How India is being treated as a “Third Country” by some websites

There is a need to flag the condemnable attitude of service providers, including WhatsApp, who have the temerity to approach the Indian Courts against Government regulations, treating India as a country whose regulations can be ignored.

I call the attention of Mr Modi, Mr Amit Shah and Mr Rajeev Chandrasekhar, with good wishes for their re-election, to some of the websites whose terms of service state that the jurisdiction for dispute resolution with their consumers lies in their own country and not in India. While the services are rendered in India, the consumers are barred by contract from approaching Indian Courts.

Some websites have started providing supplementary terms recognizing the rights of EU citizens and Californian Citizens besides the country of the origin of the service. But no other country is mentioned.

While we can accept that any company has the freedom to set its own rules and is not bound to recognize the Indian sovereignty, it is our responsibility to ensure that our citizens are protected.

This can be done only through an omnibus protection provided to Indian users of foreign services through the DPDPA 2023.

Currently such service providers are considered “Data Fiduciaries” and are liable under Indian law. Hence any contractual term that places dispute resolution outside the legal mandate of ITA 2000 and DPDPA 2023 is ultra vires and cannot be considered valid.

However it is better if the MeitY through its rules on DPDPA 2023 makes it clear that

“Clauses in the contracts with any Data Fiduciary, Indian or foreign, which are not in conformity with the Indian laws shall be considered as void and the dispute resolution provisions provided under ITA2000/DPDPA2023 shall prevail.”

Ignoring this and bringing pressure on Indian users to agree to online click-wrap contracts should be considered a deliberate attempt to overrule the law of the land and should be made punishable.

The DGPSI supported Dispute Resolution Policy shall support introduction of such a clause.

In one of the websites I observed the following clause:

Applicable Law and Jurisdiction. These Terms of Use shall be construed in accordance with the laws of Singapore without regard to its conflict of laws rules. Any dispute arising out of or in connection with these Terms, including any question regarding existence, validity or termination of these Terms, shall be referred to and finally resolved by arbitration administered by the Singapore International Arbitration Centre in accordance with the Arbitration Rules of the Singapore International Arbitration Centre for the time being in force, which rules are deemed to be incorporated by reference in this clause. The seat of the arbitration shall be Singapore. The Tribunal shall consist of three (3) arbitrators. The language of the arbitration shall be English.

…It continues..

The following terms apply if you reside in the European Union:

Dispute Resolution. Notwithstanding the “Applicable Law and Jurisdiction” section of these Terms, if you are a “consumer” as defined under the EU Direction 83/2011/EU, any dispute, controversy or claim (whether in contract, tort or otherwise) between us and you, arising out of, relating to, or in connection with these Terms will be referred to and finally resolved by the court of your place of residence or domicile. You can also file a complaint at the online platform for alternative dispute resolution (ODR-platform). You can find the ODR-platform through the following link: https://ec.europa.eu/consumers/odr.

THE UNITED STATES

If you are a user of our Services in the United States of America, the below Additional Terms: (a) are incorporated into these Terms; (b) apply to your use of our Services; and (c) override the head terms of these Terms to the extent of any inconsistency.

If you are a user of the Services in the United States of America, the following terms expressly replace the above “Applicable Law and Jurisdiction” section of these Terms.

California Resident. If you are a California resident, in accordance with Cal. Civ. Code § 1789.3, you may report complaints to the Complaint Assistance Unit of the Division of Consumer Services of the California Department of Consumer Affairs by contacting them in writing at 1625 North Market Blvd., Suite N 112 Sacramento, CA 95834, or by telephone at (800) 952-5210.

If you are a California resident, then (except to the extent prohibited by applicable laws) you agree to waive California Civil Code Section 1542, and any similar provision in any other jurisdiction (if you are a resident of such other jurisdiction), which states: “A general release does not extend to claims which the creditor does not know or suspect to exist in his favour at the time of executing the release, which, if known by him must have materially affected his settlement with the debtor”.

If such companies can selectively accept laws of EU and California, why should we not insist that they also take into account the laws of India. We need to protect Indian data principals against such clauses on the websites.

Suggestions are invited.

Naavi

Posted in Cyber Law

Web Scraping Guidelines from GDPR authorities

The web scraping industry, like the digital marketing industry, is one of the industries that will be seriously affected by the Data Protection Authorities.

According to a report on web scraping from stellar, the market for web scraping software and services may grow at a CAGR of 133% from around USD 800 million at present.

However the emergence of Data Protection laws across the globe is likely to be a serious threat to the development of the industry.

DPDPA 2023 provides that if personal data is “made publicly available by the data principal”, the Act may not apply to such data. A question therefore arises whether personal data available on the web, whether on websites or on platforms like LinkedIn, Twitter or Facebook, can be freely scraped and used by businesses.

Most platforms, LinkedIn among them, have themselves made “scraping” a licensable service, and therefore any company that scrapes data from these platforms is liable to the platform if it violates the terms of the contract. But whether the platform itself has the power to license scraping is debatable. Such permission has to be part of the consent sought from the data principal. If the data principal has provided the data for a specific purpose, its use for any other purpose, including monetization by further licensing, should be considered a secondary purpose.

If the platforms are clear in their notice and seek explicit consent, “Consent to allow Scraping of data by any web crawler” can be considered as not part of the basic consent. It is likely that many data principals who use the platform may agree that their profile may be made visible to any visitor to the profile page but scraping it for use by another third party for its own monetization may not be permitted.

If this provision is strictly applied, the business of web scraping may suffer adversely.

These platforms also need to determine whether to incorporate a default condition that permission from the data principal is required before scraping.

DGPSI recommends that platforms conduct their own DGPSI audits and set appropriate compliance conditions applicable for different jurisdictions.

In this context we may note that many GDPR supervisory authorities are issuing guidelines on web scraping.

For example the April 30, 2020 guideline of CNIL states

 When individuals share their personal data with one data controller, it is not reasonably expected that they will receive direct marketing from another company – another company may re-use their data for such purposes only with the individuals’ consent.

Similarly, when a company re-uses publicly available online data of individuals in order to send direct marketing communications about its products and services by e-mail or through automated calling systems, the company must obtain the individuals’ consent before sending.

The guidelines therefore expect that Data Controllers before using web scraping tools should

  • Verify the nature and origin of the data that will be scraped
  • Minimize data collection
  • Provide notice to individuals
  • Manage the contractual relationship with the web scraping service provider
  • Carry out a Data Protection Impact Assessment (“DPIA”) if necessary

Recently the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) also issued guidelines on scraping. The key takeaways are as follows.

1. Provides a clear definition of scraping and distinguishes it from web crawling.
2. Discusses the stringent conditions under which scraping can meet the “legitimate interest” basis, emphasizing that a mere commercial interest is not sufficient.
3. Highlights the significant privacy risks associated with scraping, including the inadvertent collection of sensitive and criminal personal data, which often makes lawful processing challenging.
4. Advises conducting a DPIA to assess risks and ensure compliance with GDPR before initiating any scraping project.
5. Points out the complexities of using scraped data to train algorithms, stressing the need for ethical considerations to prevent bias and inaccuracy.

An English version of the guideline is available here.

Naavi

Posted in Cyber Law

Dutch fine on Uber.. Is it justified?

The Dutch Data Protection Authority recently imposed a fine of Euro 10 million on Uber Technologies for failure to disclose the full details of its retention periods to drivers.

In this context one has to question the decision from the point of view of whether the “Uber Driver’s Data” is “Personal Data” or “Business Data” . If it is considered as “Business Data” then it should not come under the GDPR restrictions.

To answer this question, one has to see what is the relationship between a Uber driver and Uber. If the driver is under an employment contract then he would be treated as any other employee.

Otherwise, if he is sharing a business commission, it is difficult to accept that the relationship is anything other than B2B. The driver as an individual is doing business with Uber, and in India we recognize him as a taxable entity different from the same individual for personal tax of a non-business nature.

The data of the driver that comes with the driving license should therefore be considered as “Business Contact Data” and “Mandatory statutory data to be retained under law”. As a Business contact data it is outside the scope of GDPR/DPDPA.  It could be considered as a mandatory data to be collected and  bound by the terms of agreement as a contract.

Any data collected by the driver of the passengers for the journey is data collected on behalf of Uber and it belongs to Uber and not the driver. The driver is a processor in this context.

DPDPA 2023 recognizes “Business Contact Data” as a concept in the context of the DPO and hence it accepts that a “personal looking data” may actually be shared for the “Business Purpose” which can be considered different from personal data shared for processing for a service.

For example, an Uber driver hiring another Uber car to reach home is a customer of the second driver, and the information he shares is for the purpose of travelling and is personal data. But his own data with the contracts department is to be considered “Business Data”. It is possible that Uber may run some welfare measures for the drivers; in that context the data may be considered similar to employees' personal data.

The classification of data as “Personal” and “Non Personal” may therefore depend on the context and purpose. This needs to be identified during compliance. The process oriented classification of data under DGPSI addresses this.

Please let me know your views.

Naavi

Posted in Cyber Law

Independent Director or Company Secretary should be the first respondents to DPDPA compliance

After August 11, 2023, DPDPA 2023 or Digital Personal Data Protection Act 2023 has become a law in India. Though the notification of rules is pending, DPDPA 2023 as of today is considered “Due Diligence” and part of “Reasonable Security Practice” under Sections 43A and Section 79 of ITA 2000.

The provisions of the Act are therefore considered effective as of now though the penalty clauses may not be fully relevant. However the Adjudicator under ITA 2000 has the powers to impose penalties if there is an adequate cause of action and may use the penalty table under DPDPA 2023 as a guidance.

To be fair, however, no Adjudicator in India may be aware of this power, nor inclined to use it. So companies that want to procrastinate can breathe easily for some more time. Assuming the Modi Government comes back to power after the elections, the notification of rules may be on the first 100-day agenda.

Hence companies need to start working on compliance today.

If, however, we try to identify accountability at the corporate level for who has to raise the red flag first, it appears that only the CISOs/CIOs or GDPR-aware CCOs/designated privacy officers are the first to recognize the potential impact of the DPDPA and are trying to draw the attention of their Boards to sanctioning budgets for next-level action.

Ideally it should have been the “Independent Directors” or the “Company Secretaries” who should have brought it to the notice of the Board the need to initiate compliance action.

Given the importance of DPDPA compliance and the need to cover the potential penalty risk, associations of these professionals need to draw the attention of these professionals to start understanding their specific responsibility in this regard.

Naavi

 

Posted in Cyber Law

“Product-DTS” -an evaluation of “Compliance Ready when in use” status under DGPSI

DGPSI (Data Governance and Protection Standard of India, the premier framework for DPDPA compliance in India) focuses on the compliance of Data Fiduciaries who process personal data collected from India. It includes compliance requirements under DPDPA 2023, ITA 2000 and the BIS standard for Data Governance.

A Data Fiduciary often conducts its business with the assistance of service providers who supply products or software services.

If the service provider is providing service as exactly prescribed by the DF, then he will  be a Data Processor whose obligations are only to follow instructions in the contract and the compliance obligations are borne by the DF.

In many practical instances, the service provider does not reveal the complete details of the “means of processing”, either because he treats them as a trade secret or because he is too big for the DF to negotiate with. Most cloud service providers fall into this category.

In such cases, the DF who determines the purpose of processing is not in control of the “Means of processing”.

Hence such data processors may carry the responsibility of a Data Fiduciary (DF) under the law, even though we all may call them “Data Processors”.

DGPSI addresses this issue by defining the role of the service provider as a “Joint Data Fiduciary” and makes him directly responsible for the compliance.

In many cases the service is contracted through dotted-line contracts and not through negotiated contracts. The DF is thus forced to pick a service available on the web by simply clicking the “I accept” button for the service provider's terms of service and privacy policy.

In such cases the DF is expected to at least send a proper notice to the service provider that the DF treats him as a Joint Data Fiduciary for the purpose of compliance of DPDPA 2023 and tries to get an acknowledgement.

Going further, some DFs may request the service provider to produce an assurance in the form of an audit such as ISO 13485 for medical devices or FDA CFR audit certification.

The same issue arises when an AI service is provided in the form of an algorithm or managed services.

DGPSI considers such sub systems as a “Compliance Entity” and expects them to separately be assessed for compliance of DPDPA as if that sub system is an enterprise by itself.

In such cases, the AI algorithm becomes the subject “Data Fiduciary” which is required to be compliant with the DPDPA 2023.

Hence the AI algorithm has to be evaluated on the basis of:

  1. Who is the owner of the algorithm?
  2. What personal data elements does it collect, and from where?
  3. Is there consent or another established legal basis for processing?
  4. What is the evidence that there is a notice and consent?
  5. Who accesses the personal data, and why, during processing or storage for as long as it is within the control of the algorithm?
  6. How are the rights of data principals fulfilled?
  7. How is the security of data handled, and how is a “breach” recognized?
  8. How are other obligations, such as cross-border restrictions, handling of minors' data and nomination, addressed by the algorithm owner?
  9. What do the contractual terms of use state about the inter-se obligations of compliance?

The Data Trust Score mechanism of DGPSI addresses an evaluation of these requirements against the parameters used for compliance and through some weightage system arrives at a score which is called the “DTS”. We have already discussed Web-DTS and AI-DTS as two concepts covering compliance of the website and an AI algorithm.

A similar system is now being applied to vendors of specific devices or services, to evaluate whether, during the lifecycle of the data processing that happens within the service, the obligations of DPDPA are complied with and, if so, how.

This evaluation can be done only if there is a specific context in which we are aware what type of data is collected and processed.

However there will be some instances where a device or system supplier would like to claim that “when you use our products, you can meet your regulatory obligations”. This would be like evaluating a product for “Compliance Readiness When in Use”.

This compliance ready evaluation has to assume a context which is representative of the most relevant use case and makes an assessment.

“Compliance Ready when in use” is a DTS evaluation that represents the maturity of the product or service in addressing this issue. We may simply call it “Product-DTS” for easy reference.

When it comes to evaluation of AI algorithms, DGPSI will draw from the EU AI Act to define the risk etc. Similarly, when it comes to medical devices, DGPSI will draw from ISO 13485. With such an approach, DGPSI will remain the unified approach for compliance not only at the “Data Fiduciary” but also at the “Joint Data Fiduciary” who is a contract partner of the Data Fiduciary.

Attend FDPPI training programs to discuss this further.

(Comments are welcome)

Naavi

Posted in Cyber Law

Mumbai High Court should apologize to citizens of India for their Kunal Kamra judgement.

As expected Congress has used a “Fake video” of Mr Amit Shah to falsely claim that Mr Amit Shah has stated that if it comes to power, BJP will remove reservations to SC/ST etc. Actually he had said that BJP will remove the unconstitutional reservation given to Muslims on the basis of religion.

This was not a simple fake video like the Rashmika Mandanna case, which was a case of damage to the personal reputation of a celebrity. In another instance, Rahul Gandhi's video was modified to remove the words about “Hindustan's Ka …” when he was referring to redistribution of wealth. Removal of some portions of a video is also a fake video, meant to alter the meaning of the electronic document.

On the other hand the Amit Shah video included removal of a portion and re-arrangement to some extent.

I am certain that before the election is over, we will have an even more dangerous fake video in the name of Mr Modi himself, which may be created for the purpose of filing a complaint with the Election Commission. We will come to know only if such videos become public; if they are circulated in private circles of voters, we will never come to know.

It is important that NIA should take over the Amit Shah case and investigate since this is a gross violation which includes Section 66, 66C, 66D and 66F of ITA 2000 besides some IPC sections. It also involves conspiracy since it was distributed. Section 79 and Section 85 may also be invoked to fix the liabilities of the intermediaries who facilitated the distribution of the video.

Mr Revanth Reddy may not be directly responsible, but he definitely carries vicarious liability and should cooperate in the investigation.

The investigation should be carried out immediately (as is being done) so that culprits are put behind bars before the next phase of elections.

In this context I want to recall the Mumbai High Court judgement in the case of Kunal Kamra where one judge did not see the danger of the fake news and did not uphold the right of the Government to at least call out fake news distributed in respect of the Government bodies.

Judges have their own biased views and often their judgements are not based on neutral evaluation. The judgement on Kunal Kamra case was one such instance which was however saved to some extent by one of the judges taking a right stand. But this was sufficient for the Supreme Court to stay further action by the Government and the media to keep blaming the Government.

Now the WhatsApp case is before the Court, and the lawyers are already speaking falsehoods and preparing the ground for the Judges to give wrong judgements. I wish the Judges were aware that technology is not only being misused by people but is also being misrepresented in the Courts.

For example, WhatsApp is arguing that if it agrees to “identification of the original forwarder of a message”, it has to break the encryption and therefore the privacy of the message. This is a falsehood, and the petitioners have to be castigated for making such wrong claims.

Adding header information to an encrypted message is not breaking the encryption of the message. It may require some technology changes, but it is not to be considered impossible. Hence the Court should not accept this false argument.

Instead, Court should ask WhatsApp why their grievance redressal system requires customers to go to US courts/Arbitration and not settle it within the Indian jurisdiction and why they have different privacy policies for EU, US and India?

If WhatsApp threatens to leave India, it only shows their arrogance. To some extent Courts are responsible for this arrogance since the Supreme Court and several High Courts have honoured WhatsApp in the past with recognition of the blue tick etc. and become dependent themselves.

The dependency of India on WhatsApp as a messaging platform is not desirable and is a national risk. Just as there was movement against Zoom at one point of time (which was not justified fully), monopoly of WhatsApp must be broken by encouraging indigenous solutions.

This should be possible even while preserving end-to-end encryption from user to user, which is more effective than the device-to-device encryption currently used by WhatsApp (with an ability for WhatsApp itself to decrypt if required).

The messaging platform needs to become a carrier of messages only, and whether the payload is encrypted or not should be the choice of the messaging parties. Use of two-key (public key) encryption should actually be more effective than the current device-to-device encryption.
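The point made above, that a cleartext header can ride alongside an encrypted payload without weakening the payload's encryption, can be shown with an authenticated-encryption mode that takes associated data. The Go program below is an example added here; it is not code from this post, from WhatsApp or from any messaging product, and the envelope layout and the header fields (orig, hops) are assumptions made for the demonstration. The sender seals the payload with AES-GCM and binds the header as associated data; a relay without the key can read the header but not the payload, a forwarding client that holds the key carries the originator field across the forward, and a relay that rewrites the header is detected by the recipient.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// Header is the cleartext label on every envelope; its fields are an assumption of this example.
type Header struct {
	Originator string // account that first composed the message
	Hops       int    // number of forwards so far
}

// Bytes serialises the header as "orig=<id>;hops=<n>".
func (h Header) Bytes() []byte {
	return []byte("orig=" + h.Originator + ";hops=" + strconv.Itoa(h.Hops))
}

// ParseHeader reverses Bytes; it needs no key, so a relay can call it too.
func ParseHeader(b []byte) (Header, error) {
	var h Header
	for _, field := range strings.Split(string(b), ";") {
		switch k, v, _ := strings.Cut(field, "="); k {
		case "orig":
			h.Originator = v
		case "hops":
			n, err := strconv.Atoi(v)
			if err != nil {
				return h, err
			}
			h.Hops = n
		default:
			return h, fmt.Errorf("unknown header field %q", field)
		}
	}
	return h, nil
}

// Envelope is the assumed wire format: cleartext header, AES-GCM nonce, ciphertext plus tag.
type Envelope struct{ Header, Nonce, Ciphertext []byte }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts payload and passes the header as associated data: sent in the clear, covered by the tag.
func Seal(key []byte, h Header, payload []byte) (*Envelope, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return &Envelope{Header: h.Bytes(), Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, payload, h.Bytes())}, nil
}

// Open verifies the tag over header and ciphertext together, so a header rewritten in transit fails here.
func Open(key []byte, e *Envelope) (Header, []byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return Header{}, nil, err
	}
	pt, err := aead.Open(nil, e.Nonce, e.Ciphertext, e.Header)
	if err != nil {
		return Header{}, nil, fmt.Errorf("authentication failed: %w", err)
	}
	h, err := ParseHeader(e.Header)
	return h, pt, err
}

// Forward re-encrypts for the next conversation, keeping the originator and bumping the hop count.
func Forward(keyIn, keyOut []byte, e *Envelope) (*Envelope, error) {
	h, pt, err := Open(keyIn, e)
	if err != nil {
		return nil, err
	}
	h.Hops++
	return Seal(keyOut, h, pt)
}

func main() {
	keyAB := []byte("0123456789abcdef0123456789abcdef") // constructed demo keys (AES-256)
	keyBC := []byte("fedcba9876543210fedcba9876543210")
	env, _ := Seal(keyAB, Header{Originator: "alice"}, []byte("meet at 5"))
	fmt.Printf("relay sees header %q but payload only as %x\n", env.Header, env.Ciphertext)
	fwd, _ := Forward(keyAB, keyBC, env)
	h, pt, _ := Open(keyBC, fwd)
	fwd.Header = Header{Originator: "mallory", Hops: 1}.Bytes() // a relay rewrites the label
	_, _, tampered := Open(keyBC, fwd)
	fmt.Printf("recipient: %+v %q; after rewrite: %v\n", h, pt, tampered)
}
```

Run it with `go run`: the relay line prints the orig and hops fields in the clear while the payload appears only as hex, and the final line reports the authentication failure after the header rewrite. Two caveats a practitioner should keep in view: the header is metadata the platform can read by design, so this only separates confidentiality of the body from visibility of the label, and the originator field identifies anyone only if every forwarding client honestly carries it, which is a client-software and policy matter rather than a property of the cipher.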

Hopefully the Courts will treat these technology related cases with an admission of their own ignorance and offer apologies when they make a mistake. One such apology is due from the Mumbai judge who did not foresee the dangers of fake news.

Naavi

Also read:

We Want License to Misinform?

Posted in Cyber Law