dial 1930 cyber crime

Exploiting Cyber Helplines: A Growing Concern

Cyber help line 1930

dial 1930 cyber crime

Hon. High Court Bombay, bench at Nagpur takes prompt action to provide relief to petitioner by issuing notice to concerned police station.

In recent past, lot of account holders are suffering from actions of debit freeze of their account or lien mark on their accounts. These debit freeze or lien mark instructions are directly passed by concerned police officers to nodal officers of the respective banks without intimating to the customers.Customers were made to run from post to pillar to get their account active again.

Central Government Ministry of Home Affairs has created one mechanism named as Citizen Financial Cyber Fraud Reporting and Monitoring System, which mandates any victim of Financial Cyber Fraud to Dial 1930, a helpline for reporting financial cyber fraud. Once Victim dials 1930, a ticket/complaint number is created online. Then this ticket gets escalated to Concerned Banks, Wallets, Merchants as per the reporting in complaint. Acknowledgement Number and NCRP link is then sent to victim for submission of complete details of fraud. In the mean, concerned banks/ wallets/ merchants receive this ticket from NCRP portal and they freeze the account if money is available in the account reported in complaint. If defrauded money has moved to another account, ticket gets escalated to other Bank / wallet / merchant and process repeats till money is saved.
The mechanism is designed with proper intension but since no Standard operating guidelines are framed yet, many times innocent citizen’s account also gets debit frozen or witnesses lien mark. In such situation, the innocent citizen remains remediless and clueless about what actions he should initiate to get his account functional again.

In many cases innocent citizen is not at all involved in any of the acts alleged to be carried out in complaint reported to online portal 1930 nor citizen’s account witnesses any credit amount from complainant but still his account remains debit freeze.Such debit freeze of account was challenged in writ petition before Bombay High Court Bench at Nagpur and bench of Hon Justice Vinay Joshi and Hon Justice Vrushali Joshi took cognizance of the sufferings petitioner and issued notice to the respondent Police Inspector, who instructed for debit freeze of the account.

The petitioner, before the court, runs a bar and restaurant, having valid licenses from various government departments and receives money from customers for services provided to various customers. In this era of digitalization many customers make online payment using various apps and payment gateways authorised and regulated by Government of India. Petitioner also avails services of authorised gateways and apps to receive the online payment. Petitioner was communicated by one of the vendors regarding return of cheque issued by petitioner and hence petitioner communicated with bank, to understand the reason behind cheque return when there was sufficient balance in account. On receipt of such communication, petitioner was informed by bank that they received directives from police to debit freeze the account.That subsequent communications with bank as well as police by petitioner to get the account operative produced no results and hence petitioner approached Hon High Court Bombay bench at Nagpur through Adv Dr Mahendra Limaye.

Hon High Court observed that, “We have come across similar type of other petitions, wherein we could see that for a meager amount, entire account of the traders, businessman have been freezed putting them into great financial difficulties. Rather the Investigating Officer would have adopted the course by informing the concerned bank to freeze the disputed amount only, but without application of mind, the entire bank account has been freezed with total disregard to the inconveniences caused to the account holders. We have sufficient reasons to right now defreeze the entire account by stalling Rs.900/- but we feel that before passing any order, we should give a hearing to the concerned investigating agency. Again, our experience speaks that, when the police stations are from other States, despite our repeated summonses and communication, there is no response at all.”

Thereafter Hon Court directed petitioner to communicate the order to concerned police officer and directed him to respond to this Court or to the office of Government Pleader of this Court. The court made it explicitly clear that it was adopting this method only to expeditiously elevate the agony of account holder, petitioner. This action of court is very effective step to provide justice to many such innocent citizen, whose account gets debit frozen or lien marked without their direct involvement in any criminal act.

The petition highlights issue of receiving online payment from unknown persons, without any verifying mechanism being devised by the government for the protection of receiver. Maximum people are using digital payments systems for making payment and many traders/businessman/shop owners are facing such situation of debit freeze of the account.

