How Politicians are conspiring indirectly to bring a bad name to PDPB 2019

Yesterday we had the spectacle of Mr Arnab Goswami, the well-known journalist, being subjected to 12 hours of grilling by the Mumbai Police on an FIR against his utterances against Sonia Maino alias Sonia Gandhi, the leader of the Congress party.

What was noticeable in the day’s proceedings was that the two people who were arrested earlier for attacking Mr and Mrs Arnab Goswami were given bail by some Magistrate, probably because the Police chose to charge them on flimsy grounds. Mr Arnab Goswami’s complaint was on the lynching of two Hindu Sadhus in Palghar and the lack of investigation on the murder and the silence of the Congress leader.

Mr Arnab Goswami has developed his own brand of journalism, and his high-decibel complaining about the lynching in Palghar seems to have so rattled the Congress party that its supporters filed over 200 FIRs against Mr Arnab Goswami and ultimately took to attacking him in the dead of the night when he was returning from his studios.

The incident required to be condemned by all supporters of democracy, including those who are opposed to Mr Arnab Goswami. But the politicians have been mostly silent on the attack and the media also did not raise its voice.

At the same time Mr Arnab got a stay on the FIRs from the Supreme Court except one case in Nagpur and the Mumbai Police are trying to use this FIR to teach him a lesson. The lesson that he was required to be taught was not to raise his voice on Mrs Sonia Maino/Gandhi and for that purpose he was subjected to a 12 hour interrogation.

While the Police may justify that they needed to show some video footage etc and obtain his views, there was no need for the interrogation to continue for 12 hours. It could have actually been broken up and continued on the next day.

What this incident has shown is that Police in India remain the faithful servants of the politicians and at their beckoning can be made to drop sections on the assaulters and at the same time grill the journalist until he is tired and loses mental balance. We are all aware how Mrs Indira Gandhi imposed Press Censorship during the 1975 Emergency. What Sonia is trying to do is perhaps to follow in the footsteps of her illustrious MIL.

This may not be something new in India and we could have ignored it in the normal course. But the reason why we need to highlight this here is that this kind of behaviour of the Police creates distrust in them when we try to justify provision of some extra powers under law. The distrust of the police will translate itself into distrust of the Government.

We should therefore consider the impact of this incident on the discussions that are being held on the Personal Data Protection Bill (PDPB), where there are some exemptions provided to the Government and Law enforcement related to the protection of Privacy. The undersigned has on many occasions defended the right of the Police to conduct surveillance through CCTV footage and other means because security of the Citizens is an uncompromisable responsibility.

On the other hand there are people who are opposed to the PDPB stating that it gives too much power to the Government and/or Law enforcement. The current incident supports this viewpoint and shows how a State Government can make its Police dance to the tunes of a party controlling indirect power in the State. If this can happen in an incident like this, we can imagine that if the same party is in power in the Center, then laws like the Personal Data Protection Act and its objective of protecting the privacy of citizens would be kicked beyond the Hindu Maha Sagar into oblivion.

There are already many motivated articles appearing in pliable journals stating that PDPB will “Stifle the digital economy with overbearing regulations”. Today’s LiveMint carries one such article. This article has made the following remarks.

1. The pivot of the framework appears to be a domineering mandate to be given to a data regulator, structurally geared to intervene rather than facilitate.
2. The Bill has broad-based restrictions on the transfer of data overseas from India, which could hive our market off from the global digital economy.
3. The Bill seeks to protect privacy by way of what looks like a regulatory sledgehammer that imposes extensive compliance requirements with little aid to data protection.
4. Bill sets forth an inflexible framework that is bereft of any formal consultative rule-making process, which is likely to stifle innovation in the sector.
5. Substantial portions of the Bill are out of sync with international data protection practices, which could blunt India’s competitive advantage as a digital market.
6. The Bill also requires large players to have data protection officers physically located within India.
7. Instead of specifying broad legal standards, the proposed framework requires the Authority to lay down regulations of the one-size-fits-all kind.
(P.S: We would not now like to comment specifically on the points raised above as it is clear that the objections raised are not correct and the article is perhaps motivated by vested business interests, though it is the right of the author of the article to give out his views.)

Though this article does not mention the powers of the Government, the incident of Arnab becomes a huge vindication of the fact that people with power are difficult to trust if there is a bad master and a pliable servant.

Before the opponents of the PDPB start citing the Arnab Case and start arguing for dilution of the powers of the State and Law Enforcement under PDPB, it is necessary for the Government of India to instill some confidence in the system.

This requires the Central Home Ministry under Mr Amit Shah to come up with a suitable statement that any excesses of the Police on political considerations would not be tolerated. If they remain quiet, then the “Chilling Effect” of the Arnab grilling will ensure that at least in Maharashtra there will be an emergency of the Sonia era. This could hurt the PDPB passage in its present form also.

Naavi

You Tube ..hypocrisy when it comes to Freedom of Speech?

The above face is a familiar face to many on You Tube. This person has been posting many interesting videos, particularly of ancient archaeological sites in India, Cambodia and many other places, focussing on many interesting points which nobody else seems to observe.

He has a very discerning eye to spot indications of some peculiarities in the construction of ancient temples, many of which, like Hampi and Mahabalipuram, are well known to many tourists. But nobody else has found certain points such as the possibility of ancient builders having used technology for rock processing, the use of lathe type machines long ago, the possibility of aliens being depicted in the sculptures etc.

There is no doubt that some of his findings are very significant and the scientific community could very well do a research of their own either to prove or disprove his views.

It is also an observation that when he talks of many ancient Shiva temples and interprets the Shiva Lingam and the Gopuram of temples as a depiction of energy transmitters or communicators to the alien world, he speaks of Hindu tradition. Possibly thousands of years back only Hinduism was prevalent in these countries and hence only references to Hindu culture can be seen in these ancient temples.

I have viewed many of his videos and have not found any racist or communal thoughts in his publications.

But very recently, he published a video which he has called probably his last video, a link for which is presently available here.

In this video he has pointed out that many of his videos have been subjected to moderation and some have even been removed by You Tube for no discernible reason.

We have seen Twitter always supporting Pakistani and Anti Modi subscribers and allowing fake news to be promoted against India. Now a suspicion arises whether Mr Praveen Mohan is being blacklisted because he takes the name of Shiva in many of his recent postings. One of the recent postings highlighted a structure in Mahabalipuram which he has called the “Olakkaneshwara temple” and discussed how it could be a lighthouse built to guide ships approaching the coast.

He has indicated that this video was taken off by You Tube. It appears that it has been restored but it is not clear if other videos which he has referred to in his disclosure have also been restored.

But the incident indicates that there could be an anti India bias in the action of You Tube and perhaps they do not want thoughts which could re-write some of the historical concepts, ignore the developments in countries like India in ancient times, and consider that all scientific developments originated only from the West.

It is time we Indians bring it to the notice of You Tube that its actions are being watched. If it thinks that it can misuse its popularity to prevent content that supports Indian culture and heritage, then its credentials as a company from US which champions free speech will be severely dented.

The Indian Government has to take note of this development and seek an explanation from You Tube as to their commitment to free speech.

A similar question has also to be raised on GMail, which continues to hide the “Originating IP address of email senders” in e-mails received by GMail account holders, ignoring the right of an e-mail account holder to know from which IP address he has received an e-mail. The e-mail is a transaction between the sender and the receiver; GMail is only an intermediary under ITA 2000.

If this status of an intermediary has to be retained, GMail should not interfere with the communication that emanates from the sender’s computer and reaches the receiver’s computer. By changing the header information that starts its journey from the sender’s personal computing device, GMail is processing the information and not acting purely like an Intermediary. Hence it should lose whatever protection law normally provides to intermediaries.

Unfortunately in India our CERT-IN or the MeitY do not pull up companies when they behave illegally and irrationally and we tend to accept their actions as unquestionable.

Hope MeitY takes note of Mr Praveen Mohan’s complaint and also just as they reacted to Zoom with a project to develop an Indian counterpart, they should look for an Indian counterpart of You Tube.

Naavi


Changing Face of Cyber Threats to corporate entities

As the country has moved into the digital way of doing Business, Governance and conducting personal life, the threats of various kinds arising from the use of computers, mobiles and other devices that work on “Data” have only increased.

Technology persons often pursue their creative goal unmindful of the impact they cause on the society. Hence they often talk of “Disruption”. We as corporate managers and as users of technology therefore often confront the so called “Zero day vulnerabilities” that are exploited by hackers around the world to make money and commit all sorts of offences.

As a result, today we often find it difficult to trust content on a website, a message that comes in WhatsApp or Twitter, or even an email that lands directly with us. Nowadays, if we get a phone call which says “I am calling from the Bank”, instead of listening to it we are more concerned with ending the call because we do not know if even picking up a call will let some virus in.

The biggest threat that we face today is therefore “Lack of trust” in anything that comes to us as “Data”. So, it may not be “Data which is on the run”. Sometimes we have to run away from data.

Recently we came to know that the “Data” of one big company was attacked by a hacker group who first encrypted the data and made it unusable and further threatened to release confidential data to the public. They wanted payment of a big sum as ransom, that too to be paid in the currency of the criminals called Bitcoins.

“Phishing” continues to affect us, particularly importers and exporters who face impersonated messages such as “we have changed our Bank account.. please remit the invoice payment to another account instead of the regular account”. In one such case a big company in Saudi Arabia paid out Rs 190 crores to the fraudsters instead of to ONGC. We are also aware that many times money has been taken out of the Banks through the SWIFT messaging systems.

Every day we also hear about the losses common people face through GPay or other mobile payment systems.

These kinds of frauds appear simplistic and not as sophisticated as the Stuxnet attack on the Iranian nuclear system or North Korean attack on Sony corporate network, or DDOS attacks launched from CCTV cameras, robots made to drop material on shop floor to murder workers, Automated Cars being hacked causing accidents or Drones trying to hack into your systems by hovering around your wifi devices.

While we are struggling to tackle such technology related attacks, the advent of a new law in India called the Personal Data Protection law is making the life of the corporate manager more complicated because the law expects you to take pro-active steps to prevent frauds, failing which, even when there is no attack, hefty fines may be imposed on the corporate.

This new development is coming in the form of “Personal Data”, which is a subset of the “Data” and is like the “Hazardous inventory” you may have in your godown. It may look small in quantity but the drums of those explosive chemicals require greater attention than the tonnes of steel which you can leave in the open space without much of a security risk.

The cyber threats like ransomware have moved from “Encryption” to “Threat to release the information” because release of personal information could be more damaging to a company than not being able to decrypt the information that is locked up.

The threats are therefore changing their nature and companies have to recognize that, apart from protecting data from being unauthorizedly accessed, modified or denied access, threats such as “Non Availability of Consent”, “Use of data for purposes other than for which they were collected”, “Retention of personal data beyond the expiry date” etc can become more damaging.

Hence organizations need to change their outlook on defining what is a “Cyber Incident” and how they have to respond to a Cyber incident involving potential personal data loss.

The advent of the new law means also new responsibility centers in the organization along with the conflicts between the senior executives whose area of influence is getting disrupted.

The CEOs therefore have the challenge of both shielding against the known cyber threats and bringing about a transition of the organization to recognize the need to change the focus of security from “Protecting Data” to “Protecting the so called privacy rights of an individual”, which may require a complete overhaul of the business architecture.

The days for business managers are therefore challenging and exciting.

Naavi


Data On the Run… Panel Discussion at MMA Chennai

www.liveibc.com/mmalive

www.facebook.com/mmachennai
www.youtube.com/madrasmanagementassociationchennai

In case you need any further assistance contact MMA Chennai:


Sprinklr Privacy Policy may be inadequate for data protection

The PIL filed against the Kerala Government and Sprinklr in the Covid patient data processing contract has brought before the Kerala High Court one of the first real tests of the Privacy Protection principle in India.

The Court has in its preliminary hearing passed several injunctions against the US company Sprinklr raising questions on the privacy protection of the patients. The Court has set the next hearing by 18th May 2020.

We need to note that India is on the threshold of passing its own Privacy protection law and soon thereafter there will be discussions with the GDPR and other international regulators about the “Adequacy” of the Indian privacy protection regime. For this consideration, apart from the law as passed, the attitude of the Courts will be an important factor. Hence the way the Kerala High Court decides in this case will determine if the Indian judicial system respects privacy adequately or not.

The order therefore requires to be studied on some of the academic points that it raises.

Copy of the order

This case has arisen because the Kerala Government entered into a contract with Sprinklr, an online data processing company, to process the Covid patients’ data. It has been challenged on several grounds and what we are interested in is the privacy issues that have come up for discussion.

The issue here is that the data sought to be processed by Sprinklr is “Sensitive Personal Data” and there is an issue of “Reasonable Security Practice” and “Due Diligence” under ITA 2000 (Section 43A). Since the Personal Data Protection Bill 2019 (PDPB 2019) is sought to be a direct replacement of Section 43A, the reasonable security practice may be currently considered as the compliance requirements as stated in the PDPB 2019. Hence we need to evaluate the arguments on whether Privacy Protection is adversely affected or not by the contractual arrangement with reference to PDPB 2019.

In this connection, the Data Protection obligations, the Rights of the Data Principal, the mandatory explicit consent, the restrictions on transfer of personal data outside India, the security requirements etc become relevant.

At the outset we need to identify that the information on Covid is “Sensitive Personal Information” and hence it requires “Explicit Consent” for processing and transfer out of India.

The Court has spoken of the need for “Confidentiality” and “Anonymization” that also need to be discussed.

According to the defense of Sprinklr,

a) The confidentiality of the data of the citizens is guaranteed as per the terms of the contract.

b) The State Government has undertaken to take full responsibility for its protection

c) Available protection systems on the Amazon cloud service make it impossible for Sprinklr or anyone else to breach confidentiality or to deal with the data surreptitiously or maliciously.

d) Sprinklr does not hold any data at present and has transferred all such data back to the Kerala Government.

e) Data resides in India and hence any breach of its confidentiality will expose Sprinklr to action in India and hence the standard form clause of jurisdiction in USA should not be objected to.

The MeitY has argued that Sensitive personal data should always remain in India and also that the data should be anonymized before it is handed over to the processors. It has also rightly insisted that the data which was transferred earlier should be confirmed as having been purged by the company.

Considering the current status where the Court does not want to adversely affect the Government’s efforts in controlling Covid, the Court has decided to take an interim view only on ensuring the confidentiality of the data and take up a detailed hearing later on.

The injunctive relief granted by the Court is therefore under this consideration that Confidentiality of the data has to be maintained.

The approach of the Court is to be appreciated that they have tried to take a balanced view and rejected most of the contentions of Sprinklr without taking any drastic step that could adversely affect the Covid prevention efforts of the Government.

But when the case is heard in detail the defense provided by Sprinklr will come for a detailed scrutiny. In this regard, its Privacy Policy, the Terms and conditions, the Data Protection Addendum, the GDPR privacy by Design policy will all come for scrutiny.

There is a possibility that between now and the next hearing, Sprinklr may make changes in its website policies which will amount to tampering with the evidence. Hence all these documents have been archived by CEAC and any changes, if attempted, will be provable as tampering of evidence.

From a first glance at these documents, it appears that the defense of the company that it follows international standards of data protection and hence nothing can go wrong may not be a tenable argument. There is enough indication that the documents are only statements of intent which do not seem to be reflected in the actual implementation. The information so far available in the news reports is sketchy and if the company is subjected to intense cross examination, it may be possible to bring out more inconsistencies to prove that they do not have any credible evidence to substantiate their defense.

It will be interesting to observe how both sides take the case from here. We would refrain from more discussions at this stage for reasons of propriety. If however a need arises in the coming days, more points may be taken up for discussion.

What we are interested in is observing if the Court will impose a heavy penalty as envisaged in PDPB 2019, which is also consistent with the GDPR which the Company swears by. The penalty to be imposed has no relation to the fact that the sensitive personal data has now been returned or that the Company has deferred the receipt of remuneration by 6 months. We know that “Data” has value and just as Crude oil can be sold at -37$ per barrel, it is not impossible to think that “Data” can be bought at “Zero” value for the hidden benefit it represents.

Also the attempt to justify the jurisdiction clause which requires Kerala Government to raise its disputes if any in New York is laughable to say the least. If a dispute arises, the company would definitely raise the jurisdiction clause and stall any proceedings in India.

I wish the company was more straightforward than to claim that the jurisdiction clause does not matter. If so, it will be a great precedent to all other customers of Sprinklr and other service providers to simply ignore the jurisdiction clause and proceed in India.

It is open to the Court, however, to accept the admission of the company that since data is stored in India, the company can be sued here. The Court can confirm that since the Contract is a standard form contract, and it is not supported by authentication by digital/electronic signature, it has only the status of an implied dotted line contract and hence the jurisdiction clause deserves to be rejected as an “Unconscionable clause”.

This will help many others and also provide a new reason for imposing data localization in the PDPB 2019 since it helps in overcoming the inconvenient jurisdiction clause. If the company retracts on this argument as they are likely to do, then the current argument will be considered as an attempt to mislead the Court.

It is also strange that the Company is arguing that the State Government is indemnifying the Company by taking “full responsibility”. If so, it is another point that proves that the contract is unfair to the Kerala Government.

Another point which the Company seems to forget is that in “Personal Data Protection”, ensuring “Confidentiality” is only one aspect. It is an information security issue and is a necessary but not sufficient condition of the data protection obligation.

What is more relevant in data protection is that beyond securing the confidentiality, integrity and availability of personal data there are other aspects of consent, rights, the lawfulness of the processing etc.

Hence just because the data is protected (we are not aware if the Amazon cloud data was actually encrypted), it does not mean that all obligations of data protection are fulfilled. Also just because no data breach has occurred now, we cannot say that the contravention of the privacy right cannot be recognized.

Hence the last word has not been said in this case. We hope that the High Court stands up to the principles and comes to a good conclusion without succumbing to the defense of “urgency” etc.

Naavi


Sprinklr Kerala Government contract: Personal Data Protection under test

It is reported today that the Kerala High Court has ordered that the Kerala Government was wrong in getting the personal data of Covid patients processed with Sprinklr without de-identifying the personal data. It has also ordered that the patients are to be notified by the Government.

The Kerala Government had appointed the US based service provider for analysis of Covid patients’ data, which ran into a political debate of nepotism as well as a debate on the infringement of privacy of citizens. We can leave the political controversy aside and focus only on the issue related to the Privacy of the patients.

In this case, the Kerala Government was a customer of Sprinklr and used the Software as a Service (SaaS). Data was provided to Sprinklr initially directly on their website and later by the Kerala Government from its website. Processing was done by the Sprinklr engine, which must have worked from the US, and then the processed information was stored either in the US or on other servers.

The highlights of the order passed today by the Kerala High Court include the following:

    • Kerala Government should anonymise all data collected from citizens with respect to COVID-19 before allowing Sprinklr access to the same. This must be done with respect to all data collected in future. Sprinklr should be given access only after the data is so anonymised.
    • Sprinklr has been injuncted from committing any act which will be directly or indirectly in breach of the data confidentiality entrusted to them under the contract with the Kerala Government. They shall not disclose/part with the entrusted data to any third party entity anywhere in the world.
    • Sprinklr should not deal with data entrusted in conflict with the various confidentiality clauses/caveats. They will forthwith entrust back all such data to the Government of Kerala as soon as the contract is completed.
    • As per the Kerala Government’s submissions, the Court was informed that no data is presently remaining with Sprinklr. In view of the same, the Kerala High Court ordered that any secondary data lying with Sprinklr is to be entrusted back to the Government of Kerala and that this shall be treated as a peremptory direction.
    • Sprinklr has been injuncted from advertising or representing to any third party that they have access to any data relating to COVID 19 patients or persons vulnerable/susceptible to the disease.
    • Sprinklr has been ordered not to use or exploit any such data for any commercial benefit. Sprinklr shall deal with such information maintaining full confidentiality of the Kerala citizens whose data is collected.
    • Sprinklr is not to use the data collected and not to use the name or official logo of the Government of Kerala.
    • The Kerala Government has been directed to inform every citizen from whom data is taken that such COVID-19 data is likely to be accessed by Sprinklr or a third party. Their specific consent for the same should be obtained in the necessary form before data collection.

While issuing these directions today, the Court emphasised that it was doing the same with the singular intent of “ensuring that there is no data epidemic after the COVID-19 epidemic is controlled”.

The service involved sharing of the Covid patient’s data which is “Sensitive personal data” under ITA 2000 (amended in 2008) as well as any norms that can be traced to the forthcoming Personal Data Protection Act in India or the prevailing global norms of GDPR.

Though the Company is a US company, it is bound to follow the principles of “Reasonable Security Practices” under Section 43A of ITA 2000/8. The Company is also expected to follow “Due Diligence”, which is “following such practices as a prudent person would follow under similar circumstances”.

As of 25th April 2020, a prudent organization in India dealing with “Sensitive personal information” would consider the provisions of the Personal Data Protection Bill 2019 as the guidelines of privacy to be followed as due diligence.

The Kerala Government is also obliged to consider the Justice Puttaswamy judgement declaring Protection of Privacy to be a fundamental right of an Indian citizen.

More importantly, the Kerala High Court itself in the Oomen Chandy Case (WP(c) No 40775 of 2017) has said:

“The newly recognized fundamental right to privacy, which takes within its fold the right to protect one’s reputation as well, would merit classification as a fundamental right that protects an individual, not (only) against the arbitrary State action, but also from the actions of other private citizens, such as the press or media,”..

Hence both the Kerala Government and Sprinklr were bound to recognize the Privacy protection guaranteed under the Puttaswamy judgement and to initiate Privacy protection measures in the collection, processing, storing and disposal of the sensitive personal information.

In the Indian context, the Privacy law may be new to the Kerala Government but Sprinklr is claiming that its services are “GDPR Compliant”. Hence Sprinklr was fully aware of the sensitivity of the information being processed and, even if the Kerala Government was not conversant with the privacy laws in general, should have cautioned the Government on how to address the issue.

The first thing that comes to everyone’s mind is the “Consent” from the patients. There is also the question of possible transfer of data out of India either for storing or for processing, for which an “Explicit Consent” was required to be called for by Sprinklr even if the Kerala Government was not aware.

Further though the Government can claim exemption for “Medical Emergency”, the exception under PDPA applies only to an entity such as a hospital transferring the patient data for the purpose of medical treatment etc and not for Big Data analytics which can be done by many Indian companies.

Further, Indian PDPA goes beyond the “Consent” related constraints and holds the person who collects and processes the personal data in a capacity of a “Data Fiduciary” meaning a “Trustee” who has to protect the privacy of the data principal as per the Puttaswamy judgement principle. Hence no implied consent with concessions for transfer of data to a US entity can be presumed as “Due Diligence”.

In the instant case, both Kerala Government and Sprinklr are “Data Fiduciaries” since the purpose and means of processing is determined more by the SaaS company than the Kerala Government which is the user of the service under the terms and conditions under which the Sprinklr service is on offer. (Though the Data Protection Addendum on the website makes the Kerala Government the Controller and Sprinklr the Processor. In that case the data protection clause should have been directed by Kerala Government to Sprinklr which certainly is not the case here.)

As per the statement of one of the advocates representing the Kerala Government, it is claimed that the Company has a privacy policy and follows international data protection norms ensuring a high level of confidentiality of data. It is stated that the data was stored in an encrypted form in Amazon cloud in Mumbai. If this contention is proved by evidence, it can prove that one copy of the data was perhaps stored in India. While the security of the information might have been secured against further breach because of encryption, the disclosure of the data to the service provider is still outside the consent mechanism.

The High Court has taken note of this in its order and come to an opinion that it was wrong for the Kerala Government to have shared the information with the SaaS provider without “Anonymization”. (We presume the Court was referring here to Pseudonymization or de-identification).

A quick glance at the Website of Sprinklr.com indicates that it uses several sub processors for processing work, and makes a mention of GDPR and CCPA. However it does not mention compliance with ITA 2000/8 nor any Indian privacy laws.

Whether the policies which are declared on the website are operative or not can only be tested if data principals in India send requests for personal data processed and seek portability of the data or the right to forget. The company will most probably reject any such requests under some excuse.

As regards the cross border transfer, the policy does not even recognize that it is in operation in India and hence the possibility of its compliance with Indian laws is clearly absent. It clearly says that it offers its clients the option to host the data in USA and Europe and there is no mention of the storage in Mumbai.

Without going too deep into an analysis it can be considered that Sprinklr is not in compliance with Section 43A ITA 2000/8 and it has rushed to the processing because the business opportunity fell into its lap.

Now that the Kerala High Court has caught the privacy related shortcomings in the process, it is necessary for Sprinklr to immediately stop receiving identified personal data of the patients, which is anyway not required for the purpose for which the data is being shared with them. The analytics that they may do has no relation to the identity of the person by name and hence it should immediately agree to an intermediary like NIC conducting a “De-identification” process before the data is handed over to Sprinklr.

Simultaneously Sprinklr should transfer the processed data up to date to a custodian like NIC and purge all related data in all its servers and provide appropriate evidence of the erasure.

There is therefore no logic for the Kerala Government or Sprinklr to take any excuse to process the identified data. They need to immediately engage the services of another intermediary trusted in the Indian environment, such as NIC or CDAC, to put together a de-identification-re-identification framework to continue further processing.

NIC should be more than capable of this exercise and if not there would be a number of software companies in India who can do it.
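
The de-identification/re-identification arrangement suggested above, sketched as an added example (not code from the court order, Sprinklr or NIC): a custodian replaces direct identifiers with keyed pseudonyms before records reach the processor, and only the custodian can map a flagged token back to a patient. The field names, the sample records and the age-band generalisation are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed field names; the page does not describe the actual data schema.
DIRECT_IDENTIFIERS = ("name", "phone", "address")
LINK_FIELDS = ("name", "phone")  # fields that decide "same patient"

# Constructed sample records (not real data). Rows 1 and 3 are one patient.
SAMPLE_RECORDS = [
    {"name": "Asha Nair", "phone": "9000000001", "address": "12 Beach Road",
     "age": 67, "district": "Kollam", "symptoms": ["fever", "breathlessness"]},
    {"name": "Biju Thomas", "phone": "9000000002", "address": "4 Hill View",
     "age": 34, "district": "Ernakulam", "symptoms": ["cough"]},
    {"name": " asha NAIR", "phone": "9000000001", "address": "12 Beach Road",
     "age": 67, "district": "Kollam", "symptoms": ["breathlessness"]},
    {"name": "Chandran K", "phone": "9000000003", "address": "7 Temple Lane",
     "age": 71, "district": "Kollam", "symptoms": ["fever"]},
]


class Custodian:
    """Trusted intermediary: holds the key and the re-identification vault."""

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)
        self._vault = {}  # token -> direct identifiers; never sent onward

    def _token(self, record):
        # Keyed pseudonym (HMAC-SHA256): stable per patient so repeat reports
        # link up, but not recomputable without the key. A plain hash of a
        # phone number could be reversed by hashing every possible number.
        ident = "|".join(str(record[f]).strip().lower() for f in LINK_FIELDS)
        return hmac.new(self._key, ident.encode(), hashlib.sha256).hexdigest()[:20]

    def deidentify(self, record):
        """Return the only view of a record that is handed to the processor."""
        token = self._token(record)
        self._vault.setdefault(token, {f: record[f] for f in DIRECT_IDENTIFIERS})
        low = (record["age"] // 10) * 10  # generalise exact age to a band
        return {"token": token, "age_band": f"{low}-{low + 9}",
                "district": record["district"],
                "symptoms": list(record["symptoms"])}

    def reidentify(self, token):
        """Custodian-side lookup, e.g. so health workers can contact a patient."""
        return self._vault[token]

    def purge(self):
        """Destroy key and vault: shared tokens can no longer be mapped back."""
        self._vault.clear()
        self._key = None


def processor_analytics(rows):
    """Runs at the processor, which sees tokens and generalised fields only."""
    patients_by_district = {}
    follow_up = set()
    for r in rows:
        patients_by_district.setdefault(r["district"], set()).add(r["token"])
        elderly = int(r["age_band"].split("-")[0]) >= 60
        if elderly and "breathlessness" in r["symptoms"]:
            follow_up.add(r["token"])
    counts = {d: len(tokens) for d, tokens in patients_by_district.items()}
    return counts, sorted(follow_up)


def leaks_identifier(rows, originals):
    """True if any direct identifier value appears in the outbound rows."""
    blob = repr(rows).lower()
    return any(str(o[f]).strip().lower() in blob
               for o in originals for f in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    custodian = Custodian()
    outbound = [custodian.deidentify(r) for r in SAMPLE_RECORDS]
    assert not leaks_identifier(outbound, SAMPLE_RECORDS)
    counts, flagged = processor_analytics(outbound)
    print("distinct patients per district:", counts)
    for token in flagged:  # only the custodian can resolve a token
        print("follow up:", custodian.reidentify(token)["name"])
```

The processor can still count distinct patients and flag cases for follow-up, while the key and vault that link a token to a person stay with the custodian.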

It would be interesting to see how the case develops further and whether the Court takes any cognizance of the principles of privacy protection that have been included in the upcoming privacy act.

In the next hearing we hope that the Court will place a substantial fine both on the Kerala Government and Sprinklr on the lines suggested in the PDPA Bill 2019, which is Rs 5 crores for the Kerala Government and up to 4% of the global turnover of Sprinklr. This will be in addition to the personal relief that can be claimed collectively by the data principals.

Naavi

(P.S: This is a quick comment based on the news reports that have just appeared. More may follow)
