Dutch fine on Uber.. Is it justified?

The Dutch data protection authority recently imposed a fine of EUR 10 million on Uber Technologies for failing to disclose the full details of its data retention periods to its drivers.

In this context one has to question the decision from the point of view of whether the “Uber Driver’s Data” is “Personal Data” or “Business Data”. If it is considered “Business Data” then it should not come under the GDPR restrictions.

To answer this question, one has to look at the relationship between an Uber driver and Uber. If the driver is under an employment contract then he would be treated like any other employee.

Otherwise, if he is sharing a business commission, it is difficult to accept that the relationship is anything other than B2B. The driver as an individual is doing business with Uber, and in India we recognize him as a taxable entity distinct from the same individual paying personal tax of a non-business nature.

The data of the driver that comes with the driving license should therefore be considered “Business Contact Data” and “mandatory statutory data to be retained under law”. As business contact data it is outside the scope of GDPR/DPDPA. It could be considered mandatory data to be collected, bound by the terms of the agreement as a contract.

Any data collected by the driver of the passengers for the journey is data collected on behalf of Uber and it belongs to Uber and not the driver. The driver is a processor in this context.

DPDPA 2023 recognizes “Business Contact Data” as a concept in the context of the DPO, and hence it accepts that “personal-looking data” may actually be shared for a “Business Purpose”, which can be considered different from personal data shared for processing for a service.

For example, an Uber driver hiring another Uber car to reach home is a customer of the second driver, and the information he shares is for the purpose of travelling and is like personal data. But his own data with the Contracts department is to be considered “Business Data”. It is possible that Uber may run some welfare measures for the drivers; in that context the data may be considered similar to an employee’s personal data.

The classification of data as “Personal” and “Non Personal” may therefore depend on the context and purpose. This needs to be identified during compliance. The process oriented classification of data under DGPSI addresses this.

Please let me know your views.

Naavi

Posted in Cyber Law

Independent Director or Company Secretary should be the first respondents to DPDPA compliance

After August 11, 2023, DPDPA 2023, the Digital Personal Data Protection Act 2023, has become law in India. Though the notification of rules is pending, DPDPA 2023 as of today is considered “Due Diligence” and part of “Reasonable Security Practice” under Section 43A and Section 79 of ITA 2000.

The provisions of the Act are therefore considered effective as of now though the penalty clauses may not be fully relevant. However the Adjudicator under ITA 2000 has the powers to impose penalties if there is an adequate cause of action and may use the penalty table under DPDPA 2023 as a guidance.

To be fair, however, hardly any Adjudicator in India may be aware of this power, nor inclined to use it. So the companies who want to procrastinate can breathe easily for some more time. Assuming that the Modi Government comes back to power after the elections, the notification of rules may be on the first-100-day agenda.

Hence companies need to start working on compliance today.

If, however, we try to identify accountability at the corporate level for who has to raise the red flag first, it appears that only the CISOs/CIOs or GDPR-aware CCOs/designated privacy officers are the first to recognize the potential impact of the DPDPA, and they are trying to draw the attention of their Board towards sanctioning budgets for the next level of action.

Ideally it should have been the “Independent Directors” or the “Company Secretaries” who brought the need to initiate compliance action to the notice of the Board.

Given the importance of DPDPA compliance and the need to cover the potential penalty risk, the professional associations of Independent Directors and Company Secretaries need to draw their members’ attention to their specific responsibility in this regard.

Naavi


Posted in Cyber Law

“Product-DTS” -an evaluation of “Compliance Ready when in use” status under DGPSI

DGPSI (Data Governance and Protection Standard of India, the premier framework for DPDPA compliance in India) focuses on the compliance of Data Fiduciaries who process personal data collected from India. It includes compliance requirements under DPDPA 2023, ITA 2000 and the BIS standard for Data Governance.

A Data Fiduciary often conducts its business with the assistance of software suppliers, who may supply products or software services.

If the service provider provides the service exactly as prescribed by the DF, then he will be a Data Processor whose obligations are only to follow the instructions in the contract, and the compliance obligations are borne by the DF.

In many practical instances, the service provider does not reveal the complete details of the “Means of processing”, either because he treats them as his trade secret or because he is too big for the DF to negotiate with. Most cloud service providers fall into this category.

In such cases, the DF who determines the purpose of processing is not in control of the “Means of processing”.

Hence such data processors may carry the responsibility of a Data Fiduciary (DF) under the law, though we all may call them “Data Processors”.

DGPSI addresses this issue by defining the role of the service provider as a “Joint Data Fiduciary” and makes him directly responsible for the compliance.

In many cases the service of the service provider is contracted through dotted-line (click-wrap) contracts and not through negotiated contracts. Hence the DF is forced to pick a service available on the web by simply clicking the “I accept” button for the terms of service along with the privacy policy of the service provider.

In such cases the DF is expected to at least send a proper notice to the service provider that the DF treats him as a Joint Data Fiduciary for the purpose of compliance of DPDPA 2023 and tries to get an acknowledgement.

Going further, some DFs may request the service provider to produce an assurance in the form of an audit, such as an ISO 13485 audit for medical devices or an FDA CFR audit certification.

The same issue arises when an AI service is provided in the form of an algorithm or managed services.

DGPSI considers such sub-systems a “Compliance Entity” and expects each of them to be assessed separately for compliance with DPDPA, as if that sub-system were an enterprise by itself.

In such cases, the AI algorithm becomes the subject “Data Fiduciary” which is required to be compliant with DPDPA 2023.

Hence the AI algorithm has to be evaluated on the basis of:

  1. Who is the owner of the algorithm?
  2. What personal data elements does it collect, and from where?
  3. Is there consent or another established legal basis for processing?
  4. What is the evidence that there is a notice and consent?
  5. Who accesses the personal data, and why, at the time of processing or storage, as long as it is within the control of the algorithm?
  6. How are the rights of data principals fulfilled?
  7. How is the security of the data handled, and how does a “Breach” get recognized?
  8. How are other obligations, such as handling of cross-border restrictions, minors’ data and nominations, addressed by the algorithm owner?
  9. What do the contractual terms of use state in terms of the inter-se obligations of compliance?

The Data Trust Score mechanism of DGPSI evaluates these requirements against the parameters used for compliance and, through a weightage system, arrives at a score which is called the “DTS”. We have already discussed Web-DTS and AI-DTS as two concepts covering compliance of a website and of an AI algorithm respectively.

A similar system is now being applied to vendors of specific devices or services, to evaluate whether, during the lifecycle of the data processing that happens within the service, the obligations of DPDPA are complied with and, if so, how.

This evaluation can be done only if there is a specific context in which we are aware what type of data is collected and processed.

However, there will be some instances where a device or system supplier would like to claim that “When you use our products, you can meet your regulatory obligations”. This would be like evaluating a product for “Compliance Readiness When in Use”.

This compliance-ready evaluation has to assume a context that is representative of the most relevant use case and make its assessment on that basis.

“Compliance Ready When in Use” is therefore a DTS evaluation that represents the maturity of the product or service in addressing this issue. We may simply call it “Product-DTS” for easy reference.

When it comes to the evaluation of AI algorithms, DGPSI will draw from the EU AI Act to define the risk categories etc. Similarly, when it comes to medical devices, DGPSI will draw from ISO 13485. With such an approach, DGPSI will remain the unified approach for compliance not only at the “Data Fiduciary” but also at the “Joint Data Fiduciary” who is a contract partner of the Data Fiduciary.

Attend FDPPI training programs to discuss this further.

(Comments are welcome)

Naavi

Posted in Cyber Law

Mumbai High Court should apologize to citizens of India for their Kunal Kamra judgement.

As expected, Congress has used a “fake video” of Mr Amit Shah to falsely claim that Mr Amit Shah stated that if it comes to power, BJP will remove reservations for SC/ST etc. Actually he had said that BJP will remove the unconstitutional reservation given to Muslims on the basis of religion.

This was not a simple fake video like the Rashmika Mandanna case, which was a case of reputational damage to a celebrity. In another instance, Rahul Gandhi’s video was modified to remove the words about “Hindustan’s Ka …” when he was referring to redistribution of wealth. “Removal of some portions of the video” is also a fake video, meant to alter the meaning of the electronic document.

On the other hand the Amit Shah video included removal of a portion and re-arrangement to some extent.

I am certain that before the election is over, we will have an even more dangerous fake video in the name of Mr Modi himself, which may be created for the purpose of filing a complaint with the Election Commission. We will come to know only if such videos reach the public; if they are being circulated in private circles of voters, we may never come to know.

It is important that the NIA should take over the Amit Shah case and investigate, since this is a gross violation which includes Sections 66, 66C, 66D and 66F of ITA 2000 besides some IPC sections. It also involves conspiracy, since the video was distributed. Section 79 and Section 85 may also be invoked to fix the liabilities of the intermediaries who facilitated the distribution of the video.

Mr Revanth Reddy may not be directly responsible, but he definitely carries vicarious liability and should co-operate in the investigation.

The investigation should be carried out immediately (as is being done) so that culprits are put behind bars before the next phase of elections.

In this context I want to recall the Mumbai High Court judgement in the case of Kunal Kamra, where one judge did not see the danger of fake news and did not uphold the right of the Government to at least call out fake news distributed in respect of Government bodies.

Judges have their own biased views, and often their judgements are not based on neutral evaluation. The judgement in the Kunal Kamra case was one such instance, which was saved to some extent by one of the judges taking the right stand. But this was sufficient for the Supreme Court to stay further action by the Government, and for the media to keep blaming the Government.

Now the WhatsApp case is before the Court, and the lawyers are already speaking falsehoods and creating the ground for the Judges to give wrong judgements. I wish the Judges were aware that technology is not only being misused by people but is also being misrepresented in the Courts.

For example, WhatsApp is arguing that if it agrees to “identification of the original forwarder of a message”, it has to break the encryption and therefore the privacy of the message. This is a falsehood, and the petitioners have to be castigated for making such wrong claims.

Adding header information to an encrypted message is not breaking the encryption of the message. It may require some technology changes, but it is not to be considered impossible. Hence the Court should not accept this false argument.

Instead, Court should ask WhatsApp why their grievance redressal system requires customers to go to US courts/Arbitration and not settle it within the Indian jurisdiction and why they have different privacy policies for EU, US and India?

If WhatsApp threatens to leave India, it only shows their arrogance. To some extent the Courts are responsible for this arrogance, since the Supreme Court and several High Courts have honoured WhatsApp in the past with recognition of the blue tick etc. and have themselves become dependent on it.

The dependency of India on WhatsApp as a messaging platform is not desirable and is a national risk. Just as there was a movement against Zoom at one point of time (which was not fully justified), the monopoly of WhatsApp must be broken by encouraging indigenous solutions.

This should be possible even while preserving end-to-end encryption from user to user, which is more effective than the device-to-device encryption currently used by WhatsApp (with an ability for WhatsApp itself to decrypt if required).

The messaging platform needs to become a carrier of messages only, and whether the payload is encrypted or not should be the choice of the messaging parties. Use of two-key (public key) encryption between the parties should actually be more effective than the current device-to-device encryption.

Hopefully the Courts will treat these technology-related cases with an admission of their own ignorance and offer apologies when they make a mistake. One such apology is due from the Mumbai judge who did not foresee the dangers of fake news.

Naavi

Also read:

We Want License to Misinform?

Posted in Cyber Law

WhatsApp threatens Bharath : Great opportunity for indigenous firms

In a proceeding before the Delhi High Court challenging the Intermediary Guidelines, WhatsApp has threatened that if the Government of India goes ahead with the implementation of its Intermediary Guidelines, it may be forced to quit India.

WhatsApp is perhaps emboldened by the fact that the Indian Judiciary, including the Supreme Court, has been naive enough in recent times to judicially accept WhatsApp messages for serving Court notices etc., developing a dependency which would create some operational problems if WhatsApp quits.

The reason behind this is that the Government of India has, for security reasons, stated that if required, and if a proper notice is served, WhatsApp should be able to provide the origin of messages on WhatsApp. This does not need decryption of the message, only the header information.

It is possible that in certain cases decryption of messages may be required for national security reasons. In such cases, whether it is WhatsApp/Meta or Apple, there should not be an embargo that no such demand would ever be made.

At best, it can be made subject to a quasi judicial committee consisting of a special judge of Supreme Court along with the designated representatives of Meity and MOH for quick decision making in times of crisis.

According to this report in the Hindustan Times, Mr Tejas Karia, the counsel for WhatsApp, told the High Court that without the concurrence of WhatsApp, the Government of India has no right to introduce such rules.

The contention of WhatsApp, which is a commercial entity owned by a US citizen, is in principle unacceptable. It is a rebellion against the sovereignty of India. It has no such fundamental rights, and it has no right to represent Indian citizens on their fundamental rights merely to protect the commercial interests of the company.

WhatsApp has also threatened that

“Requiring messaging apps to ‘trace’ chats is the equivalent of asking us to keep a fingerprint of every single message sent on WhatsApp, which would break end-to-end encryption and fundamentally undermines people’s right to privacy,… and such an action could a message could disturb the peace and harmony in the country and could pose public order issues.”

The company has therefore admitted that a message, when traced, could pose public order issues, meaning that it was inherently a message meant to destabilize public order within a community. Its argument is that this conspiracy should be allowed to continue and not be exposed.

The Court should not only reject this argument but also castigate the company for having taken such a stand against the sovereign rights of the country.

In the meantime, Naavi.org has been suggesting that companies switch over to indigenous applications which may provide similar services in a “Cyber Law Compliant Manner”. There could be more than one such solution available, and we have come across one such application, called “Ledger Chat”, which provides the functionalities of WhatsApp within the Indian legal jurisdiction. Presently it is being used for corporate requirements and could be used by the Supreme Court or the High Courts.

Considering the volume of information to be handled in the public domain, the app can be used by other intermediaries, including network giants like Tata Telecom, to develop WhatsApp-equivalent services without riding on foreign powers like WhatsApp.

I hereby request Ledger Chat to

a) Implead in the suit in the Delhi High Court and present its product as a solution to replace WhatsApp.

b) Provide the solution to the Delhi High Court and the Supreme Court for their use, if necessary in association with a reputed company like Tata Telecom.

I request the advocates representing the Government not to yield to the WhatsApp arguments, as they have tended to do in the past. We are aware of the enormous financial muscle of WhatsApp to sway opinions, but we hope there are still enough nationalists left in the judicial system in India who will uphold that the country cannot be held to ransom by these companies.

I am aware that a bigger threat awaits if a similar stand is taken by Google and Microsoft, and we as a country have to be ready to meet such challenges.

Hopefully, if Modi is around, we can at least demand this from the Government, whether it is done or not. For advocates who represent such parties without remembering that their duty is to “Justice”, I would like to say that your first duty is to protect the nation, and representing a client is only secondary. For those advocates who still have an ethical mindset, kindly contact the LedgerChat company and offer to represent them in the Delhi High Court. Any IT solutions integrator who is interested in taking this solution to the Delhi High Court and the Supreme Court should also contact them and offer help. In case there are any other similar solution providers, they are welcome to contact Naavi.org so that their solutions can also be highlighted.

More info on LedgerChat is available here: https://ledgerfi.io/

Naavi

Comments Received and Our views

Comment 1: India may not be able to create a product at a global scale. Koo did not succeed.

Comment 2: Data security in messaging can be preserved through e2e encryption and WhatsApp is guaranteeing it. What is the need for putting 140 crores under surveillance by providing the option to break the e2e?

Comment 3: WhatsApp is used globally. The sender and receiver should both be using the same messaging app.

My Views:

I do not think that India cannot create a global-scale product. Our software engineers sit with other MNCs and create the products which today are considered global products. It is a journey and we need to support the Made in India initiative. The scaling up for global use depends on the network capacity and there could be issues that should be sorted out. Koo did not succeed because we did not support it. Had we supported it, and had Mr Modi and his team supported it, it could have succeeded. (Refer to various articles on Koo at naavi.org.) Finally, Twitter failed for its own reasons and sold out to X. X is trying to re-engineer the model and we need to wait and see how their model will succeed.

WhatsApp may have e2e encryption from device to device. What is important for us to recognize is that WhatsApp is lying when it says that the Government wants the encryption to be broken. What the Government has stated is that every message needs to have an “Origination ID” when it enters the systems in India. This means that the customers of WhatsApp should be tagged as “Indian” and “Non-Indian”. When a message is received by the Indian user, it should be assigned header information which contains the message ID. Any further forwarding of the message should identify “Message ID”, “From” and “To”. There is no need to break the message encryption. Hence “surveillance” of 140 crores does not arise. These are falsehoods circulated by WhatsApp and its lawyers.

Every messaging application, as a platform, wants both parties to be on the platform. But if customer@gmail.com can send a message to customer@hotmail.com, there can be a message exchange system that sends and receives messages across multiple messaging platforms. It may require some standardization, but it is not impossible.
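The header-based traceability described above (a plaintext “Message ID / From / To / Origin” header riding alongside an encrypted payload, here and in the Kunal Kamra post earlier on this page) can be shown in working code. The following is an added example written for this page; it is not WhatsApp’s protocol, not the Government’s specification, and not the author’s design, and it makes these assumptions: each pair of users already shares a symmetric key (as an end-to-end key agreement would give them; the key exchange itself is not shown), the encrypt-then-MAC construction built from HMAC-SHA256 stands in for a real AEAD such as ChaCha20-Poly1305, and the user names, keys and message text are constructed for the demonstration. The relay (the platform) holds no key; it logs only the headers, and from those alone it reconstructs the forwarding chain and the origin.

```python
import hashlib
import hmac
import json
import secrets

# --- stand-in AEAD: HMAC-SHA256 keystream + HMAC tag over (header || nonce || ct) ---
# Assumption: a real deployment would use an AEAD such as ChaCha20-Poly1305 with the
# header passed as associated data; the construction here is only for a stdlib demo.

def _derive(key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC keys from one shared key."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256(nonce || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, header: dict, plaintext: bytes) -> dict:
    """Encrypt the body and authenticate the plaintext header as associated data."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = secrets.token_bytes(16)
    aad = json.dumps(header, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return {"header": dict(header), "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

def open_envelope(key: bytes, env: dict) -> bytes:
    """Verify header+body integrity, then decrypt. Raises ValueError on tampering or wrong key."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce, ct, tag = (bytes.fromhex(env[k]) for k in ("nonce", "ct", "tag"))
    aad = json.dumps(env["header"], sort_keys=True).encode()
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("header or body tampered, or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

# --- client side: originate and forward; each hop re-encrypts for the next recipient ---

def originate(key: bytes, sender: str, recipient: str, text: str) -> dict:
    header = {"msg_id": secrets.token_hex(8), "origin": sender,
              "from": sender, "to": recipient, "hop": 0}
    return seal(key, header, text.encode())

def forward(in_key: bytes, out_key: bytes, env: dict, forwarder: str, recipient: str) -> dict:
    body = open_envelope(in_key, env)            # the forwarder is a legitimate recipient
    header = dict(env["header"], **{"from": forwarder, "to": recipient,
                                    "hop": env["header"]["hop"] + 1})
    return seal(out_key, header, body)           # msg_id and origin are carried forward

# --- platform side: the relay has no key, stores only headers ---

class Relay:
    def __init__(self):
        self.log = []

    def deliver(self, env: dict) -> dict:
        self.log.append(dict(env["header"]))    # ciphertext is passed through untouched
        return env

    def trace(self, msg_id: str):
        """Forwarding chain and origin for a message id, from headers alone."""
        hops = sorted((h for h in self.log if h["msg_id"] == msg_id), key=lambda h: h["hop"])
        chain = [(h["from"], h["to"]) for h in hops]
        return hops[0]["origin"] if hops else None, chain

def demo() -> dict:
    relay = Relay()
    k_ab, k_bc, k_cd = (secrets.token_bytes(32) for _ in range(3))   # constructed pairwise keys
    m1 = relay.deliver(originate(k_ab, "alice", "bob", "meet at 5"))
    m2 = relay.deliver(forward(k_ab, k_bc, m1, "bob", "carol"))
    m3 = relay.deliver(forward(k_bc, k_cd, m2, "carol", "dave"))
    origin, chain = relay.trace(m1["header"]["msg_id"])
    try:                                          # relay (or anyone without k_cd) cannot read the body
        open_envelope(secrets.token_bytes(32), m3)
        relay_can_read = True
    except ValueError:
        relay_can_read = False
    forged = dict(m3, header=dict(m3["header"], origin="mallory"))   # relay rewrites the origin
    try:
        open_envelope(k_cd, forged)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"origin": origin, "chain": chain, "relay_can_read": relay_can_read,
            "tamper_detected": tamper_detected,
            "delivered_text": open_envelope(k_cd, m3).decode()}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points are worth noting. Binding the header into the tag (associated data) means the relay can read and log the origin and forwarding fields, but cannot rewrite them without the final recipient’s verification failing; without that binding, a traceability header would be trivially forgeable in transit. The header’s origin field is, however, set by the originating client, so the scheme attributes a message to whoever first injected it into the platform, and a client that lies about itself has to be caught by account-level identity, not by the envelope.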

Naavi

Posted in Cyber Law

Sanatan Economics… A wonderful analysis

This video introduces a beautiful interpretation of economics and compares Capitalism, Communism and the unique concept which the speaker, Dr Ankit Shah, calls Sanatan Economics.

The video has emerged as a consequence of Rahul Gandhi’s concept of “redistribution of wealth”. But what has emerged is new knowledge which has application in many other fields.

The concept revolves around “Dharma” and “Karma”, that is, “Obligations” and “Duties”. The speaker also discusses how the “Temples” acted as an “Intermediary” to ensure that society followed Dharma, and how “Food Security” was ensured through the system of “Prasadam”.

I wish readers would not look at this as a political idea but appreciate the new concept.

Comments are welcome.

Naavi

Posted in Cyber Law