Need for “Compliance Surcharge” to be factored into Data Processing Contracts

The fine of $1.2 billion imposed on Meta, which holds the Standard Contractual Clause agreement unacceptable after the EUCJ rejected the US-EU Privacy Shield agreement and insisted that the US legal system has to be changed, is an attempt to use GDPR fines as an extortion tool against companies in order to teach a lesson to the US authorities.

Recently, during the Ukraine war, the US confiscated the properties of Russian businessmen under its “Sanction” mechanism, though the dispute was not between the US and Russian citizens. The US thought that hitting the citizens of a country through economic sanctions is a way of waging a “Proxy war”.

Now the EU is paying the US back in the same coin. It is extorting money from Meta, Amazon and Google periodically under GDPR fines. In some cases the supervisory authorities say that the legal basis of “Contract” is not acceptable even though GDPR says it is. In another case the SCC is not acceptable even though the EDPB says it is. It has become difficult for businesses to develop a compliance plan with certainty. (Though the undersigned has suggested some means of overcoming these issues to a reasonable extent.)

The Meta decision is also a reflection of the cartel of EU supervisory authorities forcing the Irish authorities to keep the fine at a higher level to show their power. The DPC, left to itself, might have imposed a lesser fine.

US companies like Meta need to decide whether this GDPR fine should be accepted and swallowed as an EU tax to live with, or whether to fight back against the unreasonable nature of the order.

Recently, the EU imposed certain export restrictions on India to punish India for its Russia policy. India hit back with counter-sanctions by increasing the import duties on EU imports. Similarly, Meta, Google, Amazon and other international non-EU entities should start charging a “GDPR surcharge” on their services and generate additional revenue to meet future fines. This would be a sort of “Insurance” against “GDPR administrative fines”.

The pricing of all products and services to the EU should be adjusted to add a “GDPR Risk Factor”. This could be around 10% of the revenue, so that some funds are built up for administrative fines.

Indian companies should also start collecting such a “Compliance Surcharge” for their services, particularly to EU customers. In future, the “Compliance Surcharge” should be considered part of the pricing strategy for any data-related business, and CFOs and DPOs need to work out what the surcharge should be for different data elements based on the country of origin.

Perhaps it is time for PDPCSI (Personal Data Protection Compliance Standard of India) to add this requirement in its Model Implementation Specifications.

It is suggested that compliance surcharge rates be developed for different countries’ data and the collection funded into a special reserve, as if it were a “Self Insurance Fund”.

Comments are welcome.

Naavi

Posted in Cyber Law | Leave a comment

The EU is at war with the US. Meta is collateral damage

The decision of the DPC in the Meta issue imposing a fine of $1.2 billion is a reflection of a war between the EU and the US. The EU wants the US to change its laws to give up the rights of its law enforcement authorities to access personal data transferred from the EU to the US for processing.

Without this immunity from the rights of the law enforcement agencies, the other instruments such as “Contract with the data subject” or “Standard Contractual Clauses” will not be considered “Adequate”.

It is not for Meta to change US laws, and hence the options before it are clear.

  1. Transfer all processing of data into the EU so that there is no cross-border transfer. This would be forced data localization.
  2. Persuade the US Government to follow the Indian approach of allowing the setting up of “Data Colonies” in the US where there is immunity from US law enforcement’s powers.
  3. Don’t transfer the personal data from the data subject to its facilities in the US, but “Buy and own the data from the data subject” (provided this is not challenged legally) before it is transferred as its own “Asset”.
  4. Stop activities in the EU region completely and black out the EU…and also persuade other tech companies to black out the EU in a “Global Sanction against the colonization attempt of the EU”.

All Indian companies also have to ensure that they do not take a “Data Controller Stance” in any activity in the EU and, if they do, localize the processing in the EU. If data is brought into India, our laws will prevail.

For a brief period, there was a suggestion of providing “Diplomatic Type Immunity” to special data processing zones, and if it is introduced, such zones will be “Data Colonies” of the EU data controllers.

