Share on facebook
Share on twitter
Share on linkedin

There is a Tide in the Affairs of Men…and Nations too

Three decades ago, the mobile revolution helped India overcome its communication challenges. Today, mobile phones have become a commodity in India. At least feature phones have, even if smartphones haven’t. But if you are old enough to remember India during the mid-1990s, you will know that India’s fixed line telephone density was very low at that time. Getting new telephone connections was tough, and involved waiting periods that often extended to several months. Due to ageing cables, making telephone calls was a challenge, and even when calls were connected, the quality was poor.  

Mobile communication technologies unleashed a powerful revolution that changed all this. Even far-off locations where laying fixed-line cables was a challenge got access to mobile towers and signals. So huge has been the transformative power of mobile technologies that an entire generation of regulatory reforms, business models and lifestyle paradigms all depend on the ubiquitous mobile phone.

Why is this relevant now?

Today, the world is on the threshold of a new breed of technologies such as AI/ML, Robotics, IIoT, Blockchain, Cloud, Analytics, Drones, Autonomous Vehicles, the Metaverse etc. Collectively and individually, these technologies have the potential to transform the world as we know it to a much greater degree. Indeed, the next decade may witness the greatest changes driven by technology in the recorded history of humankind.

The reason why it is important to be cognizant of this and take timely action. There are no established leaders in these areas because the sectors, their impact and tech are still evolving. India as a country has the technical and commercial savvy to harness these new technologies and drive innovations. What is needed is the educational and industrial framework to ensure that students get to acquire and sharpen their expertise in these new areas and start applying them to solving real-world problems. The National Education Policy is one step in this direction, but implementing it in the right way is key. Not just the curriculum, but the whole system of education must change. Internships must become more focused and integrated with the learning process, and not just a certificate-driven activity as it largely has been (and is).

It’s not just the central government that needs to act with alacrity and vision; state governments also need to formulate the right policies and rules to ensure that the country as a whole is able to take advantage of the massive disruption that is occurring all around us. Some states have woken up to this need and are putting in place plans to encourage entrepreneurs and attract investments into key sectors. The initial agreement to set up a chip-making facility in Karnataka is one example- but it’s early days yet, and many more hurdles need to be overcome.

The startup ecosystem, too, needs to readjust its approach to backing ventures in these new areas. Yes, the risk will be higher and the failure rate may be higher, but these ventures must be seen as proving grounds for technologies and ideas. Our private sector must also be ready to make the necessary investments to embrace these new technologies and lead innovation and adoption. Our large IT services industry must accelerate the shift to provide offerings built around these new areas. A lot is already happening, but the pace must pick up. India’s public sector, long regarded as a white elephant, can also play a key role by absorbing these technologies and innovatively deploying them in sectors of national importance, such as energy, agriculture, disaster recovery, infrastructure development, defence etc.

Achieving all this requires macroeconomic stability: inflation under control, relatively stable exchange rates and an adequate money supply. For a number of reasons that are outside the control of our government or individual companies, these conditions may not be met immediately. But as responsible citizens, business leaders, regulators, teachers and parents, each one of us has a role to play. Of course, the executive, the legislature and the judiciary also have their own roles to play.

To quote Brutus from Shakespeare’s play “Julius Caesar”,

“There is a tide in the affairs of men
Which, taken at the flood, leads on to fortune;
Omitted, all the voyage of their life
Is bound in shallows and in miseries.
On such a full sea are we now afloat,
And we must take the current when it serves,
Or lose our ventures”.

This is very much the situation that much of the world finds itself in at this time. If we in India can rise to the occasion, our continued ascendancy as a power is assured. But there is many a slip between the cup and the lip, and if we squander time and energy on needless and irrelevant issues, it is just as certain that we will not realise our potential. Let us make the right choice.

Image Credits: Photo by Pete Linforth from Pixabay 

Today, the world is on the threshold of a new breed of technologies such as AI/ML, Robotics, IIoT, Blockchain, Cloud, Analytics, Drones and Autonomous Vehicles, the Metaverse etc. Collectively and individually, these technologies have the potential to transform the world as we know it to a much greater degree. Indeed, the next decade may witness the greatest changes driven by technologies in the recorded history of humankind. The reason why it is important to be cognizant of this and take timely action. There are no established leaders in these areas because the sectors, their impact and tech are still evolving.

POST A COMMENT

Share on facebook
Share on twitter
Share on linkedin

CERT-IN's Cyber Security Breach Reporting: An Update

The Indian Computer Emergency Response Team (CERT-In) was constituted in 2004 under section 70B of the Information Technology Act, 2000. It is the national nodal agency that responds to cyber security threats within the country and is under the Ministry of Electronics and Information Technology, Government of India. Recently, CERT-In released a direction [1] relating to information security practices, procedures, prevention, response and reporting of cyber security threats.

Key Features of the Cyber Security Breach Reporting Directions 

 

Mandatory Reporting

The direction mandates all service providers, government organisations, data centres, intermediaries and body corporates to mandatorily report within 6 hours of noticing or being brought to notice of any cyber incident. Rule 12(1)(a) of the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 provides for a list of cyber security incidents that needed to be reported mandatorily by these entities mentioned above. The rules had previously listed 10 different types of cyber security incidents which need to be mandatorily reported. Apart from these 10 types, the new direction has also categorised data breaches, data leaks, attacks on IoT, and payment systems, fake mobile apps, unauthorised access to social media accounts and attacks or suspicious activities affecting software/servers/systems/apps relating to big data, blockchain, virtual assets, 3Dand 4D printing, drones as cyber security incidents which should be mandatorily reported. 

 

 

Point of Contact

All service providers, intermediaries, data centres, body corporates and Government organisations shall appoint a point of contact within their organisation, who shall ensure effective coordination with the CERT-In. The name and other details of the point of contact shall be sent to CERT-In and the entity should also ensure that it is updated every now and then when there is a change.

 

 

Log Retention and Data Localisation Requirement

The direction mandates all entities mentioned in the direction to mandatorily maintain and secure logs of their ICT systems for a period of 180 days. All such logs should be stored within the jurisdiction of the country and the same should be handed over to the CERT-In in the event of a cyber security incident or any order or direction from CERT-In.

 

 

Registration of Information

The direction has mandated data centres, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers to register certain information with CERT-In. All these entities are required to maintain such information for a period of 5 years or longer duration as mandated by law, even after the cancellation or expiration of the registration. The following information is required to be registered with CERT-In:

  • Validated names of subscribers/customers hiring the services.
  • Period of hire, including dates.
  • IPs allotted to/being used by the members.
  • Email address and IP address and time stamp used at the time of registration/on-boarding.
  • The purpose of hiring services.
  • Validated address and contact numbers.
  • Ownership pattern of the subscribers/customers hiring services.

 

KYC Requirement

This decade has witnessed the rise of cryptocurrencies across the globe and most countries, including India, still lack a dedicated framework to regulate this space. These new directions from CERT-In intend to regulate and streamline some aspects of this exponentially expanding sector. The directions mandate that virtual asset service providers, virtual asset exchange providers and custodian wallet providers to obtain KYC information from their customers. Further, these entities are also obligated to record all their financial transactions for a period of 5 years. Entities are also directed to maintain information about the IP addresses along with timestamps and time zones, transaction ID, the public keys, addresses or accounts involved, the nature and date of the transaction, and the amount transferred. 

 

 

Integration into ICT System

The direction calls on data centres, body corporates and government organisations to connect to the Network Time Protocol (NTP) Server of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL) for synchronisation into the ICT system. Moreover, where ICT infrastructure of the entities are scattered in multiple locations, the entities are free to use accurate and standard time sources other than NPL and NIC.

 

Non-compliance

In the event that the above-mentioned entities fail to adhere or comply with these directions issued by CERT-In, they shall be punishable with imprisonment for a term which may extend to one year or with a fine which may extend to one lakh rupees or with both under subsection (7) of section 70B of the IT Act, 2000.

 

Conclusion

These new directions issued by CERT-In have acknowledged the concerns of end-users, who were kept in the dark regarding their data and the process undertaken by a corporate body in the event of a data breach or leak. The directions have also touched upon the latest technological developments like cloud services, virtual assets, and online payments, which are yet to be completely regulated by the government. When compared with the CERT rules 2013, the new directions have an expanded scope and applicability as well as a significantly increased compliance bracket for entities.

The European Union enacted the EU Directive on Security of Networks and Information Systems (called the NIS Directive), which supervises the cyber security of European markets. Unlike the present directive, the scope and applicability of the NIS directive are much larger. Certain critical sectors such as energy, transport, water, health, digital infrastructure, finance, and digital service providers such as online marketplaces, cloud and online search engines are all required to comply with these directives.

CERT-In has provided the entities with a 60-day window to comply with the directions. The increased compliance requirements and the added cost that comes along with such compliance will make smaller entities anxious. Hence, the effectiveness of these directions can only be judged with the passage of time. Significant concern can also be placed on the fact that these new directions will merely add to the compliance burden rather than improve the cyber security environment of the country.

References:

[1] https://www.cert-in.org.in/Directions70B.jsp

Image Credits: Image by Pete Linforth from Pixabay

These new directions issued by CERT-In have acknowledged the concerns of end-users, who were kept in the dark regarding their data and the process undertaken by a body corporate in the event of a data breach or leak. The directions have also touched upon the latest technological developments like cloud services, virtual assets, and online payments, which are yet to be completely regulated by the government. When compared to the CERT rules 2013, the new directions have an expanded scope and applicability and a significantly increased compliance bracket for entities.

