Judges should refrain from speaking to the media in the form of “Observations”.

The recent observations made by a judge of Supreme Court in the Court hall appear to have crossed all limits of judicial propriety and created an environment of fear amongst the citizens of the country that Supreme Court does not protect the citizens of the country against the threats from terrorists.

The observations were made in front of the media and gave a justification to a terrorist act by linking it to the remark made by the petitioner in a TV debate. This was in the mould of the Rajiv Gandhi statement that the riots of 1984 were justified because of the assassination of Indira Gandhi.

Judges have the freedom to say what they want to say in their judgements but making observations particularly when press is around who could report it with a twist is completely unacceptable. This is irresponsible and indicates that the observation was made deliberately with an intention to get it reported and have consequential impact on others in the society.

I would have appreciated if the judge had made the same observations as a part of a reasoned judgement and recorded it. But making a remark for the gallery shows immaturity of the concerned judge or other motives to be explored.

The current developments indicate that the concerned Judge was guilty of gross impropriety and the Chief Justice of India needs to take suitable action to remove him from any political cases. The Government of India should also take steps to impeach him since he has destroyed the respect for Judiciary through his remarks.

I may recall that we had a similar situation recently in the Madras High Court where the judge made some observations which were considered avoidable. However the affected parties decided to gloss it over as an indiscretion and avoided a possible confrontation.

Courts expect a high level of decorum from the Advocates and visitors to the Court room and it must be stated that the public also expect the Judges to follow certain decorum.

It is time for the CJI to respond to this crisis of confidence in Judiciary created by the incident.

Naavi

Posted in Cyber Law | Leave a comment

Is Meity looking like Mohammad Bin Tughlaq?

If media reports are to be believed, Meity is looking like a Mohammad Bin Tughlaq changing its stand again and again…. and again. It appears that there is no clarity on what is to be done in respect of the data protection law in India.

This is the inference one can draw from the article which has appeared in Hindustan Times under the title “Non Personal Data likely to be dropped from new data law” under the byline of Deeksha Bharadwaj.

There is every possibility that the report might have been planted by the vested interests who do not want the law to be passed, which includes the top Tech Companies, and is an attempt to project Indian Government as indecisive.

The two amendments to the Act, namely one which included “Non Personal Data including Anonymised Personal Data” under applicability and the other on “Reporting of Non personal data breach to the regulator”, were suggested by the Joint Parliamentary Committee.

If these two amendments are dropped, there will be no serious effect on the law. It may even be considered as a welcome move. CERT IN will take care of the data breach report of Non Personal Data and the concept of “Anonymisation” which is an irreversible process subject to a standard approved by the regulator keeps the ITA 2000 and data protection law different.

The other consequential change that will be required would be the dropping of the change of name of the Act from DPA 2021/22 back to PDPA 2022.

The need to include non personal data was felt because of the opposition to Section 92 which states

“The Central Government may, in consultation with the Authority, direct any data fiduciary or data processor to provide any personal data anonymised or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government, in such manner as may be prescribed.”

This is an enabling provision and, with or without the law, is considered a legitimate right of the sovereign Government. Even if it remains in the statute there is going to be no impact on the constitutionality of the law though the “Andolan Jeevies” may continue to raise their voice.

All the dilly dallying by the MeitY is indicative of complete lack of conviction on its part on how to go about the law. MeitY needs proper guidance to take decisions which are routine but are needlessly portrayed as “Controversial”.

Government must accept that as long as Andolan Jeevies are alive, anything done by the Government would be challenged in the Court and this is now part of the law making process. Hence expected objections from them cannot be excuses for the Government to look like a spineless body.

I hope that the views expressed in Hindustan Times are not indicative of Meity’s reluctance to pass the law and the issues referred to therein would be suitably factored into the current draft whether the act is called PDPA 2022 or DPA 2022.

Naavi


US Cloud Act ..an attempt for bilateral arrangement

While a discussion is going on about the CERT-In Guidelines and the Data Protection Act in India, the United States Cloud Act (2018) is said to offer an approach to enabling law enforcement agencies in India to access data stored by US Service providers.

According to this article in orfonline.org, foreign law enforcement agencies may be able to access evidence directly from US service providers in case of investigation of “serious crimes”, through an executive agreement drawn up by the two countries for the purpose.

To enter such an agreement with the US, a foreign country must meet certain procedural and substantive requirements, including having protections against surveillance and safeguards against unbridled government access to data. It also requires the partner country to show a commitment to an open and interconnected Internet, and to free flows of data across borders. This is like the adequacy clauses in the GDPR.

It is stated that the United Kingdom (UK) was the first country to have entered into a CLOUD Act agreement with the US, in 2019.

Probably this consideration may be kept in mind by the MeitY while passing the PDPB2019.

Naavi

CERT In Rules on data breach notification etc for MSMEs

On 28th April 2022, the Government of India notified certain requirements under Section 70B of ITA 2000/8 regarding information security practices to be followed by all IT system owners.

Subsequently, a detailed FAQ was also published by CERT IN.

These regulations were applicable to all service providers, intermediaries, data centers, body corporates and Government organizations.

The regulations were to come into effect 60 days from the date of the notification. In other words, the regulations became effective from the morning of 27th June 2022.

Now the CERT-IN has notified that in respect of MSMEs as defined under the notification of the MSME ministry dated 1st June 2020, the regulations shall become effective only from 25th September 2022.

