Meta Fined $1.3 billion by the Ireland GDPR authority

A new record has been set in GDPR regulatory fines, with Ireland’s Data Protection Commission (DPC) imposing a fine of $1.3 billion (nearly Rs 10766 crores). The population of Ireland as a country is 51,23,536 lakhs (as per 2022 census), making it a per capita income of Rs 21100.

It may be noted for the record that Meta’s global quarterly earnings in the period ending March 2023 were $5.709 billion. How much of this came from Europe is not known.

Irrespective of the justification, at this level it is like an “Extortion”. It appears that many EU countries may still consider this a delayed and diluted fine and that the Irish authorities are soft on the industry. The previous high was the fine imposed on Amazon at US $ 887 million by the Luxembourg authorities, which was about 1 lakh of rupees on a per-capita calculation for Luxembourg, with a population of around 6 lakhs.

Refer article in Security Boulevard

Refer press release from DPC

Many privacy enthusiasts may rejoice from the shocking effect created by such fines. But the decision exposes the danger of this approach deteriorating into a blood sucking practice.

EU countries have tasted blood and will continue to impose such fines from time to time to establish their global hegemony. Experts feel that many other giants including the already fined entities could face another round of such insane fines.

We must remember that the entire fine collected will go to the exchequer of the country imposing the fine and not paid by way of compensation to any individual who might have suffered on account of the so called Privacy Breach.

The legality of enriching at somebody else’s cause needs to be questioned in view of the unreasonable or disproportionate level of fine.

This sort of approach to regulatory deterrence is self-defeating and could lead to an exodus of business from the EU.

It is also predicted that the new US-EU privacy agreement may get rejected by the EU Court and hence the risk of further fines is extremely high for the industry.

While Meta may be able to drag this 10 year old dispute further by appealing against the decision, many smaller companies will now be required to make appropriate provisions in their financial books to cover such risks.

The problem for the industry is that the fines are coming from decisions of the supervisory authorities on interpretation of adequacy of measures in different instruments of compliance used by the organizations.

In the EDPB decision on “NOYB” complaint it was held that there was a contravention of Article 6 of GDPR by Meta, though the company had used “Contract” as a method of establishing lawful basis of processing as per Article 6(c). Through this decision the EDPB tried to define the business process of content based advertising.

The current decision on Meta is based on the alleged violation of Cross Border transfer regulations under Article 46(1) based on Standard Contractual Clauses.

EDPB chair Andrea Jelinek stated “The EDPB found that Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences”.

While full details of the order are yet to be analysed, some of the information available indicates the following.

Meta has been relying on the Privacy Shield Protocol for transfer of data from EU to US for processing and use in advertising. It was based on SCC and believed to be in compliance with GDPR until CJEU scrapped the Privacy Shield agreement. Following this CJEU verdict, proceedings were launched against Meta by the Irish authorities.

According to one of the interim reports that had been released, a study had indicated that “changes to (the) free flow of data could cause significant harm to telecommunications, digital payments, global services outsourcing and pharmaceutical R&D industries,” and “Based on the estimates of the Analysis Group economists, European businesses and consumers in each of these industries may incur several billion dollars of additional annual costs”.

The contention from the EU side was that GDPR guidelines require the country receiving the data to offer the same level of protection as the country from which the data is borrowed. In terms of standards, data protection has to match that offered in the European Economic Area (EEA). Since US laws did not provide such adequate security, SCC was considered as a means to provide such compliance.

It now appears that the SCC instrument has also failed to provide satisfactory compliance.

Naavi considers that the attitude of EU authorities is basically incompatible with business, and commercial entities cannot live in fear of their arrangements being retrospectively held inadequate and heavy fines imposed.

For the Indian market, where there are many data processors processing EU data, Naavi had suggested a unique Pseudonymization process for implementation through a “Data Importer Certification”. This is designed to transfer the cross border transfer risk to the Data Exporter in EU and relieve the data importer from the liabilities.

However this may apply to Data Processors while Data Controllers like Meta have no option other than setting up their processing centers within EU.

This is what is called “Data Localization” and what EU is doing is to achieve “Forced Data Localization” through regulatory fine mechanism.

