Newsletters

The setting up of a Data Protection Authority (DPA) has to be seen in the perspective of one basic hypothesis in the proposed Bill. This hypothesis is about treating personal data as a matter of trust. If something has to be treated as a matter of trust and not as property then surely there is a need of an adjudicating authority. It is this assumption that led to the proposal of setting up a Data Protection Authority at the center with a large staff selected from the government and judiciary.

At the outset, very proposition of setting up of a new Data Protection Authority seems to assume that existing institutions are incapable of handling the work involved. All violations of personal data, barring a few, which have been made criminal offences, are to be enquired into by this authority. The DPA also has powers of search and seizure and can requisition police officers in case of need. It is proposed to be manned by persons from judiciary and bureaucracy. The retirement age of members has been set at 65 years, which, in addition to other ramifications, clearly promotes a ‘post retirement’ benefit plan for many senior bureaucrats who are nearing their superannuation in government.

The moot question is, whether this DPA is really required at all? The European Union's (EU) General Data Protection Regulation (GDPR), which seems to have had a great influence on this proposed Bill, treats personal data as property and applies the same rules as would be applicable to any other loss of property. Surprisingly, while most sections of the proposal are complete copies of GDPR, this very basic attribute of personal data has been diluted in the present Bill. In hindsight, this appears to have been done on purpose. As, without this, the civil nature of adjudication would not have arisen and the need of authority would not be there.

Even if one accepts the proposal for a separate authority, there is probably a constitutional flaw here. The Bill in its present form takes away the supervision of the High Courts in matters emanating out of the Appellate Tribunals.

Appeals against Appellate Tribunals will lie only in the Supreme Court. No one can deny that personal data relates to personal privacy. Right to Privacy is a fundamental right, which is enforceable by High Courts of the States. This Bill somehow proposes to take away the supervision of High Courts on such a basic and fundamental issue, which relates to the right of privacy of individuals.

This assumption flows from the fact that the Bill does not even mention the authority of the State. Policing is a state subject as per the Constitution of India. It appears that there has been a clear attempt to keep the States out of the picture in this Bill. The proposed Authority is proposed as a Central government institution and there are no state bodies recommended. It is surprising that the elite members on the drafting committee of the Bill looked at the issue of personal data as a central subject, when it is clearly in the domain of the States. This was probably overlooked as police was not involved in the drafting the Bill.

The proposed Bill also envisages a minimal role for the police. This stems from two facts. One, that personal data was treated as trust and not as property. Second, that DPA is envisaged as a central government body while policing is a state responsibility and hence there would be no role for the police.

This is no to deny that there are certain provisions where police officers do figure. The proposed Bill deems certain violations as criminal offences. These offences have been made non-bailable and cognizable. Police officers of the rank of inspectors and above are proposed to be given powers to investigate such offences. However, since the vast chunk of violations are not made criminal offences and are under the DPA, the role of the police in securing protection of personal data is indeed minimal.

Dilution of personal data to the status of mere trust and overlooking the role of the state and the original jurisdiction of the High Courts are issues that need to be addressed. If left unattended, in its present shape, the proposed Bill will lead to creation of yet another elite authority, which will remain out of reach of ordinary people.

(Sanjay Pandey, an IPS officer from the 1986-batch, is Director General of Police and Commandant General, Home Guards and Director, Civil Defence, Maharashtra)

Published in Moneylife

In Oct 2016, almost 3.2 million debit cards, issued by major banks in India were allegedly compromised due to the presence of malware in affected ATMs. Website of a major depository in India was hacked in the same month. Reacting to the compromise of cards, issuing banks responded by blocking the cards and reporting the details to RBI. The depository reported the incident to CERT-in (Computer Emergency Response team under Ministry of Electronics and Information Technology) and later to SEBI. Public, who are the actual stake holders, whose money was in the banks and stocks were with the depository, probably got to see this only through the news reports. Regulators too were probably not informed in time. It was due to the delayed reporting that RBI directed the banks to report such incidents in space of two to 6 hours. SEBI directed the depository to report any such breach within a reasonable time. Directions to inform the public however, are still missing.

