Naavi.org

FDPPI and Naavi.org successfully celebrated the virtual event to celebrate the Digital Society Day 2022, on October 17, 2022. A Brief report of the event is presented below.

The event started with a brief welcome from T C Manju, Consultant Operations, FDPPI. This was followed by Naavi introducing the importance of the day and also introducing the FDPPI and its activities briefly.

This was followed by a talk from Mr Rakesh Maheshwari, Senior Director, MeitY on his experiences regarding ITA 2000 particularly in the implementation of the Intermediary guidelines.

This was followed by Dr (Advocate) Pavan Duggal who shared his reminiscences on ITA 2000. Dr  (Advocate) Prashant Mali followed with his views and suggestions on ITA 2000.

This was followed by a brief presentation by Naavi on the concept of Compliance Management Rating (CMR) for CERT-IN and ITA 2000 compliance.

There after a panel consisting of Commander Mukesh Saini, Dr A Nagarathana, Dr Mahendra Limaye and Advocate M G Kodandaram discussed the relevance of ITA 2000 in the current regulatory scenario.

In the valedictory session, Commander Rajeev Seoni, presented a summary and his views on the proceedings. A Lucky draw was held for the participants who attended the program and three persons were chosen by a spinning wheel draw and they will be sent FDPPI T-Shirts.

Vote of Thanks was provided by Ashok Kini, Co-Founder Klickstart.

Some of the pictures captured during the event are provided below.

We thank all those who made the event a success.

A link to the recording is available here.

Naavi

We in India remember August 15 as our Independence day. We also remember January 26 as our Republic Day.  Similarly October 17 is a day to remember as the day when a legally recognized Digital Society was born in India.

On October 17, 2000, the Information Technology Act 2000 (ITA 2000)  was notified and legal recognition was provided to electronic document, digital signature, electronic contracts.  With this and other provisions of ITA 2000, a new society which uses electronic documents for communication  became legally acceptable to the judicial system in India.

Without ITA 2000, an e-mail or a website or an SMS or a WhatsApp message would not be considered as a document equivalent to a document. An offer and an acceptance in electronic document would not constitute a valid contract. We were virtually living in a “Digital Jungle Raj” before October 17, 2000.

Today, we have our Supreme Court  and Parliament streaming its proceedings in Court, Parliament , Companies conducting Board Meetings and AGM on line, Digital Contracts being matters of routine, Virtual surgeries tackling matters of life and death all with an assurance of legal recognition. WhatsApp have been accepted as valid method of sending Court notices and digital money has become the order of the day. We could now move to another world of Meta Verse and humanoid robots in the coming days. Internet has become more a serious world of business and Governance and not remained only a world of fun.

Today’s Digital India therefore owes its existence to the fundamental legal changes that ITA 2000 brought to our society. Irrespective of the amendments made or to be made October 17 will for ever remain as the day to remember because of the tectonic shift that occurred this day in the year 2000.

Naavi has been therefore conducting events on October 17 trying to focus on the importance of the day. This year India is getting ready for an overhaul of Digital India regulations. The new Telecom Bill has already been up for discussion. The new Personal Data Protection Bill could be open for public comments soon and discussions on substantial amendment of ITA 2000 could follow.

To remember the day, Naavi.org and FDPPI have organized a webinar and brought together Veterans of ITA 2000 to share their thoughts on how ITA 2000 has evolved over the last 22 years and how it is likely to move further.

The webinar would start  at 4.00 pm today (October 17, 2022) on the virtual place, here

Join here

You can all participate in this celebration courtesy FDPPI and its supporting members Klickstart Business Solutions & Services LLP and Maruti Quality Management Services.

Look forward to meeting you to celebrate the Digital Society Day of India 2022.

Naavi

JOIN HERE

In the Privacy domain, the “Employee Privacy” is one aspect of Privacy Management that often has a direct conflict with the Data Protection Compliance regime.

Under GDPR we have seen that Courts and Supervisory authorities have  ruled that even an employee who uses “Customercare@company.com” email for personal communication is entitled to privacy rights.

Recently a case has also been reported from Illinois, the freight comapny BNSF Railway Co has been ordered to pay a compensation of $228 million in a class suit on behalf of its employees.