At the same time, data centers, VPS providers, cloud service providers, and VPN companies have been given additional time (till September 25) for the implementation of mechanisms relating to the validation aspects of the subscribers/customers’ details.

According to the definition of MSME under this notification, it refers to

i) A micro enterprise where the investment in Plant and Machinery or Equipment does not exceed one crore rupees and turnover does not exceed Rs 5 crore

ii) A small enterprise where the investment in Plant and Machinery or Equipment does not exceed ten crore rupees and turnover does not exceed fifty crore rupees.

iii) A medium enterprise where the investment in Plant and Machinery or Equipment does not exceed fifty crore rupees and turnover does not exceed two hundred and fifty crore rupees.

It may be recalled that the guidelines require the following to be in place:

  1. All entities shall ensure that their time source is synchronized to the NIC/NPL time source
  2. All entities shall report a data breach within 6 hours
  3. Act in accordance with the directions of CERT-In if any
  4. Enable logs of all ICT systems and maintain them securely for a rolling period of 180 days
  5. Shall preserve the service registration information for a period of 5 years or longer as mandated by law after termination of registration and such information shall include
    1. Validated names of subscribers/customers hiring the services
    2. Period of hire including dates
    3. IPs allotted to / being used by the members
    4. Email address and IP address and time stamp used at the time of registration / on-boarding
    5. Purpose for hiring services
    6. Validated address and contact numbers
    7. Ownership pattern of the subscribers / customers hiring services
  6. The virtual asset service providers, virtual asset exchange providers and custodian wallet providers (as defined by Ministry of Finance from time to time) shall mandatorily maintain all information obtained as part of Know Your Customer (KYC) and records of financial transactions for a period of five years so as to ensure cyber security in the area of payments and financial markets for citizens while protecting their data, fundamental rights and economic freedom in view of the growth of virtual assets.

For more details kindly refer to the FAQ document.

Naavi


Online Gaming.. Justice Chandru Committee and MeitY

A committee headed by a retired Judge, Justice K Chandru, constituted by the TN Government has provided its report to the TN Government on the need for regulating online games.

The committee had an IIT Professor, a retired ADGP and a Psychologist also in the panel.

We are looking to go through the detailed report but the media reports suggest that the committee has recommended that the State government insist on the Union government enacting a national-level law against online gaming with stakes under Article 252 of the Constitution. It also recommended that the State government expedite its appeal in a related case pending before the Supreme Court.

It is also reported that the committee has recommended that the Tamil Nadu government ban online games with stakes as well as advertisements that encourage people to play such games, by promulgating an ordinance.

The state Cabinet is expected to take a view on the same. According to the media report, an ordinance could be promulgated based on the committee's report. Though legislation banning online gaming was enacted by the Tamil Nadu Assembly in February last year, the Madras High Court struck it down in August that year. The appeal preferred by the Tamil Nadu government in the Supreme Court in November last year is yet to be taken up for hearing.

Legislation enacted by other States, including Karnataka and Kerala, was also struck down by the respective High Courts.

In the meantime, a report has also emerged that the “Union Government is committed to fostering innovation and Start-ups including gaming” according to a statement attributed to Mr Rajeev Chandrashekar, MOS of MeitY.

We may also recall that DPA 2021 defines “psychological manipulation which impairs the autonomy of the individual” as a harm and it is considered that online gaming does manipulate the mind of the gamer to the extent that many games induce the gamer into committing suicides. Some of these suicides may relate to loss of money but games like the PubG and Blue Whale relate to psychological manipulation.

I also draw the attention of the readers to an article written by me in 2017 on “Cyber Hypnotism”, which discussed the possibility that games may be silently hypnotizing the gamer (especially children).

It is also well known that many gamers support “Crypto Currencies” and the entire “Meta Verse” industry has a very close relationship to gaming.

There is therefore a need to give a serious thought to Gaming Regulation in India. Naavi.org has several times pointed out the dangers of Online Gaming and urged for setting up of a “Gaming Regulator” to provide certification for safe games that can be distributed to the public.

The new definition of “Harm” in the DPA 2021 as well as the discussions on Neuro Rights in the global scenario will trigger more discussions on the harmful effect of addictive games.

We are aware that “Gaming” is a big business domain in the world and also a source of technical innovation. But it does not mean that it should not be monitored and regulated.

Probably the Justice K Chandru Committee could start a new discussion in this regard.

Naavi

Online DTS Evaluation Tool

Ujvala Consultants Pvt Limited has developed an online Data Protection Compliance Assessment Tool which can assist in generating a DTS score for an organization.

DTS or Data Trust Score is a measure of the extent of data protection compliance of an organization. A complete assessment of DTS requires an audit, a methodology for converting the audit findings into a score and an assessment by an experienced auditor.

However, as a preliminary measure of assessment, an online assessment tool has been developed by Ujvala Consultants Pvt Ltd.

The tool can be used by any DPO to check the preparedness of the organization before a formal audit may be invited. It is also a tool to be used by Ujvala Auditors to develop the Gap assessment.

The tool has been developed on the basis of DPCSI (Data Protection Compliance Standard of India) as a framework and Naavi’s methodology for DTS calculation.

Ujvala Consultants would be using this tool for its Data Protection Compliance audits.

Naavi