POST A COMMENT

Share on facebook
Share on twitter
Share on linkedin

Cryptocurrency and Money Laundering: Deciphering the Why and the How

The financial sector continues to revel in the advancement of disruptive technological innovations. Due to the attractive rates and fees, ease of access and account setup, variety of innovative products and services, and improved service quality and product features, financial technology is attracting more customers and investors today.[1] Despite the numerous advantages of these sectoral transformations, it is impossible to deny that the digitization and ease with which the internet has enabled all of us to function effectively in our day-to-day work has also created a space for virtual crimes.

Amidst the pioneering fintech revolution, cryptocurrency has emerged as a modern financial technology that can be used to easily launder money. Despite rapid market fluctuations and an uncertain legal status, cryptocurrency continues to captivate Indian investors, who are undeterred and unbothered by the associated risks of cyber fraud.

This article will explore how the crypto market nurtures a convenient and fertile ground for money laundering activities.

 

Cryptocurrency and India

 

The Indian regulatory market has had a hot and cold relationship with cryptocurrency over the years. The RBI, vide Circular DBR.No.BP.BC.104/08.13.102/2017-18 dated April 06, 2018[2], restricted all crypto transactions. However, in 2020, the Supreme Court effectively struck down the ban. As a result, the RBI stated in Circular DOR. AML.REC 18/14.01.001/2021-22 that banks and financial institutions cannot cite the aforementioned circular to warn their customers against dealing in Virtual Currencies. However, it did state that, “Banks, as well as other entities addressed above, may, however, continue to carry out customer due diligence processes in line with regulations governing standards for Know Your Customer (KYC), Anti-Money Laundering (AML), Combating Financing of Terrorism (CFT) and obligations of regulated entities under the Prevention of Money Laundering Act (PMLA), 2002, in addition to ensuring compliance with relevant provisions under the Foreign Exchange Management Act (FEMA) for overseas remittances.”[3]

At present, while the talks of implementing comprehensive legislation governing cryptocurrencies have fizzled out, the Union Budget 2022 brought digital currencies under the tax net. As of 2022, the crypto asset market in India stands at an approximated evaluation of 45,000 Crores and 15 million investors[4].

However, it is pertinent to note that it is transactions, not investments, in the digital currency that pose an issue. In India, the Enforcement Directorate discovered over 4,000 crores of such illegal cryptocurrency transactions in 2021. As per the 2022 Crypto Crime Report by blockchain data firm Chainalysis[5], cybercriminals laundered $8.6 billion worth of cryptocurrency in 2021, $6.6 billion in 2020 and $10.9 billion in 2019. Furthermore, the study discovered that at the moment, darknet market sales or ransomware attack profits are virtually derived in cryptocurrency rather than fiat currency, thus significantly contributing to the data. 

Money laundering, terror financing, drug dealing, and other criminal activities are all done using cryptocurrency transactions. Although these transactions are recorded on a blockchain and are traceable, criminals use mixers and tumblers to make it difficult for a third party to track them.

 

The Laundering Mechanism

                           

                                    Eurospider Information Technology AG, “Mixers Tumbler Example,” fig.

For clarity, refer to the above image. Using the OHNE mixer, A sends 20 bitcoins to B, U sends 15 bitcoins to V, and X sends 5 bitcoins to Y. These are single-layer transactions that are simple to trace and identify.

The transaction takes place in a different way in the second image, where the MIT mixer is used. For the sake of brevity, let us consider a single layer of mixer being used. In real life, the number of mixers used is in the thousands. Here, A sends 20 bitcoins to M1, U sends 15 bitcoins to M2 and X sends 5 bitcoins to M3. In the next stage, B receives 20 bitcoins from M2, V receives 15 bitcoins from M1, and Y receives 5 bitcoins from M1. The difference we must notice is that B, V, and Y are receiving the same number of bitcoins as in picture one, but not from A, U and X, respectively. Because there is no information about A sending bitcoins to B, U sending bitcoins to V, or X sending bitcoins to Y, these transactions are not single-layered and are impossible to trace. Hence, making the transaction anonymous.

Criminals use a similar method to send money using cryptocurrencies. Consider the following scenario to gain a better understanding: A, B, C, and Z are cryptocurrency users who keep their coins in their digital wallets. They use the same mixing service to make transactions. A, B, and C are law-abiding citizens, while Z is a criminal involved in drug trafficking. A has to pay X a certain amount of money. X is paid, but the bitcoins he received were deposited by Z, a drug trafficker. When X received the payment, he had no idea that the bitcoins he had were dirty bitcoins and had been used for illegal activities. This is a straightforward explanation of how dirty bitcoins are making their way through the market, paving the way for money laundering. 

 

What can be done?

 

The International Monetary Fund (IMF) has released a report titled “Global Financial Stability Report”[6] which discusses the following details about how cryptocurrencies should be regulated, considering their increasing market capitalization and the growing exposure of banking and financial systems to crypto assets:

  1. Implementation of global standards applicable to crypto-assets should be the key focus area of national policies.
  2. Regulators should identify and control the associated risks of crypto assets, specifically in areas of systemic importance.
  3. Coordination among national regulators is key for effective enforcement and fewer instances of regulatory arbitrage.
  4. Data gaps and monitoring of the crypto ecosystem for better policy decisions should be prioritised by the regulators.

The report also discusses how stablecoins and decentralized finance pose a significant risk to the crypto market and the overall economy if they are not properly regulated and supervised by issuers.

  1. Regulations should be proportionate to the risk and in line with those of global stablecoins.
  2. Coordination is a must, to implement requisite recommendations in the areas of acute risks, enhanced disclosure, independent audit of reserves, and fit and proper rules for network administrators and issuers.

The report also discusses the importance of managing macro-financial risks through:

  1. Enactment of de-dollarization policies, including enhancing monetary policy credibility.
  2. Formulating a sound fiscal position with effective legal and regulatory measures and implementing central bank digital currencies
  3. Reconsidering Capital Flow Restrictions with respect to their effectiveness, supervision, and enforcement

However, according to the report, cryptoization would make finance more cost-effective, quick, and accessible.

There is also an intergovernmental organisation known as the Financial Action Task Force, which is constantly updating its recommendations to maintain legal, regulatory, and operational methods for combating money laundering, terrorism financing, proliferation, and other threats to the integrity of the international financial system. The Financial Action Task Force (FATF) recently released a compliance framework recommending that all anti-money laundering rules that traditional financial systems follow be applied to stable coins, cryptocurrency, and virtual asset service providers. Even though identifying the source of such funds and keeping track of who is the beneficiary of such funds is difficult, countries are still being encouraged to develop provisions that provide for due diligence, record keeping, and the reporting of suspicious transactions.[7]

 

The Legislative Way Forward for India

 

At present, there is no comprehensive legislative framework to govern fintech advancements encompassing blockchain and cryptocurrencies. At best, the present regulatory framework is a patchy, cross-networked arrangement that demands careful deliberations in alignment with the evolving technological innovations in the sector.

The Information Technology Act, 2000:

While the legislation successfully addresses issues like identity theft, hacking, and ransomware and provides a means to tackle the issue of extraterritorial jurisdiction, it is safe to conclude that the serpentine considerations of blockchain cannot be comprehended and addressed by the Act.

The Prevention of Money Laundering Act, 2002 and the Prevention of Money Laundering Rules, 2005

The offences listed in Parts A, B and C of the PMLA Schedule attract the penalties enumerated under the Act.

Part A categorises offences under: Indian Penal Code, Narcotics Drugs and Psychotropic Substances Act, Prevention of Corruption Act, Antiquities and Art Treasures Act, Copyright Act, Trademark Act, Wildlife Protection Act, and Information Technology Act.

Part B enlists offences under Part A with a valuation of Rs 1 crore or more.

Part C exclusively deals with trans-border crimes.

Recently, the Enforcement Directorate attached proceeds of crimes amounting to Rs 135 crores in 7 cases in which the usage of cryptocurrency for money laundering activities was flagged by the authorities.[8]

However, it is pertinent to note that the offences recognised under the respective parts of the schedule only comprise the offences under the current framework of legislation, which is at present not equipped to regulate any segment of cryptocurrency transactions and digital currency operations in the country. 

Foreign Exchange Management Act, 1999

Even though the Act specifies procedures to conduct cross-border and foreign exchange transactions, it fails to identify the role of technology as an instrumental enabler of such transactions at present. However, it is interesting to note that it empowers the RBI to establish a regulatory framework to address the same.

The Payment and Settlement Systems Act, 2007

The PSS Act was enacted with the objective of establishing a regulatory framework for banks and ancillary financial institutions, designating RBI as the nodal authority. Section 4 of the Act states that no payment system shall operate in India without the prior due authorization of the RBI.

Apart from the above-mentioned legislation, regulators like SEBI, Ministry of Electronics and Information Technology (MeitY), Insurance Regulatory and Development Authority of India (IRDAI), and Ministry of Corporate Affairs (MCA) have also undertaken initiatives to implement specialised guidelines. While these regulations deal with the contemporary issues of payments, digital lending and global remittances, none of them has managed to find a concrete ground for effectively supervising and regulating cryptocurrency transactions backed by blockchain in the current volatile ecosystem.