It appears that Vasco da Gama is back in India…with permission from the local kings, like what happened centuries ago in Calicut. Read this article to find out how the Portuguese started their occupation by defeating King Zamorin, who was responsible for giving them entry to India.

Naavi

Also see: Meta Fined $1.3 billion by the Ireland GDPR authority


Meta Fined $1.3 billion by the Ireland GDPR authority

A new record has been created in GDPR regulatory fines, with Ireland’s Data Protection Commission (DPC) imposing a fine of $1.3 billion (nearly Rs 10766 crores). The population of Ireland is 51,23,536 (as per the 2022 census), which works out to about Rs 21100 per head of population.

It may be noted for the record that Meta’s global quarterly earnings in the period ending March 2023 were $5.709 billion. How much of this came from Europe is not known.

Irrespective of the justification, at this level it is like an “Extortion”. It appears that many EU countries may still consider this a delayed and diluted fine and the Irish authorities soft on the industry. The previous high was the fine of US $887 million imposed on Amazon by the Luxembourg authorities, which was about 1 lakh rupees per capita for Luxembourg, with a population of around 6 lakhs.

Refer to the article in Security Boulevard

Refer to the press release from the DPC

Many privacy enthusiasts may rejoice at the shocking effect created by such fines. But the decision exposes the danger of this approach deteriorating into a blood-sucking practice.

EU countries have tasted blood and will continue to impose such fines from time to time to establish their global hegemony. Experts feel that many other giants, including the already fined entities, could face another round of such insane fines.

We must remember that the entire fine collected will go to the exchequer of the country imposing the fine and will not be paid by way of compensation to any individual who might have suffered on account of the so-called privacy breach.

The legality of enriching oneself at somebody else’s cost needs to be questioned in view of the unreasonable or disproportionate level of the fine.

This sort of approach to regulatory deterrence is self-defeating and could lead to an exodus of business from the EU.

It is also predicted that the new US-EU privacy agreement may get rejected by the EU Court, and hence the risk of further fines is extremely high for the industry.

While Meta may be able to drag this 10-year-old dispute further by appealing against the decision, many smaller companies will now be required to make appropriate provisions in their financial books to cover such risks.

The problem for the industry is that the fines are coming from decisions of the supervisory authorities on the interpretation of the adequacy of measures in the different instruments of compliance used by organizations.

In the EDPB decision on the “NOYB” complaint, it was held that there was a contravention of Article 6 of GDPR by Meta, though the company had used “Contract” as the method of establishing the lawful basis of processing as per Article 6(c). Through this decision the EDPB tried to define the business process of content-based advertising.

The current decision on Meta is based on the alleged violation of the cross-border transfer regulations under Article 46(1), based on Standard Contractual Clauses.

EDPB chair Andrea Jelinek stated: “The EDPB found that Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences”.

While the full details of the order are yet to be analysed, some of the information available indicates the following.

Meta had been relying on the Privacy Shield protocol for the transfer of data from the EU to the US for processing and use in advertising. It was based on the SCC and was believed to be in compliance with GDPR until the CJEU scrapped the Privacy Shield agreement. Following this CJEU verdict, proceedings were launched against Meta by the Irish authorities.

According to one of the interim reports that had been released, a study had indicated that “changes to (the) free flow of data could cause significant harm to telecommunications, digital payments, global services outsourcing and pharmaceutical R&D industries,” and that “Based on the estimates of the Analysis Group economists, European businesses and consumers in each of these industries may incur several billion dollars of additional annual costs.”

The contention from the EU side was that the GDPR guidelines require the country receiving the data to offer the same level of protection as the country from which the data is borrowed. In terms of standards, data protection has to match that offered in the European Economic Area (EEA). Since US laws did not provide such adequate security, the SCC was considered a means to provide such compliance.

It now appears that the SCC instrument has also failed to provide satisfactory compliance.

Naavi considers that the attitude of the EU authorities is basically incompatible with business, and commercial entities cannot live in fear of their arrangements being retrospectively held inadequate and heavy fines being imposed.

