Will TDSAT hold its hearings through Video conferencing?

Telecom Disputes and Settlement Appellate Tribunal (TDSAT) is a body created initially for settling disputes in the Telecom sector. However, the Finance Bill 2017 has changed the character of TDSAT by merging into it the Cyber Appellate Tribunal (CyAT), which was set up under ITA 2000 to hear appeals from the Adjudicating Officers all over India and from the CCA.

TDSAT was set up under TRAI Act 1997 (as amended) and exercises both original and appellate jurisdiction. CyAT on the other hand exercised only an appellate jurisdiction and not original jurisdiction.

TDSAT does not seem to have issued separate rules for handling cases transferred from CyAT, and it may do so at some time in the future. In the meantime, the existing law and the rules regarding TDSAT may be considered as continuing.

In CyAT, the appeal filing fee was Rs 2000/- and no fee was fixed for miscellaneous applications. TDSAT presently prescribes a fee of Rs 5000/- for petitions and Rs 1000/- for miscellaneous applications. CyAT required 6 copies of petitions to be submitted, while in TDSAT 5 copies may be sufficient, but one additional copy is required to be given to the counter party.

TDSAT procedures include a specific “Mediation Procedure” which may be referred to the mediation center of the tribunal. The Mediation Center charges a nominal fee of Rs 1000/-. The fees of the Mediator and the Office expenses are borne by TDSAT. This is definitely a huge advantage for the small petitioners.

Naavi.org had raised two other points in its previous article which we would like to reiterate.

First is the possibility of TDSAT holding its hearings outside Delhi in cities like Bangalore, or Chennai or Mumbai or any other place where the petitioners are located.

Second was the possibility of using online interactions through Video conferencing. If this is acceptable, the first requirement of holding sittings outside Delhi may not be that important.

The online hearings can also be extended to the Mediation process so that the need for travel of the petitioners and respondents to Delhi can be reduced.

Naavi.org has already drawn attention to the fact that it is ready to provide the services of ODRGLOBAL.IN, where a facility is already available for conducting online arbitration supported by evidentiary capture of proceedings under Section 65B of the Indian Evidence Act. (More details are available at www.odrglobal.in.) TDSAT may either use this facility itself or create a similar facility for its own use. If this suggestion is accepted, there would be a revolutionary change in the way justice is rendered to the petitioners.

Naavi would be happy to provide any assistance to TDSAT in implementing such technology innovations if required.

We look forward to how TDSAT approaches its new responsibilities for the cases transferred from CyAT.

Naavi


Will TDSAT render justice to Cyber Crime Victims?… I seek some answers

Cyber Crime victims in India have been waiting for a long time for the re-activation of the Cyber Appellate Tribunal (CyAT), which became dysfunctional on 30th June 2011 during the UPA II regime and never came back to life even after the NDA Government under Mr Modi took charge.

Despite the push given to Digital India by Mr Modi and repeated reminders from activists like the undersigned, the Government and whichever Chief Justice of India was in charge during this time could not find a replacement for Mr Rajesh Tandon, who superannuated while he was the Chairman of CyAT. What was surprising was that during part of this time when CyAT was dysfunctional, there was a retired High Court judge, namely Justice Krishnan, who was appointed as a member of the CyAT but was not designated as the Chairperson though he was eligible.

Mr Gulshan Rai, who has been in the forefront of CERT for a long time and later moved on to the PMO, was the person in charge of CyAT as an administrator and, despite being in the PMO, could not impress upon Mr Modi to re-activate the CyAT.

In the Finance Bill of 2017, Mr Arun Jaitley gave another body blow to the CyAT by abolishing the CyAT and merging it with the TDSAT. It was like the proverb which says "Don't cut off your nose if you cannot cure a cold", but that was precisely what Mr Jaitley did as Finance Minister.

As a result of this apathy of the Government of India, the CyAT, which was closed on 30th June 2011 with many pending petitions of Cyber Crime victims who had lost lakhs of rupees and believed that there would be justice at the end of their struggle, remained inoperative until the beginning of this month.

It has taken a full 7 years for the system to be re-activated. I am sad that nobody in the Government, least of all the Law Minister and IT Minister Mr Ravi Shankar Prasad, took this issue seriously.

