Need for Secure Communication Software

Recently a senior Privacy Pro from Bangalore posted this message in a professional group:

“Is Byjus reading our WhatsApp messages?

I enquired about tuitions for my 7th standard son in a WhatsApp group and within 5 mins I got a call from Byjus!!!”

I also observed that after I listened to my own video on YouTube on Section 65B, the very next video suggested by YouTube was a video on Advaita by Swami Tatvananda of the Ramakrishna Mission… perhaps because my video had alluded to “Body” and “Soul” and likened the data in a hard disk to the soul in a body.

Both the above incidents indicate that the content of the WhatsApp messages and the YouTube video was observed by WhatsApp and Google respectively and used for further promotion. My video was also played on a mobile, and hence it could be Google reading the content through Android.

If a private conversation in a WhatsApp group becomes known to Byjus, a commercial entity, then it is clear that there is no privacy in the use of WhatsApp, which claims to use “End to End Encryption”. It is clear that WhatsApp reads every message and an AI algorithm flags any marketing opportunity and reports it to the back end system, which perhaps provides a subscription based advertising service, either through Google Ads or Facebook Ads, and informs the ad information subscribers so that they can push their marketing efforts.

We can therefore conclude that the use of “WhatsApp Messaging” for business transactions is a risk to the business information. If a company is using WhatsApp for communicating with its sales force and a sales person reports, “I just met a prospective client who is interested in our product. We can pursue this lead…”, the next moment a competitor may be at the door of your prospective client to deliver a similar product and steal your lead.

Similarly, in hospital communication, if one doctor is sharing a diagnostic discussion with another doctor on a patient’s condition, it is possible that an insurance company may be lifting the information to alter the insurance terms or deny a claim.

While Privacy activists may try to tackle this data breach in a different way, one technology company in Bangalore has been working on a secure messaging system for organizations where data is secured through encryption “From Creation to Consumption” instead of only from “device exit to device entrance”.

In a discussion with Mr Vinay Krishna, the owner of this Dubai based company with a development center in Bangalore, he indicated that this product is specially meant to replace the use of WhatsApp for business applications where sensitive personal data is transmitted. He indicated that no data is safe with WhatsApp type messaging services where the data is permitted to be used for commercial purposes and that the “End to End Encryption” is only a myth. His contention is that his solution permits the server to be in house and the encryption control to be entirely within the administration of the enterprise.

It would be interesting to explore such solutions, which appear to come from niche companies but take on established global brands like Meta.

A full video interview of Mr Vinay Krishna would be made available shortly on this website.

Naavi


Jurisprudence on Section 65B by Naavi..CySi event in Chennai

On 20th May 2023, Naavi addressed a group of professionals at the Anna Centenary Library auditorium in Chennai and explained Section 65B of the Indian Evidence Act, which is troubling a lot of people. This 23-year-old provision is now gaining traction because judges in trial courts are asking lawyers producing electronic evidence to produce a Section 65B Certificate for every piece of electronic evidence presented. Some lawyers are so frustrated that they want this section to be removed.

It is therefore essential for the community to listen to the views presented here, which represent “Jurisprudence”. Some people believe that “Jurisprudence” is what a Judgement presents and hence has to come from the Courts only. But I believe that “Jurisprudence” can come from “Experts”, and in the case of technology related issues it is more appropriate if interpretations come from techno-legal experts. Courts will add these views in their judgements when the counsels include them in their arguments and the Judge takes them into consideration.

Naavi has been speaking about Section 65B since 17th October 2000, when ITA 2000 became law. Naavi produced the first evidence with a Section 65B certificate in the Suhas Katti case in 2004. Ever since that date Courts have been struggling to come to terms with the section, and it was in 2014, with the P V Anvar Vs P K Basheer case, that the Supreme Court finally presented an acceptable view on the use of the section. Whoever explained the section to the Bench at that time must be congratulated for their work, and the Judges complimented for bringing out the correct perspective.

However, the community of advocates and the judiciary continue to question Section 65B, particularly the mandatory nature of the section, and in this context the following speech of Naavi, given at the CySi seminar, tries to provide clarification.

Any questions based on this may be sent to Naavi, and I would be glad to explain it further.