The  decision  handed Wednesday evening in Chicago federal court, came after the first trial under the Illinois Biometric Information Privacy Act (BIPA), a state law which restricts collection of biometric data like fingerprints or retinal scans.

The plaintiff, on behalf of himself and a class of other truck drivers, claimed he was fingerprinted when he entered BNSF’s railyards to make pickups and deliveries and that BNSF violated Section 15(b) of the BIPA by collecting his biometric data without first giving him written notice and obtaining his informed consent.

This decision could mean that the employees of an organization may enforce Privacy rights on par with the public.

A majority of Data Protection Professionals are themselves employees of an organization and hence they would welcome this development. So would be the Privacy Activists.

However, to be fair to all stake holders we need to question this decision of the Illinois Court (as reported in the media).

Employees are privileged persons within an organization. Law recognizes that any errors  and omissions of an employee may create a vicarious liability on the organization.  Employees work under a long term contract built on trust. They create the security systems within an organization and can collaborate with criminals to harm the organization and its third party customers.

Hence there is a need to enforce from security perspective of the company and its customers a strict regime of surveillance on the activities of the employees.

Hence having CCTVs inside an organization, monitoring the computer activity as well as collecting and using biometrics should be considered as “Legitimate Interest of an Organization” and should not be considered as “Privacy Violation”.

What may be required is an assurance based on a higher level of information security so that the employee information collected for a specific purpose of employment is not misused. Using the information to monitor employee behaviour from the perspective of security is however an exception.

Some Data Protection laws like the PDPB 2019 did provide “Exemptions” from Consent for employee monitoring activities required for performance assessment and fraud prevention.

The Illinois case could be one coming under such a requirement where the company wanted only authorized persons to enter the goods yard. Similarly the GDPR case in which an employee misusing the corporate email account for personal use had specifically violated the terms of contract. In such cases there should be no enforceable right to privacy.

It is for this reason that we advocate that “Employee Privacy” should not be equated to “Privacy of Non Employees”. Employees should be informed enough to provide their consent and understand the need for security to give up the  special privileges that comes with the Privacy.

If this right of the employer is not recognized, then employees may tomorrow claim that they will work under pseudonymous ID or even anonymous ID and receive their salaries through Bitcoins and in principle they will have a case to justify.

We must therefore consider that “Employees of an organization are privileged persons and in respect of the personal data shared by them with the company in their capacity as employees should be exempt from provisions of prior Consent (except at the time of onboarding), Rights of Portability, Right to forget. They may continue to enjoy Right to access and  Right to Correction.

Comments and views are welcome.

Naavi

Economic Times carries an interesting article on the “Shape of Things to Come” as the MeitY continues to work on the modified PDPB 2019, stating that “Reworked Personal Data Bill may relax rules on data localization”

The article quotes the MoS, IT, Mr Rajeev Chandrashekar as saying

“Cross-border flow of data will, … be permitted as long as the government is able to access the data legally and such data of citizens is safe even if it is stored in cloud architecture“

The interpretation of ET is that the Government may  change the provision regarding the “Critical Information” being necessarily stored in India.

The PDPB 2019 had already diluted the PDPB 2018 provision of cross border data transfer and removed the need for keeping even a copy of the personal data transferred out of India as long as it is not  “Sensitive”. Sensitive personal data was also freely transferable subject to a copy being retained in India and necessary consent from the data principal. No data has so far been declared as “Critical Data”.

Hence there is nothing to dilute the PDPB 2019 version in this regard as it is already diluted to the core.

As against this GDPR has been strengthening its Data Localization policy and recently even the US bent down to EU and agreed to change its Judicial System to accommodate the interest of EU GDPR. It has agreed to set up a Judicial authority that can be approached by the EU Citizens whose data is processed in USA. It can be expected that this special court will even recognize the supremacy of the EU jurisdiction over such data processed in USA.

Rajeev Chandrashekar has at present not made a statement that indicates such abject surrender of the country’s interest to foreign powers and allow a “Data Colonisation” by EU through GDPR.