Indian law has opted for a low level of fine (Maximum Rs 500 crores) and is also prepared to offer a “Protected Data Processing Zone” for the EU data controller and Indian Data Processor to operate in. This mechanism can, subject to the usual security against cyber attacks, protect the EU Controllers from the risk of exposure to local laws of the processing country to a certain extent.

However, complete compliance with EU GDPR will require the data importing country to surrender its sovereignty to the laws of the EU. In effect the EU is trying to create new “Data Colonies”, and some countries may succumb to this temptation and let the “New East Indian Companies in Digital Avatars” set up their own virtual countries within India.

A larger debate is required on whether India should agree to such a measure. My view is not to support the privacy infringement of Meta but for regulation to be reasonable.

Naavi

Copy of the order


Be a Certified Data Protection Officer: FDPPI-DNV program to commence on June 17

Cyber Law College which is the training partner of FDPPI (Foundation of Data Protection Professionals in India) is launching the next online program for “Certified Data Protection Professional” from June 17, 2023.

The program is being conducted on behalf of FDPPI and DNV-GL who will provide certifications for the participants and those who take an online examination.

The program will consist of 24 hours of online discussion on Saturdays and Sundays from 10.30 am to 1.30 pm as per the following schedule.

The training will be followed by an optional online examination.

All participants will be given “Participation Certificates” in the name of FDPPI and DNV-GL. Those who take the examination and complete it successfully will be provided the Certificate as “Certified Data Protection Professional” and would be featured in the “Register of Data Protection Professionals” created by FDPPI.

The Fee for the program is Rs 35000/- (Inclusive of GST)

Examination fee for Certification is Rs 6000/- (Inclusive of GST)

(If examination is taken along with the training, the total fee would be Rs 40000/- inclusive of GST)

The maintenance of the entry in the “Register of Data Protection Professionals” and complimentary membership (Basic No Voting) of FDPPI would be as per the rules of renewal by FDPPI.

Currently FDPPI is charging Rs 5000 and Rs 9000/- for entry into Level 2 and 3 of the Register. Basic membership (Non Voting) is offered for Rs 6000/- (inclusive of GST). Those who go through this program and pass the examination will be eligible for waiver of the fee for Basic membership and registration in this register either at Level 2 or at Level 3.

The total number of participants in this group may be limited. Hence early registration should help. Avail the early bird discount up to 31st May 2023 in the form of waiver of the examination fee.

Kindly register if interested here with payment.

Course on Cyber Law extended to Digital India Act

Cyber Law College has been conducting a Cyber Law Course, details of which are available on www.cyberlawcollege.in. This has now been extended to the new Digital India Act that has been announced by the Government. According to the announcement made by the Government, the draft of the new Digital India Act would be available in June 2023 and it will be discussed during this course as an extension.

This course will therefore be updating the professionals right from the day the draft is available.


CySi in Chennai again debates Section 65B

Cyber Society of India, Chennai conducted a seminar in Chennai on 20th May 2023 to discuss Section 65B of the Indian Evidence Act. The seminar, held at the Anna University Centenary Library, was attended by over 120 participants. Many legal luminaries attended the seminar and also participated in the Panel Discussion led by the senior Advocate Thyagarajan, and assisted by Advocate Karthikeyan, Balu Swaminathan, Retired DySP, and Technology experts like Vijaykumar.

(The details of the seminar with videos will be available on CySi website later).

I am adding this article here to answer some of the queries that were raised during the seminar particularly citing the Arjun Panditrao judgement. I hope it would add to the volume of information already available in this website.

This section came into effect in India on 17th October 2000, when ITA 2000 was notified. It was an insertion into the Indian Evidence Act consequent to the passage of ITA 2000 and is a procedural code on admissibility of Electronic Documents in a Court of law in India.

Essentially, Section 65B creates a condition precedent to the admission of any electronic record as a statement in a Court: a human being has to provide a certificate as per Section 65B.

Unfortunately, even after 23 years of the existence of the law, the legal community and the judicial community are not clear about why this certificate is required, who has to provide the certificate, etc.