At present, key industry regulators and stakeholders should collaborate to understand the novelty, process and extent of the present disruptive fintech trends. Furthermore, initiatives should be taken to ensure transparency of such transactions, establish secure authentication transactions for the exchanges and tighten the legislative noose on cyber security systems in the country. Additionally, establishing a centralised statutory body and local self-regulatory bodies across the sovereign, and implementing an extensive centralised framework is also imperative. The current scheme of criminal activities in virtual space transcends geographical boundaries, hence it is crucial for global policymakers to implement mechanisms to ensure coordination and collaboration by institutionalising inter-governmental bodies.

References: 

[1] ‘The Current Landscape Of The Fintech Industry – Fintech Crimes’ (Fintech Crimes, 2022) <https://fintechcrimes.com/the-landscape-of-fintech-in-year-2020/> accessed 9 February 2022.

[2] https://www.rbi.org.in/scripts/FS_Notification.aspx?Id=11243&fn=2&Mode=0

[3] https://rbi.org.in/Scripts/NotificationUser.aspx?Id=12103

[4] https://timesofindia.indiatimes.com/business/india-business/union-budget-2022-no-crypto-bill-listed-this-budget-session/articleshow/89265038.cms

[5] https://go.chainalysis.com/rs/503-FAP-074/images/Crypto-Crime-Report-2022.pdf

[6] ‘Global Financial Stability Report’ (2021) <https://www.imf.org/en/Publications/GFSR/Issues/2021/10/12/global-financial-stability-report-october-2021> accessed 11 February 2022.

[7] ‘VIRTUAL ASSETS AND VIRTUAL ASSET SERVICE PROVIDERS’ (2021) <https://www.fatf-gafi.org/media/fatf/documents/recommendations/Updated-Guidance-VA-VASP.pdf> accessed 11 February 2022.

[8] https://economictimes.indiatimes.com/news/india/ed-investigating-7-cases-of-cryptocurrency-usage-in-money-laundering-attaches-rs-135-crore/articleshow/90200012.cms

 

Image Credits: Photo by Bermix Studio on Unsplash

At present, key industry regulators and stakeholders should collaborate to understand the novelty, process and extent of the present disruptive fintech trends. Further, initiatives should be undertaken to ensure transparency of such transactions, establish secure authentication transactions of the exchanges and tighten the legislative noose on cyber security systems in the country.

POST A COMMENT

Share on facebook
Share on twitter
Share on linkedin

Privacy Shield 2.0: Cue for EU-India Data Transfer Mechanism?

Since the implementation of GDPR standards across the EU, data transfer between other countries and the EU has become a widely debated complex issue across the world. Article 44 of GDPR permits the transfer of personal data outside the EU, only when the recipient country has an equivalent level of security to protect the personal data of EU citizens, as guaranteed by the General Data Protection Regulation (GDPR). The biggest dilemma that many countries across the globe face is that they either lack a national legislation on data privacy or if they do have one in place, it may not be considered at par with the standards set by GDPR. Such a situation creates a genuine legal obstacle to the transfer of personal data between the EU and those countries.

Conceptualization of the Privacy Shield

 

Over the years EU and various other countries have developed certain mechanisms to tackle these obstacles created by requirements mentioned under Article 44. Standard contractual clauses (SCC), binding corporate rules (BCR) are such instruments that the countries and corporates have adopted for the transfer of personal data.

The United States of America lacks a comprehensively dedicated legislation for data privacy.  However, the country has many sectorial legislation and regulations ensuring the privacy protection of individuals, yet, the EU has consistently ruled that the USA does not guarantee an equivalent level of protection.  Safe Harbour Framework, one such additional mechanism agreed upon between the Governments of the EU and USA defines a series of principles to be followed and adopted by companies for the transfer of personal data.

US companies were required to self-certify these principles mentioned under the safe harbour framework and the US regulators would in turn enforce such framework within their limits and jurisdictions.  In 2013, Edward Snowden rocked the world with some lethal revelations about various global surveillance programs run by the NSA. In light of such a disclosure, an Austrian citizen named Max Schrems filed a complaint stating that the US does not provide adequate protection of personal data against such mass surveillance undertaken by authorities. The European Court of Justice (“ECJ/ Court”), noted that the US could allow any national security, public interest argument and law enforcement requirement to prevail over the Safe Harbour framework. Hence, the ECJ concluded that the safe harbour decision was invalid, as it interfered with the fundamental rights of an EU citizen. This decision is widely known as Schrems I.

After courts invalidated the safe harbour decision, the European Commission and the US Department of Commerce came up with the Privacy Shield framework for the continued transfer of data from the EU to the US.  US Corporations who intend to receive personal data from the EU self-certify before the Department of Commerce that they will adhere to certain principles recognised in the Privacy Shield. These principles were developed by the US Department of Commerce in consultation with the European Commission.

This led Max Schrems to again file a complaint challenging the validity of the privacy shield and the use of SCCs by companies to bypass the requirements of adequate protection stipulated by Article 44 of the GDPR on the ground that US investigation agencies have unlimited access rights of personal data retained with USA corporations neither Privacy Shield nor SCCs prevents those rights. Accordingly, it was argued that Privacy Shield or SCCs does not ensure the privacy rights of EU citizens. This case soon came to be known as Schrems II. The Court of Justice of the European Union (CJEU) examined the US’s Foreign Intelligence Surveillance Act and the surveillance programmes that such provisions allow and found that US agencies have wider access rights on every data retained with USA corporations and Privacy Shield in any manner takes away these rights of USA investigative agencies.   CJEU accordingly invalidated the EU-US privacy shield mechanism. 

The judgment in Schrems II had led to a major deadlock between US-EU economic relations, particularly concerning the transfer of data. With no approved mechanism in sight, companies found it difficult to transfer data for achieving their business obligations. On 25th March 2022, the EU commission and US government announced that they had agreed in principle on a new framework for the purpose of cross border transfer of data, known as Privacy shield 2.0. The new framework promises to provide benefits to both sides of the Atlantic and ensure that a balance is created between the new safeguards and the national security objectives of the US, which will ensure the privacy of EU personal data.

The text of this new framework has not been released.  The press note released by the White House contains a few details that the framework might incorporate. It states that intelligence collection might be undertaken only where it is necessary to advance legitimate national security objectives and in no way should impact the protection of privacy and civil liberties[1]. In addition, the US intelligence agencies will adapt procedures to ensure effective oversight of new privacy and civil liberties standards[2]. Moreover, a proposal to set up an independent Data Protection Review Court has been mooted for EU individuals seeking claims and damages for breach of their personal data by the US Government. The proposal also details that the adjudicating members or individuals shall be chosen from outside the US Government.

If Privacy shield 2.0 does pass the test laid down by the European courts, experts believe that this could trigger an estimated $7.1 trillion economic relationship between the US and the EU. Hopefully, Privacy shield 2.0 will be able to provide a predictable, effective and lasting remedy for transferring personal data from the EU to the USA.

 

 

Data Transfer between EU and India

 

The above discussions and mechanisms have a significant relevance in relation to data transfer between the EU and India. The Indian investigation and intelligence agencies have similar powers to their US counterparts in terms of their right to access or demand or conduct searches in any Indian enterprises and collect all relevant data required.  The fundamental right to privacy recognised in the Puttuswamy case is not absolute. Further, as per Article 19(2) of the constitution, the state can impose reasonable restrictions on the exercise of fundamental rights in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality or in relation to contempt of court, defamation or incitement to an offence.

Moreover, Section 69, of the IT Act, 2000 provides the Central and State government with the power to intercept or monitor any information stored in a computer resource provided such information is required for:

  • In the interests of India’s sovereignty and integrity.
  • Defence of India,
  • State’s security,
  • To maintain friendly relations with other nations, or
  • To maintain public order, or
  • For preventing incitement to the commission of any cognizable offence relating to the above, or
  • For investigation purposes

The above provisions are similar to the rights available to US investigative agencies. For the same reasons, the Schrems II judgment and Privacy Shield mechanisms are relevant while considering EU-India data transfer.

Currently, there are no approved mechanisms for data transfer between the EU and India like the Privacy Shield framework. Hence, the European companies are justifiably reluctant to establish business relations with our country. Since India is a hub of IT-enabled services like BPOs and KPOs, it is desirable to have an efficient and clear legal regime for data transfer to foster a symbiotically advantageous economic relationship between the two sovereigns. Unfortunately, neither of the Governments has taken any urgency to initiate the formulation of rules similar to the Privacy Shield. It is worthwhile to consider whether the new Privacy Shield 2.0 could be considered and replicated in India.  If both the governments can demonstrate their intent, the groundwork for a contusive business environment for data transfer between the two sovereigns can be initiated. 

Currently, there are no approved mechanisms for data transfer between the EU and India like the Privacy Shield framework. Hence, the European companies are justifiably reluctant to establish business relations with our country. Since India is a hub of IT-enabled services like BPOs and KPOs, it is desirable to have an efficient and clear legal regime for data transfer to foster a symbiotically advantageous economic relationship between the two sovereigns. 

POST A COMMENT

Share on facebook
Share on twitter
Share on linkedin

India's Own Crypto Asset Regulations Soon: Plugging an Important Gap

Till last year, most people (at least in India) had probably only heard of cryptocurrencies such as Bitcoin and Ethereum; now, many other names such as Dogecoin, Solana, Polkadot, XRP, Tether, Binance etc. are being spoken of commonly in media. The global cryptocurrency market cap is estimated at over US$2.5 Trillion.

