to hear the Yakub Memons, now want to enjoy their well earned week-end holidays and take their own sweet time to hear a case of this nature.

Since even Mr Subramanya Swamy or Mr Modi or Amit Shah have found themselves helpless in the matter, it is unnecessary for us to express any view on the matter.

We can only say ‘Jai Ho’ to our democracy which enables a party like Shivasena to win an election on the strength of their association with BJP and later associate with Congress, form the Government and do what it wants.

Our concern is only what all this means for the Data Protection industry, which we need to discuss.

Impact on Data Protection Industry

As we all know, there is a provision in laws such as GDPR that if the regulatory agency of a country finds that another country has acceptable data protection measures, then under the “Adequacy” clause, personal data can be transferred from the host country to the destination country without the restrictions otherwise imposed in this regard. As a result, in order to preserve the data processing business coming from the EU region, most countries strive towards meeting the requirements of GDPR to gain the adequacy status.

The reason why nearly 130 countries are passing personal data protection laws is that it is the first step towards gaining the attention of EU authorities to even make a claim to the “Adequacy” status.

But as we recently found out, the EU demands a heavy pound of flesh to provide the “Adequacy” status. Nothing less than an abject surrender will satisfy the EU Courts, as was indicated in the Schrems II judgement of the EU Court of Justice. In this case, the US Privacy Shield which was considered acceptable even by the EDPB was rejected by the Court. The reason was that it felt that the guaranteed assurances were unsatisfactory since the Ombudsman was appointed by the President of United States and the Intelligence agencies like FBI continue to have right of surveillance over the personal data transferred from EU for processing in US.

The EDPB suggested that Data Exporters in EU may get an assurance from the Data Importers through the Standard Contract clauses (SCC) in the agreement. But it must be recognized that a Data Importer of a country like India or US cannot sign a contract which is in conflict with the local laws made either by the Parliament of the country or enforced by the national security agencies. Even if such terms are signed off in a contract, it will not prevent the local law enforcement authorities from invoking them, ignoring the contractual obligations.

Hence there is no way any country can satisfy the EUCJ regulations on Data Importer’s obligations without picking up a fight with the law enforcement agencies in the local area, which has become an existential risk for the company.

It is here that the Mumbai Police has established a precedent that it is the supreme law making body in the country and not answerable to anybody other than the party in power in the state. This will definitely be taken up as an argument against India in any international forum when required, that in India, the local Police (not even the CBI) have the ultimate call on what data they want to ask from a company and for what reason.

Any outgoing employee of an organization or a contractor for whom the company refuses to settle dues because of any reason may commit suicide and it is enough for that company to be on the radar of the Police for “Abetment to Suicide”.

It is time for all companies to scan their employee/contractor suicides and ensure that it does not point to any possible abetment charge. This will be a new “Threat vector” that security professionals need to consider.

As a result of this Mumbai development, the “Adequacy” and “SCC” are unlikely to be of any use for Indian Companies to establish a case for transfer of personal data.

The only credible option is to ensure that there is an explicit consent from every data subject for transfer of personal data for processing into India for which the Data Controller has to take necessary measures.

Thus the developments have rattled the Indian position on data protection in the global environment and will set us back by a few notches in the “Ease of Doing Business”.

What JPC on PDPB can do

In order to safeguard the Indian data protection industry, one precaution that the Joint Parliamentary Committee on PDPB 2019 needs to take is to prescribe in PDPA of India that

“any offence either under PDPA or under ITA 2000 or other laws against data processing organizations shall be investigated only by a central investigating authority like the CBI and NIA with the concurrence of the Data Protection Authority”

In other words,

“Data” should be declared as a new class of “Asset” whose management and security does not fall under the jurisdiction of the state police.

The logic for this is that Data is an asset like “Spectrum” and is neither movable nor immovable, nor is it an intellectual property or an actionable right.

Therefore, Data should be declared as a new and exclusive class of asset.

Just as there is a separate law for intellectual property, the Personal Data Protection Act should be regarded as the exclusive law for Data, which should be governed only under the directions of the Data Protection Authority.

This would mean that many provisions of ITA 2000 in respect of data related crimes should require permission of the DPA for the local police to investigate. This should be similar to the restriction that the local state Governments can impose on CBI investigation in the State which many of the states including Maharashtra, West Bengal etc have imposed.

Alternatively, ITA 2000 may be amended and Section 80 should be amended to make a “Central Cyber Crime Force” the sole police authority to investigate and prosecute Cyber Crimes.

Probably this will increase the efficiency of Cyber Crime management since all Cyber Crimes are inter state crimes if not international crimes.

This new definition of an asset class will be an innovative amendment that can be brought to PDPB 2019.

I hope JPC will take note.

What other State Governments like Karnataka can do

In the meantime, Naavi.org suggests that progressive State Governments such as Karnataka should undertake some special measures to provide assurance to the international data market that what happened or is happening in Maharashtra is an aberration and does not represent the way law is implemented elsewhere in the country.

We have to assure the international community that India is not a banana republic though Maharashtra has the right to be. We are a true federal democracy and tolerate states like Maharashtra as part of our democracy. We can assure that Karnataka is a “Data Angel” with special assurances for the data processing industry.

The least that can be done is for the state Government to give a press statement that what happened to the media companies like Republic and Hansa in Mumbai will never happen in Karnataka.

Along with such an assurance, the Government has to invite all those IT Companies like Infosys which were at one point of time unhappy with the Karnataka Government and shifted their expansion operations to Pune to come back to Bangalore.

It is time to reassure the IT industry that Karnataka shall be a safe haven for data processing companies and that there will be no interference from the State in the day to day affairs of a commercial organization whether it is a media company or a data processing company.

This is therefore an opportunity for Karnataka Government and it should appropriately strategize to harness the opportunity.

Naavi