If we restrict our interpretation to the words that have been quoted, it only means that the Cloud Operators need to satisfy that Indian Law Enforcement will not be denied access to data when required with the pretext that they are not subject to Indian Privacy laws.  This point is also coming up directly for discussion in the Supreme Court in the Whats App Privacy Policy case and Government cannot take different stands in the draft law and the Court.

EDPB wants Indian Data importers to commit through their contractual agreement that they will not let Indian law enforcement to enforce their rights whether they are the Police or ED or CBI. Most Indian Companies have been quietly signing off contracts with their business vendors to ensure that their businesses are preserved.

In other words, most of the Indian companies are being forced to be more loyal to EU than India. Neither Press nor the Government is aware of this development.

I challenge the MeitY to conduct a survey of data processing contracts entered into by the Indian data processors in the last 3 months and check if they have agreed to revise their SLA s to meet the EDPB guidelines. This will reveal how Indian Companies are quietly ceding data territory to foreign powers for the business they are signing. Most companies are also signing off on indemnities for data breach liabilities far in excess of their own financial capabilities pushing India to “Potential Insolvency”.

If hackers target foreign companies having data processing contracts with India and huge data breaches happen, it would be many Indian companies who will have to foot the bill.

Has information security auditors factored in this incidence of “Foreign Data breach Risk” on Indian Companies?

In my opinion these are questions which every body is afraid to ask.

We therefore conclude that

“Given the security situation in the Country, there is no way India can give into the desires of the EU GDPR to convert India into a Data Colony of EU. This is a national security issue and MeitY has to work within this framework of National Security”.

In the last two months, we have written the following 23 articles indicating what should be the “Shape of Things to Come”.

In these articles we have tried to comment on what “right” has to be protected? how we should define “data”? how we should classify “critical personal data” and how we should approach the “Data Localization” issue.

One of the suggestions made is that Data Protection by law should protect the Right to Security of a citizen of India, retain the need for consent and maintenance of copy of all personal data, processing and storing of Critical Personal data only in India etc.

We have also suggested defining of Critical personal data as

Critical Personal Data means such personal data, deprivation, incapacitation or destruction of which would cause significant harm to an individual and includes biometric data or genetic data or unique official identifiers and personal data under the control of such entities or computer resources whose activities if incapacitated or impaired may have debilitating impact on national security, economy, public health or safety.

I wish MeitY tries  to take into account the views expressed in the series of articles presented at Naavi.org before finalizing its recommendations.

We are waiting for the draft to be released by the Government to make a section by section comment and take on record the areas where there could be need for changes.

Naavi

To
The Honourable Chief Minister of Karnataka
Bengaluru

Dear Sir,

One of your recent decisions make me wonder …”If a person is running a Mandi and allows farmers to display his wares and bring together buyers and sellers, does he become a farmer?”

Kindly clarify.

Why Do I think so?

The Karnataka Transport Department has issued an order stating that Uber, Ola Auto service has to be stopped because they are charging a minimum of Rs 100/- as against the Government fixed minimum of Rs 30/-

Mr Sriramulu the Minister has threatened that he has ordered his officials to seize autos plying in defiance of the order. This gives a free hand to the police to stop every auto and demand information from the auto driver and  increase his collections.

I would like to categorically state that your move to block Uber/Ola auto is not in the interest of the public nor in the interest of Auto drivers. It will make only a marginal dent to the Cab aggregators unless you are arm twisting them for contributions to BJP for fighting  the BBMP elections.

I am a staunch supporter of BJP and Mr Modi but is compelled to call out the decision of the transport department as not in the interest of the citizens of Bengaluru of which I am also a part.

I request you to kindly give a thought to the basic nature of business  which the “Aggregators” are in. The” business of aggregation” cannot be equated to the business itself which it integrates. Karnataka Government has already made this mistake when they last made a law to treat Uber and Ola as “Taxi Operators”. I had pointe out at that time itself that this was a wrong decision. unfortunately, the companies instead of fighting it legally went for some compromised solution and accepted the classification.

Now is a time for correcting this bad decision if your Government can think in terms of understanding the business.

The business chain always consists of different layers of service from producers to consumers. There are farm brokers, transporters, Mandi Merchants, Wholesalers, Retailers etc all of whom have a role to play. As long as they collect remuneration commensurate with the value addition they bring to the business, each is entitled to their profits.