India too is witnessing a surge in investment in cryptotokens – especially by millennials. There is a correspondingly increase in the number of advertisements for cryptocurrencies on national television as well as on various web sites; mainstream media reports extensively on the daily price movement of cryptocurrencies. One estimate puts the number of crypto investors in India at between 15-20 million, and the total holdings to be in excess of US$5.3Billion. 

This surge in unregulated cryptoassets is a matter of rising concern globally. Recently, PM Modi urged democracies around the world to work together to ensure that cryptocurrencies do not “end up in the wrong hands, as this can “spoil our youth”. His exhortation came just days after RBI Governor Shaktikanta Das spoke of “serious concerns” around cryptocurrencies.

The RBI’s 2018 blanket ban on cryptocurrencies was lifted by the Supreme Court in 2020. However, the time has now come for the government and regulators to act quickly, and there are indications that regulations are just around the corner. At the time of writing, the government has already announced its intention to table The Cryptocurrency and Regulation of Official Digital Currency Bill, 2021 in parliament in the winter session.

It is expected that through this legislation, the Indian government will seek to ban private cryptoassets. This means that those trade in such cryptoassets may be liable for penalties and/or other punishment. It is also expected that there will be tighter regulations around advertising such products and platforms where cryptoassets can be bought and sold. Another regulatory salvo could be around taxing cryptogains at a higher rate (although such notifications may have to wait for the next budget due to be announced in another three months). The bill is also expected to deny the status of “currency” to cryptoassets because the prevailing ones are issued by private enterprises, and not backed by any sovereign.

The government has also acknowledged the potential of sovereign digital currencies (or CBDC- Central Bank Digital Currency, as they are officially called) in the days ahead. Countries such as China and the USA, are at various stages of launching their own digital currencies, and experts predict that such CBDC will be the “future of money”. In this context, the proposed bill is expected to create a “facilitative framework” to pave the way for the RBI to launch India’s sovereign digital currency in the days ahead by. In fact, the RBI is already working on India’s CBDC, and some media reports suggest that such a launch may happen in the next couple of months (which may also explain the timing of tabling the The Cryptocurrency and Regulation of Official Digital Currency Bill, 2021, at this time). CBDCs too require crypto and blockchain technologies that are similar to those that underpin cryptoassets, so the bill is also expected to promote these technologies for specific purposes. Indeed, not doing so would be akin to throwing out the baby with the bathwater.

Given their wide global reach, cryptoassets arguably will have a role to play in the world’s financial system. However, countries such as India must ensure proper regulation because by their very nature, cryptoassets can easily be misused for various activities that can destabilize the nation. They will allow for free inward/outward remittances that will make it harder to trace; being encrypted, the origins of such wealth too will become easier to hide. All this will make cryptoassets even more convenient ideal for nefarious activities such as money laundering, terror-funding, drugs-financing etc. In the absence of appropriate regulations, the rising supply of cryptocurrencies can hobble the RBI’s ability to perform its basic role. Its ability to manage the Rupee’s value against global currencies too will weaken, as will its ability to use domestic interest rates as a means to balance the economy’s twin needs of inflation management and providing growth impetus. This is a scary scenario, but not one that could unfold in the short-term. Even so, India needs to be prepared.

PS: The Indian government’s announcement to regulate cryptoassets has already triggered a significant (8-10%) correction in the prices of various cryptoassets. It’s therefore a good idea for resident Indians holding cryptoassets to sell them. They can decide on their future course of action once there is clarity on the specific regulatory impact of the proposed bill.

 

Image Credits: 

Photo by Worldspectrum from Pexels

Given their wide global reach, cryptoassets arguably will have a role to play in the world’s financial system. However, countries such as India must ensure proper regulation because by their very nature, cryptoassets can easily be misused for various activities that can destabilize the nation.

POST A COMMENT

Share on facebook
Share on twitter
Share on linkedin

Intermediary Guidelines and Digital Media Ethics Code: Shifting Paradigm of Social & Digital Media Platforms

It has been just over six months since the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (the “Rules“) have been notified. However, these six months have been nothing short of a roller coaster ride for the (Internet) Intermediaries and Digital Media platforms, especially Social Media platforms who have tried to muddle through the slew of compliance obligations now imposed through these eccentric Rules. Notwithstanding, some of them had to face the wrath of the Government and even Courts for the delay in adherence.

On this topic, we are trying to stitch together a series of articles covering the entire gamut of the Rules, including their objective, applicability, impact, and the key issues around some of the rules being declared unconstitutional, etc.

In our first article, we analyse the timeline, objectives, and applicability of these Rules through some of the definitions provided under the Rules and the IT Act.

Tracing the Roots of the Digital Media Ethics Code 

The initiation of this endeavour can be tracked down to July 26, 2018, when a Calling Attention Motion was introduced in the Rajya Sabha on the misuse of social media and spread of fake news, whereby the Minister of Electronics and Information Technology conveyed the Government’s intent to strengthen the existing legal framework and make social media platforms accountable under the law. Thereafter, the first draft of the proposed amendments to the Intermediary Guidelines, The Information Technology (Intermediary Guidelines (Amendment) Rules) 2018, was published for public comments on December 24, 2018.

In the same year, the Supreme Court in Prajwala v. Union of India[1] directed the Union Government to form necessary guidelines or Statement of Procedures (SOPs) to curb child pornography online. An ad-hoc committee of the Rajya Sabha studied the issue of pornography on social media and its effects on children and the society and laid its report recommending the facilitation of identification of the first originator of such contents in February 2020.

In another matter, the Supreme Court of India on October 15 2020, issued a notice to the Union Government seeking its response on a PIL to regulate OTT Platforms. The Union Government subsequently on November 9 2020, made a notification bringing digital and online media under the ambit of the Ministry of Information and Broadcasting, thereby giving the Ministry the power to regulate OTT Platforms.

On February 25, 2021, the Union Government notified the much-anticipated Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, bringing various digital entities under its purview and imposing new compliances to regulate them.

 

Objectives of the Digital Media Ethics Code

The rising internet and social media penetration in India raises concerns of transparency, disinformation and misuse of such technologies. The Rules address these concerns and bring accountability to social and digital media platforms by mandating the setting up of a grievance redressal mechanism that adheres to statutory timeframes. The Rules also address the legal lacuna surrounding the regulation of OTT platforms and the content available on them and introduces a three-tier content regulation mechanism.

Key definitions and the applicability of the Digital Media Ethics Code

The Rules add on extensively to the 2011 Intermediary Guidelines and also introduce new terms and definitions. To understand the Rules and the compliances thereunder in a holistic manner, it becomes imperative to learn the key terms and definitions. This also addresses concerns of applicability of the Rules to different entities, as they prescribe different sets of compliances to different categories of entities.

Key definitions:

Digital Media as per Rule 2(1)(i) are digitised content that can be transmitted over the internet or computer networks, including content received, stored, transmitted, edited or processed by

  • an intermediary; or
  • a publisher of news and current affairs content or a publisher of online curated content.

This broadly includes every content available online and every content that can be transmitted over the internet.

Grievance as per Rule 2(1)(j) includes any complaint, whether regarding any content, any duties of an intermediary or publisher under the Act, or other matters pertaining to the computer resource of an intermediary or publisher as the case may be.

Intermediary has not been defined in the Rules, but as per S. 2(1)(w) of the IT Act, intermediary, with respect to any particular electronic record, is any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes.

The first part of the definition lays down that an Intermediary with respect to an electronic record, is any person that receives, stores or transmits that electronic record on behalf of another person.

An entity becomes an intermediary for a particular electronic record if that record is received by, stored in or transmitted through the entity on behalf of a third party. However, as the clause does not use the term “collect” with respect to an electronic record, any data that entities may collect, including IP Addresses, device information, etc., do not fall within the definition’s purview. Hence the entities would not be considered as intermediaries for such data.

Moreover, the second part of the definition lays down that those entities that provide any service with respect to an electronic record would be intermediaries. However, what constitutes “service” has been a key point of discussion in prior cases. In Christian Louboutin Sas v. Nakul Bajaj[2], the Court not only held that the nature of the service offered by an entity would determine whether it falls under the ambit of the definition, but also went on to hold that when the involvement of an entity is more than that of merely an intermediary, i.e., it actively takes part in the use of such record, it might lose safe harbour protection under S. 79 of the Act.

The definition also includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places, and cyber cafes as intermediaries. In Satish N v. State of Karnataka[3], it was held that taxi aggregators like Uber are also intermediaries with respect to the data they store. Therefore, Telecom Service Providers like Airtel, Vi, Jio, etc., Network Service Providers like Reliance Jio, BSNL, MTNL, etc., Internet Service Providers like ACT Fibernet, Hathaway, etc., Search Engines like Google, Bing, etc., Online Payment gateways like Razorpay, Billdesk etc., Online Auction Sites like eBay, eAuction India, etc., Online Market Places like Flipkart, Amazon etc. are all considered intermediaries.

Social Media Intermediaries as per Rule 2(1)(w) is an intermediary which primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services. This includes platforms like Tumblr, Flickr, Diaspora, Ello, etc.

Significant Social Media Intermediaries as per Rule 2(1)(v) is a social media intermediary having number of registered users in India above such threshold as notified by the Central Government. Currently, the threshold is 5 million users. Platforms that fall under this category would be Facebook, Twitter, Instagram, YouTube, Snapchat, LinkedIn, WhatsApp, Telegram etc.