Even this one sided reporting, almost neglecting the true owners of assets, i.e. the citizens, lacks any legislative sanction. This however is not how cyber incidents are reported and handled internationally. European Union in April 2016 adopted General Data Protection Regulation (GDPR). As per this regulation, failure to report within 72 hours of the breach could lead to fine up to 2% of the annual turnover of the entity involved. Almost all states in Unites states of America except Alabama, New Mexico, and South Dakota have security breach laws. Proposed CERT-Fin, to be effective, will require the backing of legally mandated data breach reporting norms for disclosure of security breaches both to itself, regulators and the public.

Besides making the reporting of security breaches mandatory, CERT-Fin will be best served if each reported security breach leading to loss of public money is also reported to the Police. As of now in absence of any law requiring compulsory reporting, most such cases are probably neither reported nor criminally investigated. Most cases involving intricate technology details, enquiries end with detailed reports of internal/external auditors and technical committees. Recently in an alleged misuse of High Frequency Trading option in one of the stock exchanges, probably only internal enquiries/audit by the exchange and the regulator were done. If a breach or misuse of resource provided wrongful advantage to some and wrongful disadvantage to others, it requires being criminally investigation. In cases like these, proposed CERT-Fin will possibly play a pivotal role in providing much needed technical support to investigating agencies.

Building this background of legislative framework for proposed CERT-Fin is also not too difficult. This can be achieved by amending the existing Information Technology Act, 2000. Section 43A of IT Act already provides for compensation to be provided for failure to protect data. Same section can be amended to include time frame in which a security breach has to be reported, both to the concerned regulator/law enforcement agency as well as to the concerned citizens. Punitive action in case of failure to report can also be included in the amendments.

With these changes in existing laws, proposed CERT-Fin will help not only in prompt disclosure of cyber security incidents to the public and regulators, but will also provide much needed technical support to financial institutions in case of future cyber incidents.

After the demonetisation many of the 661.8 million debit card holders in India, used their cards for the first time. Quite a few of these persons had no or little knowledge of security requirements in usage of these cards. This happened while India, in October 2016, was grappling with the fact of nearly 3.2 million debit cards issued by some of its major banks having been compromised due to malware in some ATMs. As a precautionary measure, Banks had sent out an advisory that people should use only bank owned ATMs. After the demonetisation announcement, this was undone. People were told to withdraw money from any bank’s ATM. If this has had any adverse effect is yet to be reported, but vulnerabilities associated with cards remain.

Most cards in use are still non-EMV (Europay, Master and Visa) cards. These non-EMV cards are inherently vulnerable and are prone to letting account related information being read by hacked ATMs. Process to change to EMV chip and pin-based cards in spite of RBI directives in this regard, has been slow.

Besides non-EMV cards and malware prone ATMs robustness of Point of Sale (POS) machines is another concern. BIS prescribes standards for these machines which are imported. To meet the growing demand new POS machines are being purchased without BIS labeling till March 2017. Possibilities of rogue machines mixed with genuine imports cannot be ruled out.

Along with increasing use of cards, online transactions using apps and digital wallets have grown too. As per RBI figures, mobile banking transactions grew 175 percent, while money transacted using mobile banking grew 369 percent in a period between October 2015 to October 2016, when compared to similar period in earlier years.

These digital wallets and apps are regulated by RBI, however, RBI’s, 1 July, 2015 circular, does not clearly spell out security requirements for these payment apps and digital wallets. It’s not too surprising that frauds have started to happen. Paytm’s, recent complaint regarding cheating of around Rs 6.15 lakhs is surely a wakeup call. With government sponsored Bhim app in market and growing usage of digital wallets and payment apps, security measures need to be clearly defined.

Scary as they may sound, these issues are not too difficult to tackle. RBI has already directed replacement of non EMV cards. There is a need to strictly enforce these directions and educate the public regarding security hazards of non-EMV cards. ATMs may be periodically examined by National Payment Corporation of India (NPCI) and labeled secure for use. Benchmarking of POS terminals as per BIS norms may not be relaxed to meet the demand. And lastly, digital wallet service providers need to mandatorily use assigned encryption levels for transactions as well as for storing customer data.

Once these basic steps are taken, only then, surprise audits by RBI and routine audits mandated to the Banks will help in sustaining this digital push year after year.

The author is currently Additional Director General Home guards, Mumbai and former Controller, Legal Metrology, Maharashtra.