Naavi presented the first Section 65B certificate in the case of Suhas Katti in the year 2004. The Court admitted the evidence and proceeded to hand out the historic first judgement in India under ITA 2000, convicting Suhas Katti for a message posted on Yahoo group.

Subsequently the Afzal Guru case in the Supreme Court in 2005 diluted the requirement of the Section 65B Certificate, and it was only in 2014, during the Anvar Vs Basheer judgement, that the mandatory nature of the Section 65B certificate was reiterated.

Since then there has been a consistent effort from different sources to nullify this judgement. First a two member bench of the Supreme Court (Shafi Mohammad case) tried to provide a “Clarification” to the Anvar judgement, which was a three member judgement. Then another three member bench in the case of Arjun Pandit Rao categorically stated that the Shafi Mohammad judgement was wrong.

However the three member Arjun Pandit Rao judgement introduced one more element of doubt in the minds of the community by stating that “the required certificate under Section 65B(4) is unnecessary if the original document itself is produced.” (Para 32 of the first part of the judgement).

In the seminar, there was one section of the legal community which was perturbed by the insistence on the Section 65B certificate in trial proceedings and wanted the section to be removed because of the difficulties it is creating in the trial process.

I would like to reiterate that “Electronic Documents” can be easily manipulated and fake evidence created to fix any innocent person. Hence the Section 65B Control, which requires one human to take the responsibility for the document, is essential, and for this purpose the mandatory nature of the requirement should not be tampered with.

The confusion regarding the Arjun Pandit Rao judgement about the “Original” document arises because we often confuse the container of an electronic document with the electronic document and consider the hard disk as an “Original”.

Even assuming that the hard disk is the “First Electronic Imprint of an evidentiary sequence of binaries which constitutes an evidence”, that it is available to the Court, and that we can therefore say that the “Original” lies inside the hard disk, the Judge cannot take it as evidence unless he connects the hard disk to a processor and a monitor with keyboard, speaker etc. running on an operating system, BIOS and an application. All this hardware and software usage influences the evidence as being read by the Judge, and the choice of what software and hardware to use becomes his choice. Hence the Judge would be creating an expression of evidence by his own decisions.

Hence the reading of the evidence by the Judge from the “Original” hard disk will be unacceptable as evidence. If however a third party renders a Section 65B certified “Computer Output” where he provides the details of how he read the document, then the Judge can accept it as evidence and proceed. This is the essence of “Admissibility” which Section 65B provides.

As the Anvar vs Basheer judgement has clarified, the “Genuinity” can still be disputed with counter evidence by the defence and the Court can come to its own decision. The Court has the ultimate power to either accept the Section 65B certificate provided by the presenter or the challenger without holding any of them as “Malicious” or “Fake” but only because the perspectives of the two certifiers were different.

There will be occasions when a letter draft is stored by a person on a computer and is printed out and thereafter the letter is physically signed. This refers to a case where the letter content is owned by the signer, and in such a case there is no need for a Section 65B certificate because the evidence is the printed letter and not the electronic document.

The Section 65B certificate becomes relevant when a person who is not the owner of the content certifies that such content exists in electronic form on a computer and that he took a copy of the same and certified it under the Section 65B procedure so that it can be admitted as evidence without production of the original.

This should provide clarity on the doubt created by the Arjun Pandit Rao judgement.

For rest of clarifications, kindly go through the videos or articles already present in this website.

Naavi

[P.S: Kindly check for a detailed analysis of Section 65B in this previous article at naavi.org as also this article on ShafiMohammad]


Is there a limit to the powers of Supreme Court of India?

While one section of the political parties propagates the view that Democracy is under threat in India, I have one question to ask the community: is the threat to Indian democracy from our top Court itself?

Presently the Supreme Court is hearing a petition regarding same sex marriage where the Constitution bench is trying to interpret the institution of marriage, what makes a person man or woman, what is the concept of marriage etc.

Supreme Court thinks that the questions it is addressing are questions of law. But it appears that the questions being addressed are questions of the Society. The institution of marriage is a societal order and the laws related to marriage address some peripheral issues that correct aberrations.