Naavi’s presentation on Section 65B at Chennai on 20th May 2023

Naavi


Course on the emerging Digital India Act

The Honourable Minister of State for IT, Sri Rajeev Chandrashekar, has announced that the first draft of the Digital India Act would be available for public debate by June 7.

Already, the Minister has conducted several public consultations on the general framework to be adopted by the DIA. Naavi.org has also discussed the contours of the emerging Act in the following articles:

  1. The New Digital India Act in the making-1: Cyber Crimes under IPC?
  2. New Digital India Act in the making-2: Integrity of ChatGPT like models
  3. New Digital India Act-3: Should the negative list be continued?
  4. Digital India Act-4: Is there only one type of Intermediary in ITA 2000?
  5. Digital India Act-5: Adjudication
  6. Digital India Act-6: Fighting the Information Warfare
  7. Digital India Act-7: Data Monetization
  8. Digital India Act-8: Regulatory Oversight on PlayStore/AppleStore
  9. Digital India Act-9: Digital Media Disclaimer

As we are all aware, the Digital India Act (DIA) is meant to replace the current comprehensive law, namely the “Information Technology Act 2000”, which was amended substantially in 2008. The new DPDPB 2022 is an offshoot of Section 43A, introduced in the 2008 amendment. Several CERT-In guidelines and Intermediary guidelines have also been released from time to time. A reasonable number of Cyber Crime cases have been investigated by the Police, and several court decisions have also developed Cyber Crime jurisprudence.

If the new law in the form of the DIA is introduced, there will be a substantial disruption to the understanding of Cyber Laws in India. We professionals will need to unlearn and re-learn several concepts.

In order to prepare Cyber Law Professionals for the upcoming law, Cyber Law College of Naavi is starting a new Course on “Certificate in Cyber Laws”. This course will have two parts. The first part will cover the current laws. The second part will cover the proposed DIA in whatever form is available in the month of June. If the Government provides a copy of a draft Bill, the Course will cover a discussion of the Bill section by section, so that professionals will be able to participate in further discussions and understand the emergence of the law through close observation of the debates that would take place later.

If the new Bill is not introduced, we will discuss the draft as it stands now, as covered in the several articles indicated earlier.

The motto of Naavi/Cyber Law College is to enable Cyber Law Professionals to be ready before others, so that you can keep up your knowledge leadership.

The full details of the Course for Part I are available below:

Part I of the program consists of 14 hours of online sessions, available at present. This will be supplemented with a Bridging Session, the duration of which will be decided based on the requirement.

The recorded programs can be completed in about 1 month. Once the new Bill is available, the schedule of live sessions for the DIA would be announced. Since Naavi has also scheduled a course on “Certified Data Protection Professional” starting from June 17 as a weekend program, the DIA course will be scheduled during the weekdays at about one hour per day, for which a schedule would be announced later. If the Government does not present the draft Bill, the Bridging Session may be a short session.

Registration for this course is now open. The fee is a moderate Rs 6000/- (inclusive of GST). Participants can complete the course and obtain a participation certificate. They will also be provided an option to take an online proctored examination, and if successful they would be provided with a Certificate as “Certified Cyber Law Professional (DIA)”.

Since this program is now under the umbrella of FDPPI certification, details are also available here. Kindly register only in one place.

Register here

Naavi


Need for “Compliance Surcharge” to be factored into Data Processing Contracts

The fine of $1.2 billion imposed on Meta, which holds the Standard Contractual Clause agreement unacceptable after the US-EU agreement in the form of the Privacy Shield was rejected by the CJEU, and which insists that the US legal system has to be changed, is an attempt to use GDPR fines as an extortion tool against companies in order to teach a lesson to the US authorities.

Recently, during the Ukraine war, the US confiscated the properties of Russian businessmen under its “Sanction” mechanism, though the dispute was not between the US and Russian Citizens. The US thought that hitting the citizens of a country through economic sanctions is a way of waging a “Proxy war”.

Now the EU is paying back the US in the same coin. It is extorting money from Meta, Amazon and Google periodically under GDPR fines. In some cases the supervisory authorities say that the legal basis of “Contract” is not acceptable even though GDPR says so. In another case SCC is not acceptable even though the EDPB says so. It has become difficult for businesses to develop a compliance plan with certainty (though the undersigned has suggested some means of overcoming these issues to a reasonable extent).

