The 14 year saga of a Phishing Case reaches a significant milestone

November 9, 2022 was an important day, when my 14-year-old crusade for justice for S Umashankar, who had lost money in a phishing fraud at ICICI Bank, reached a significant milestone. The Madras High Court pronounced a judgement dismissing the appeal of ICICI Bank against the order of the TDSAT.

Copy of the judgement is here

The episode started on 2nd September 2007 when the following e-mail was received by an NRI customer of ICICI Bank, Tuticorin. This was later identified as the phishing mail.

The mail had come from the same email address from which the Bank was sending monthly statements, so he considered it as having come from the Bank and proceeded.

(Though the customer was perhaps not aware, it was later pointed out in the trial that the URL provided as the phishing link was a subdomain of ICICI Bank (https://verification.icicibank.com), which meant that the ICICI Bank server had been hacked and mail was being sent from there. Such hacking had been pointed out by Naavi.org earlier in one case of an educational institute.)

After the phishing mail was responded to, a sum of Rs 646000/- was transferred to a Mumbai Fort branch account of ICICI Bank in 6 transactions of Rs 1 lakh each and one of Rs 46000/- in quick succession on 6th and 7th September 2007.

ICICI Bank refused to accept its responsibility for the fraud and the customer approached the Adjudicating officer in Tamil Nadu through Naavi as a power of attorney holder and filed the application in June 2008. This was the first case for Adjudication in India.

After several rounds of enquiry, the Adjudicator gave a speaking order in 2010 awarding compensation to the customer.

ICICI Bank went on appeal to the Cyber Appellate Tribunal (CyAT). After a series of hearings, the case was posted for judgement, but 3 days before the judgement the Chairperson attained superannuation and the case remained stuck until TDSAT took over Cyber Appellate cases in 2018. After several hearings, TDSAT upheld the order of the Adjudicator.

This time ICICI Bank appealed in the Madras High Court. The proceedings were held for about 2 years, interrupted by Covid, and finally on 9th November 2022 the appeal was dismissed.

The case is considered historic as the first adjudication case and for the fact that the Bank was held liable for negligence.

In the Adjudication, CyAT and TDSAT proceedings, the undersigned argued under a power of attorney.

In the Madras High Court, due to some technical issues, Naavi was recognized as a consultant to assist the Court and the arguments were finally made by an advocate, Mr M A Ranganath.

Finally the appeal has been dismissed and the TDSAT judgement prevails.

We need to wait and see if ICICI Bank appeals to the Supreme Court or closes its fight.

Under ITA 2000, adjudication is expected to be completed in 4-6 months and an appeal in the Tribunal in 6 months. But this case went on for 12 years in Adjudication and CyAT, of which the major delay was due to the non-appointment of the Chairperson in CyAT.

The case indicates the inefficiencies in the system, which need correction.

Since 2007 to this day, things have changed even in Banks and better security measures have been introduced. RBI has also introduced the Zero Liability system and very recently measures have been initiated to stop payment at the transferee Banks.

The recklessness shown by ICICI Bank in this case is beyond imagination and is a great example of what should not be done. It is a good case study for Bankers which should be used in Bank Training Colleges.

The case has already been part of examination questions in some premier Law Colleges and it will be used more often now after the High Court decision.

Naavi

Posted in Cyber Law | Leave a comment

Will EU generate another regulatory commotion in the world

When GDPR was introduced EU created so much fuss that it appeared that EU was making a law for the world. The extra-territorial jurisdiction was hyped up so much that Indian companies went into a shock from which they are yet to fully come out.

Subsequently the world was getting used to the GDPR when the Schrems judgement and the EDPB guidelines that followed again caused a big stir on cross-border transfer of personal data.

The US Government under Mr Biden caved in to EU pressure and signed on the dotted line in the EU-US privacy agreement.

Now, emboldened by the success of GDPR, the EU seems to be taking yet another giant step in global techno-legislation through the Artificial Intelligence Act.

Copy of the Act is available here

The release of the draft Act has come when India is yet to finalize its version of the Data Protection Act, and naturally there is a thought about whether any of the provisions of this Act could be included in the proposed Indian Data Protection Act.

The Tech giants raised a hue and cry when PDPB 2019 asked for an algorithmic bias audit. Probably they will go through this new law with care to see if it affects their business adversely.

The proposed regulatory framework on Artificial Intelligence has the following specific objectives:

- ensure that AI systems placed on the Union market and used are safe and respect existing law on fundamental rights and Union values;

- ensure legal certainty to facilitate investment and innovation in AI;

- enhance governance and effective enforcement of existing law on fundamental rights and safety requirements applicable to AI systems;

- facilitate the development of a single market for lawful, safe and trustworthy AI applications and prevent market fragmentation.