However, what the Supreme Court is trying to do is to interpret the societal concept of marriage itself and whether there is any rule that it has to be between two persons of different gender and why law should not be made to recognize same sex marriage.

In my view, irrespective of the final decision that the five wisemen arrive at in the end, the society will consider this an intrusion on its societal norms.

In the past Supreme Court was arrogant enough to interfere in the customs of the Shabarimala temple. Often it interprets the constitution though the Court itself is a creation of the constitution. There are judges who say that what is written in the constitution is not sacrosanct but what the judges interpret is sacrosanct. Supreme Court has created its own rule that certain parts of the Constitution are beyond the powers of the Constitution makers themselves since they form the “Basic Structure”, forgetting that if somebody had the power to create the basic structure, the same body should also have the power to change it.

Some time back some legislators changed the basic structure of the constitution to add words such as “Secular” into the preamble. Nobody argues whether this was or was not an alteration of the basic structure. Supreme Court needs to ponder over this.

In Physics there is a law called “Principle of Uncertainty” which says that we cannot measure the position and velocity of an electron simultaneously. If we try to measure the velocity, the position will change and if we try to measure the position, the velocity will change.

Similarly, Supreme Court is a creation of the Constitution and if it interprets the Constitution, the inherent power of the Supreme Court will change. Supreme Court is not “God” to create its own interpretation of the Constitution under which its own existence remains.

Our Constitution makers gave some powers to the Supreme Court and left some powers to the legislature. There was no conflict in this arrangement since the executive and the judiciary had different roles. The executive would make the laws and the Judiciary would interpret.

However this system has been corrupted with the approach of the Judiciary that it assumes powers to interpret the constitution itself. Tomorrow if the legislature wants to change the Constitution, can Judiciary come in the way?

The sooner this aberration is corrected, the better it is for the Indian society.

Though the Judiciary can pat its own back and say they are upholding the constitution by taking complete control of what should be there in the Constitution and what should not be there and how any word in the constitution has to be interpreted, we are aware that when it comes to the crunch, the Supreme Court does not support the real democracy.

We are all aware of what the Supreme Court did when Mrs Indira Priyadarshini alias Indira Gandhi imposed Emergency. Now we are seeing that the Supreme Court is silent on the Police atrocity in Punjab of illegally arresting the Times Now Crew members, including a lady journalist, and holding them in custody for several days, foisting false cases.

This is the same Supreme Court which was willing to sit in the midnight to hear the petition of a terrorist. It saw human rights in that context but not in the context of Bhawana of Times Now.

It is therefore time for Supreme Court to voluntarily put a restriction on itself and respect the Constitution of India. Respecting constitution of India includes not usurping the power to re-write the Constitution.

But “Self Regulation” against absolute power is against human instinct and it requires a philosophical level maturity for any human being or an organization of human beings to voluntarily give up powers when nobody can challenge them in the usual course. Supreme Court needs to prove that it has reached that level of maturity to impose a self regulation on itself and vow not to impose itself above the Constitution and the Society.

I hope that the “Same Sex Marriage” case is a fit occasion for the Supreme Court to publicly announce that Supreme Court is part of the Society and does not interpret societal issues from its limited interpretation of words in a law and also that it respects the Constitution and the power of the legislature to make the Constitution even if it is not to the liking of a few lawyers.

In the absence of a national referendum on the same sex marriage issue, we need to wait for the people to vote in the Parliamentary election where Same Sex Marriage legislation becomes part of the manifesto of one of the political parties. Alternatively the Supreme Court should order a referendum on this issue through the Election Commission itself.

If the Constitutional Bench of the Supreme Court considers itself the “Constitution Re-Writing Bench” then we have dark days for Indian Democracy ahead of us not from the bad laws that the Government may make but by the bad interpretation of the law that the Supreme Court makes.

Today, we are exercising our right under the Constitution by exercising our franchise in the Karnataka State Elections. Of course, this is a vote for the Assembly election and not for the Parliament. But even the state assembly is part of the Constitutional structure of the Country and hence the vote in the state assembly is a vote for the strengthening of the Constitutional structure of India of which the Supreme Court is a part.