During this time there were a few cases like:

  • a) The case of ICICI Bank vs S. Umashankar, in which ICICI Bank had been ordered by the Adjudicator of Tamil Nadu to pay compensation to the Cyber Crime victim, which had been heard extensively over a period of more than a year, arguments were completed, written arguments were also submitted, and the CyAT had posted the case for judgement three days past the expected date on which the Judge was supposed to retire.

  • b) The cases of Gunashekar and Vijaykumar vs PNB, in which PNB was jumping from the Adjudicator of TN to CyAT and from CyAT to the Madras High Court, playing one authority against the other only to delay the case as long as possible until it got stuck at CyAT.

  • c) The cases of Gujarat Petosynthese Ltd and Mr Rajendra Prasad against Axis Bank and ICICI Bank respectively, where the Adjudicator of Karnataka had dismissed the petitions holding that the word "Person" used in Section 43 of ITA 2000 does not include a "Company".

Out of the above litigants, it is sad to note that one of the complainants has already expired. Others are now 7 years older, and soon we will have a situation where the Court will call for a hearing only for the legal heirs to attend.

I would like everybody involved in these disputes, including the Banks who consider their fraudulent customers more valuable than victim customers and use all their financial might to frustrate the complainants, and the advocates who spend more effort in seeking adjournments than in presenting their fair views, to think about who is responsible for the delay in the delivery of justice.

They should expect that the dissatisfied souls of deceased Cyber Crime victims will hover around these Courts for justice until justice is delivered. Unfortunately our politicians are worried only about Farmer Deaths and not Cyber Crime Victims' deaths. Even Mr Modi knows only about the "Fasal Bima Yojana" and not "Cyber Crime Insurance".

Despite RBI mandating Cyber Crime insurance way back in June 2001 and advising Banks to absorb the legal risks in such cases, Banks led by insensitive, fraud-tolerant CMDs have failed to take action. Now RBI has also advised that there should be "Zero Liability" in certain cases, but Banks hardly recognize the authority of RBI and ignore all such customer-friendly directions.

Finally, the TDSAT has now started calling up pending applications and trying to take stock of the cases. This is a silver lining, but one which may recede fast into the background if TDSAT does not take some procedural steps to ease the process of justice delivery.

TDSAT is used to hearing petitions of big companies like Vodafone, Reliance or Aircel and hearing arguments from the likes of Kapil Sibal or Gopal Subramaniam. They will now have to come down to earth and look at cases in which the dispute is over a few lakhs or even thousands, and the victims cannot afford to engage lawyers of repute in the Supreme Court and would prefer to argue the cases themselves.

Is TDSAT prepared to re-orient itself to be able to do justice to these relatively poor victims? … I am looking for an answer.

CyAT had a simple procedure and a nominal fee. Will TDSAT follow the same principle? … I am looking for an answer.

CyAT was prepared to travel and held hearings in Chennai twice during its tenure. Will TDSAT hold hearings in South India so that the expense of travel, compounded by adjournments, does not kill the Cyber Crime victims a second time? … I am looking for an answer.

CyAT was prepared, before it went out of action, to conduct proceedings over Video Conferencing, though it did not materialise. (The Mumbai Adjudicator held one hearing over video conferencing for a Nagpur case and showed it was feasible.) Will TDSAT be prepared to hold such online hearings so that Cyber Crime victims need not travel to Delhi every time? … I am looking for an answer.

Naavi.org promises that if TDSAT wants to use the online dispute resolution platform of odrglobal.in, it will offer such service, if required, free of cost and without any obligations. (ODRGLOBAL is an online platform that is compliant with ITA 2000/8, the Indian Arbitration and Mediation Act and also the proposed UN model law on ODR.) Will TDSAT agree to use the platform for the benefit of the Cyber Crime victims? … I am looking for an answer.

I wish that this message reaches those who matter in the Government of India and the TDSAT, and that I will get answers to all the above questions. These are not questions raised by an activist alone but by the hundreds of Cyber Crime victims.

All my friends who receive this message are requested to kindly forward it to the relevant persons so that a serious attempt is made to correct the damage inflicted on the Cyber Crime victims of India over the last 7 years by the CyAT being held in a non-functional state.