The Meta decision is also a reflection of the cartel of EU supervisory authorities forcing the Irish authorities to keep the fine at the higher level to show their power. The DPC, left to itself, might have imposed a lesser fine.

US companies like Meta need to decide whether this GDPR fine should be accepted and swallowed as an EU tax to live with, or whether to fight back on the unreasonable nature of the order.

Recently, the EU imposed certain export restrictions on India to punish India for its Russia policy. India hit back with counter sanctions by increasing the import duties on EU imports. Similarly, Meta, Google, Amazon and other international non-EU entities should start charging a “GDPR surcharge” on their services and generate additional revenue to meet future fines. This will be a sort of “Insurance” against “GDPR administrative fines”.

The pricing of all products and services to the EU should include a “GDPR Risk Factor”. This could be around 10% of the revenue, so that some funds are built up for administrative fines.

Indian companies should also start collecting such a “Compliance Surcharge” for their services, particularly to EU customers. In future, the “Compliance Surcharge” should be considered part of the pricing strategy for any data related business, and CFOs and DPOs need to work out what the surcharge should be for different data elements based on the country of origin.

Perhaps it is time for PDPCSI (Personal Data Protection Compliance Standard of India) to add this requirement in its Model Implementation Specifications.

It is suggested that Compliance Surcharge rates be developed for each country’s data and that the collection be funded into a special reserve, as if it were a “Self Insurance Fund”.

Comments are welcome.

Naavi


It is the EU at war with the US. Meta is collateral damage

The decision of the DPC in the Meta issue, imposing a fine of $1.2 billion, is a reflection of a war between the EU and the US. The EU wants the US to change its laws to give up the rights of its law enforcement authorities to access personal data transferred from the EU to the US for processing.

Without this immunity against the rights of the law enforcement agencies, the other instruments, such as a “Contract with the data subject” or “Standard Contractual Clauses”, will not be considered “Adequate”.

It is not for Meta to change the US laws, and hence the options before it are clear.

  1. Transfer all processing of data into the EU so that there is no cross border transfer. This would be a forced data localization.
  2. Persuade the US Government to follow the Indian approach of allowing the setting up of “Data Colonies” in the US where there is immunity from US law enforcement’s powers.
  3. Don’t transfer the personal data from the data subject to its facilities in the US, but “Buy and own the data from the data subject” (provided this is not challenged legally) before it is transferred as its own “Asset”.
  4. Stop activities in the EU region completely and black out the EU… also persuade other tech companies to black out the EU in a “Global Sanction against the colonization attempt of the EU”.

All Indian Companies also have to ensure that they do not take a “Data Controller Stance” in any activity in the EU and, if they do, localize the processing in the EU. If data is brought into India, our laws will prevail.

For a brief period there was a suggestion of providing “Diplomatic Type Immunity” to special data processing zones, and if it is introduced, such zones will be “Data Colonies” of the EU data controllers.

It appears that Vasco Da Gama is back in India… with permission from the local kings… like what happened centuries ago in Calicut. Read this article to find out how the Portuguese started their occupation by defeating King Zamorin, who was responsible for giving them entry to India.

Naavi

Also see: Meta Fined $1.3 billion by the Ireland GDPR authority


Meta Fined $1.3 billion by the Ireland GDPR authority

A new record has been created in GDPR regulatory fines, with Ireland’s Data Protection Commission (DPC) imposing a fine of $1.3 billion (nearly Rs 10766 crores). The population of Ireland is 51,23,536 (as per the 2022 census), which works out to roughly Rs 21100 per capita.

It may be noted for the record that Meta’s global quarterly earnings in the period ending March 2023 were $5.709 billion. How much of this came from Europe is not known.

Irrespective of the justification, at this level it is like “Extortion”. It appears that many EU countries may still consider this a delayed and diluted fine and that the Irish authorities are soft on the industry. The previous high was the fine of US $887 million imposed on Amazon by the Luxembourg authorities, which was about 1 lakh rupees on a per-capita calculation for Luxembourg, with a population of around 6 lakhs.