News & current affairs content as per Rule 2(1)(m) includes newly received or noteworthy content, including analysis, especially about recent events primarily of socio-political, economic or cultural nature, made available over the internet or computer networks, and any digital media shall be news and current affairs content where the context, substance, purpose, import and meaning of such information is in the nature of news and current affairs content. Therefore, news pieces reported by newspapers or news agencies, shared online, on social media, or on digital media platforms are news & current affairs content. This includes contents of such nature created by any person and shared through social media platforms like WhatsApp, Facebook, Twitter etc. Digital content discussing news and the latest happenings will also come under the purview of this definition.

Newspaper as per Rule 2(1)(n) as a periodical of loosely folded sheets usually printed on newsprint and brought out daily or at least once in a week, containing information on current events, public news or comments on public news. Newspapers like The Hindu, Times of India etc. will fall under this category.

News aggregator as per Rule 2(1)(o) is an entity performing a significant role in determining the news and current affairs content being made available, makes available to users a computer resource that enable such users to access such news and current affairs content which is aggregated, curated and presented by such entity. This includes platforms like Inshorts, Dailyhunt etc.

Online curated content as per Rule 2(1)(1) is any curated catalogue of audio-visual content, other than news and current affairs content, which is owned by, licensed to or contracted to be transmitted by a publisher of online curated content, and made available on demand, including but not limited through subscription, over the internet or computer networks, and includes films, audio visual programmes, documentaries, television programmes, serials, podcasts and other such content. This includes movies and shows available on OTT platforms like Netflix, Prime Video, Disney+Hotstar etc.

Publisher of News and Current Affairs Content as per Rule 2(1)(t) includes online paper, news portal, news aggregator, news agency and such other entities, which publishes news and current affairs. This would include websites/apps such as The Wire, The News Minute, Scroll.in, Dkoding.in, The Print, The Citizen, LiveLaw, Inshorts etc.

While the Rules do not include the regular newspapers or replica e-papers of these newspapers, as they come under the Press Council Act, news websites such as Hindustantimes.com, IndianExpress.com, thehindu.com are covered under the Rules, and the Union Government clarified the same on June 10, 2021. The clarification stated that websites of organisations having traditional newspapers and digital news portals/websites of traditional TV Organisations come under the ambit of the Rules.

This does not include news and current affairs reported or posted by laymen or ordinary citizens online, as the scope is limited only to news publishing agencies.

Publisher of Online Curated Content as per Rule 2(1)(u) is a publisher who performs a significant role in determining the online curated content being made available and enables users’ access to such content via internet or computer networks. Such transmission of online currented content shall be in the course of systematic business or commercial activity. This includes all OTT platforms, including Netflix, Prime Video, Voot, Lionsgate, Disney+Hotstar, etc.

The Digital Media Ethics Code Challenged in Court

Part III of the IT Rules has been challenged by many persons in various High Courts. News platforms including The Wire, The Quint, and AltNews moved to the Delhi High Court, alleging that online news platforms do not fall under the purview of Section 87 of the IT Act, under which these Rules are made as the section is only applicable to intermediaries. Section 69A is also limited to intermediaries and government agencies. It is alleged that since such publishers are not intermediaries, they do not fall under the purview of the IT Rules.

A similar petition was moved by LiveLaw, a legal news reporting website before the Kerala High Court, alleging that the Rules violated Articles 13, 14, 19(1)(a), 19(1)(g), and 21 of the Constitution and the IT Act.[4] The petitioners contended that the Rules had brought Digital News Media under the purview of the Press Council of India Act and the Cable Television Networks (Regulation) Act, 1995, without amending either of the two legislations. They also alleged that the rules were undoing the procedural safeguards formed by the Supreme Court in the Shreya Singhal[5] case. In this regard, the Kerala High Court has ordered that no coercive action is to be taken against the petitioner as interim relief.

Recently, the Bombay High Court in Agij Promotion of Nineteenonea v. Union of India[6] delivered an interim order staying Rules 9(1) and 9(3), which provides for publishers’ compliance with the Code of Ethics, and the three tier self-regulation system respectively. The Court found Rule 9(1) prima facie an intrusion of Art. 19(1)(a).

Legality & Enforceability of the Digital Media Ethics Code

Even though six months have passed since the Rules came into force, the legality and enforceability of the Rules are still in question. While most intermediaries, including social media and significant social media intermediaries, have at least partly complied with the Rules, the same cannot be said for publishers of news and current affairs content and online curated content. This will have to wait until the challenges to its legality and constitutionality are settled by Courts.

References:

[1] 2018 SCC OnLine SC 3419.

[2] 2018 (76) PTC 508 (Del).

[3] ILR 2017 KARNATAKA 735.

[4] https://www.livelaw.in/top-stories/kerala-high-court-new-it-rules-orders-no-coercive-action-issues-notice-on-livelaws-plea-170983

[5] (2013) 12 SCC 73.

[6] Agij Promotion of Nineteenonea v. Union of India, WRIT PETITION (L.) NO.14172 of 2021.

Image Credits: 

Photo by Jeremy Bezanger on Unsplash

 

Even though six months have passed since the Rules came into force, the legality and enforceability of the Rules are still in question. While most intermediaries, including social media and significant social media intermediaries, have at least partly complied with the Rules, the same cannot be said for publishers of news and current affairs content and online curated content. This will have to wait until the challenges to its legality and constitutionality are settled by Courts.

POST A COMMENT

Share on facebook
Share on twitter
Share on linkedin

Income Tax Returns for AY 2020-21: Ready Referencer

With the extended time limit for filing of Income Tax Return (for AY 2020-21), u/s. 139(1), without late fees, for Non-Audit cases and for Non-Corporate assessees of 31st December 2020 fast approaching, given below is a quick guide for ready reference of some key changes that have been made in the respective Income tax return forms for this year.

Further, the conditions and features for eligibility of forms that are applicable for filing the correct income tax returns are also specified as follows:

Key Procedural Changes:

  • ITR 1 to ITR 4 can be filed using PAN or Aadhar by Individuals.
  • The submitted ITR forms display the ITR-V with a watermark ‘Not Verified’ until the same is verified either electronically by EVC or by sending the same via post after manual signing.
  • The unverified form ITR-V will not contain any income, deduction and tax details. The unverified form will only contain basic information, E-filing Acknowledgement Number and Verification part.
  • The unverified acknowledgement is titled as ‘INDIAN INCOME TAX RETURN VERIFICATION FORM’ & final ITR-V is titled as ‘INDIAN INCOME TAX RETURN ACKNOWLEDGEMENT’.
  • Return filed in response to notice u/s. 139(9), 142(1), 148, 153A, and 153C must have DIN.
  • There is a separate disclosure for Bank accounts in case of Non-Residents who are claiming income tax refund and not having a bank account in India.

COVID related Changes:

  • The Government had extended the time limit for claiming tax deduction u/CH VIA to 31st July 2020, and the details of the same need to be reported in Schedule DI (details of Investment).
  • The time limit for investing the proceeds or capital gains in other eligible assets, so as to claim exemptions u/s 54/ 54B/ 54F/ 54EC, had been extended to 30th September 2020.
  • Penal interest u/s. 234A @ 1% p.m., where the payments were due between 20-03-20 to 29-06-20 and such amounts were paid on or before 30-06-20, had been reduced to 75%, vide ordinance dated 31-03-20.
  • Period of forceful stay in India, beginning from quarantine date or 22-03-20 in any other case up to 31-03-20, is to be excluded, for the purpose of determining residential status in India.[1]

Consequences of Late filing of Return of Income:

  • Late Fees u/s. 234F of INR. 5,000 up to 31.12.20 and INR. 10,000 up to 31.03.21. In case of total income up to 5 Lacs, the penalty is INR. 1,000.
  • Penal Interest u/s. 234A @ 1% per month
  • Reduced to 75%. vide Ordinance dated 31.03.20, where the payments were due between 20.03.20 to 29.06.20, and such amounts were paid on or before 30.06.20.
  • Vide CBDT Notification dt 24.06.2020, no interest u/s 234A if Self-Assessment tax liability is less than 1 Lac and the same has been paid before the original due date.
  • In case of a belated return, loss under any head of Income (except unabsorbed depreciation) cannot be carried forwarded.
  • Deduction claims u/s. 10A, 10B, 80-IA, 80-IB, etc would not be allowed.

Consequences of Late filing of Return of Income:

  • Late Fees u/s. 234F of INR. 5,000 up to 31.12.20 and INR. 10,000 up to 31.03.21. In case of total income up to 5 Lacs, the penalty is INR. 1,000.
  • Penal Interest u/s. 234A @ 1% per month
  • Reduced to 75%. vide Ordinance dated 31.03.20, where the payments were due between 20.03.20 to 29.06.20, and such amounts were paid on or before 30.06.20.
  • Vide CBDT Notification dt 24.06.2020, no interest u/s 234A if Self-Assessment tax liability is less than 1 Lac and the same has been paid before the original due date.
  • In case of a belated return, loss under any head of Income (except unabsorbed depreciation) cannot be carried forwarded.
  • Deduction claims u/s. 10A, 10B, 80-IA, 80-IB, etc would not be allowed.

Vide CBDT Notification dt 24.06.2020, no interest u/s 234A if Self-Assessment tax liability is less than 1 Lac and the same has been paid before the original due date.