Naavi

Disclaimer: There is no political agenda in the above statements, though I have expressed my complete dissatisfaction with the officials and ministers under the current Government. My views should not be misunderstood. For the record, I am a supporter of Mr Narendra Modi and his policies.

A Serious issue in WhatsApp Usage leading to personal data leak Reported

WhatsApp has been in the news in India in the context of its use in spreading "Fake News" and causing "Lynchings". Some harsh words have already been spoken by the Ministry blaming WhatsApp for some of the lynchings, and it appears that WhatsApp is trying to respond to the concerns.

We understand that WhatsApp is making some changes to its software, first to distinguish a "Forwarded Post" with a suitable tag and then to restrict forwards to five at a time. It has also made it possible to disable "Posts by all", with an option to restrict posting to the admins only.

We must understand that WhatsApp is a closed group communication and the postings are meant for the members of a specific group. It is only when some member makes a forward to another group that the message spreads.

The Lynchings are a different problem. It may arise either out of true news or fake news and it may be spread either through WhatsApp or other means. It is not correct to link the lynchings to WhatsApp.

It is our considered opinion that many of the lynchings that have happened in recent days indicate that lynchings were planned first as a means to disturb the community peace and the WhatsApp message was only an excuse or even a plant. The Police might have failed to trace the origin of some of these messages but they have succeeded in some cases. A deeper research is called for to find out if there is any political conspiracy to use WhatsApp as an excuse to spread hatred and cause violence in the society.

It is fine that WhatsApp might have taken cognizance of some of the concerns and tried to bring about some changes in the software. This should help mitigate the risk of misuse though the larger solution lies in better public awareness that “All Messages are not necessarily true” and “Some Messages are maliciously implanted by anti social elements”.

However, I would like to point out a different aspect of a data protection related issue in WhatsApp and bring it to the attention of the WhatsApp authorities, which could land WhatsApp in deep trouble.

Just as Google was slapped with a $5 billion fine, EU authorities may be waiting to slap another fat fine on WhatsApp and enrich themselves if WhatsApp does not immediately take some remedial action.

I have brought this to the notice of WhatsApp through their support e-mail and am waiting for them to respond if they have a view. After giving them some time to respond, I will share the issue on a public platform.

Naavi

Understanding the GDPR: General Data Protection Regulation

{This is a guest post from Dan Sincavage, Co-Founder, www.tenfold.com }

The GDPR, or General Data Protection Regulation, is a regulation passed by the European Union on April 27, 2016, with an effective start date of May 25, 2018. Officially classified as Regulation 2016/679, the GDPR expands upon and replaces the Data Protection Directive 95/46/EC of 1995. It serves as the EU's effort to synchronize and harmonize laws on citizen and resident data privacy throughout its member states.

GDPR is based on Privacy by Design/Default, a set of user-centric principles that treat user privacy as a first-class requirement from the outset rather than as an afterthought. Building on that is the ability of users to sue organizations under the GDPR that mishandle personal data. To accomplish this, the GDPR mandates new user-oriented information-handling processes to which EU companies will soon find themselves beholden, not to mention subject to significant penalties in the event of a violation.

The complete text of the GDPR legislation clocks in at 88 pages. There exist within it 173 recitals and 99 articles, each one applying universally to all EU member states. The key provisions of this sweeping legislation are provided below, and constitute the essence of what the law entails and how it affects data storage and retrieval for all related EU entities.

Who the Law Protects

There is a slight bit of confusion when it comes to just who falls under the protective auspices of the GDPR measure. The term “natural person” appears frequently throughout the text, and while this indeed refers to EU citizens, it actually extends further to those merely residing in the EU.

To wit, a natural person in EU nomenclature is any human possessing “legal personality”. That’s a very law-like definition that essentially boils down to a person who acts on their own behalf rather than in the interests of a business entity (sometimes known as a “legal entity”) or a government entity (or “public entity”).

To simplify matters, all humans native to or residing inside the EU with data to protect are blanketed under the term "data subject". The rights of these data subjects to control and even extensively delete their private data are at the heart of the GDPR.