For the Indian market, where there are many data processors processing EU data, Naavi had suggested a unique Pseudonymization process for implementation through a “Data Importer Certification”. This is designed to transfer the cross-border transfer risk to the Data Exporter in the EU and relieve the data importer from the liabilities.

However, this may apply to Data Processors, while Data Controllers like Meta have no option other than setting up their processing centres within the EU.

This is what is called “Data Localization”, and what the EU is doing is to achieve “Forced Data Localization” through the regulatory fine mechanism.

Indian law has opted for a low level of fine (maximum Rs 500 crores) and is also prepared to offer a “Protected Data Processing Zone” in which the EU data controller and the Indian Data Processor can operate. This mechanism can, subject to the usual security against cyber attacks, protect the EU controllers to a certain extent from the risk of exposure to the local laws of the processing country.

However, complete compliance with EU GDPR will require the data importing country to surrender its sovereignty to the laws of the EU. In effect the EU is trying to create new “Data Colonies”, and some countries may succumb to this temptation and let the “New East India Companies in Digital Avatars” set up their own virtual countries within India.

A larger debate is required on whether India should agree to such a measure. My view is not to support the privacy infringement by Meta, but that regulation should be reasonable.

Naavi

Copy of the order


Be a Certified Data Protection Officer: FDPPI-DNV program to commence on June 17

Cyber Law College, which is the training partner of FDPPI (Foundation of Data Protection Professionals in India), is launching the next online program for “Certified Data Protection Professional” from June 17, 2023.

The program is being conducted on behalf of FDPPI and DNV-GL, who will provide certifications for the participants and for those who take an online examination.

The program will consist of 24 hours of online discussion on Saturdays and Sundays from 10.30 am to 1.30 pm as per the following schedule.

The training will be followed by an optional online examination.

All participants will be given “Participation Certificates” in the name of FDPPI and DNV-GL. Those who take the examination and complete it successfully will be provided the Certificate as “Certified Data Protection Professional” and would be featured in the “Register of Data Protection Professionals” created by FDPPI.

The Fee for the program is Rs 35000/- (Inclusive of GST)

Examination fee for Certification is Rs 6000/- (Inclusive of GST)

(If examination is taken along with the training, the total fee would be Rs 40000/- inclusive of GST)

The maintenance of the entry in the “Register of Data Protection Professionals” and complimentary membership (Basic No Voting) of FDPPI would be as per the rules of renewal by FDPPI.

Currently FDPPI is charging Rs 5000 and Rs 9000/- for entry into Levels 2 and 3 of the Register. Basic membership (Non Voting) is offered for Rs 6000/- (inclusive of GST). Those who go through this program and pass the examination will be eligible for a waiver of the fee for Basic membership and registration in this register at either Level 2 or Level 3.

The total number of participants in this group may be limited. Hence early registration should help. Avail of the early bird discount up to 31st May 2023 in the form of a waiver of the examination fee.

Kindly register if interested here with payment.

Course on Cyber Law extended to Digital India Act

Cyber Law College has been conducting a Cyber Law Course, details of which are available on www.cyberlawcollege.in. This has now been extended to the new Digital India Act that has been announced by the Government. According to the announcement made by the Government, the draft of the new Digital India Act would be available in June 2023, and it will be discussed during this course as an extension.

This course will therefore be updating the professionals right from the day the draft is available.


CySi in Chennai again debates Section 65B

Cyber Society of India, Chennai conducted a seminar in Chennai on 20th May 2023 to discuss Section 65B of the Indian Evidence Act. The seminar, held at the Anna University Centenary Library, was attended by over 120 participants. Many legal luminaries attended the seminar and also participated in the Panel Discussion led by the senior Advocate Thyagarajan, assisted by Advocate Karthikeyan, Balu Swaminathan, Retired DySP, and technology experts like Vijaykumar.

(The details of the seminar with videos will be available on CySi website later).

I am adding this article here to answer some of the queries that were raised during the seminar, particularly those citing the Arjun Panditrao judgement. I hope it will add to the volume of information already available on this website.

