Banks should compensate account holder if customer loses money due to online fraud: National Consumer Court

The National Consumer Disputes Redressal Commission (NCDRC) has passed an important ruling in which it states that if hackers fraudulently withdraw money from a person’s bank account, the bank, would be responsible for the loss, not the customer.

The Commission blamed the bank for a mistake within their system while passing the judgment in one of the case in which the victim alleged that the money was withdrawn from her account by a hacker. The victim believed that the hacking was done due to a mistake in the bank’s electronic banking system.

It was observed by the commission that the bank could not present any such evidence, which showed that the credit card of the victim was stolen after which the commission ordered the bank to compensate the victim.

In one of the other cases, Jesna Jose, the complainant who lives abroad, will also receive around Rs 80,000 in interest and compensation. Jose had submitted the complaint before the district consumer forum in 2009. She said she procured the card in 2007 and the fraud took place in 2008. The commission rejected the bank’s claim that the woman had not taken care of the card and hence was liable for the fraud.

According to the RBI advisory, who will bear the loss will be decided by whose fault it is. If there is negligence or mistake on the part of the bank, then the entire loss will be borne by the bank. On the other hand, if the fraud is due to the negligence of the customer, then the customer will have to suffer the loss. In a situation where it is neither the fault of the customer nor the fault of the bank, then if the customer lodges a complaint with the bank within 3 working days of the fraud, then the customer will not be responsible for the fraud.

Loan Apps : How they loot the customers ?

Insta Loan fraud & mobile apps

These Insta Loan applications are developed in such a way that on installing these apps they get access to the contacts, mobile information and other data on the device. These applications collect the Id proofs, PAN card, KYC documents, and bank account details of the customers.

They check the genuineness of the documents and disburse small amounts in the form of a loan to their bank accounts by debiting the processing charges and GST ie, 25-30 per cent in advance. Loans are given for either seven days or 15 days.

After the due date, the company categorises the customers into various buckets - S-0, S-1, S-2, S-3, M2, M3, X etc. The customers in a lower bucket get a decent treatment but as the bucket category goes up the treatment gets harsher. The call centres of the company abuse the customers in filthy language and threaten them with dire consequences. They even go to the extent of accessing the contacts of the customers from their phone and start abusing and threatening the family members, relatives and friends with calls and messages. Using the stolen data, they threaten the customers with dire consequences like rape. In many cases, they created new WhatsApp groups using the victim’s phone book and sent lewd messages to the members.

They also blackmail innocent people by sending fake legal notices. Telecallers also suggest victims make the repayments by taking loans from their other loan applications. The customer falls into their trap by taking loans in the other loan applications as suggested by telecallers and end up paying huge amounts and get stuck in a never-ending cycle.

There are around 500 chinese such Apps, it’s time that India brings in a regulator for such Apps .

To protect yourself from such loan Apps fraud you must:

- use a different secondary mobile phone and instrument if you require a Insta loan .

- Never download any insta loan apps without verifying their licenses issued by government authorities.

- Go through the terms and conditions and verify the licenses of the companies that are offering loan and whether the licenses have been obtained from the concerned authorities like RBI, District Collector.

- Never download any app that asks to give access to the contacts, files, photo gallery, etc.

Criminal Investigation Robotics and Artificial Intelligence

Artificial Intelligence (AI) is the combination of algorithms designed with the purpose of creating devices that present capabilities similar to those of the human being. A type of technology that is beginning to be present in everyday life in the most common applications, even for home use such as Siri and Alexa cell phone assistants, or facial recognition applications such as those used by the Argentine government in systems such as ANSES (National Administration of Social Security “Administración Nacional de la Seguridad Social”) and the AFIP (Federal Administration of Public Revenue “Administración Federal de Ingresos Públicos”).

Authors Stuart Russell and Peter Norvig, two academic classics of Computer Science, defined the “types” of artificial intelligence according to their application in the following categories:

– Systems that “think” like humans (e.g., artificial neural networks).