How GDPR Defines Personal Data

The GDPR defines personal data quite simply: Information (“data”) that can be used to identify a natural person (“data subject”). This seems self-evident on its surface, and indeed, certain identity-related elements fall naturally within this definition, such as name, ID number, home address, and more. But in the current era of sophisticated online data tracking technology, the amount of transmittable, personally identifiable data has ballooned (at least in the EU’s opinion), and with it, the number of privacy touch points potentially available to corporate and government bodies.

This massive list includes, but is not limited to, online identifiers such as IP addresses, social media accounts, email addresses, account numbers, browser cookies, and more. Constituent to this are direct identifiers and indirect identifiers, both of which establish the data subject's identity by degrees. For instance, a direct identifier is a name, ID number, home address, and so on. Indirect identifiers include date of birth, location, or even title, and while they don't pinpoint data subjects directly, they can nevertheless unmask a person's identity when used in concert.

Personal Data vs Sensitive Personal Data: What’s the Difference?

In short, sensitive personal data is more or less a subset of personal data. However, as the name implies, sensitive personal data is information that is not as objectively verified as standard personal data. For instance, a data subject’s home address or date of birth can be independently and objectively verified. Under the GDPR, this is personal data, but it’s not “sensitive”. Another way to think of sensitive data is as “privileged” information, i.e. data that must be communicated by the subject themselves.

Some examples of sensitive personal data include:

  • Racial or ethnic origin
  • Religious beliefs
  • Genetic data
  • Trade union membership
  • Biometric data
  • Health data
  • Sexual orientation
  • Data pertaining to the subject’s sex life

The GDPR's aim is not to restrict the processing of personal data altogether, only to eliminate those instances where data might be processed without the full and clear consent of the data subject. In any respect, the GDPR dictates that data must be processed transparently and equitably at all times. This sounds simple on the surface, but unfortunately for the controllers handling personal data, there are a number of requisites in the GDPR that reveal the attendant difficulty involved.

At least one of the following requisites must be met for lawfully processing personal data:

  • Direct consent from the data subject
  • Execution of an agreed-upon contract or as a preliminary step thereof
  • Legal compliance on the controller’s behalf
  • Protection of the subject’s vital interests or those of another person
  • Tasks performed in the public interest or as an extension of the controller’s official authority
  • Tasks performed in the controller’s legitimate interests or that of a third party unless superseded by the rights and natural protections of the subject, especially children

While not exceedingly divergent from the above, the standards for lawfully processing sensitive personal data are nonetheless more tightly confined to at least one of the following (some of which are duplicated from personal data):

  • Explicit consent of the subject
  • Necessary for obligations to employment, social protection and social security laws, and collective agreements
  • Protection of subject’s interests when subject is incapable of consent, whether physically or legally
  • Processing of data belonging to members or former members of and by a not-for-profit entity with a political, philosophical, religious, or trade union affiliation; strictly prohibited from divulging said data to third parties
  • Data made public by subject
  • Necessary for legal claims
  • Tasks performed in the public interest
  • Administering preventative or occupational medicine, assessing subject’s working capacity, medical diagnosis, health or social care
  • Public health as a public interest, including protection against cross-border health threats or to guarantee quality healthcare, medicine, or medical devices
  • For purposes of data storage, inquiry, and statistics

What Is a Controller?

According to GDPR lingo, a controller is the entity (natural person, legal entity, public agency, authority, or similar) that makes the decision on why personal data is being processed. They specify whose data will be collected, which categories of data to include, the length of time needed to store the data, and more. Not only that, but a controller determines whether the data subject needs to be alerted that their personal data is about to be processed, or whether the subject's consent is needed beforehand.

In that same vein, controllers are most often the parties with whom data subjects come into direct contact. As the public "face" of the data processing endeavor, controllers are the ones responsible for ensuring tight controls on how the subject's information is managed. Aside from protecting the trust and privacy of the subject, the controller must ensure compliance with the GDPR at every turn.

But just as the data subject need not be an EU citizen, neither must the controller be based in the EU. Controllers can originate anywhere across the globe; so long as they engage in the processing of data for natural persons currently in the EU, they are bound by GDPR guidelines. The best examples of this come by way of social media giants such as Facebook and Twitter; search engines like Yahoo!, Bing, and Google; or retail outlets like Amazon, eBay, and more. Despite being headquartered within the US, these companies must regardless fulfill the requirements of the GDPR or risk non-compliance.