This section came into effect in India on 17th October 2000, when ITA 2000 was notified. It was an insertion into the Indian Evidence Act consequent to the passage of ITA 2000 and is a procedural code on the admissibility of an electronic document in a Court of law in India.

Essentially, Section 65B creates a condition precedent for the admission of any electronic record as a statement in a Court: a human being has to provide a certificate as per Section 65B.

Unfortunately, even after 23 years of the existence of the law, the legal community and the judicial community are not clear about why this certificate is required, who has to provide the certificate, etc.

Naavi presented the first Section 65B certificate in the case of Suhas Katti in the year 2004. The Court admitted the evidence and proceeded to hand out the historic first judgement in India under ITA 2000, convicting Suhas Katti for a message posted on a Yahoo group.

Subsequently, the Afzal Guru case in the Supreme Court in 2005 diluted the requirement of the Section 65B certificate, and it was only in 2014, in the Anvar Vs Basheer judgement, that the mandatory nature of the Section 65B certificate was reiterated.

Since then there has been a consistent effort from different sources to nullify this judgement. First, a two-member bench of the Supreme Court (Shafi Mohammad case) tried to provide a “Clarification” to the Anvar judgement, which was a three-member judgement. Then another three-member bench, in the case of Arjun Pandit Rao, categorically stated that the Shafi Mohammad judgement was wrong.

However, the three-member Arjun Pandit Rao judgement introduced one more element of doubt in the minds of the community by stating that “the required certificate under Section 65B(4) is unnecessary if the original document itself is produced” (Para 32 of the first part of the judgement).

In the seminar, there was one section of the legal community which was perturbed by the insistence on the Section 65B certificate in trial proceedings and wanted the section to be removed because of the difficulties it is creating in the trial process.

I would like to reiterate that “Electronic Documents” can be easily manipulated and fake evidence created to fix any innocent person. Hence the Section 65B control, which requires one human to take responsibility for the document, is essential, and for this purpose the mandatory nature of the requirement should not be tampered with.

The confusion regarding the Arjun Pandit Rao judgement about the “Original” document arises because we often confuse the container of an electronic document with the electronic document itself and consider the hard disk to be the “Original”.

Even assuming that the hard disk is the “First Electronic Imprint of an evidentiary sequence of binaries which constitutes an evidence” and it is available to the Court, and therefore we can say that the “Original” lies inside the hard disk, the Judge cannot take it as evidence unless he connects the hard disk to a processor and a monitor with a keyboard, speaker, etc., running on an operating system, BIOS and an application. All this hardware and software usage influences the evidence as read by the Judge, and the choice of what software and hardware to use becomes his choice. Hence the Judge would be creating an expression of the evidence by his own decisions.

Hence the reading of the evidence by the Judge from the “Original” hard disk will be unacceptable as evidence. If, however, a third party renders a Section 65B certified “Computer Output” in which he provides the details of how he read the document, then the Judge can accept it as evidence and proceed. This is the essence of the “Admissibility” which Section 65B provides.

As the Anvar vs Basheer judgement has clarified, the “Genuinity” can still be disputed with counter-evidence by the defence, and the Court can come to its own decision. The Court has the ultimate power to accept either the Section 65B certificate provided by the presenter or that of the challenger, without holding either of them as “Malicious” or “Fake”, but only because the perspectives of the two certifiers were different.

There will be occasions when a draft letter is stored by a person on a computer, printed out, and thereafter physically signed. This refers to a case where the letter content is owned by the signer, and in such a case there is no need for a Section 65B certificate, because the evidence is the printed letter and not the electronic document.

A Section 65B certificate becomes relevant when a person who is not the owner of the content certifies that such content exists in electronic form on a computer, that he took a copy of the same, and certified it under the Section 65B procedure so that it can be admitted as evidence without production of the original.

This should provide clarity on the doubt created by the Arjun Pandit Rao judgement.

For the rest of the clarifications, kindly go through the videos or articles already present on this website.

Naavi

[P.S.: Kindly check the detailed analysis of Section 65B in this previous article at naavi.org, as also this article on Shafi Mohammad]