Cab aggregators fall into this category of “Intermediaries” whose job is to bring together the cab operators with the consumers on an online platform and make it easy for the service to be consumed.

They work for their service charges and the benefit for the produce (In this case the transport service by a car or an auto given to  the consumer) goes to the producer (Driver/auto or car owner).  The aggregator also acts as the collector of money on behalf of the driver and passes it onto the driver.  (Ideally, the receipt of money can be split straight away on  and credited to the driver’s account if required).

If the Cab aggregator is cheating on the driver and exploiting him with excessive commission, it has to be checked. But a reasonable commission should be allowed. (I consider 15% as reasonable and not 30% which the Uber/Ola are now charging).

The system brings transparency to the collection system and all cab/auto owners would be happy that the drivers cannot cheat them on the total collection of the day.

At the same time the consumer is happy that he need not bargain with the driver which is the biggest headache which all Bengaluru Consumers are aware and were relived of with the introduction of Uber/Ola services.

The auto drivers who were demanding their own price in excess of the meter may be unhappy that they now have to ply according to the fixed rates . But many honourable auto drivers would be happy with the system which gives them a fair return without the botheration of waiting for a customer and demanding double the meter, refuse plying to a stated destination, get abuses constantly. They can operate intermittently from their home, respond only to calls on the App, switch off the App when they want to spend time with their family and have a good work-life balance.

The most important aspect of this service is that consumers need not go out into the street to look for the auto, wait and keep waving at the moving autos. In case there is any luggage to carry, there is to send an errand boy to go and fetch an auto to take them to the railway station.

I am sure that you and your family must have experienced these difficulties when you were younger and before you became the Chief Minister.

The current decision will now put Bangalore consumers of auto service back to the 70’s and 80’s and make it extremely difficult to commute. Senior citizens living alone are the most affected since they cannot get the autos to their doors.

You are therefore snatching away this door step auto service.

Now coming to the allegation of collection of Rs 100 instead of Rs 30. If only Rs 30 is charged, then do you expect the aggregator to charge no fees?

If you think the commission of Rs 70 is unreasonable and it ought to be not more than Rs 20, I may agree with you just as the 30% commission charged by Uber/Ola is considered double the reasonable figure of 15%.

You have the right to regulate this and through the transparent system of money flow that occurs ensure that the aggregators follow the rule of 15% commission with a minimum of Rs 20/-. You can also either disallow the “Surge charges” or more appropriately allow it with a higher rate of commission of say 25% at level 1 and 30% at level 2 depending on a criteria to determine the level 1 and level 2 situations. If the available supply is too low and below a critical level, surge commission can be made even higher.

Instead of regulating the pricing in such a manner that the driver gets a reasonable return on his efforts and the consumer gets a reasonable price, you are denying them of the service itself.

This will be creating a backlash on your Government and the first signs should be in the BBMP elections when BJP is going to lose heavily.

I therefore urge you to immediately suspend the decision of the Transport ministry and form a “Pricing Committee” for aggregators to fix a more appropriate price structure as indicated above.

The Government now have access to the Open Network for Digital Commerce (ONDC) as an available platform where all the auto drivers can register themselves and ONDC can fix a fair commission for itself and give an outlet for the autos. This will also bring down the competitors Uber and Ola to a more reasonable price structure. If required I thinks you can also use MYn which otherwise would be a disastrous failure. You can also request philanthropic organizations like Tata Neu to start cab aggregation platform (If you donot insist that they will be considered Taxi operators but only Intermediaries under ITA 2000), they and many more technology companies may oblige. Even Amazon would be happy to start a channel for autos.

If you take a decision in this direction, it will bring revolution to the Bengaluru transport system.

I think Mr Tejasvi Surya brought a problem to your attention but your solution was worse than the problem. Even Mr Tejasvi Surya should accept the proposal made above and you can show your statesmanship in retracting the 2014 order of equating the Aggregation business to Taxi business which was bad in law.

If the order is properly challenged by the operators in a Court of law they have a fair chance of winning in their argument as it is discriminatory on the city transport system and spares all other types of intermediary service providers being taxed like the end producer.

Please think over and act wisely to preserve the BJP electoral chances in the coming elections.

Naavi