On this august occasion, the above thoughts crossed my mind and I wanted to share it with the citizens of India who are the real custodians of the Indian Constitution.

I hope that the Supreme Court takes this as friendly advice from a senior citizen of India who has his own rights under the Constitution far beyond what any institution created by the constitution can assume for itself.

Naavi


What is Echo Chamber effect in Social Media

Social Media developed over a period as a way of individual expression that could reach others on the Internet. Website itself was the first incarnation of this tool of expression. It was however a data publishing platform controlled by a person or an organization. Blogs were another version of the same with a greater focus on individual opinions.

When Twitter and FaceBook evolved, they became a platform for collection of views from different persons and probably like a friendly congregation for exchange of views.

Over a period, businesses and thereafter the political influencers realized that these social media platforms like Twitter and FaceBook could be used to create opinions in the society for a given cause by consistently posting the information about a particular idea.

As we progressed, these opinion makers started using fake accounts or robotic accounts to post the views, more to create numbers of likes or forwards/re-tweets. These unfair ways of creating fake accounts and fake messages got a boost with AI-led content creation and the Large Language Models which could read a message, create a related message either in support or in opposition and post them all like “Algo Posting”.

The Language models like ChatGPT, which learn out of the content available on websites, pick up this data and there is an amplification effect as the higher numbers of a similar opinion get into the learning of the ChatGPT kind of software and in due course they become the popular view point on a topic. Just as today we refer to Google search when we want some information and believe what comes out to be true, the society will start believing what ChatGPT provides as a view point in most of the cases without realizing that ChatGPT learning has been poisoned through fake reports.

A few days back, the Democratic party President in USA, namely Mr Joe Biden, who became the President of USA by what most believe was manipulation of postal ballots, had a discussion with both Google and Microsoft at the White House on the dangers of AI.

Probably he would have asked for their help in ensuring that Democrats win the next presidential election by manipulating the Search Engines and Language model responses.

As this doubt arises in the society, whether it is true or not, a perception gets created that what we see or hear in the web space is unreliable. It is not only the text information that can be manipulated by fake account handles but also the deepfake videos that may be put out. In situations like Elections, if a fake video message goes viral in the last minute, there is no way it can be countered by the other party in time.

Hence, perceptions will get created and actions initiated on false perceptions before they can be corrected.

We in India are presently in a hotspot and this kind of deepfake videos and deepfake voice messages can be expected in the Karnataka Elections in the last week of campaigning.

As far as the public is concerned, we put out a warning that they should not implicitly trust WhatsApp messages or FaceBook posts or YouTube videos. But most of the people congregate in groups of like minded persons and everyone in the group keeps posting information that is non controversial and is acceptable to most of the members. As a result the groups become an “Echo Chamber” with every member reinforcing the views of the other person.

This echo chamber effect is dangerous from the point of view of the society as it has the effect of polarizing the groups based on their different political affiliations.

In order to guard against this effect, groups need to ensure that opposing view points are allowed to be expressed within the group, subject to the conversation being civil and friendly.

Group admins need to balance out the expressions with appropriate moderation so that extreme views are not expressed to hurt other members of the group.

Currently the messaging groups are designed either to be broadcast type where only admins post or where any of the members can post without pre-moderation. Some platforms provide for editing and deletion but some do not. As a result, sometimes views which even the person posting genuinely regrets and wants to withdraw remain on the platform, causing damage all round. Admins may have the right to remove a content but it will become “Censorship”.

Hence a new system is required in the groups of WhatsApp or similar platforms for creation of “Breakout Rooms” where special occasion discussions which are outside the main theme of the group could be discussed.

Group admins also need to ensure that every member is identified on the group platform and no forward of messages in the group to outside groups takes place without moderation. If the breakout rooms are “Read Only” type, then it may be possible to restrict forward from the breakout rooms.

Alternatively, during situations like an impending election, the “Forward” facility may even be temporarily suspended so that views of the members of a private chat group remain within the group and do not leak to the outside world.

Probably these and more thoughts need to be debated when we discuss the new “Digital India Act” and build a “Trusted Internet Space”.

Naavi
