Compliance and not Complacency is the Choice of Wise Men

Business leaders are often confronted with the dilemma: should I make a move now, or should I wait? Should I lead, or should I follow?

Indian industry is flying on the wings of Technology and Data is driving the business. Data however is the new Commodity that is at the centre of a new regulatory mechanism called the Data Protection Act 2021.

It is natural for organizations to be uncomfortable with any new regulation and more so when the regulation requires  a re-structuring of some of the existing business architecture.

But there are certain regulations which are the global norms and are inevitable. They can be delayed but not avoided. The Data Protection Regulation is one such legislation which is likely to arrive soon in the industry environment.

This is a regulation that holds a penalty risk of 4% of our turnover for non-compliance. We can only ignore it at our peril.

So, irrespective of the media campaign against the immediate introduction of the bill DPB 2021 in the Parliament, industries need to look for ways to build the path towards compliance.

Come, let us discuss the Compliance View of DPA 2021 at the seminar in Chennai on April 23, 2022.

Contact FDPPI for more details.

Naavi

Posted in Cyber Law

Digital Forensics in the Privacy Dominated world

Digital Forensics is the art and science of discovering information. We often use this term for a situation where we need to find information which is not clearly visible in the ordinary course of a transaction. The key aspect of “Forensics” is that the information discovered through the process has to be acceptable to an independent third party leading the investigation or judicial process. Hence the information discovered through a forensic process needs to be capable of being “Evidence” in a judicial process.

A Discovery that does not lead to an “Acceptable Evidence” is of limited use. In an investigation of a crime, Police often extract statements from the accused which are used for further investigation but are not admissible as evidence at the time of trial. However, a statement made before a magistrate may be acceptable as “Admissible Evidence” at the time of trial. Similarly, a technical extraction of information could be loosely called “Forensic Discovery” but for it to be respected as “Forensic Discovery”, it needs to be acceptable as “Evidence”.

How a piece of information becomes acceptable as “Evidence” is a matter determined by the “Law of the Land”. What is accepted as evidence in Courts in the USA may not be acceptable as Evidence in a Court in India. Similarly, what is accepted in a Civil Court may not be accepted in a Criminal Court. What is accepted in a departmental enquiry, a Family Court or an Arbitration may not be acceptable in another forum.

Thus, a Forensic investigator needs to always keep in mind the objective of his forensic activity and ensure that the end result of his effort becomes useful as a “Forensic Evidence”.

Sometimes an investigator may acquire information through means which are not straightforward or may involve deception or even illegal methodology. In such cases, the Courts may hold different views about the admissibility of the evidence in the first place and on the liability of the investigator who has used unethical or illegal methods of acquisition of evidence.

In the case of Digital Forensics in India there are two specific laws that need to be taken note of by the Forensic investigator to ensure that his work is admissible as evidence in a Court without dispute and does not create a reverse charge of illegality.

First is the more familiar requirement of a Certificate under Section 65B of the Indian Evidence Act 1872 as amended by the Information Technology Act 2000, effective from 17th October 2000. According to this 20-year-old law, the forensic investigator presenting a report about information in electronic form has to provide an appropriate description of the process through which the evidence was obtained and the tools or devices used for observation, along with his signature and certain warranties that the presented material (say a print out) is a faithful copy of what he observed, that the computer used was working in a proper condition, etc. As regards the legality of the forensic investigation, the investigator is required to hold an authorization from the person who is the owner of the device in which the observation was made. In this context it is immaterial who owns the data residing inside the computer resource as long as the permission is obtained from the person in charge of the device.

In case the owner of the data is different from the owner of the device and suffers damage on account of the activity of the forensic investigator, he may make a claim for compensation from the investigator, but the investigator may be indemnified from the liability in case he has a proper authorization. The vicarious liability for the damage, if any, falls on the device owner unless the investigator has exceeded the authority given to him by the device owner as regards what data he can observe and whether any collateral damage is properly indemnified.

In the coming days, another important law of the country is likely to have a significant impact on the activities of a forensic investigator and expected to add more complication to the above situation. This would be the “Data Protection Act of India” which is presently in the form of a Bill (DPB2021) in the Parliament and is expected to be passed in February of 2022.

The DPB 2021 is a law that is designed to protect the Right to Privacy of an individual, which is recognized as a fundamental right of the citizens of India under Article 21 of the Constitution, subject to reasonable exceptions as enumerated in Article 19(2). A decision to this effect was provided by a Nine Member bench of the Supreme Court of India in its verdict on 24th August 2017 in the now well known case referred to as Justice K S Puttaswamy Vs Union of India.

This act is applicable for “Personal Information” in most of its scope but has one provision regarding the need to disclose a data breach of even “Non-Personal Information”.

The organization which has control of the personal data of an individual and determines its purpose of usage and means of usage is called the “Data Fiduciary” under the Act and is expected to take care of the right of privacy of the individual to whom the personal information relates. The act also recognizes that a Data Fiduciary may engage the services of a “Data Processor” under a contractual arrangement to whom the personal data may be entrusted for further processing. Such a data processor will be bound to follow the contractual obligations and to some extent also the provisions of the law during the course of processing.

The Act has provisions to impose hefty fines of up to 4% of the total worldwide turnover of an organization in case of any failure of the data fiduciary to comply with any of the provisions of the law. Some of the provisions also apply to the Data Processor, who may also be liable for penalties. If an organization is projecting itself as a “Forensic Company” then the expectation is that the company has its own tools and methods of investigation (considered as “Processing” under the DPB 2021) and the contract with the data fiduciary cannot specify the complete details of how the process can be undertaken. In such circumstances the forensic company may take on the role of a “Joint Data Fiduciary” and cannot rely entirely on the contractual document with the Data Fiduciary, which may have a clause indemnifying the investigator from any consequential liabilities.

In the case of an individual forensic investigator, if he is using his own tools and methods of investigation which is often the case, he would be also considered as a “Joint Data Fiduciary”.

In view of the above, Forensic professionals need to be fully aware of the liabilities that may arise in the course of their professional activity, prepare themselves for compliance like a “Data Fiduciary”, and ensure that the contract with the company appointing them as a forensic investigator is comprehensive and sufficient to protect the interests of the investigating company as well as its investigators.

It may be noted that the essence of “Privacy” is keeping information “Confidential” and not disclosed except as “Permitted by law” or as “Consented” by the data principal to whom the personal information belongs. On the other hand, the essence of “Forensic investigation” is to “dig for truth”. Often the investigator does not know what will come forth from his investigation. Most of the time a successful forensic investigator will dig up information which not only unravels the truth behind the transaction which he is appointed to investigate, but also information which is not related to the designated investigation, and many times information belonging to other persons. Some of this may reveal what could be considered misdemeanours or even cognizable offences.

In such a situation, the investigator would come under ethical and legal scrutiny as to whether he is obligated to keep the information confidential to himself, reveal it to his employers, or reveal it to the company whose information is being investigated. Even if he wants to keep the information confidential, he needs to decide how he archives the information and keeps it secure so that the information does not leak out from his custody unintentionally.

The Information Technology Act 2000 already has both civil and criminal penalties prescribed for acts that contravene the act. Though Courts do accept evidence as a revelation of truth even when it is obtained illegally, the person who provides the evidence may not automatically be protected from the legal liabilities arising out of the illegal collection of the evidence.

Journalists often engage in “Sting” operations which may not be legal and may even involve “Unauthorised access to information amounting to hacking”; they normally try to claim immunity because they do the sting operation in the “Public Interest” and in the course of their journalistic activities. In the case of forensic investigators, there may or may not be “Public Interest” in the primary investigation, and whether there is public interest in disclosure or non-disclosure of information unearthed during the investigation is left to the wisdom of the investigator. The investigator may have to exercise his mature judgement on whether the information has to be disclosed and, if so, to whom. If the disclosure was inappropriate, then it could cause damage to the reputation of some innocent persons and cause harm that could lead to penalties under the DPB 2021 besides ITA 2000.

The harm recognized under DPB 2021 is more complex than under ITA 2000 and without a proper understanding of the law, an investigator would be endangering his profession if he does not ensure that both the “Contract” and the “Conduct” are well within the legal boundaries.

DPB 2021 does provide certain exemptions whereby an organization may undertake fraud investigations or information security related activities involving processing of personal data without the specific consent of the data principal. Similarly, law enforcement and the Judiciary may enjoy some exemptions. Further, public interest and Medical emergencies may also have exemptions from consent.

Where the activity of processing of personal information is not covered under exemptions, the investigator needs to be ready to face the liabilities either directly or under the shield of an effective indemnity built into the contract.

Since this subject is new and “Consent” for “information that a data principal or the data fiduciary does not know exists” is not clearly addressed in law, the professional forensic investigator needs to arm himself with sufficient knowledge of data protection law and develop a proper methodology to address the compliance requirements.

The Foundation of Data Protection Professionals in India (FDPPI), an organisation that leads the data protection related activities in India and is led by the author, has developed a standard called the “Data Protection Compliance Standard of India” (DPCSI) in which an attempt is made to suggest some methodologies for compliance by forensic investigating organizations. This is a pioneering effort on a global scale and also includes the evaluation of an organization for its maturity in implementing data protection measures in the form of a “Data Trust Score”. Forensic investigators need to equip themselves with the DPCSI framework, which is applicable not only to the Data Fiduciaries being investigated but also to the investigator himself in setting up his own systems and practices.

Thus the advent of the new legislation in the form of DPB 2021 will make a significant change to the activities and operations of a forensic investigator and a professional forensic investigating agency. To preserve and promote a career in Digital Forensics, professionals must take efforts to also be proficient in the emerging legal changes in the country.

Naavi

Posted in Cyber Law

Non Material Damage under GDPR: Munich Court awards compensation

We are informed from time to time about the GDPR fines imposed by supervisory authorities on different companies for non-compliance. However, GDPR also provides that a data subject may claim compensation on account of a GDPR data breach through an action in the Court.

In this connection it is interesting for academic students of GDPR to follow the recent cases in Germany.

Article 82 of GDPR states:

Article 82: Right to compensation and liability

1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.

3. A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.

4. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.

5. Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2.

6. Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State referred to in Article 79(2).

One of the issues that arise in implementing this provision is whether the data subject is entitled to compensation even if they have not suffered any kind of material damage.

In 2019 a case had been filed in the Goslar Local Court by a customer of an organization who had received a marketing mail from a data controller, claiming compensation of EUR 500. The Magistrate Court rejected the claim, ruling that he had failed to show that he suffered any relevant damage from the unsolicited email that met the “Minimal threshold of impairment”.

The complainant later made a complaint with the Constitutional Court arguing that the Magistrate Court had wrongly applied its own interpretation of the law rather than referring to the ECJ the question of whether it is necessary to meet a de minimis threshold of impairment to be entitled to compensation of non-material damages under Article 82 GDPR.

The FCC (Federal Constitutional Court) agreed with the Plaintiff, ruling that the Magistrate Court was indeed obliged to turn to the ECJ in accordance with Article 267 para. 3 TFEU. The FCC found that whenever a question of EU law arises in a proceeding to be decided by the national court, it must be referred to the ECJ unless (i) the court has determined that the question is not relevant to the decision, (ii) the provision in question has already been interpreted by the ECJ, or (iii) the correct application of the law is so obvious that there is no room for reasonable doubt.

The FCC referred the matter to the Magistrate Court, which is to hear it once again and is to decide on it, in particular on the referral to the ECJ.

On 14th January 2021, the Constitutional Court of Germany held that the question has to be referred to the European Court of Justice. (Refer here)

In case the ECJ holds that it is not essential for the data subject to prove suffering of a quantifiable damage to make a claim for compensation, it is expected that there would be a flood of litigation from the public whenever a data breach occurs. The “Data Subject Compensation Risk” would be additional to the risk of penalty imposed by the supervisory authorities and will be an additional burden on the industry, though it could be covered by an insurance policy.

In the meantime, there was another order of the Regional Court of Munich related to Scalable Capital, which was ordered to pay non-material damages of EUR 2500 to a data subject. (Refer here) The data breach through a cyber attack had been reported to the data subject on 19.10.2020. A total of 389,000 records of 33,200 affected persons had been breached in this incident. Because the data subject feared identity theft and other fraud, they brought the action before the Court and claimed compensation.

In this case of appeal against the compensation granted by the lower Court, the personal information of the customers had been transferred to a data processor whose contract had been terminated at the end of 2015. The company assumed that the data had been deleted but had not verified it. The credentials of the data processor were used by the hackers for the attack.

The Court held that, when assessing the amount of the non-material damages, it must be taken into account that the data in dispute has obviously not yet been misused, at least not to the detriment of the plaintiff, and therefore at most a more or less high risk can be assumed. However, the deterrent effect of the damages intended by the legislator must also be taken into account, as mentioned above. Weighing up all these aspects, the court considers (non-material) damages in the amount of 2,500 euros to be appropriate.

It appears that in this case the need for an ECJ reference was not insisted upon for certain technical reasons. The Court said in this regard:

“Insofar as the defendant believes that a preliminary ruling by the ECJ is mandatory, which was recently established by the BVerfG, decision of 14.1.2021 – 1 BvR 2853/19, it overlooks Article 267 (3) TFEU.* Whereas in the facts underlying the aforementioned decision, neither the appeal complaint had been reached nor the Local Court had allowed the appeal, this is undoubtedly given in the present case (cf. section 511 (1), (2) no. 1 of the Code of Civil Procedure), so that no decision of last instance is given.” (Decision published on 21.12.2021)

(Comments are welcome)

Naavi

  * Article 267 (ex Article 234 TEC)

    The Court of Justice of the European Union shall have jurisdiction to give preliminary rulings concerning:

    (a) the interpretation of the Treaties;

    (b) the validity and interpretation of acts of the institutions, bodies, offices or agencies of the Union;

    Where such a question is raised before any court or tribunal of a Member State, that court or tribunal may, if it considers that a decision on the question is necessary to enable it to give judgment, request the Court to give a ruling thereon.

    Where any such question is raised in a case pending before a court or tribunal of a Member State against whose decisions there is no judicial remedy under national law, that court or tribunal shall bring the matter before the Court.

    If such a question is raised in a case pending before a court or tribunal of a Member State with regard to a person in custody, the Court of Justice of the European Union shall act with the minimum of delay.

Reference:

Article in lexology.com

Article in gdprhub.eu

Posted in Cyber Law

Join the DPA 2021 training starting on April 30th

I would like to remind professionals that the next training program on the Data Protection Regulations in India would be conducted by FDPPI-Cyber Law College online as a weekend batch. Tentative dates are April 30, May 1, 7, 8 and 14.

  1. The program leads to the FDPPI Certification “Certified Data Protection Professional-Module I” and is part of the larger “Certified Data Protection Compliance Management System Auditor/Consultant” (CDPCMS Auditor/Consultant). This program includes two other modules, namely a Module on Global Laws (Module G) and another on Audit (Module A).
  2. The program is based on the new JPC approved version of the Data Protection Bill. It will be conducted online on the Zoom platform.
  3. Appropriate reading material would be provided during the course.
  4. At the end of the course an online multiple-choice examination of 90 minutes would be available. Those who are successful will get the certification “Certified Data Protection Professional-Module I”.
  5. The course content would be as follows:
    1. Evolution of Privacy Laws in India
    2. Applicability
    3. Obligations of a Data Fiduciary
    4. Rights of Data Principal
    5. Exemptions
    6. Restrictions on Data Transfer outside India
    7. Penalties and Offences
    8. Data Protection Authority
    9. Adjudication and Cyber Appellate Tribunal
    10. Data Audit
    11. Data Protection Compliance Management System (DPCMS) and Data Protection Compliance Standard of India (DPCSI)

Registration can be done here.

6. The fee for the course is Rs 12,000/- plus GST of Rs 2160/-. Total Rs 14160/-.

7. Those who attended the FDPPI-IACC seminar on April 4th are entitled to a discount of Rs 2000/- and the fee payable by them would be Rs 10,000/- plus Rs 1800/- (GST). Total Rs 11800/-. (An email has already been sent to all the registered participants of the program)

8. The registrants will also be provided a complimentary “Basic Membership” of FDPPI, which otherwise costs Rs 4000/-.

9. For further clarifications, if any, contact Naavi.

Naavi

Posted in Cyber Law

After Avtar, it is Honda that adopts “Naavi”

Naavi was adopted by me as a name as a short version of my Kannada name Nagaraja Rao Vijayashankar.

The website naavi.com was launched on 14th December 1998 as a personal website and later converted into a Cyber Law website.


We can extract the first looks of the website from the Wayback machine where the earliest available page is 12th October 1999.

The first look of the website is interesting, though very archaic now.

When I launched my first book in 1999 “Cyber Laws for Every Netizen in India”, the name was published as the name of the author of the book.

While adopting naavi as my popular name, the word “Navi” was avoided because it phonetically could be spoken as in Navi Mumbai and also Navi was a registered trademark of Nokia and otherwise in Japan.

When the film “Avtar” was launched the first clash with phonetic “Naavi” was felt and a trademark application was formally launched.

However naavi.com was cyber squatted and later sold to a company in Australia. But Naavi.org which was hosted as a mirror site for Naavi.com remained in my custody and continued to host my content.

Trademark registration in India for service marks was not available when the website naavi.com/naavi.org was launched, and the system of Trademark registration is also steeped in inefficiency.

Now Sachin Bansal of the Flipkart fame has applied for trademark on Navi and the trademark office would perhaps grant it.

On the other hand I can record that for my trademark application of CEAC, the trade mark officer raised objections on CEAT and several other marks which had no relation to the trademark category. Similarly the trademark application of Cyber Law College was objected to and the trade mark application of Naavi was not attended to for ages. With my experience I can state that the Trademark registration is only for those with deep pockets who can manage the corruption in the system and not for those who pursue it only as a legal right.

Anyway now it is interesting that Honda has launched a vehicle in the name “Navi” but phonetically the videos speak of “Naavi”.

Sensing this type of dispute, I had submitted a patent application and launched the service Verify4lookalikes.com, which is now hosted under lookalikes.in. The services I envisaged here are now implemented by many others in the world and I could not take the patent application beyond getting the approval of the PCT.

It is too late now to get disappointed about these failed encounters with Trademarks and Patents; better to sit back and enjoy that the name “Naavi” reverberates with the sound of the Honda motorcycle.

Naavi

Posted in Cyber Law | 1 Comment

Defining a Data Asset.. A Debate

[Discussions here are part of the Naavi’s Theory of Data]

Data Governance in an organization requires identification of what is data, how data can be created or collected, what its value is, who is the custodian, who is the owner, who will have access, what the permitted uses are, what the permitted ways of modification are that create new data assets, how the data can be shared, and how it can be destroyed.

A detailed discussion of these is part of Naavi’s discourse on the Theory of Data, for an academic discussion at some other time.

We have already discussed the concept of “Nuclear theory of Data” in the context of personal data in the following articles.

1. Fission and Fusion of data elements

2. Atomic structure of Data

In the recently released Draft India Data Accessibility and Use policy, the Government has set an objective to draw up an inventory of data assets in each of the Ministries and Departments, and in this context I would like to place a discussion on how we classify “Non Personal Data” in a similar atomic model.

The “Atomic Model” of data envisages that

    1. There is a core element of identity of the data
    2. There are peripheral associate elements that give depth and width to data

In the Personal data context, the Name is like the proton but does not constitute a stable atom on its own. It becomes stable when it is associated with another stabilization element such as, say, the Aadhaar number, PAN card or Social Security number, which gives a “Unique Identity” at least within a large enough universe (e.g. Aadhaar is a unique identity in India but may not be considered so in another country). This combination of the Name and one or more unique identity factors forms the nucleus. But the Nucleus alone does not give the property of the atom. We need a set of electrons that revolve around it, like the other information such as the email address or mobile number, which together give shape to the data set as a stable atom. When two such atoms combine together there can be a molecule, and when more molecules get bonded, we may get a compound or a complex organic molecule.

In non personal data (NPD), defining a data set requires identification of a core identity element for the data set and then the associated information. NPD does not have the name of an individual to whom the data relates. But it could have an “event” or an “Object” to which the data relates. For example, data about a company, about a market research study or about a cricket match are “NPDs related to a core activity or object”. This core object is the defining sub-atomic particle of the NPD element.

The depth and width of the element is determined by how many neutron-like core elemental particles and how many electron-type peripheral particles are associated.

An NPD data set can be a PDF document, a video or an entire database. A document about a cricket match and a video about the same cricket match can be considered as two distinct data sets. They can be combined with information on several cricket matches in a database, in which case the database is an NPD set.

When an inventory is being created, we need to identify and define the data set and give it an identity tag so that it can be accessed by users. In such an inventory, the data set has to exist in some stable form, such as a video clip of at least a few seconds, for the data to have any meaning. The PDF document and the Video clip can be considered as stable data sets. They can be included in a database, and access may be defined either to specific stable elements or to a larger document depending on the requirement.

When a search facility needs to be created, the search term has to be for a stable data element. For example, while we can do a text search for “sta” and index it, the more useful search term would be “stable”. Similarly the “Searchable component” of a data set should be a term that is useful to the person trying to locate the document.

These concepts need to be debated and refined further to enable “Data Governance” around “Non Personal Data Sets” generated, created, collected, used, disclosed and destroyed by an organization whether it is a Government department or a Private Company.

Industry representatives may comment if this concept has any relation to the way they define a data set under their control for Data Protection requirements under GDPR or other similar laws.
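To make the atomic model concrete, here is an added illustration (not code from naavi.org or FDPPI) of how the nucleus/electron idea, the identity tag for an inventory, and the "stable term" search index described above could be modelled. The identifier kinds, their "universes" of uniqueness and all sample records are constructed assumptions; it also generalises the cricket-match example to a small inventory that merges a PDF and a video into one database set.

```python
# Added toy model of the 'atomic' data-set classification; all values are constructed.
import hashlib
from dataclasses import dataclass, field

# Assumption: Aadhaar and PAN are unique within India, SSN within the US.
UNIQUE_ID_UNIVERSE = {"aadhaar": "IN", "pan": "IN", "ssn": "US"}

def _tag(prefix, core):
    """Inventory identity tag derived from the core elements only."""
    return prefix + hashlib.sha256(core.encode()).hexdigest()[:12]

@dataclass
class PersonalAtom:
    """Name (proton) + unique identifiers form the nucleus; contact details
    such as email or mobile are the electrons around it."""
    name: str
    identifiers: dict = field(default_factory=dict)  # kind -> value
    electrons: dict = field(default_factory=dict)    # email, mobile, ...

    def nucleus(self, universe):
        """Only identifiers that are actually unique in this universe count."""
        return {k: v for k, v in self.identifiers.items()
                if UNIQUE_ID_UNIVERSE.get(k) == universe}

    def is_stable(self, universe):
        # A bare name is a proton without a stable atom around it.
        return bool(self.name.strip()) and bool(self.nucleus(universe))

    def identity_tag(self, universe):
        core = "|".join([self.name.strip().lower()] + sorted(
            f"{k}={v}" for k, v in self.nucleus(universe).items()))
        return _tag("P-", core)

@dataclass
class NpdSet:
    """Non-personal data: a core object/event plus associated elements,
    held in a stable form (pdf, video, database)."""
    core_object: str
    form: str
    elements: dict = field(default_factory=dict)

    def identity_tag(self):
        return _tag("N-", f"{self.core_object.strip().lower()}|{self.form}")

    def searchable_terms(self, min_len=4):
        """Index whole stable words ('stable'), not fragments like 'sta'."""
        text = self.core_object + " " + " ".join(map(str, self.elements.values()))
        words = (w.strip(".,;:") for w in text.lower().split())
        return sorted({w for w in words if len(w) >= min_len})

def combine(core_object, *sets):
    """Bond several stable sets into one database set (a 'molecule')."""
    merged = {f"{s.identity_tag()}:{k}": v for s in sets for k, v in s.elements.items()}
    return NpdSet(core_object, "database", merged)

class Inventory:
    def __init__(self, universe):
        self.universe = universe
        self.items = {}   # tag -> data set
        self.index = {}   # searchable term -> set of NPD tags

    def add(self, ds):
        if isinstance(ds, PersonalAtom):
            if not ds.is_stable(self.universe):
                raise ValueError(f"unstable personal data: no unique id for {self.universe}")
            tag = ds.identity_tag(self.universe)
        else:
            tag = ds.identity_tag()
            for term in ds.searchable_terms():
                self.index.setdefault(term, set()).add(tag)
        self.items[tag] = ds  # same nucleus -> same tag, so re-adding just updates
        return tag

    def search(self, term):
        return sorted(self.index.get(term.lower(), ()))

def demo():
    # Constructed sample inventory; returns it plus the two tags of one person.
    inv = Inventory("IN")
    asha = PersonalAtom("Asha Rao", {"aadhaar": "0000-0000-0001"}, {"mobile": "+91-00000-00001"})
    tag1 = inv.add(asha)
    asha.electrons["email"] = "asha@example.invalid"  # new electron, same nucleus
    tag2 = inv.add(asha)
    pdf = NpdSet("Cricket match 2022-03-12", "pdf", {"venue": "Chennai", "result": "Team A won"})
    vid = NpdSet("Cricket match 2022-03-12", "video", {"duration_s": 180})
    for ds in (pdf, vid, combine("Cricket matches 2022", pdf, vid)):
        inv.add(ds)
    return inv, tag1, tag2
```

Adding a new electron (the email) to the same nucleus yields the same identity tag, while a name backed only by an identifier from another universe is rejected as an unstable atom.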

Naavi

Reference Articles:

1. Atomic model of Data

2. Fission and Fusion of Data

3. Theory of Dynamic personal data

4. The new theory of data

Posted in Cyber Law