Refer article in Security Boulevard

Refer press release from DPC

Many privacy enthusiasts may rejoice at the shock effect created by such fines. But the decision exposes the danger of this approach deteriorating into a blood sucking practice.

EU countries have tasted blood and will continue to impose such fines from time to time to establish their global hegemony. Experts feel that many other giants, including the already fined entities, could face another round of such insane fines.

We must remember that the entire fine collected will go to the exchequer of the country imposing the fine, and is not paid by way of compensation to any individual who might have suffered on account of the so called Privacy Breach.

The legality of enriching oneself at somebody else’s cost needs to be questioned in view of the unreasonable or disproportionate level of the fine.

This sort of approach to regulatory deterrence is self defeating and could lead to an exodus of business from the EU.

It is also predicted that the new US-EU privacy agreement may also get rejected by the EU Court, and hence the risk of further fines is extremely high for the industry.

While Meta may be able to drag this 10 year old dispute further by appealing against the decision, many smaller companies will now be required to make appropriate provisions in their financial books to cover such risks.

The problem for the industry is that the fines are coming from decisions of the supervisory authorities on the interpretation of the adequacy of measures in the different instruments of compliance used by organizations.

In the EDPB decision on the “NOYB” complaint it was held that there was a contravention of Article 6 of GDPR by Meta, though the company had used “Contract” as a method of establishing a lawful basis of processing as per Article 6(c). Through this decision the EDPB tried to define the business process of content based advertising.

The current decision on Meta is based on the alleged violation of the cross border transfer regulations under Article 46(1), based on Standard Contractual Clauses.

EDPB chair Andrea Jelinek stated: “The EDPB found that Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences”.

While the full details of the order are yet to be analysed, some of the information available indicates the following.

Meta has been relying on the Privacy Shield Protocol for the transfer of data from the EU to the US for processing and use in advertising. It was based on SCC and believed to be in compliance with GDPR until the CJEU scrapped the Privacy Shield agreement. Following this CJEU verdict, proceedings were launched against Meta by the Irish authorities.

According to one of the interim reports that had been released, a study had indicated that “changes to (the) free flow of data could cause significant harm to telecommunications, digital payments, global services outsourcing and pharmaceutical R&D industries,” and that “Based on the estimates of the Analysis Group economists, European businesses and consumers in each of these industries may incur several billion dollars of additional annual costs.”

The contention from the EU side was that the GDPR guidelines require the country receiving the data to offer the same level of protection as the country from which the data is borrowed. In terms of standards, data protection has to match that offered in the European Economic Area (EEA). Since US laws did not provide such adequate security, SCC was considered a means to provide such compliance.

It now appears that the SCC instrument has also failed to provide satisfactory compliance.

Naavi considers that the attitude of the EU authorities is basically incompatible with business, and that commercial entities cannot live in fear of their arrangements being retrospectively held inadequate and heavy fines imposed.

For the Indian market, where there are many data processors processing EU data, Naavi had suggested the unique Pseudonymization process, proposed for implementation through a “Data Importer Certification”. This is designed to transfer the cross border transfer risk to the Data Exporter in the EU and relieve the data importer of the liabilities.

However, this may apply to Data Processors, while Data Controllers like Meta have no option other than setting up their processing centers within the EU.

This is what is called “Data Localization”, and what the EU is doing is achieving “Forced Data Localization” through the regulatory fine mechanism.

Indian law has opted for a low level of fine (maximum Rs 500 crores) and is also prepared to offer a “Protected Data Processing Zone” in which the EU data controller and the Indian Data Processor can operate. This mechanism can, subject to the usual security against cyber attacks, protect the EU Controllers from the risk of exposure to the local laws of the processing country to a certain extent.

However, complete compliance with the EU GDPR will require the data importing country to surrender its sovereignty to the laws of the EU. In effect, the EU is trying to create new “Data Colonies”, and some countries may succumb to this temptation and let the “New East India Companies in Digital Avatars” set up their own virtual countries within India.

A larger debate is required on whether India should agree to such a measure. My view is not to support the privacy infringement of Meta, but that regulation should be reasonable.

Naavi

Copy of the order