To make matters slightly more complicated, controllers not originating within the EU must designate a representative from inside the EU to help process data in a way that satisfies the GDPR. The representative accomplishes this by coordinating with that nation's governmental body in charge of overseeing GDPR compliance, also known as the supervisory authority. It's more or less a checks-and-balances system to prevent non-EU entities from roguish data processing.

What Is a Processor?

While controllers oversee the whys and whats of personal data processing, processors are the entities designated by the controller to perform the processing itself. The processor may be a natural person, a legal entity, public agency, authority, or similar, and as with controllers, they may also originate outside the EU. No matter the location or the type of entity, the bottom line remains the same: as long as the processor is managing personal data belonging to a natural person within an EU member state, GDPR still applies.

Rather than micromanaging every processing-related task, controllers may choose to rely on the processor’s systems and data security. However, controllers are the ones ultimately responsible for making sure this happens.

What is a Supervisory Authority?

Each member of the EU is required by GDPR to arrange a supervisory authority whose chief duty involves monitoring whether the regulation is being faithfully applied. The GDPR states in no uncertain terms that the regulation must be enforced consistently within every EU member state. To make this a reality, supervisory authorities are mandated to cooperate with one another when it comes to the free flow of data. Member nations are allowed to arrange for multiple supervisory authorities, but one must be chosen as a representative before the European Data Protection Board (EDPB). The same supervisory authority is also required to guarantee that the other supervisory authorities are following GDPR.

What is a Data Protection Officer?

A Data Protection Officer (DPO) is required under GDPR rules to manage and implement an organization's data protection policies. This applies to any entity that archives large volumes of personal data. And it doesn't necessarily apply only to customers or users; any organization with a significant data burden, even for its own employees, is obligated to appoint a DPO. The definition of who constitutes a data subject is far-reaching in the GDPR.

Each DPO will be in charge of educating his or her parent entity from top to bottom in the requirements for satisfying the regulation. He or she also conducts training for staff members who are directly involved in processing personal data, routinely audits the organization's data security, and recommends fixes accordingly. In addition, DPOs liaise with supervisory authorities and enforce the entity's compliance not only with the GDPR, but with member state laws as well.

Data subjects may interact with DPOs as their main point of contact, too. As the public "face" of the data processing operation, DPOs carry a host of responsibilities, all with the goal of remaining as open, transparent, and subject-focused as possible. These include:

  • Informing subjects of the purposes for which their data is being processed
  • Providing access to their data
  • Explaining the safeguards enacted by the company to secure their data
  • Disclosing the involvement of third parties
  • Disclosing the duration for which their data will be archived
  • Respecting the subject's right to have their data deleted
  • Fulfilling all data requests from subjects promptly, and within one month of receiving the request

Take, for instance, a security firm that utilizes closed-circuit TV to surveil and monitor either communal areas or private businesses. Because their core activities constitute a public task, this firm would need to appoint a DPO. The same is true for any processor that engages in minimal data retrieval or processing, such as call centers. By contrast, entities that provide ancillary support, including payroll and IT support, need not install a DPO.

Exactly who can serve as DPO is left largely to the entity's discretion. The DPO may be "in-house" or external, and they may perform other tasks for the company as well, with the proviso that their work for the company and their work as DPO do not create a conflict of interest.

While the role of DPO will look different from company to company, there are a few qualifications that the DPO must meet as outlined in the GDPR. These include:

  • Expertise in data protection law, both national and European
  • In-depth knowledge of the GDPR
  • Comprehensive understanding of the organization’s data processing structure
  • Ethics and integrity
  • Free to carry out their tasks independently

Data Breaches

We tend to think of "data breach" in rigid terms connoting the theft of confidential information from within the confines of an otherwise guarded data security system. With the GDPR, however, a data breach does not begin or end at theft but instead is defined much more broadly. It can include accidental or illegal destruction, loss, change, or unauthorized access to or disclosure of personal data, whether processed or archived. Once a breach occurs, controllers must notify the supervisory authority without "undue delay", and within 72 hours. This deadline holds true whether the breach was discovered by the processor or by the controller, although it is the controller's responsibility, not the processor's, to notify the supervisory authority.