It may take a while for us to study the Act and comment, but initial indications are clear that the law could cause some discomfort to the Industry as well as the Government. Will it remain a small temporary disturbance or become a major upheaval? Only time will tell.

The IDPS 2022 is likely to start a discussion on the Act on 11th November in one of the panel discussions.

Let’s look forward to the discussions…

Naavi


IDPS 2022… Unprecedented Rich Content

IDPS 2022 will be one of the richest Data Protection seminars/webinars to be held in India. Over 18 hours of content are planned to be delivered by experts between 2.00 pm and 8.00 pm on each of the three days, November 11, 12 and 13.

The webinar will be available on the virtual platform of ibentos.com.

Attendance is free but with pre-registration at fdppi.ibentos.com

Additionally more exclusive pre-recorded content would be available in the resource center. Some examples of content that would be available in the resource center are given below.

Bookmark this page and block your calendars. You cannot afford to miss this opportunity.

If you are an employed professional, it is time to inform your HR department and your boss that you need to take time off to attend this webinar. The second and third days are weekends and you need to free yourself only from the afternoon of Friday.

Inform your colleagues also to attend and spread the word through your social media contacts. FDPPI is a not for profit organization and the seminar is offered free. All of you are our co-sponsors of the event and we request you to market the event to your contacts.

Naavi

Event Begins on 11th November 2022 at 2.00 pm IST


Block your calendar for IDPS 2022: November 11, 12 and 13

Rajeev Chandrashekar interview with Arnab Goswami

Yesterday there was an important TV interview of Mr Rajeev Chandrashekar with Mr Arnab Goswami, in which the minister provided great insight into the new Intermediary Guidelines, which come as an amendment to the February 25 2021 guidelines. The original version of this was the 11th April 2011 notification under Section 79, a part of which got endorsed by the Shreya Singhal judgement and part of which was clarified by the Visaka Industries judgement.

During the course of the interview several important aspects were discussed by Mr Rajeev Chandrashekar some of which are discussed here.

As regards the formation of the Grievance Appellate Committee (GAC), the minister stated that they delayed the notification by 3 months waiting for the industry to come up with a self regulation which they failed to do. According to the 25th February notification, a suggestion was made that industries could set up Level II dispute resolution mechanisms by creating a dispute resolution body at different industry levels.

Naavi.org had proposed setting up of a digital media compliance guidance center along with the ODR service from www.odrglobal.in.

Additionally Naavi had suggested an important Self Regulatory method for the industry on the lines of the Domain Name dispute resolution policy such as IDRP/INDRP. This needs mention in the light of the observation made by the minister in the above interview.

We had proposed that the industry should develop an “Intermediary Dispute Resolution Policy” which incorporates the suggested regulatory methods and a voluntary contractual obligation to meet the requirements and settle disputes at the Level II dispute resolution mechanism managed by the industry itself.

Unfortunately the industry was in a combative mode and went to Court to obtain a stay on the guidelines, and several High Courts readily obliged, staying the guidelines in part. Had the industry responded positively, the Grievance Redressal Committee would not have been a critical necessity.

Even now the industry should look at the suggestions made for the “Intermediary Dispute Resolution Policy”. 

The second interesting aspect that came up during the interview was related to “Naavi’s Theory of Data”, in which we have discussed the hypothesis which we have named the “Additive Value Hypothesis”.

The Additive Value hypothesis was one of the three hypotheses which Naavi proposed under this theory, the other two being the “Data Definition hypothesis” and the “Reversible Life Cycle hypothesis”.

This theory was presented in the context of the Personal Data Protection Act, and the additive value hypothesis recognized that when data changes its avatar from the raw data status to different levels of personal data, including the pseudonymized state or anonymized state, its value changes. The value may increase in some processes as the depth of the personal data increases and reduce when the data elements are pruned.

When a diamond is cut, we may chip off part of the stone, but depending on the angle of the cut the value of the diamond increases. Similarly, in some forms of pruning of information, the information may shrink but its value may increase.

The theory suggested that the entity responsible for the transformation of data from one status to the other should be credited with the value addition and made the owner for that part of the data. This is the same principle which is followed in the IPR law where value keeps adding and each subsequent creator of value may claim ownership subject to the licensing contract.

In the Arnab Goswami interview, a point was brought up by Arnab that “News is created by agencies” and its value is unfairly reaped by the Google kind of information aggregators. He was making a case for the News industry to get a part of the value realization.

This concept, that “Raw News” is created by a news agency and is then aggregated and modified to create further value by intermediaries like YouTube, goes well with Naavi’s theory of data. “News” as data is a matter of “Non Personal Data Value Realization”, and hopefully the Government will try to find a mechanism for recognition of data value and a data value exchange mechanism.

This is part of the continuing discussion on Data Monetization and Data Valuation that Naavi/FDPPI are engaged in.