  1. Section 5A: Apportionment of income between spouses governed by the Portuguese Civil Code.
  2.  115BBDA: Tax on dividend from companies exceeding Rs. 10 Lakhs; 115BBE: Tax on unexplained credits, investment, money, etc. u/s. 68 or 69 or 69A or 69B or 69C or 69D.
  3. Inserted in sec 139(1) by Act No. 23 of 2019, w.e.f. 1-4-2020:

Provided also that a person referred to in clause (b), who is not required to furnish a return under this sub-section, and who during the previous year:

  • has deposited an amount or aggregate of the amounts exceeding one crore rupees in one or more current accounts maintained with a banking company or a co-operative bank; or
  • has incurred expenditure of an amount or aggregate of the amounts exceeding two lakh rupees for himself or any other person for travel to a foreign country; or
  • has incurred expenditure of an amount or aggregate of the amounts exceeding one lakh rupees towards consumption of electricity; or
  • fulfils such other conditions as may be prescribed,

Shall furnish a return of his income on or before the due date in such form and verified in such manner and setting forth such other particulars, as may be prescribed.

4. Section 57: Deduction against income chargeable under the head “Income from other sources”.

5. Schedule DI: Investment eligible for deduction against income (Ch VIA deductions) to be bifurcated between paid in F.Y.19-20 and during the period 01-04-20 to 31-07-20.

6.High-value Transaction: Annual Cash deposit exceeding Rs. 1 crore or Foreign travel expenditure exceeding Rs. 2 Lakhs, Annual electricity expenditure exceeding Rs. 1 Lakh.
7.Schedule 112A: From the sale of equity share in a company or unit of equity- oriented fund or unit of a business trust on which STT is paid under Section 112A.

8. 115AD(1)(iii) proviso: for Non-Residents – from the sale of equity share in a company or unit of equity-oriented fund or unit of a business trust on which STT is paid under Section 112A.
9. Section 40(ba): any payment of interest, salary, bonus, commission or remuneration paid to a member in case of Association of Person (AOP) or Body of Individual (BOI).

10. Section 90 & 90A: Foreign tax credit in cases where there is a bilateral agreement; Section 91: Foreign tax credit in cases of no agreement between the countries.

[1] Circular No 11 of 2020 dated 08th May 2020.

References

Image Credits: Photo by Markus Winkler from Pexels

POST A COMMENT

Share on facebook
Share on twitter
Share on linkedin

The Admissibility of Electronic Evidence

With constant technological innovation and dynamic transformation of related laws happening worldwide, the jurisprudence regarding reliance on evidence in electronic form is also evolving. Judges these days have demonstrated considerable perceptiveness towards the intrinsic ‘electronic’ nature of evidence, which includes insight regarding the admissibility of such evidence, and the interpretation of the law in relation to the manner in which electronic evidence can be brought and filed before the court.

The term   record has been defined under Section 2(t) of the Information Technology (IT) Act as under:

data, record or data generated, image or sound stored, received or sent in an electronic form or micro-film or computer-generated micro fiche”

Further, Electronic records have also been given an overarching legal recognition through Section 4 of the IT Act which provides that:

“Any law provides that information or any other matter shall be in writing or in the typewritten or printed form, then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied if such information or matter is– (a) rendered or made available in an electronic form; and (b) accessible so as to be usable for a subsequent reference.”

Moreover, Section 79A while authorizing the Central Government to notify the Examiner of Electronic Evidence also explains what would be called “electronic form evidence” as under:

“Electronic form evidence means any information of probative value that is either stored or transmitted in electronic form and includes computer evidence, digital audio, digital video, cell phones, digital fax machines.”

In addition, Section 3 of the Indian Evidence Act, 1872 was also amended to include electronic records as documentary evidence and now it reads as follows:

“all document including electronic records produced for the inspection of the Court, such statements are called documentary evidence”

In the case of State (NCT of Delhi) vs. Navjot Sandhu[1], the Supreme Court had held that courts could admit electronic records such as printouts and compact discs as prima facie evidence without notification.

However, oral admission as to the contents of electronic records is not relevant unless the genuineness of the record produced is in question.[2]

In cases of cybercrime, a suggestive list has been provided by the National Cyber Crime Reporting Portal on the type of information that would be considered as evidence while filing any complaint related to cybercrime:

  • Credit card receipt
  • Bank statement
  • Envelope (if received a letter or item through mail or courier)
  • Brochure/Pamphlet
  • Online money transfer receipt
  • Copy of email
  • URL of webpage
  • Chat transcripts
  • Suspect mobile number screenshot
  • Videos
  • Images
  • Any other kind of document

Admissibility of “Electronic Evidence”

Sections 65A and 65B of the Evidence Act particularly deal with the information contained in electronic records. The marginal note to Section 65A indicates that “special provisions” as to evidence relating to electronic records are laid down in this provision. The marginal note to Section 65B then refers to “admissibility of electronic records”.

Section 65B (1)[3] states that if any information contained in an electronic record produced from a computer has been copied onto an optical or magnetic media, then such electronic record that has been copied ‘shall be deemed to be also a document’ subject to conditions set out in Section 65B (2)[4] being satisfied.

Section 65B (2) provides some conditions which are to be satisfied in order to accept electronic records as evidence, which are briefly provided below –

  • the computer was used by a person to store or process information for carrying on any activity regularly over a period of time and has lawful control over the use of such computer,
  • such information must have been regularly fed into the computer in the ordinary course of the said activities. Throughout the material part of the said period, the computer was operating properly, and even if not operating properly, it does not affect the electronic record or accuracy of its contents and
  • information in the electronic record reproduced / derived from information fed into the computer in the ordinary course of the said activities.

In Anvar P.V. vs. P.K. Basheer and ors[5] , the Court has interpreted sections 22A, 45A, 59, 65A & 65B of the Indian Evidence Act and held that secondary data contained in a CD, DVD or a Pen Drive are not admissible without a certificate under section 65 B(4) of the said Act. In the case, it was said that electronic evidence without a certificate under section 65B cannot be proved by oral evidence and also the opinion of the expert under section 45A of the said Act cannot be resorted to make such electronic evidence admissible. After this case, it was clarified that the only way to prove an electronic record/evidence is by producing the original media as primary evidence and the copy of the same as secondary evidence under section 65B of the Indian Evidence Act, 1872.

Thereafter, the Supreme Court in Shafhi Mohammad[6] case, held that the requirement of producing a certificate under Section 65B(4) is procedural and not always mandatory. A party who is not in possession of the device from which the document is produced cannot be required to produce a certificate under Section 65B (4). The Court was of the view that the procedural requirement under Section 65B(4) is to be applied only when electronic evidence is produced by a person who is in control of the said device, and therefore in a position to produce such a certificate. However, if the person is not in possession of the device, Sections 63 and 65 cannot be excluded.

Recently, the Supreme Court in the decision of Arjun Panditrao Khotkar vs. Kailash Kushanrao Gorantyal and Ors.[7]has settled the controversies created by previous judgments as to whether certificate under Section 65B of the Indian Evidence Act is a condition precedent for admissibility of any Secondary electronic record, and at what stage the same may be produced. This judgment arose from a reference by a Division Bench of the Supreme Court, which found that the Division Bench judgment in Shafhi Mohammad v. State of Himachal Pradesh (supra)  required reconsideration in view of the three-judge bench judgment in Anvar P.V. v. P.K. Basheer(supra).Some of the key takeaways from the decision are as follows –

  1. Section 65B differentiates between the original information contained in the “computer” itself and copies made therefrom – the former being primary evidence, and the latter being secondary evidence. Required certificate under Section 65B(4) is unnecessary if the original document itself is produced. This can be done by the owner of a laptop computer, computer tablet, or even a mobile phone, by stepping into the witness box and proving that the concerned device, on which the original information is first stored, is owned and/or operated by him. In cases where the “computer” happens to be a part of a “computer system” or “computer network” and it becomes impossible to physically bring such system or network to the Court, then the only means of providing the information contained in such electronic record can be in accordance with Section 65B(1), together with the requisite certificate Under Section 65B(4).
  2. If the certificate is not issued or refused, the Court may order production of the certificate by the concerned authority.
  3. Evidence aliunde given through a person who was in-charge of a computer device in the place of the requisite certificate is not allowed.
  4. The decision in Anvar P.V. cited above has been upheld and the judgment in Tomaso Bruno v. State of U.P.[8] has been overruled.

The person who gives this certificate can be anyone out of several persons who occupy a ‘responsible official position’ in relation to the operation of the relevant device, as also the person who may otherwise be in the ‘management of relevant activities’ spoken of in Sub-section (4) of Section 65B. Also, it is sufficient that such person gives the requisite certificate to the “best of his knowledge and belief.”

These directions issued by the Supreme Court are welcome as they will improve the efficacy of criminal and investigative proceedings.

When should the certificate be produced?

Although not expressly provided for under the Indian Evidence or the Information Technology Act, the Anvar P.V. case and the Arjun Panditrao case cited above have shed adequate light on the stage at which such certificate must be furnished to the court.

In terms of general procedure, the requisite certificate must accompany the electronic record pertaining to which a statement is sought to be given in evidence when the same is produced in evidence i.e. in a criminal trial, the prosecution is obligated to supply all documents upon which reliance may be placed to an accused before commencement of the trial. Therefore, the electronic evidence, i.e. the computer output, has to be furnished at the latest before the trial begins. The reason is not far to seek; this gives the Accused a fair chance to prepare and defend the charges levelled against him during the trial.

