Countdown to Digital Society Day 2022 has begun

October 17th each year since 2000 has been a day to remember as the day when the Indian Digital Society was born.

Just as India existed from time immemorial but we celebrate August 15 as the day of our independence, Digital India was in existence before October 17 2000 in small parts but got legal recognition with the notification of the Information Technology Act 2000 (ITA 2000). A substantial amendment in December 2008 released a new version of ITA 2000, which became effective from 27th October 2009 upon notification and acquired more clarity on April 11 2011 with the notification of Reasonable Security Practices under Section 43A and the Intermediary Guidelines under Section 79.

Now the Government of India is talking of a “Digital India Act” that is contemporaneous with the current digital world of Social Media Intermediaries, Artificial Intelligence, Metaverse, E-Commerce, Quantum Computing etc., which were not in existence when ITA 2000 was conceived.

Though the withdrawal of PDPB 2019 did cause a temporary setback for an industry expecting a new set of data protection laws, it reiterated the importance of ITA 2000 as the current operating Data Protection Law in India, since Section 43A and the Reasonable Security rules (or Sensitive Personal Data Protection Rules) continue to exist.

We today speak of 5G and how it can transform India into a new era of “Digital India”, and are proud that we are leaders in digital payments with a 40% share of the world market. We recognize that the launch of ONDC (Open Network for Digital Commerce) could transform the small business sectors and onboard them on to Digital services. Today even the Supreme Court proceedings are streamed online, closing the gap between the common man and the highest judiciary.

All these developments show that Digital India is truly booming.

We must however remember that prior to October 17, 2000, we did not even recognize an electronic document legally and could not authenticate an electronic document digitally. There was no concept of a judicially recognized digital contract though there were technological innovations like the ATM, Net Banking and Demat Shares in use.

But October 17, 2000 transformed the situation in India with the notification of ITA 2000. The electronic document, Digital Signature and the Digital Contract got legal recognition and the Digital Society of India was born.

The importance of this development can never be taken away and we need to recognize this and celebrate this even when we are looking forward to a new Digital India Act.

FDPPI therefore will celebrate October 17 2022 as the Digital Society Day by conducting a virtual mini conference on the theme “Digital India in the making” where we discuss the “Role of ITA 2000 in the emerging Cyber Legal system in India”, the “Recent CERT In Guidelines” along with the “Compliance Management Rating” related to CERT In guidelines and ITA 2008 compliance.

Register today for the event on October 17, 2022 between 4.00 pm and 8.00 pm. All those who register for IDPS 2022, a three day virtual event of FDPPI (Third annual event of Indian Data Protection Summit), will be sponsored on behalf of FDPPI.

Register for IDPS 2022 and get a free registration for the October 17 event here:

https://fdppi.in/wp/idps2022-registration/

Register today and participate in the discussions.

The program will consist of a presentation from Naavi followed by a panel discussion.

Naavi

Posted in Cyber Law | Leave a comment

WhatsApp Privacy Policy Issue: Will the new Data Protection Act apply retrospectively?

Most of the observers of Privacy and Data Protection in India are aware that when WhatsApp tried to introduce its new Privacy Policy in 2017 there was an exodus of users in opposition to the policy. Subsequently WhatsApp did not enforce the policy.

In the meantime, the withdrawal of the PDPB 2019, despite the assurance of quick re-introduction of a modified version, has again brought to the forefront the discussion on where the industry stands in terms of its obligation to protect privacy.

Recently, the Delhi High Court dismissed an appeal by WhatsApp to stall the Competition Commission of India (CCI) order calling for an investigation into the messaging app’s new privacy policy, noting that the policy places its users in a “take-it-or-leave-it” situation. The Court felt that the new privacy policy of WhatsApp virtually forces its users into agreement by providing a mirage of choice, and then proceeds to share their sensitive data with the Facebook companies envisaged in the policy (ANI report).

The Court made a caustic remark as follows.