Controllers must then notify the data subject that their data has been compromised, otherwise known as an individual notification. Despite the thoroughness of the GDPR’s overall coda, it does not mandate individual notifications if certain conditions have been met. These include:

Regarding that last condition, the entity or controller is still required to alert data subjects through public means.

The Right to Erasure

The right to erasure is EU parlance for the right to be forgotten, or the right for a data subject to have their personal data comprehensively deleted. A data subject may invoke their right to erasure under four primary scenarios:

  • The initial purpose for archiving the personal data no longer applies
  • The subject removes their consent
  • The subject requests erasure in the event of non-compliance with GDPR guidelines or breach of data security
  • Legal reasons

Data Minimization

Data minimization is one of the more important Privacy by Design/Default principles mandated by the GDPR, and as the name suggests, it’s all about minimizing the amount of data that is collected, processed, and archived. Controllers are duty-bound to gather only as much personal data as is needed to perform the required task and reserve said data exclusively for the task in question, i.e. no migrating personal data from Task A over to Task B unless the data subject has consented.

Keeping with similar principles laid out elsewhere in the GDPR, data minimization requires controllers to limit the processing of a subject’s personal data according to certain stipulations. More specifically, this means only data that is relevant, adequate, and necessary to the purpose for which it was originally collected. Anything beyond this violates the GDPR and opens the entity to fines.

Right to Rectification

Privacy by Design/Default may be at the heart of the GDPR as a whole, but part-and-parcel therein is the right of data subjects to contest the processing of inaccurate or incomplete data. They may do so by requesting that the controller in question rectify their associated data, whether by correcting false information, filling in missing data, or amending data with a clarifying statement. Controllers must respond to such requests in a timely manner, and no later than one month from receipt.

Consequences for Failure To Comply

The consequences for failing to comply with the GDPR vary depending upon the transgression and can be divided between administrative fines and fines for breaches, whether a data breach or a breach of consent, privacy, and the like. For failure to comply with administrative or preparedness standards, entities may be fined the greater of 2% of annual global turnover or 10 million euros. Fines for breaches are double that: the greater of 4% of annual global turnover or 20 million euros.

Conclusion

Without a doubt, the GDPR poses many new risks and challenges for data processing entities across the world who traffic in the personal data of EU residents. Perhaps even scarier is that the stress on collection, processing, and record keeping systems won’t be entirely calculable until after the regulation has actually gone into effect, leaving controllers and processors doing their best to tread water, so to speak, and avoid fines for non-compliance. The trade-off for successfully implementing the regulation, however, is worth it. Users’ personal data will be much less prone to abuse, translating to renewed confidence and trust on the part of data subjects, and greater engagement between all parties involved.


National Health Stack Plan… This is the Digital Health Aadhaar Scheme… Available for Public Comment

The Press Release from PIB has called for public comments on the proposed National Health Stack (NHS).

NHS is the proposed scheme by NITI Aayog that envisages maintenance of a centralized health record for all citizens of the country to facilitate better management of health care. This would assist in the implementation of the ambitious "Modi Care" or "Ayushman Bharath" scheme, which is planning to cover 5 lakh to 10 crore poor families under a health insurance program.

Obviously there will be privacy issues, data protection issues and fraud management issues inherent in such a program, and its implementation would be watched keenly by the community of experts.

The Consultation document is available here

The scheme envisages, besides creating a master registry of health data of citizens, a federated Personal Health Records (PHR) framework, a National Health Analytics Platform and other components such as Digital Health IDs, Health Data Dictionaries, Supply Chain Management for Drugs, Payment Gateways, etc.

Along with DISHA2018, this document will bring revolutionary changes in the way Health Care and Health Care Insurance is likely to be handled in the coming days.

What would be interesting for Data Protection professionals would be to study the proposed "Data Empowerment and Protection Architecture" (DEPA), which would interact with ID systems like Aadhaar.

Apart from the Privacy considerations and Data Protection requirements, the possibility of "Frauds" has also been envisioned and some thought has been given in this direction.

We have the experience of HIPAA and Obama Care in the US, and hopefully the lessons learnt by the US authorities in administering those programs will come in handy in India when Modi Care is being planned and implemented.