The petitioner has prayed for directions to Respondent Ministry of Home Affairs to amend the existing mechanism of freezing/marking lien of the beneficiary accounts by formulating proper standard operating procedures including providing reasonable and time bound opportunity to beneficiaries, whose accounts are likely to be affected, to prove their innocence and to frame proper guidelines to make time bound investigation by centralized law enforcement authorities in such instances, with single point of contact for grievance redressal so that innocent citizen should not be made to suffer due to communication with multiple authorities.

Adv Dr Mahendra Limaye represented the petitioner. ASG Nandesh Deshpande, waived notice for MHA

Why Deny Adequacy Status To India?

Why Deny Adequacy Status To India?

It’s surprising that India has not been granted adequacy status under GDPR since long and our entire Industry is satisfied that it is due to India not having strong Data Protection Laws in place.
An adequacy decision is crucial from business perspective because adequacy status permits cross-border data transfer outside the EU, or onward transfer from or to a party outside the EU without further authorisation from a national supervisory authority and in turn boosts the economy and could provide advantage to Indian companies dealing with EU. The Adequacy status will boost Indian economy further and will make dream of Hon Prime Minister regarding India becoming 5 trillion economies in coming future, a reality.
I strongly believe that India’s case for Adequacy was not properly argued on merits and Industry left it to the mercy of EU authorities for granting such status rather than commanding the same.
Let us first check relevant provisions of GDPR for adequacy.
Art. 45 GDPR speaks about Transfers on the basis of an adequacy decision
1A – transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection.
India is having Information Technology Act in place since 2000 and section 43A was introduced after amendment in 2008. Section 43A was more than sufficient of fulfilling this requirement of adequate level of personal data protection.
Section 43A – Compensation for failure to protect data. –
Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.
“Reasonable security practices and procedures” were defined as security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.
(iii) “Sensitive personal data or information” means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.
So careful reading of section 43A reveals that requirement of GDPR regarding adequate level of protection was already catered. The organisations were mandated to follow the reasonable security practices either framed by Government of India or Best practises in the industry. Also, by defining Sensitive Personal Data there was no ambiguity in understanding what was the focus of the provision. The focus was to provide adequate protection to sensitive personal data by organisations who were involved in handling/procession or storing of that data. Additionally, the Indian Law has made provision for monetary compensation in case any organisation failed to protect the data and hence the provisions for data protection were properly and adequately addressed.
It was also clarified by GDPR that when assessing the adequacy of the level of protection, the Commission shall take account of the following elements:
1) The rule of law 2) Respect for human rights and fundamental freedoms 3) Relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law 4) The access of public authorities to personal data, as well as the implementation of such legislation 5) Data protection rules 6) Professional rules 7) Security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation 8) Case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred.
If these additional 8 principles are also analysed, in my views India does not fall short in complying with all these requirements. Being largest democracy in world and its track record for last 75 years shows that Rule of Law in supreme in India. India is also a signatory to the Universal Declaration of Human Rights. The Indian constitution is greatly influenced by the Universal Declaration of Human Rights, 1948.
As regards availability of sectoral and general regulations, The Information Technology Act was in place since 2000 and Section 43A, which specifically addressed Data Protection was present since 2008. Section 69,69A and 69B dealt with interception of messages, decryption of messages for Public Safety and National Security.
Section 43A was adequate to provide Data Protection framework. The Information technology (Reasonable security practices and procedures and sensitive personal data of Information) Rules, 2011 added more provisions for Data protection and hence the IT Act became more stronger as regards to Data Protection.
The Adjudicating Officers as well as appellate authorities in form of TDSAT were well placed and hence judicial framework was also in place.
So, it can be well argued that as regards to Adequacy Status, India has fair or comparatively higher chances to attain the same.
As regards to the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States, I see no reason why this procedural requirement could not be complied for?
Had India offered the EU Commission for Adequacy assessment, I am sure that India would have and can still attain the same. And even after its assessment, there could be some suggestions regarding the adequacy level of protection which could have been easily implemented.
So, it’s my humble submission that Indian I T Industry has not made out a strong case for Adequacy Status, for reasons best known to them only.

The comments/ debates are welcome for better understanding of one and all.

Dr Mahendra Limaye
The author is having Doctorate in Law and practices in specialised domain of Cyber Litigation and is FDPPI certified Daat Privacy Professional.