“the Court finds merit in the submission of the ASGs appeared for CCI that one of the key issues with the 2021 Policy is its propensity to share the data of its users with Facebook Inc., the parent company of WhatsApp. Solely for the reason that the policies itself do not emanate out of Facebook Inc., the Appellant cannot hide behind the fact that it is the direct and immediate beneficiary of the data sharing mechanism envisaged by the policies.”

Facebook and WhatsApp said that since the issue of WhatsApp’s privacy policy is being heard by the Supreme Court, and High Court, therefore, there was no requirement for CCI to order the probe.

Now WhatsApp has again raised the issue before the Constitution bench of the Supreme Court, a brief report about which was made yesterday. During the proceedings, it was brought to the notice of the Court that in 2017 the matter had been briefly heard by the Supreme Court. It was also mentioned that the new Data Protection Act may provide a solution to the conflict.

However, the Court agreed to have a final hearing of the case and fixed January 17 as the date of hearing so that even before the Government could pass the Act, the Court could pass an order that binds the Government.

The urgency of the litigants is clear that they apprehend that the Act may bring some kind of restrictions on their operations and it is better if they arm themselves with the order of the Court so that they can claim immunity for their past data collection and usage actions and claim that the new Act will apply only prospectively.

Interestingly, one of the observations and recommendations made by the JPC on PDPB 2019 was that sensitive data transferred out of India in the last 2 years should be brought back to India. If the new version of the Bill incorporates this part of the recommendation, it would be a headache for most MNCs, both in principle, because they oppose the right of the Indian Government to the data collected in India, and for commercial reasons.

It must be observed that India presently has ITA 2000, which under the amendment of 2008 introduced Section 43A, and the rules under Sections 43A and 79 released in April 2011 specified most of the Privacy protection requirements now being considered under PDPB 2022/23 (new version under draft). Hence the actual provisions of PDPB 2019 (withdrawn) were considered as “Due Diligence” under ITA 2000 Section 43A/79.

This situation will continue till the new Act is passed and specifically repeals Section 43A of ITA 2000.

Hence in the intervening period most companies have to complete their data loot. One of the early successful executions of such data loot has already been discussed in these columns: it was TransUnion taking control of 500 million Indian users’ credit card usage profiles by buying into the shares of CIBIL. Now VISA and others have been transferring sensitive personal data abroad for processing, and the law enforcement agencies are experiencing problems in extracting data from such companies.

We are aware that Twitter had openly challenged the Indian Government, saying that it will protect the Privacy of Indian Citizens through its own privacy policy and terms of use, and defied the jurisdiction of the Indian Government. Given a choice, WhatsApp-Facebook will also assert that they have a specific jurisdiction of their own in which the Indian Government cannot intervene.

If we recall the views expressed in these columns (please refer to this article) we had said that while WhatsApp is free to request consent for use of personal data through an appropriate informed consent, the critical issue about their privacy policy was the jurisdiction clause as follows:

Forum And Venue. If you are a WhatsApp user located in the United States or Canada, the “Special Arbitration Provision For United States Or Canada Users” section below applies to you. Please also read that section carefully and completely.

If you are not subject to the “Special Arbitration Provision For United States Or Canada Users” section below, you agree that any claim or cause of action you have against WhatsApp relating to, arising out of, or in any way in connection with our Terms or our Services, and for any claim or cause of action that WhatsApp files against you, you and WhatsApp agree that any such claim or cause of action (each, a “Dispute,” and together, “Disputes”) will be resolved exclusively in the United States District Court for the Northern District of California or a state court located in San Mateo County in California, and you agree to submit to the personal jurisdiction of such courts for the purpose of litigating any such claim or cause of action, and the laws of the State of California will govern any such claim or cause of action without regard to conflict of law provisions. Without prejudice to the foregoing, you agree that, in our sole discretion, we may elect to resolve any Dispute we have with you that is not subject to arbitration in any competent court in the country in which you reside that has jurisdiction over the Dispute.

Governing Law. The laws of the State of California govern our Terms, as well as any Disputes, whether in court or arbitration, which might arise between WhatsApp and you, without regard to conflict of law provisions.

