An Explanation that dilutes the law… NIPC-2

Section 335 of the New IPC covers “Making of false document” and includes “Electronic Document”. Section 4 of ITA 2000 already extended any law that applied to a paper document to the electronic document, so there was no need for the NIPC to reiterate this in multiple sections. At best, one reference under the definition clause, referring to Section 4 of ITA 2000 and stating that whatever provisions applied to paper documents also applied to electronic documents except where specifically excluded, would have sufficed. However, without understanding the benefit of the bridging clause in Section 4 of ITA 2000, the New IPC states time and again the applicability of a section to electronic documents.

One such reference is found in Section 335, Explanation 3, which states:

For the purposes of this section, the expression “affixing electronic signature” shall have the meaning assigned to it in clause (d) of sub-section (1) of section 2 of the Information Technology Act, 2000.

This explanation restricts the meaning of “Electronic Forgery” and limits it to digital/electronic signatures under Section 3/3A of ITA 2000.

We may recall the case of The Government of Tamil Nadu Vs Suhas Katti which was historically the first case of conviction under ITA 2000 where “Writing the name of a different person below the message text was considered as Forgery”. This would now be available under Section 336 under the new IPC.

Your comments?

Naavi

Posted in Cyber Law | Leave a comment

Can “Stalking” be gender neutral?..NIPC-1

The passage of the three Bills, which we can refer to as the New IPC, New CrPC and New IEA for easy understanding, is a momentous development which is nothing short of “Revolutionary”. In such a massive exercise there are bound to be many missed opportunities. These missed opportunities need to be spotted and flagged for future amendment or reading down by the Court. This is the process of development of “Jurisprudence”. Naavi.org will be trying to place its observations from time to time to flag such issues, starting with this.

Naavi

Section 78 of the New IPC (Bharatiya Nyaay Sanhita or BNS 2023) states:

  1. (1) Any man who—
    (i) follows a woman and contacts, or attempts to contact such woman to foster
    personal interaction repeatedly despite a clear indication of disinterest by such woman; or
    (ii) monitors the use by a woman of the internet, e-mail or any other form of
    electronic communication,
    commits the offence of stalking:
    Provided that such conduct shall not amount to stalking if the man who pursued it
    proves that—
    (i) it was pursued for the purpose of preventing or detecting crime and the man
    accused of stalking had been entrusted with the responsibility of prevention and
    detection of crime by the State; or
    (ii) it was pursued under any law or to comply with any condition or requirement
    imposed by any person under any law; or
    (iii) in the particular circumstances such conduct was reasonable and justified.
    (2) Whoever commits the offence of stalking shall be punished on first conviction with
    imprisonment of either description for a term which may extend to three years, and shall also
    be liable to fine; and be punished on a second or subsequent conviction, with imprisonment
    of either description for a term which may extend to five years, and shall also be liable to fine

It may be observed that the section covers “Cyber Stalking” also.

A question however arises whether “Stalking” is only a phenomenon that applies to a “Man” who follows a “Woman”. Would it not have been better, in the days of “Honey Trapping”, to make this section “Gender neutral”?

Under Section 2(10), the Act states:

(10) “gender”.—The pronoun “he” and its derivatives are used of any person,
whether male, female or transgender.

There is however a conflict under section 2(19), which states: (19) “man” means male human being of any age;

Jurisprudence demands that this definition 2(10) may be used to consider Section 78 as gender neutral.

Comments are welcome.

Naavi


Four Key Bills Passed by Lok Sabha

On 20th December 2023, Lok Sabha passed the following 4 key Bills:

1. Bharatiya Nyaay (Second) Sanhita, 2023 (Replacement of IPC 1860)

2. Bharatiya Nagarik Suraksha (Second) Sanhita, 2023 (Replacement of Criminal Procedure Code 1973)

3. Bharatiya Sakshya (Second) Bill, 2023 (Replacement of Indian Evidence Act 1872)

4. Telecommunications Bill 2023

The Bills will be discussed in Rajya Sabha on 21st December 2023.

After the Bills become an Act, there would be a huge disruption in the legal scenario in India. The Telecom Bill along with ITA 2000, DPDPA 2023 and the upcoming Broadcasting Services (Regulation) Bill 2023 (unlikely to be passed in the current Parliament) will be relevant for the study of Cyber Laws in India. We shall discuss this in detail in due course.

It is to be noted that the Bharatiya Nyaay Sanhita (New IPC) would be applicable to any offence committed by any person in any place without and beyond India that targets a computer resource located in India. This complements and extends the jurisdiction over Cyber Crimes to beyond India.

Cyber Crime would be considered (Section 111) as an organized crime with relevant consequences.

Section 63 of the new Evidence Act will be replacing Section 65B of the old act. Additionally some more changes have been made which will be discussed in a separate article.

Naavi


Guardians of Privacy is meant to be a Transformation Agent

The book, Guardians of Privacy, is not another book on DPDPA 2023. It is meant to be a Transformation Agent for those who are today looking at GDPR and trying to understand DPDPA 2023, or looking at ISO 27701 and looking for compliance under DPDPA 2023.

There is a set of CIOs, CISOs or CEOs who have not looked at the concept of Privacy seriously enough to understand the obligations of being a “Data Fiduciary” and who need to go through the drill of understanding the concept of privacy and how it relates to the concept of Personal Data and the DPDPA 2023.

Law impacts society not only through what is written in the “Act” but also through the interpretation that has been provided, and is likely to be provided, by the Judiciary. Presently the law of data protection in India is present in the form of “ITA 2000” and “DPDPA 2023”. It will get expanded when the rules are notified by the Government.

