Twitter Hack highlights the need for Indian PDPA Provision on Social Media Intermediary

The great Twitter hack is a serious development in the Cyber Security scenario that has many implications.

It has highlighted

    • that Twitter's security is not good enough for the scale and sensitivity of its operations
    • the foolishness of many Indian banks that had adopted "Twitter Banking", using Twitter messages to trigger banking transactions
    • that social media is never to be trusted, with or without deep fakes
    • that Bitcoin continues to be the bane of civilized society as a tool of crime
    • that the Indian Personal Data Protection Bill was right in insisting that social media intermediaries enable users to voluntarily verify their accounts

It is time for an Indian Twitter alternative, so that users can gradually shift to it with a new account, a new password and a new identity. But the Indian company must go well beyond the security Twitter provided, where the compromise of one administrator account could put users across the globe at risk of not only an economic crime but a political controversy of large proportions.

After the ban on Chinese apps, several alternatives have been announced, but most of them have failed to provide even basic functionality, let alone security.

It appears that Indian IT and IS professionals have a long way to go to demonstrate their skills before Indian apps make a dent in the international market.

Let us hope the opportunity draws the really talented, who presently work for international brands, to turn their attention to developing an Indian supplier market for Twitter-like services.

Naavi

Posted in Cyber Law

EU Judgement on US Privacy Shield…Is this an assault on US sovereignty?

Ever since GDPR became effective on 25th May 2018, there has been a debate as to whether the earlier arrangement between the US and the EU, which gave the US "adequacy" status on the basis of the 1995 Directive, would still be considered "adequate" under GDPR for cross-border transfer of EU personal data.

Under the Privacy Shield, US organizations self-certified with the US Department of Commerce under the Privacy Shield Framework, and the Department of Commerce entered into a binding arrangement with the EU.

On 12th July 2016 the European Commission deemed the EU-US Privacy Shield Framework adequate for data transfers under EU law. It provided the legal basis for the transfer of personal data from the EU to participating US organizations, replacing the Safe Harbor framework, which the EU Court had earlier struck down as inadequate.

Under the Privacy Shield, the US entity had to submit a set of information (listed in the Framework) to the Department as a "commitment". A fee was charged for the self-certification (e.g. $975 for a company with a turnover of $25 million). Organizations were required to provide a grievance redressal mechanism (e.g. arbitration), free of charge to EU citizens, through which privacy-related complaints could be raised.

The Privacy Shield requirements addressed the privacy concerns reasonably.

However, the decision of the EU Court of Justice on 16th July 2020, in a case arising from a complaint filed with the Irish Data Protection Commissioner by the Austrian activist Max Schrems, has now rejected the arrangement on adequacy grounds. The Standard Contractual Clauses used for cross-border transfer were, however, held valid, subject to a case-by-case assessment of the protection actually available in the destination country.

Hence US companies which were hitherto relying on Privacy Shield certification will have to rewrite their contracts with EU companies to incorporate the Standard Contractual Clauses, which may bring them under the jurisdiction of EU courts directly, without the protection of the US judicial system.

However, the obligation to ensure that the SCCs are proper lies more on the EU entities, unless the US entities, by virtue of holding business establishments in the EU, are themselves subject to GDPR.

The principal reason the Court held the Privacy Shield certification unacceptable is that the "Ombudsperson" under the Privacy Shield lacks the power to bind the US intelligence agencies and therefore cannot afford EU citizens protection in the manner the EU desires. The Court also opined that since the Ombudsperson reports directly to the Secretary of State, he cannot be considered "independent".

It is the prerogative of the EU Court to give whatever guidance it wants to the GDPR authorities, including directions to accept or reject the agreement the European Commission entered into with the US in the interest of trade and commerce.

But if the EU Court considers it unacceptable, from the standpoint of an EU citizen's privacy, for the Ombudsperson to report to the US Secretary of State, that amounts to rejecting the authority of the US Government to take such steps, at the level of the Secretary of State, as may be required to protect its country.

In the current political scenario where it appears that EU is slowly being consumed by Islamic fundamentals and there are demands in some of the EU states about introduction of Sharia law, it is necessary for the global community to ensure their own protection. This includes an ability to retain their sovereign rights to monitor the data movements in the interest of national security. Hence it is to be considered as the sovereign right of US to have a due process of law that provides the Secretary of State some control on the Ombudsperson and cannot provide total independence as EU desires.

The principle the EU Court propagates through this judgement can tomorrow also give it a reason to reject the authority of the DPA in India, as well as in many other countries.

Hence the decision of the EU Court should be considered an affront to the global community, challenging the authority of the respective Governments to set up their own apex data protection authorities in good faith, with the necessary independence but always subject to "national security considerations".

This argument brings us back to the debate that "privacy is a right which is not absolute" and has to be considered subject to "reasonable restrictions".

Though many activists read "reasonable" as "total" and do not agree with any restrictions, it is the fundamental right of any citizen of a free country like the US, the UK or India to consider it the prime duty of the Government to protect its citizens from terrorism, international crime etc.

If this requires surveillance of a certain order, subject to a reasonable "due process", it is unacceptable for a foreign court to interfere.

The decision of the EU Court now places the US on par with India, and hence, from a business perspective, Indian companies may feel that they can compete for data processing contracts directly with the US, since both are now subject to SCC obligations. To this extent the development can be considered advantageous to India.

However, this is not a time to gloat over the new business opportunity that has come up but to recognize and oppose the re-emergence of the age old colonial mindset in Europe with the added danger that the current rulers of EU countries may function more under the influence of Islamic fundamentals posing a greater political risk to the international business.

It would be interesting to see how the UK reacts to this development and how the US counters. The best option could be not to make a fuss about the decision, ignore it, and let businesses settle their commercial interests through the SCCs. It could be inconvenient in the short term but would be acceptable in the long run as a business process.

Naavi

Reference

CJEU Judgement of 16th July 2020 (Case C-311/18, "Schrems II")

EDPB clarifications dated 23rd July 2020

Standard Contractual Clauses

EU controller to non-EU or EEA controller

EU controller to non-EU or EEA processor

ICO UK Templates

Controller to controller template

Controller to processor template

Posted in Cyber Law

Banning of China Applications..Article on India Legal

Article that appeared in India Legal Print magazine

Posted in Cyber Law

Legacy Data is a problem in implementing the new Data protection laws

When a country moves from having no data protection law to a strict one, one of the problems companies face is how to handle the legacy personal data already with them.

This data could have been collected earlier either without proper consent, or without the consent record being available for reference now. Even where consent had been obtained, it is unlikely that the information provided to the data principal at the time met what the current data protection requirement demands.

For example, the PDPA of India, when implemented, would require the notice for personal data collection to include the following:

(a) the purposes for which the personal data is to be processed;
(b) the nature and categories of personal data being collected;
(c) the identity and contact details of the data fiduciary and the contact details of the data protection officer, if applicable;
(d) the right of the data principal to withdraw his consent, and the procedure for such withdrawal, if the personal data is intended to be processed on the basis of consent;
(e) the basis for such processing, and the consequences of the failure to provide such personal data, if the processing of the personal data is based on the grounds specified in sections 12 to 14;
(f) the source of such collection, if the personal data is not collected from the data principal;
(g) the individuals or entities including other data fiduciaries or data processors, with whom such personal data may be shared, if applicable;
(h) information regarding any cross-border transfer of the personal data that the data fiduciary intends to carry out, if applicable;
(i) the period for which the personal data shall be retained in terms of section 9 or where such period is not known, the criteria for determining such period;
(j) the existence of and procedure for the exercise of rights mentioned in Chapter V and any related contact details for the same;
(k) the procedure for grievance redressal under section 32;
(l) the existence of a right to file complaints to the Authority;
(m) where applicable, any rating in the form of a data trust score that may be assigned to the data fiduciary under sub-section (5) of section 29; and
(n) any other information as may be specified by the regulations.

In the current regulation, contained in Section 43A of ITA 2000/8 and the Reasonable Security Practices rules made under it, rule 5(3) states:

(3) While collecting information directly from the person concerned, the body corporate or any person on its behalf shall take such steps as are, in the circumstances, reasonable to ensure that the person concerned is having the knowledge of —

(a) the fact that the information is being collected;
(b) the purpose for which the information is being collected;
(c) the intended recipients of the information; and
(d) the name and address of —
(i) the agency that is collecting the information; and
(ii) the agency that will retain the information.

Additional requirements on minimal retention, purpose limitation, right of access and correction, opt-out, right to withdraw consent, grievance redressal, disclosure norms, security safeguards etc. were to be followed by body corporates collecting sensitive personal information, but they were not clearly mandated to be part of the published "Privacy Policy", which served as the "Notice" as we now refer to it.

The privacy policy was required to indicate the type of personal or sensitive personal data or information collected, the purpose of collection, the usage of such information, disclosure, and reasonable security.

As we can see, though the intention of Section 43A was similar to that of the PDPA 2020, the details the PDPA 2020 requires in the notice go far beyond what Section 43A of ITA 2000 envisaged.

It can safely be said that consents, if any, obtained in the pre-PDPA 2020 period would be insufficient to meet the requirements of PDPA 2020.

The Data Fiduciaries therefore have to obtain fresh consents by serving fresh notices on the Data Principals.

In ITA 2000 there was no concept of a Data Fiduciary and a Data Processor, though in the clarifications provided by the Government it was indicated that the Data Processor was not responsible for consent, and that only the body corporate having a direct relationship with the data subject was required to collect it.

If, therefore, we strictly interpret the emerging regulation, all legacy personal data with body corporates will have to be forensically deleted as soon as PDPA 2020 comes into effect, unless new consents are obtained.

Assuming that organisations send out e-mail notifications to the data subjects seeking fresh consent, it can safely be assumed that a very large number of data subjects would either not respond, or their e-mail addresses would no longer be valid, so that they cannot respond.

In such cases a large number of data sets would have to be purged.

When GDPR came into effect, Data Controllers faced similar problems; while most of them might have purged the data, some archived it under legitimate interest claims, and some might have taken no action other than sending a reminder seeking re-permission.

There were many instances where data subjects responded to the re-permission request with questions such as "Where and when did you get my personal information? How are you processing it? Where is the past consent?" Unable to face such questions, some companies simply purged the data without attempting to renew the earlier consent, though this meant losing their earlier investment.

In the case of GDPR, since the EU Directive was already in force, perhaps it was not necessary to provide for any transition from the legacy system to the GDPR system. But in India, where the earlier system did not require consent of the type now required, it would be unfair to penalize organizations which were in compliance with Section 43A but may fail the new requirements.

Hence there is a need to provide a smooth transition from personal data collection under Section 43A (ITA 2008) to Section 7 (PDPA 2020).

Such a transition has to provide relief to those organizations which

a) hold consents as per Section 43A of ITA 2008, and

b) send out opt-in requests under the new consent forms but do not receive confirmation,

by allowing them to phase out such data over a period of time relevant to the legitimate interest of the organization.

Though it would have been good if a clause had enabled the DPA to provide a smooth transition from ITA 2000/8 to PDPA 2020, there is no reason to despair, since this can be covered under Section 14 by the DPA through an appropriate notification.

Hopefully, if this comes up during the discussions of the JPC, and the vested interests who want to delay the passage of the Bill hold it out as one of the reasons why the Bill should be reconsidered, the Government would be able to counter that it can be covered under notifications from the DPA.

Alternatively, a simple additional provision can be added to Section 14, "Processing of personal data for other reasonable purposes", to the following effect:

Section 14 (4) : Where the Authority considers it necessary and expedient, it may through appropriate notification provide for necessary transition from the legacy laws to the provisions under this Act, through the legitimate interest declared in the “Privacy by design policy” as per section 22 of the Act.

Naavi

Posted in Cyber Law

Section 65B.. Converging on the truth..One last step still remains

Section 65B of Indian Evidence Act came into existence on 17th October 2000 along with the notification of ITA 2000.

For professionals in legal circles, including judges, understanding Section 65B and its necessity has been almost impossible. Even today, after two decades, if debate is still going on about this section, one can understand... not the complexity of the law, but the difficulty human beings have in unlearning and re-learning.

For decades legal professionals have been trained to look at evidence in the mould of "oral" and "documentary", or "primary" and "secondary". As long as they cling to these concepts, it will be difficult to appreciate the need for Section 65B.

The concept of "evidence" as we know it needs to be looked at afresh in the context of electronic documents. I have explained the concept several times in the past, on this website, on ceac.in, and in some YouTube videos.

(The latest video is available at https://www.youtube.com/watch?v=jEpEmQGjYsM&t=3s).

The concept had been accepted by a Court as early as 2004 in the Suhas Katti case (AMM Court, Chennai, where the undersigned provided the first Section 65B certificate in India), but got derailed by the Supreme Court in the Afzal Guru case in 2005.

For those who think law is made only through judgements, and that the wording of the statute and the intentions of the law makers are secondary, the Afzal Guru judgement was proof enough to say that a Section 65B certificate is not mandatory.

In P V Anvar Vs P K Basheer (2014), the Supreme Court made it amply clear that a Section 65B certificate is mandatory for the admissibility of all electronic documents as evidence. It also overruled the Afzal Guru judgement on this point.

However, there were still people who did not agree, and they rallied behind the erroneous judgement in the Shafhi Mohammad case (2018), which made the strange, self-contradictory statement that

a) if a person is in possession of the original document (the device holding it), the Section 65B certificate is mandatory, but

b) if a person is not in possession of the original document, the Section 65B certificate is not mandatory.

In other words, where it was possible for the Court to examine the original, the Court said a certificate was mandatory; yet if the Court itself can view the original, the certified copy is only a technical requirement. On the other hand, where the original is not before the Court and what is produced could be fabricated, Shafhi Mohammad said the certificate is not required.

In this judgement the Court was swayed by the difficulty of obtaining a certificate where the person holding the original does not cooperate in producing the evidence, and ruled in favour of making it unnecessary. In the process it ignored the possibility of fabricated electronic evidence being produced as admissible evidence without anybody taking responsibility for it.

To some extent the judgement delivered on 14th July 2020 in the Arjun Punditrao case addresses this issue.

In this case the petitioner, a defeated candidate challenging the election of Punditrao on the ground that the nomination was filed beyond the allowed time and ought to have been rejected, relied on digital evidence (video recordings) that was with the Returning Officer (RO). The RO, however, did not cooperate with the petitioner and refused to provide a Section 65B certificate. Though the petitioner had a copy of the video, which it appears was also available to the Court, the absence of the certificate was used by the respondent to seek rejection of the evidence, as it went against him.

This was therefore a case of an official, who should be neutral in the petition, being biased and not cooperating with the Court, and it needs to be addressed in that perspective. It is open to the Court in such a case to either proceed against the RO for withholding evidence or to summon the evidence into the custody of the Court.

Once the record is in the custody of the Court, the Court could call its own expert (perhaps a Section 79A-ITA 2000 accredited digital evidence examiner), or allow cloned copies to be released to the petitioner, who could re-submit the evidence with a Section 65B certificate.

We may recall that the AMM Court in Egmore, which handled the Suhas Katti case, used this process in another case where it had the CD in its possession but still felt the need to call the undersigned for a Section 65B certificate before taking it on record.

We may also recall that in the last parliamentary election in Mandya, Karnataka, a prestigious battle, a similar issue arose: one of the candidates (who eventually won) sought to summon the video, recorded before the RO, of an objection raised by a candidate, but the RO claimed that the relevant portions had been erased and were not available. The absence of a Section 65B certificate enabled a fabricated electronic document to be retained by the RO. Had that case been tested like the Punditrao case, the question of the RO tampering with the evidence, punishable under Section 65 of ITA 2000 or Section 204 of IPC, would have surfaced.

The Punditrao judgement has therefore flagged such difficulties and also suggested that the Court could summon such records (para 43 of the judgement). This cannot be a reason to exempt Section 65B certification.

As I have held repeatedly, Section 65B certification is required to bring a human being into the evidence and to establish the method by which the stream of binaries, which is the "original evidence", is converted into a human readable/audible/visible form.

In the P V Anvar judgement, despite many points being cleared, the reference to the CD as an "original document" was a small aberration. It was not material to the final judgement, but it showed that the distinction between the "container of electronic evidence" and the "electronic evidence" itself was still getting mixed up.

In the Punditrao judgement we have moved a step further towards establishing the truth of what Section 65B is, by categorically rejecting the Shafhi Mohammad judgement and also providing a solution to the problem which may have prompted it.

However, there is still a small omission, which we may perhaps have to wait for some other judgement to clarify.

I have pointed out that Section 65B(1) defines the "computer output" to which the further sub-sections apply. According to the section, the computer output is the information printed on paper or stored, recorded or copied on media produced by a computer.

The sub-section reads:

(1) Notwithstanding anything contained in this Act, any information contained in an electronic record which is printed on a paper, stored, recorded or copied in optical or magnetic media produced by a computer (hereinafter referred to as the computer output) shall be deemed to be also a document, if the conditions mentioned in this section are satisfied in relation to the information and computer in question and shall be admissible in any proceedings, without further proof or production of the original, as evidence of any contents of the original or of any fact stated therein of which direct evidence would be admissible.

(Note the words "hereinafter referred to as the computer output".)

Para 21 of the Punditrao judgement, for some reason, omits to allude to the words "(hereinafter referred to as the computer output)". The fact that sub-sections 65B(2) to 65B(5) refer to the "computer output" as defined in sub-section 65B(1) is important to recognize, as this brings clarity to the procedure of certification.

Many pundits interpret "computer output" as the original document (e.g. in the Punditrao case, the video recording in the office of the RO, first registered in the DVR or on a memory card in a camera as a string of binaries) and conclude that the person who administers that device has to provide the certificate. That certificate is only the first in a series of certificates required as "contemporaneous certificates" whenever the document is moved from one device to another.

In practice, the RO could place the original memory card in safe custody after making a clone copy on a CD, with a Section 65B certificate, available to the candidates. The petitioner may then copy that CD for production in Court, for which a second Section 65B certificate is issued by the person who faithfully converts the document on the CD to, say, a pen drive presented to the Court.

The term "computer output" refers to each of these documents at the different stages of transfer, not only to the first. Hence when the content of a CD is re-copied, the re-copied material, in print or soft-copy form, is the computer output that Section 65B refers to, and the certifier has to record how he faithfully converted the document on the source CD into the print out.

This recognition that the original is in the possession of one person who allows somebody else to access it, take a print out and create a "computer output", is ingrained in Section 65B. Because of this, if a document is viewable on a website, any viewer can record it, certify it as sourced from the website, and prepare a Section 65B certified copy in print or soft-copy form.

As long as the certificate contains the details of the electronic document (which is the rendition of the binary stream as viewed through software and hardware), the method of viewing and printing it, the details of the devices used for the purpose, and the identity and signature of the person who viewed and printed it and signs the certificate, the Section 65B certified document is admissible.

Further, the Punditrao judgement also did not refer to Section 17 of the Indian Evidence Act, which is important because it recognizes a statement "contained in electronic form" as distinct from "oral" and "documentary". If we recognize these three forms of statement, we will understand the further sections on admission, where the sections up to 65 deal with documentary non-electronic statements while 65A and 65B deal with the documentary electronic form of statement.

I suppose we will then be able to set aside Sections 59 and 60 on proof by oral evidence, and Sections 61 to 65 on proof by documents, and look at Sections 65A and 65B without our minds pre-conditioned by the concepts of "primary" and "secondary".
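The chain of stage-wise certificates described above, worked through in code as an added example (this is not from the original post, nor any court's or examiner's prescribed format). It assumes one thing the statute does not prescribe: that each certificate records a SHA-256 fingerprint of what the certifier read and what he wrote, so that a later reader can check that every "computer output" is exactly the one the previous certificate covered, and that a stage claiming a bit-for-bit "clone" really is one. The device names, certifier names and the record bytes are constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Tuple


def sha256_hex(data: bytes) -> str:
    # Assumption: a certificate carries a hash of the binary stream it covers.
    return hashlib.sha256(data).hexdigest()


@dataclass
class StageCertificate:
    """One contemporaneous certificate, issued each time the record moves between devices."""
    stage: int
    certifier: str        # identity of the person who copied/printed and signs
    source_device: str    # where the record was read from
    output_device: str    # the "computer output" this certificate covers
    method: str           # "clone" for a bit-for-bit copy; otherwise how the rendition was made
    source_sha256: str
    output_sha256: str


def certify_stage(stage: int, certifier: str, source_device: str, output_device: str,
                  method: str, source: bytes, output: bytes) -> StageCertificate:
    """Issue the certificate for one hop; a stage certified as a clone must be byte-identical."""
    if method == "clone" and source != output:
        raise ValueError(f"stage {stage}: certified as clone but output differs from source")
    return StageCertificate(stage, certifier, source_device, output_device, method,
                            sha256_hex(source), sha256_hex(output))


def verify_chain(original_sha256: str, certs: List[StageCertificate],
                 produced: bytes) -> Tuple[bool, str]:
    """Walk the certificates: each stage must have read exactly what the previous stage wrote,
    and the document produced in court must be the final certified output."""
    if not certs:
        return False, "no certificate accompanies the computer output"
    expected = original_sha256
    for i, c in enumerate(certs, start=1):
        if c.stage != i:
            return False, f"certificates out of order at stage {c.stage}"
        if not c.certifier.strip():
            return False, f"stage {i}: certificate not signed by an identified person"
        if c.source_sha256 != expected:
            return False, f"stage {i}: source is not the output certified at the previous stage"
        if c.method == "clone" and c.output_sha256 != c.source_sha256:
            return False, f"stage {i}: claims a clone but the hashes differ"
        expected = c.output_sha256
    if sha256_hex(produced) != expected:
        return False, "document produced is not the output covered by the last certificate"
    return True, "chain intact from original to produced document"


def certificate_text(cert: StageCertificate) -> str:
    """Body to attach to the signed certificate, one per stage."""
    return json.dumps(asdict(cert), indent=2)


# Constructed sample bytes standing in for the recording on the RO's DVR card and its print-out.
ORIGINAL = b"constructed sample: nomination-desk recording 15:03:10-15:04:55"
PRINTOUT = b"constructed sample: transcript of the recording, printed from the pen drive"


def honest_chain() -> Tuple[bool, str]:
    s1 = certify_stage(1, "Returning Officer", "DVR memory card, RO office",
                       "CD-R issued to candidates", "clone", ORIGINAL, ORIGINAL)
    s2 = certify_stage(2, "Petitioner's counsel", "CD-R issued to candidates",
                       "pen drive filed in court", "clone", ORIGINAL, ORIGINAL)
    # A print-out is also a "computer output": not a clone, so only the method is recorded.
    s3 = certify_stage(3, "Petitioner's counsel", "pen drive filed in court",
                       "printed transcript", "played on a laptop, transcribed and printed",
                       ORIGINAL, PRINTOUT)
    return verify_chain(sha256_hex(ORIGINAL), [s1, s2, s3], PRINTOUT)


def broken_chain() -> Tuple[bool, str]:
    """The disc is altered between stage 1 and stage 2 (the 'erased portion' scenario);
    stage 2 certifies the altered disc honestly, so the break shows up as a mismatch."""
    s1 = certify_stage(1, "Returning Officer", "DVR memory card, RO office",
                       "CD-R issued to candidates", "clone", ORIGINAL, ORIGINAL)
    altered = ORIGINAL[:30]
    s2 = certify_stage(2, "Petitioner's counsel", "CD-R issued to candidates",
                       "pen drive filed in court", "clone", altered, altered)
    return verify_chain(sha256_hex(ORIGINAL), [s1, s2], altered)


if __name__ == "__main__":
    print(honest_chain())
    print(broken_chain())
```

The check deliberately needs no access to the original device: the hash recorded by the first certifier (here the RO) is the anchor, and every later certifier only has to account for the hop he himself made. A gap or substitution anywhere in the chain surfaces at the first certificate whose source does not match its predecessor's output, which is exactly the stage whose certifier must be asked to explain.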

I request all Evidence Experts to take a fresh look at Section 65B based on the above and the Punditrao judgement as well as the Anvar Judgement.

I would be glad to receive any further comments if any.

Naavi

Copy of Judgement

Posted in Cyber Law

Section 65B Certificate is mandatory says Supreme Court once again

We have discussed the Shafhi Mohammad judgement of the Supreme Court in the past through several articles (refer: The tragedy of Shafhi Mohammad). The matter came up for review in the case of Arjun Punditrao Vs Kailash Kushanrao, and the SC referred it to a larger bench on 26th July 2019.

Today the judgement in this case has been released; it has rightfully reversed the judgement of the two-member bench in the Shafhi Mohammad case and endorsed the earlier three-member bench judgement in P V Anvar Vs P K Basheer.

While a detailed analysis of the judgement can be taken up later, it is noted that the judgement reiterates that a Section 65B certificate is mandatory for the admissibility of electronic documents as evidence in a Court of law.

Naavi

Posted in Cyber Law