Time Limit To Bring A Claim Or Dispute. THESE TERMS ALSO LIMIT THE TIME YOU HAVE TO BRING A CLAIM OR DISPUTE, INCLUDING THE TIME TO START AN ARBITRATION OR, IF PERMISSIBLE, A COURT ACTION OR SMALL CLAIMS PROCEEDING TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW. We and you agree that for any Dispute (except for the Excluded Disputes defined below) we and you must bring Claims (including commencing an arbitration proceeding) within one year after the Dispute first arose; otherwise, such Dispute is permanently barred. This means that if we or you do not bring a Claim (including commencing an arbitration) within one year after the Dispute first arose, then the arbitration will be dismissed because it was started too late.

These conditions need to be taken into account by both the CCI and the Supreme Court to understand the damaging impact of allowing WhatsApp a free hand to set its own Privacy Policy outside the jurisdiction of Indian law and create a Twitter-like argument that Facebook can make laws for Indian Citizens which override the laws made by the Parliament.

I wish some of the lawyers would bring forth these facts before the Court in their pleadings.

Additionally, the Government needs to think if they have to include “Retrospective” effect of the data protection laws and provide that since the date of the Puttaswamy judgement all personal data collections made in India by companies and transferred out of India should be copied back to the Indian servers so that at least a copy of the data collected will remain in India. The prospective rule on not transferring the data out of India except with an explicit consent or otherwise can be incorporated in the law.

We have separately discussed how this right of the Government may be protected in the new law through the series of articles on “The Shape of Things to Come” which have been published earlier.

It is to be noted that one of the media has recorded the following report:

“The new regime could be enacted during the winter session of the Parliament, a point the apex court took note of and said it will give the Centre time till the winter session to pass a law.
But if a law does not come into effect guaranteeing the protection of data security, then in January, the Supreme Court will resume hearing this case and will decide the issue. So all stakeholders are waiting with bated breath as far as government’s moves are concerned on a data protection regime.”

This could mean pressure on the Government to pass the law in the December 2022 session instead of the February 2023 session.

Since it is uncertain whether the Government would be ready to pass the law in December 2022, or whether the opposition in the Parliament would allow it even if the Government is keen, the risk of WhatsApp getting its way through the Court is high.

Naavi

Also Refer:

Previous article (This was a quick response based on sketchy information then available)

Live updates from livelaw.com

Report in cnbc.com


Supreme Court Could be forced to take a premature stand in the WhatsApp Privacy policy petition.

A peculiar issue has emerged in the Supreme Court today, where the petition on the Privacy Policy of WhatsApp filed in 2017 is now forcing a new hearing on January 17, 2023. This is being pushed as the final hearing in this case and may provide immunity to WhatsApp to go ahead with its proposal to use the Privacy Policy it has proposed under the blessings of the Supreme Court.

If Supreme Court upholds the petition, it would adversely affect many provisions that the Government may be planning to introduce on Intermediary liability through the Intermediary Guidelines, the Telecom Bill, the Data Protection Bill and the future amendments to the ITA 2000.

The issue which prompted the petition was that WhatsApp wanted to amend its Privacy Policy and had issued a notice that unless a specific Privacy policy is agreed to, it would stop the services for the Indian users.

The objection to the Privacy Policy was that it did not provide adequate Privacy protection to Indian users and at the same time provided better Privacy protection to EU users, clearly discriminating against Indian users relative to EU users.

Naavi.org had also pointed out that the Privacy Policy was also objectionable since it provided grievance redressal to users with a jurisdiction of the US Court bypassing the Indian Court system.

Now, in the urgent hearing that took place today, reference was made to the Government withdrawing the PDPB 2019 and the proposal to come up with a new version. At the same time, there was no discussion of why, if the Government has promised to get the Bill passed in the next Budget session, there is a need for urgent disposal of the case through a hearing, as finally agreed to, in January 2023 before the Budget session.