However, the Court may in appropriate cases allow the prosecution to produce such certificate at a later point in time. If it is the Accused who desires to produce the requisite certificate as part of his defense, this again will depend upon the justice of the case discretion to be exercised by the Court in accordance with the law.

Position across the globe

The Indian law relating to electronic evidence has adopted the language of Section 5 of the UK Civil Evidence Act, 1968 to a great extent, however this provision had already been repealed by the UK Civil Evidence Act, 1995 and even Section 69 of the Police and Criminal Evidence Act, 1984 which related to the admissibility of computer evidence in criminal cases was revamped to permit hearsay evidence. Therefore, in UK currently, no special provisions have been made in respect of the manner of proof of computerized records.

In USA, a person seeking to produce an electronic record has more than one option to do so under the Federal Rules of Evidence (FRE). A person can follow either the traditional route under Rule 901 or the route of self-authentication under Rule 902 whereunder a certificate of authenticity would elevate its status. This is a result of an amendment introduced in the year 2017, by which sub-rules (13) and (14) were incorporated in Rule 902.

In Canada, the position is similar to India although the Canadian law takes care of a contingency where the electronic document was recorded or stored by a party who is adverse in interest to the party seeking to produce it. Section 31 of the Canada Evidence Act, 1985 deals with electronic evidence and the application of the ‘best evidence rule’.

The future holds definite challenges as far as electronic evidence is concerned and constant legal overhaul and vigilance of judiciary are anticipated but the legislature also needs to take a proactive step in making laws consistent with the changing technology environment.

References

[1] State (NCT of Delhi) vs. Navjot Sandhu (2005) 11 SCC 600.

[2]Section 22A of Indian Evidence Act

[3] Indian Evidence Act, 1872.

[4] Ibid

[5] Anvar P.V. vs. P.K. Basheer and ors  AIR 2015 SC 180, [MANU/SC/0834/2014]

[6] (2018) 2 SCC 801

[7] 2020 SCC OnLine SC 571

[8] [(2015) 7 SCC 178]

 

Image Credits:  Photo by Maxim Ilyahov on Unsplash

Though the Amended Act endeavours to address issues related to the land acquisition process being faced by industrialists for causing industrial development in Karnataka, ambiguity remains as to what extent the Amended Act shall be able to achieve ease of land acquisition process for tangible industrial development in the state.

POST A COMMENT

Share on facebook
Share on twitter
Share on linkedin

Telemedicine in India: Doctor’s Consultation is just a Phone call away!

India is making some major headway towards providing universal health coverage. However, a significant challenge is the limited number of qualified doctors and other healthcare professionals available in our country. Telemedicine is a solution to this limitation as it allows consultation, diagnosis, and treatment by healthcare professionals from remote locations with the help of technology

The requirement of telemedicine was starkly visible during the current COVID-19 pandemic and the resultant lockdown. It significantly helped in reducing hospital visits, waiting periods, and long travel to and from the hospital. Other benefits of telemedicine include timely and faster access to healthcare services, convenience, cost-saving, and adequate documentation of health records. Until recently, there was no legislation or guidelines on how telemedicine could be practiced in India. In view of the current pandemic, the Government of India has timely come up with the Telemedicine Practice Guidelines on 25th March 2020.  This guideline forms a part of the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002, and is numbered Appendix-5. With this, there is now some legitimacy attached to the service and the guidelines would pave the way for statutory legislation on the same lines in the future.

Evolution of Telemedicine in India

From the constitution of a Telemedicine Taskforce in the year 2005 by the Ministry of Health and Family Welfare, India has gradually progressed in telemedicine by budgeting for it, setting up various institutions, connecting Regional Cancer Centers with peripheral centers across India through the ONCO-NET India Project and networking of states and district headquarters and premier institutes as part of Integrated Disease Surveillance Project (IDSP).  The Government has further facilitated it through the establishment of the National Rural Telemedicine Network, mother, and child tracking system (MCTS), the establishment of National Telemedicine Network, National and Regional Resource Centers etc. Various indigenous software has also been developed to provide telemedicine solutions.

Scope of the Telemedicine Practice Guidelines, 2020

The Telemedicine Practice Guidelines introduced on 25th March 2020 provide norms and protocols pertaining to physician-patient relationship; issues of liability and negligence; evaluation, management, and treatment as well as informed consent. The provisions also deal with continuity of care; referrals for emergency services; medical records; privacy and security of the patient records and exchange of information; prescription; health education and counseling. These guidelines also provide information on technology platforms and telemedicine tools available to medical practitioners and how to integrate them into these technologies.

Guidelines for Registered Medical Practitioner

  • Information Exchange: A Registered Medical Practitioner (“Doctor”) is empowered by these guidelines to provide telemedicine consultation to patients from any part of India, and the same professional norms, ethics, and standards apply. All physical examinations cannot be done via video/audio/text messages. Therefore, it is left to the Doctor’s professional judgment as to whether he/she can provide a technology-based consultation or an in-patient consultation. In addition, doctors are restrained from providing telemedicine when the physical examination is critical for consultation. Doctors are also mandated to uphold the same standard of care as in-patient consultation. Both Doctors and patients are required to provide their identification to the other as may be deemed appropriate.   Since prescriptions are based on the age of the patient, a Doctor is required to explicitly ask for the age, and if necessary, seek proof thereof.  In the case of a minor, teleconsultation can only be done when the minor is accompanied by an adult whose identity is also required to be verified.
  • Informed Consent: Patient consent is mandatorily required for a telemedicine consultation. Consent is implied when telemedicine is initiated by the patients themselves. If it is initiated by a health worker, another Doctor, or caregiver, explicit consent of the patient must be procured and recorded.  Health education, counseling, and prescription of medicines can be done through telemedicine. If a caregiver is not present with the patient and does not have authorization, Doctors cannot provide telemedicine consultation. In the case of a health worker, he/she should have obtained informed consent from the patient to obtain consultation from Doctor.
  • Prescription of Drugs: The guidelines categorize drugs into four lists, List O (over the counter medications), List A (can be prescribed during the first consultation and has relatively low potential of abuse), List B (when an in-patient consultation is already done, and drugs have to be prescribed in follow up consultation), Prohibited Drugs (high potential for abuse). Doctors cannot prescribe prohibited drugs. Doctors can only prescribe List A drugs if the consultation is done through video as it involves the first consultation. If the gap between two successive consultations is more than 6 months or if the consultation is for a different health condition, it would be construed as a first consultation. Signed prescription or e-prescription can be sent to the patient digitally (or to the pharmacist after the explicit consent of the patient).
  • Confidentiality, Privacy and Data Protection: Doctors are required to abide by their professional conduct regulations, IT Act, Data protection and privacy laws in India, and other applicable rules. The guidelines specify a certain inclusive list of actions constituting misconduct by Doctors such as insisting on telemedicine when a patient is willing to travel, misusing patient data, prescription of medicine from the restricted list, and solicitation of telemedicine. Further, doctors will not be held responsible for breach of confidentiality if there is a piece of reasonable evidence to believe that patient’s privacy and confidentiality has been compromised by a technology breach or by a person other than the Doctor. However, doctors should ensure that a reasonable degree of care is undertaken during hiring such services. Penalties for violation would be as per the IMC Act, ethics, and other prevailing laws.
  • Documentation: Doctors are required to maintain digital trails and documentation of the telemedicine consultation such as logs of telemedicine interaction; patient records, reports, diagnostic data, etc., utilized during telemedicine consultation, and prescriptions for such period prescribed from time to time. Fees for telemedicine consultation should be treated in the same way as in-patient consultation, and a fee receipt should be provided to the patient.

 

Guidelines for Technology Platforms

It is the responsibility of technology platforms such as websites, mobile apps, etc., assisting in telemedicine services to:

  1. Ensure that the telecommunication is with a Doctor who is duly registered with the national or state medical councils.
  2. Conduct Due Diligence before listing Doctors in online portals. The technology platform should provide the name, qualification, registration number, and contact details of every Doctor.
  3. Report any non-compliance to the Board of Governors of MCI.
  4. Ensure that Artificial intelligence or machine learning is not utilized to counsel patients. However, such technologies can be used to assist Doctors in inpatient evaluation, diagnosis, management, and prescription.
  5. Ensure that the technology platform has a proper mechanism to address the queries and grievances of patients.

Any violation by the Technology Platform would lead to blacklisting of them by the Board of Governors or MCI, and thereafter, no Doctor shall use such a platform to provide telemedicine services.

Conclusion

In the wake of the coronavirus pandemic and the heavy toll it is taking on the healthcare sector across the world, the telemedicine guidelines had to be brought in to limit hospital visits and avoid the transmission of diseases significantly. The guidelines are designed to regulate unauthorized use and assist Registered Medical Practitioners to provide their services in an uninterrupted manner and to remote locations.  The provision for blacklisting technology platforms that do not abide by these guidelines is a welcome step to ensure due care from their end and was necessary to inculcate faith in these platforms. However, it is unjust on the part of the Government of India to only empower doctors who practice modern medicine to provide telemedicine services and not bring practitioners of Indian Medicine under its ambit.  As the definition of Registered Medical Practitioner in the guidelines state, it is only for doctors enrolled in the State Medical Register or Indian Medical Register as per the Indian Medical Council Act 1956.  Practitioners of Ashtang Ayurveda, homeopathy, Siddha, Unani, Tibb, or Sowa-Rigpa who are registered under other enactments have been overlooked.