While most social media sites freely use user’s data, WhatsApp is different. WhatsApp as its policy in 2009, stated that it will never share any user data with any one. WhatsApp’s founder, Jan Koum on 2014 had said that in spite of the merger with Facebook no user data will be shared with Facebook. With this background, in spite of WhatsApp giving an option to users to opt out of sharing of data within 30 days of the announcement, concerned citizens are alleging compromise of user rights.

Sharing of data with Facebook will reveal users’ phone numbers. It will also disclose friends with whom a person interacts. Facebook may use close to one billion user data of WhatsApp in multiple ways. With the available phone numbers it can send more informed friend suggestions. It will be able to send more targeted ads based on user interactions. It can also let businesses directly contact users based on the ads that get viewed by the users. It is this sharing of phone numbers and their use for advertisements is what is causing grave privacy concerns.

While it may be compromising user privacy, present Indian laws may not be able to provide any relief for these concerns. Reasons are not far to seek. Privacy issues in electronic media are addressed in the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 under Information Technology Act. These rules in case of WhatsApp, will not be of much use as there exists a contractual agreement between the users and WhatsApp. This agreement is signed at the time of opening a WhatsApp account. Though this agreement guaranteed user data privacy, in current announcement of WhatsApp, users still have a choice to opt out of this disclosure. Due to this, litigation may not result in any great outcome.

Whatever be the outcome of the current PIL, citizens feel tricked. They have been using WhatsApp freely under the promise of secrecy (through end to end encryption) and privacy as vouched for by WhatsApp. Now that they are stuck on the platform they find no way of going back. They are also unsure whether this, opt out policy too, will change in future. More worrisome is the fact that while the rules under Information Technology Act provide for safeguards, compliance of the same and their enforcement is a weak area. Going forward, mandatory compliance to the current Information Technology Act rules ensuring complete privacy of citizen rights may alleviate current helplessness.

Dealing a deadly body blow to the card industry and proprietary digital wallet industry are two indigenous innovations. One is the purported move to have Aadhar chip embedded in smart phones which support Iris scans. And the other is the launching of Unified Payment Interface by National Payment Corporation of India.

In current scenario when a purchase is made using a card it is swiped on the point of sale machine and a pin is entered to authenticate the card. This affects money transfer from the customer’s bank to the account of the merchant. In cases where money has to be transferred using a digital wallet, it is done using the digital wallet app. Money from one digital wallet can be transferred to another digital wallet provided they subscribe to the same provider i.e. PayTm, HDFC Chillr etc. This scenario is now set to change.

Iris scan supported Aadhar card enabled smart phones provide for authentication through the mobile phone. Process is simple. If a transaction has to be made once the Iris is scanned, Aadhaar chip embedded in the phone will communicate with Aadhaar servers and provide instant authentication. Once the authentication is done money transactions can be done. There will be no need of either a point of sale machine or a card for the purposes of transaction.

Alongside proposed Aadhaar enabled mobile phones, Unified Payment Interface, launched by National Payment Corporation of India with Reserve Bank of India is revolutionizing the way digital wallets get used and transactions are made.

Using UPI app persons can create their digital wallets and have a virtual private address. This Virtual private address could either be the Aadhaar card number of just the mobile phone number of the person. In case of any transfer to be affected it can be done from one VPA to another without the restriction of these digital wallets being of the same bank or the same provider. Money in case of UPI enabled wallets always remains with the banks and transactions involving transfers are free. This is unlike the current digital wallets where money gets out of the banking system and in case money has to be sent to the bank there are charges for the same. With this ease of use and freedom to transact across participating banks it’s only a matter of time that Unified Payment Interface enabled apps will replace proprietary digital wallets.

Unified Payment Interface is also enabling person to person (P2P) transactions besides person to merchant (P2M) transactions. In P2P persons transact among themselves using UPI enabled digital wallets. Once this happens even the 2.1 lakh ATMs may become redundant. Each mobile will become a payment device both accepting and making payments.

Making this a reality, are the current 371 million mobile internet users (35% of the population as of June 2016) in India, and approximately 108 Crore Aadhaar card holders (as per UIDAI). These numbers coupled with an estimate 50 Million internet users getting added each year; Prime Minsters’ wish for a cashless economy may well get realized much sooner than anticipated.

(First published in Firstpost)