Strangely, the impression given to the Court appeared to be that the new Bill is being created only to address the WhatsApp issue, as if it is an attempt to put them in an adverse position which should be prevented.

At the end, the Court ordered that by December 15, 2022, all the counsels would provide their pleadings and a final hearing would be held on January 17, 2023.

The hearing is before the Constitutional Bench as if the Privacy Policy of WhatsApp is a constitutional issue.

We are all aware that the concern of WhatsApp is commercial exploitation of the personal data of Indian users before the Government brings in some form of restrictions on transfer of data outside India. This could seriously affect the commercial interest of Facebook, and it is not clear if this is an issue involving the Protection of Privacy of Indian Citizens. It could turn out to be a classic case of using the Privacy pretext to protect the business interests of Facebook.

The counsel representing the Government (Solicitor General Mr Tushar Mehta) did not provide the confidence that the interest of the Indian Government would be fully protected against WhatsApp’s demands. There could be a serious need for intervention of an appropriate body to ensure that the Government does not deliberately give away the case to WhatsApp.

The honourable Supreme Court also appeared to be unclear at this time about the issues involved in the WhatsApp petition and will be dependent on the pleadings to be filed. If the Government counsel plays a weak hand, the case would be won by WhatsApp before it starts.

Nobody seems to remember either that at present the law applicable to this case is the Information Technology Act 2000 as amended in 2008, and that even if the new Bill is tabled in draft form in the coming session of the Parliament, it is unlikely to be passed by the time the Court sits for a final hearing. Hence the case has to be decided on the current law of privacy protection as enshrined in Section 43A/79 and its rules.

If these issues are not properly placed before the Supreme Court, the decision of the Supreme Court in January 2023 will be based on inadequate information and on a wrong position of law. It could also bring undue pressure on the Government, which may force an immature version of the new draft law.

There is a hint that there is a conspiracy to let the Data Horse bolt away before the stable is locked.

We need to wait and see how the media interprets this development tomorrow.

In the meantime, I request that an appropriate legal firm which has a comprehensive view of the issues involved intervenes in the case.

Naavi

Related Articles:

WhatsApp petition deserves to be rejected at admission stage itself.

WhatsApp relegates India to the Third World of Privacy Regulation

WhatsApp needs to change its Jurisdiction clause in the Terms or else, exit from India.


The New Telecom Act-8: Right of Way

Continued from previous article

Another unique concept relevant to the Telecom Bill is the “Right of Way”. This is a right under which a telecom infrastructure provider will be facilitated in using public property upon application. Rejection can be only on very substantial grounds.

The “Right of Way” may also be used against “Private Property” under Section 14 which could have an impact on public through forced acquisition of private property.

Under this section, any facility provider may submit an application to the person owning the property to seek right of way for telecommunication infrastructure under, over, along, across, in or upon such property.

On receipt of an application from a facility provider, such person may enter into an agreement, specifying such consideration as mutually agreed.

In the event the person does not provide the right of way requested, and the Central Government determines that it is necessary to do so in the public interest, it may, either by itself or through any other authority designated by the Central Government for this purpose, proceed to acquire the right of way for enabling the facility provider to establish, operate, maintain such telecommunication infrastructure, in the manner as may be prescribed.

It is very important to ensure that this provision is not misused, and hence there should be an effective system for grievance redressal, which does not appear to be available at present in the Act. Though Section 18 does recognize the need for dispute resolution, there is no clarity on whether individuals whose property is sought to be trespassed by the telecom companies would get access to proper compensation.

The act is heavily skewed towards the industry and may require some more balancing in favour of the public.

Naavi

The preliminary observations on the Bill are closed here. Further comments may be developed as required subsequently.

1 The New Telecom Bill-1.. Recalling the old Communication Convergence Bill 2001
2 The New Telecom Bill-2: Structure of the Bill
3 The New Telecom Bill-3-User Focus
4 The New Telecom Bill-4-Offences
5 The New Telecom Bill-5…Civil Penalties
6 The New Telecom Bill-6 …Industry Regulation
7 New Telecom Bill-7: Spectrum as an Asset
8 The New Telecom Act-8: Right of Way

New Telecom Bill-7: Spectrum as an Asset

Continued from the earlier article

One of the key elements of regulation is the “Spectrum”.