The Judiciary has already spoken a lot on the concept of Privacy. The Puttaswamy Judgement was a watershed moment in India, declaring that Privacy is a fundamental right. It also expanded the meaning of Privacy through the individual detailed judgements which formed the “Obiter dicta”. The views expressed focussed on Privacy as a right as well as on Information Privacy, which was specifically mentioned. It will take some time for the Judiciary to expand on these concepts and on how Information Privacy in practice needs to be handled by the industry. This “Privacy Jurisprudence” will develop over time, and it is the duty of experts to keep building up these Jurisprudential thoughts.

In the meantime, practitioners in the industry are looking at implementation of Information Privacy in a manner that they would remain compliant with the law. However the translation of law into implementation practice in an IT environment is a challenge to most technological people.

It is here that the title “Data Fiduciary” used in the law assumes importance. In GDPR, the comparative word used is “Data Controller”. One can control what is handed over to him to control. The GDPR therefore considers that “Personal Data” handed over to it by a Data Subject can be “Controlled” as desired by the data subject or as permitted under law.

One can recall the Privacy Standard under HIPAA which stated that “A covered entity or business associate may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter.” The law then went into the details of how the act can be implemented. Hence this law was a self contained implementation framework.

However, DPDPA 2023 as well as GDPR do not have detailed prescriptions. The operating part is defined under words such as “Reasonable”, “Necessary and Proportionate”, “Risk Based” etc. This leaves a lot of responsibility to the implementation agency.

In this respect, Indian law goes a step further than GDPR by choosing to replace the Data Controller with a Data Fiduciary. This nomenclature essentially means that “Personal Data” is a property entrusted to the Data Fiduciary, who is a “Trustee” with a certain objective. A trustee is bound by the objective of the trust and not necessarily by the written instructions. In view of this, even where a “Consent” is taken, if a certain action is not in the interest of the beneficiary (Data Principal in this context), the Trustee (Data Fiduciary in this context) has a duty to protect the interests of the Data Principal.

In discharging this obligation, Privacy Jurisprudence may have to define what is the “Beneficial Interest” that needs to be protected.

While the Act only talks of “Reasonable Safeguards”, the “Safeguards” themselves may have to be determined on the basis of “Risks”, the “Risks” depend on the “Risk”, and “Risk” depends on what the law expects as “Privacy”. This takes us back to the Judicial interpretation of “Privacy”, though DPDPA 2023 meticulously avoids the word.

It is in this context that the Guardians of Privacy as a book tries to identify a “Compliance Framework” in the form of Digital Governance and Protection Standard of India (DGPSI) which is an attempt to capture the requirements of how a Privacy Protection System can be put in place, can be audited and assessed.

While the book discusses the top line requirements of the standard framework in the DGPSI-Lite and DGPSI-Full versions, the consultants are expected to absorb the concepts of the framework and design their own templates for implementation.

With the three components of Law, Governance and Audit, this book is expected to be an instrument for transformation of present ISO 27001 auditors into Data Auditors and present ISMS/PIMS systems to DGPMS.

In the coming days there could be updates for the book which will be not only because of the rules to be notified but because of other developments. We shall try to keep the readers suitably informed either through a supplementary E-Book or through a new edition.

Naavi


Guardians Of Privacy …Book

During the Sociawood congregation in Hyderabad on 17th December 2023, Naavi’s book…Guardians of Privacy was officially made public with the initial copies being given away to some of the dignitaries.

The book has discussions on

  1. Privacy, Emergence of the concept in India and DPDPA 2023, useful for those who want to study DPDPA 2023 as the law of data protection in India
  2. Concept of Data and Data Protection for Business Managers and the emerging BIS standard for Data Governance
  3. The “Data Audit” under ISO 2700, ISO 27701 and the unique DGPSI, Digital Governance and Protection Standard of India.

More on this would be presented in due course.

Naavi


Aadhaar Based Consent for Minors…Will it be in conflict with the Supreme Court ruling?

It appears that the delay in the announcement of rules under DPDPA 2023 is partly due to the hesitancy of the Government to take the lead in defining the rules, depending instead on the Big Tech to tell how they are to be regulated.

It appears that the Government is holding closed door discussions with the industry, a euphemism for the Big Tech lobby, before finalizing the rules.

As per this report in Indian Express, the Government is likely to adopt an Aadhaar based age determination system to identify minors and the need for parental consent. However, this may conflict with the Supreme Court decision which restricted the sharing of Aadhaar information with the private sector.

The proposed regulation of using Aadhaar may require both the Aadhaar of the minor and that of their parent/s to be shared with the private sector.

We need to wait and see how the rules will overcome this conflict.

It may be easier to use “Consent Managers” as the gate keepers for minor’s data and regulate the Consent Manager in accordance with the Supreme Court regulation.

We may however caution that it is inappropriate for the Government to depend on the industry for advice on the implementation of DPDPA 2023 knowing fully well that the industry would only look at their self interest first.

Industry will be happy to be permitted to collect Aadhaar information of every user so that they can identify who is a minor and who is not so that they can thereafter decide who has to give consent.

It may be possible to make this a “Voluntary” proposal from the user, but it is fraught with the risk of the complete Aadhaar database officially coming to be disclosed to the private sector data fiduciaries.

Instead, developing a Consent Manager who could use Virtual Aadhaar and provide Minor Consent mandatorily through such consent managers would be a more meaningful proposition.

Naavi