That said, several initiatives by the Government of India on providing greater bandwidth connectivity, optical fiber connectivity, and National Knowledge Network connecting more than 800 institutions including medical institutions would encourage Telemedicine and Telehealth significantly. With people across the country in isolation and quarantine, Telemedicine is a viable alternative for patients to get immediate medical attention for minor health issues. With the assistance of technologies like fitness trackers, smartwatches, and plasters that are capable of monitoring heart rate, breathing rate, body temperatures, and generating ECG reports, it is time to harness Telemedicine for faster and timely access to healthcare services.

 

Image Credits: Photo by National Cancer Institute on Unsplash

In the wake of the coronavirus pandemic and the heavy toll it is taking on the healthcare sector across the world, the telemedicine guidelines had to be brought in to limit hospital visits and avoid the transmission of diseases significantly. The guidelines are designed to regulate unauthorized use and assist Registered Medical Practitioners to provide their services in an uninterrupted manner and to remote locations.  The provision for blacklisting technology platforms that do not abide by these guidelines is a welcome step to ensure due care from their end and was necessary to inculcate faith in these platforms.

POST A COMMENT

Share on facebook
Share on twitter
Share on linkedin

Bulk Data Sharing & Procedure Notification - A Data Breach?

In this digital era, data has become one of the most valuable assets to own. Elections have been won and international alliances have toppled because of support that could be garnered by utilizing data analytics. While heated debate surrounding data breaches by private entities baffles the world, at home, it is accused that the Indian Government has monetized from sale of personal data of Individuals, in the pretext of public purposes” under a notification released by the Ministry of Road Transport and Highways in March 2019 titled “Bulk Data Sharing & Procedure”.

In July 2019, a parliamentary debate pertaining to “sale of data” by the State was raised because the Government had provided access to databases containing driving license and vehicle registration details to private companies and Government entities and generated revenue out of them.  The two databases of Ministry of Road Transport and Highways named Vahan and Sarathi were under discussion.  These databases contained details such as vehicle owner’s names, registration details, chasis number, engine number, and driving license related particulars of individuals.  These details amount to personal information by which an individual could be identified (“Personal Data”).  

The sale of data was pursuant to a notification released by the Ministry of Road Transport and Highways in March 2019 titled Bulk Data Sharing & Procedure wherein a policy framework on sale of bulk data relating to driving license and vehicle registration was introduced.  Among other things, this writeup discusses whether such sale of Personal Data for revenue generation is acceptable in light of privacy as a fundamental right and the Data Protection Bill 2018? and whether such access constitutes data breach? 

 

Bulk Data Sharing & Procedure Notification 

The “Bulk Data Sharing & Procedure” notification by the Ministry of Road Transport and Highways states the purpose for which bulk data access would be  provided: 

it is recognized that sharing this data for other purposes, in a controlled manner, can support the transport and automobile industry.  The sharing of data will also help in service improvements and wider benefits to citizens & Government. In addition, it will also benefit the country’s economy”.  

As per the notification, only such entities that qualify the eligibility criteria would be provided access to bulk data.  The eligibility criteria are that an entity should be registered in India with at least 50% Indian ownership, such bulk data should be processed/stored in Servers/Data Centers in India, and the entity should have obtained security pre-audit report from CERT-In empanelled auditor.  The bulk data access would be provided for a price.  

Commercial organizations could have such data for an amount of INR 3 crores and educational institutions could have them for 5 lakhs.  As per the notification, the bulk data will be provided in encrypted form with restricted access.  Such entities would be restricted from any activity that would identify individuals using such data sets.  The entities would be required to follow certain protocols for data loss prevention, access controls, audit logs, security and vulnerability.  Violation of these protocols is punishable under the Information Technology Act, 2000. 

The Ministry of Road Transport and Highways has in accordance with this policy framework provided database access to 87 private companies and 32 government entities for a price of 65 crores resulting in Personal Data of all individuals being accessible to them.  The Data Principal (the individual whose information is in the database) has no knowledge or control over any use or misuse of his/her information.   

In any data protection framework worldwide, the Data Principal’s consent should be sought stating the purpose for which data ought to be used.  It is only pursuant to Data Principal’s consent that any information can be processed.  On the contrary, providing access to Personal Data to third party private companies without any consent of the Data Principal will keep them out of effective control.  This is against the basic principles of data protection. 

 

Proposed Legislation for Data Protection 

India is on the verge of a new Data Protection Act as the bill is being placed in the Parliament.  The Data Protection Bill, 2018 contains certain provisions to address the above-mentioned issues.  Section 5 of the Data Protection Bill states when personal data can be processed.  Personal Data shall be allowed only for such purposes that are  clear, specific, and lawful.  Section 5 is extracted below: 

  1. Purpose limitation— (1) Personal data shall be processed only for purposes that are clear, specific and lawful. (2) Personal data shall be processed only for purposes specified or for any other incidental purpose that the data principal would reasonably expect the personal data to be used for, having regard to the specified purposes, and the context and circumstances in which the personal data was collected.

Moreover, the relevant enactment regulating driving license and vehicle registration i.e. Motor Vehicle Act does not explicitly permit the State to sell or provide third parties access to Personal Data for generation of revenue.  Therefore, there is no clear, specific, or lawful indication of such access in the enactment.  The question arises whether access to bulk Personal Data can be interpreted as an “incidental purpose” that “data principal would reasonably expect”.  The data principal has provided this information only for the purpose of grant of motor vehicle license and vehicle registration.  The Data Principal ought not have expected his/her data to be sold by the Government. 

Section 13 of the Data Protection Bill is also of relevance here because it authorizes the State to process Personal Data for provision of services, benefit or issuance of certification, licenses or permits.  Section 13 is extracted below: 

Section 13 – Processing of personal data for functions of the State. — Personal data may be processed if such processing is necessary for excise of the functions of the State authorised by law for: (a) the provision of any service or benefit to the data principal from the State. (b) the issuance of any certification, license, or permit for any action or activity of the data principal of the State. 

 

By this section, the State is authorized to use Personal Data for grant of license or permits or to provide any benefit or service.  However, whether the State is authorized to give access to Personal Data to third party private companies is unclear. 

Section 17 of the Data Protection Bill tries to shed some light on this anomaly.  The section states that Personal Data may be processed for “reasonable purposes” after considering if there is any public interest involved in processing the same.  What constitutes reasonable purpose is yet to be specified by the Data Protection Authority to be constituted.  Section 17 is extracted hereunder: 

  1. Processing of data for reasonable purposes. — 

(1) In addition to the grounds for processing contained in section12 to section 16, personal data may be processed if such processing is necessary for such reasonable purposes as may be specified after taking into consideration— 

(a) the interest of the data fiduciary in processing for that purpose; 

(b) whether the data fiduciary can reasonably be expected to obtain the consent of the data principal; 

(c) any public interest in processing for that purpose; 

(d) the effect of the processing activity on the rights of the data principal; and 

(e) the reasonable expectations of the data principal having regard to the context of the processing. 

(2) For the purpose of sub-section (1), the Authority may specify reasonable purposes related to the following activities, including— 

(a) prevention and detection of any unlawful activity including fraud; 

(b) whistle blowing; 

(c) mergers and acquisitions; 

(d) network and information security; 

(e) credit scoring; 

(f) recovery of debt; 

(g) processing of publicly available personal data; 

(3) Where the Authority specifies a reasonable purpose under sub-section (1), it shall: (a) lay down such safeguards as may be appropriate to ensure the protection of the rights of data principals; and (b) determine where the provision of notice under section 8 would not apply having regard to whether such provision would substantially prejudice the relevant reasonable purpose. 

 

Section 17, therefore, clarifies that when there is any public interest involved, the State may provide access to publicly available personal data to third parties.  This read with Section 13 indicates that State is not required to get the consent of Data Principal in order to provide services and benefits.   

 

Whether the State has provided access to personal data for public interest or to provide services and benefits? 

The Bulk Data Processing & Procedure notification states that the purpose of providing access of bulk Personal Data is to “support the transport and automobile industry” & “help in service improvements and wider benefits to citizens & Government”.  Supporting the transport and automobile industry and improving services may qualify as public interest, whereas, mere revenue generation will not.  However, there is no clarification from the Government as to how these private companies to whom database access is being provided assist in public interest.  Further, whether all driving license and registration details related data can be classified as publicly available information is again contentious and questionable as the information provided therein is intended to be provided only to license holders & vehicle owners and is partially masked. 

In the event if this Personal Data is not construed as public data or these public companies have been given access to personal data in the absence of any public interest, it would result  in personal data breach by the Government Departments where the head of Department will be held liable as per section 96 of the Data Protection Bill. 

It is quite preposterous to note that on the one hand Data Protection Bill is being tabled in parliament and on the other, the Government is selling Personal Data of the general public for economic gains.  Whether it results in the exploitation of personal and private data on the pretext of public interest without an individual’s consent needs to be ascertained. 

Image Credits:

Photo by Markus Spiske on Unsplash

 

It is quite preposterous to note that on the one hand Data Protection Bill is being tabled in parliament and on the other, the Government is selling Personal Data of the general public for economic gains.

POST A COMMENT