This law adds a new “Asset Class” called Spectrum, which is “a range of frequency” of radio/electromagnetic waves.

Spectrum will be an exclusive asset of the Government and can be licensed.

The licensee will have the contractual rights of exploitation of the spectrum, and this “Right” has a value which should appear in their balance sheets.

If the licensing is for a period, the value should be depreciated over the period as a deferred expenditure.

The Government is recognizing “Re-farming” of the spectrum so that a licensed frequency range can be used for purposes other than for which it was earlier licensed. Government may also harmonize the frequency range for efficient use of the spectrum. (rearrangement of the frequency range). Government may also re-assign the spectrum allocation to improve efficiency.

Sharing, trading, leasing of the spectrum is also permitted under law.

However in case of insolvency the spectrum may revert to the Government under certain conditions of default.

All these provisions add a new dimension to the valuation of intangible assets, a class to which Spectrum also belongs. This is interesting and has extendibility to data valuation, which is being promoted by the undersigned.

Naavi


The New Telecom Bill-6 …Industry Regulation

Continued from previous article

The key purpose of the Telecom Bill is regulating the Telecom industry. Accordingly Chapter 3 covers Licensing, Registration, Authorization and Assignment.

The first point to be noted is the “Exclusive Privilege” created for the Government to provide telecommunication services within India, including setting up of the telecommunication network and use and assignment of spectrum. The license will be subject to terms and conditions which become the basis of operation and determination of other obligations under the Act.

It is necessary to note that even possession of a wireless equipment requires authorization. Wireless equipment under the Act means

“any telecommunication equipment used or capable of use in wireless communication, including any wireless transmitter that is capable of use for broadcasting or emission of wireless communication”

Since the definition is broad and may cover even a wireless router and mobile, the Government needs to provide an exemption list while notifying the Act.

Similarly, the possession of any equipment that can block telecommunication is prohibited.

Possession of equipment that can pick “off the air telecommunication signals” also needs to be subject to strict licensing. Such equipment is used for surveillance by intelligence agencies and by unauthorized agencies.

An interesting provision is that

“Any entity which is granted a license under sub-clause (2) of Section 3, shall unequivocally identify the person to whom it provides services, through a verifiable mode of identification as may be prescribed.”

“The identity of a person sending a message using telecommunication services shall be available to the user receiving such message, in such form as may be prescribed, unless specified otherwise by the Central Government.”

The above provisions should be read with the wide definition of telecommunication services which states

“telecommunication services” means service of any description (including broadcasting services, electronic mail, voice mail, voice, video and data communication services, audiotex services, videotex services, fixed and mobile services, internet and broadband services, satellite based communication services, internet based communication services, in-flight and maritime connectivity services, interpersonal communications services, machine to machine communication services, over-the-top (OTT) communication services) which is made available to users by telecommunication, and includes any other service that the Central Government may notify to be telecommunication services;

This means that in both E-Mail and Mobile services, the identity of the sender of the message should be available to the receiver.

This will put an end to the menace of fake E-Mails and Fake Voice calls at least to a substantial extent.

We will wait and see how Gmail or WhatsApp will respond. Presently they are using “Anonymization” as a right and using “Privacy” as a fig leaf to let criminals act through their platforms. This should stop, and probably they will oppose this provision as they did when it was first proposed in PDPB 2019. Even the domain name registrars have the tendency to hide the identity of the registrants on the pretext of Privacy and facilitate frauds such as phishing.

We welcome this provision wholeheartedly. At the same time, in order to make “Privacy” available through “Pseudonymization”, there is the “Regulated Anonymity” proposed by Naavi way back in 2012. Maybe this should be considered with some modification now, and TRAI should provide it as an option under the rules.

…to be continued

Naavi