Political opponents and the sections of society supporting them will raise many questions and perhaps try to ensure the defeat of the program. But people who are interested in national welfare should welcome this massive project and provide assistance to the Government in implementing it successfully.

If we look at the Aadhaar scenario, there has been competitive criticism by professionals in the privacy and data protection industry, driven largely by political considerations.

Now the NHS scheme could be a “Digital Health Aadhaar” scheme with wide ramifications.

I hope that the opposition that surfaced for Aadhaar does not resurface in respect of the NHS and Modi Care program.

I therefore urge all the data protection professionals who were at the forefront of criticising Aadhaar, and who even went to the extent of submitting their own objections to the Supreme Court and collaborating with foreign agencies to find loopholes in the Aadhaar system, to take a deep look at the proposed consultation paper and record their views today instead of coming up with their objections later.

Send your comments, if any, by 1st August 2018 to healthstackniti@gmail.com.

[Also refer to www.disha2018.in for information on the proposed Digital Information Security for Health Care Act and the EHR guidelines.]

Naavi

Posted in Cyber Law

Data Processors may be able to create a Diamond out of Charcoal… if the Indian Data Protection Act is innovatively drafted

In privacy and data protection circles in India, a debate has been going on for some time on whether personal data should be treated as the personal property of the data subject. Naavi.org had also suggested this to the Srikrishna Committee during the public consultations (refer: “Personal Data Should be Considered as Personal Property”). Subsequently, DISHA 2018 in its draft form has endorsed this view.

Now the TRAI Chairman also seems to have suggested “Ownership of telecom data must rest with users: Trai”. A detailed copy of the recommendations is available here.

Though GDPR does not speak the language of ownership and stops at “Data Subject’s Rights”, the California Privacy Protection Act recognizes the data subject’s right to “opt in” to the sale of personal data and also provides that:

“A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer’s data.”

This provision also indicates that personal data is considered a possession of value for the data subject, which can be exchanged for financial benefits. This is essentially the character of “property”.

The world therefore seems to be veering towards the view that personal data is the property of the data subject, and that when he gives consent for collection he is actually alienating his property to the data collector and granting permission for a specific use of that property, for which he has a right to charge a price.

This is precisely the nature of “intellectual property”, where the right is “licensed” to another person for a price and can be sub-licensed, with a royalty flowing to the original intellectual property owner as the value keeps building up with the superstructures built over the original property.

A similar benefit can be assigned to personal data if it is accepted as “property”: an “intangible, virtual property” recognized as a class of property on its own.

I hope that the Indian Data Protection Act, which is in its final drafting stage, will recognize this view and ensure that a proper system is introduced to enable data subjects to value their personal data and negotiate with data collectors to get a good price.

The undersigned suggested that there is a need to recognize the role of a “Data Trust” (refer: “Look beyond GDPR and Create Personal Data Trusts to manage Privacy of data subjects”) with whom data subjects can park their personal data and let it be managed on their behalf, so that the data subject gets the maximum value for his personal data.

Such data trusts can anonymize, pseudonymize or otherwise re-package the data, create marketable packages and license them under different terms to interested data controllers and data processors. The data controllers and data processors can then innovatively aggregate the personal data and create value out of the raw data.

The need for such thinking has also been explained in detail in the concept of the “Theory of Dynamic Data”, which outlines how an innovative data processor can convert raw data, which is worthless in the hands of the individual, into valuable data, and how part of that value can be shared with the data subject.

“Data Processors may be able to create a Diamond out of Charcoal” is the idea discussed in the above theory. It requires the recognition that data is the property of the data subject, that he should have the right to sell or license it for a consideration, and that data processing businesses can compete fairly with each other in giving the data subject the maximum value for the data.

If the Government of India recognizes the potential of “Personal Data as a Valuable Personal Property”, billions of Indians can pool together their inherent data asset that is born with them and perhaps create a small fortune for themselves.

Whether the authors who draft the Indian data protection laws will be innovative enough to incorporate the “Theory of Dynamic Data”, “Licensing of Personal Data” and the role of “Data Trusts” in the ecosystem is the moot question. Let us wait and see how things shape up.

Naavi

Posted in Cyber Law