– Systems that act like humans (e.g., robots).

– Systems that learn and generate new knowledge (e.g., expert systems).

Within the branch of systems that emulate the human way of thinking in the aforementioned categories, we find ourselves with two techniques that are increasingly used: Deep Learning and Machine Learning algorithms.

It can be said that Machine Learning has a side called Deep Learning. While both technologies refer to systems capable of learning on their own, Deep Learning is more complex and sophisticated, and it is also more autonomous, which means that once the system has been programmed, human intervention is minimal.

More dangerous than the famous ‘fake news’, the ‘deepfake’ are videos manipulated using artificial intelligence techniques such as those cited. The result is extremely realistic.

Another example is Deepfakeapp published as an application that allowed any computer novice to manipulate videos, a tool specially designed for those popularly known as ‘revenge porn’ (*), that is, the unauthorized and malicious publication of intimate images.

In 2018, a video in which an alleged Barak Obama called Donald Trump an imbecile circled the world. It was a fake recording in which actor Jordan Peele and Buzzfeed CEO Jonah Peretti were trying to raise awareness of the danger of unverified information and the Deepfake. In any case, one of the first steps when investigating the origin of a video or image is to verify the source: Who sent this? Who signs it? Is it reliable? Tracing the path of the so-called Deepfake, seeing where it was first shared, and who published it are some basic steps to take that don’t require advanced knowledge, just common sense.

In 2019, what was classified as the “first crime committed with artificial intelligence” was discovered in the United Kingdom and brought to justice in that country. In a short article published by The Wall Street Journal, explains the story of a group of cybercriminals who managed to impersonate the voice of the executive director of an energy company and demanded an urgent transfer of 243,000 euros and that worked for them as a deception method. The CEO of the company reportedly thought he was on the phone with the CEO of the parent company, who asked him for the money for a suspected supplier in Hungary. The cybercriminal made the request seem extremely urgent, saying the money needed to be transferred within an hour. The victim, in subsequent statements, said that she even heard her boss’s slight German accent, as well as the tone of her voice.

The predictions about this type of attack are not very encouraging: the voice recordings necessary to train the algorithm in high-profile people are very easy to obtain: in television interviews, radio, social networks, and WhatsApp audios, have enough minutes of recording so that the algorithm is in a position to replace any voice tone with that of the person you want to impersonate.
How will we validate false “confessions” made with these techniques? How will we argue that someone did not say what we are hearing? Will the videos that prove the alleged presence of a person in a place to try to exonerate them be valid from these techniques?

In the framework of a criminal investigation, we must begin to request the technical opinion of experts from the Scientific Police. We can no longer rely solely on the image and the video to consider them, alone, proof. In our prospective analysis, we must include the acquisition of forensic imaging and video tools, in the same way that today practically all investigative agencies are clear that it is necessary to have tools for the analysis of mobile devices.

And what happens when we apply these techniques to Robotics?

How do we deal with the “responsibility” or “attribution” of a crime when the one who commits it is a Robot? A robot is neither more nor less than a machine (hardware) that contains an operating system (software) and that performs operations through different algorithms. Since the first robotic arms used to handle materials, much progress has been made.

One aspect of this area that worries the field of law most is civil liability. That is, the obligation to indemnify a third party that arises from damage caused involuntarily. The problem that arises is that, under current legislation, a robot cannot be responsible for acts or omissions that may cause harm to third parties. Judges judge people, not robots, let alone algorithms.

It seems reasonable that the responsible party is “the manufacturer”, but as observed in different legal discussions on this topic in international settings, producers will be responsible for the damages caused by their products only in the case where they are defective.

Therefore, what happens if the damage caused is not a consequence of a manufacturing defect? What happens if it is damage caused by a rule that the robot learned with Deep Learning and Machine Learning techniques? What happens if someone “teaches” or, as we said above, “trains” the algorithm for unwanted behavior by the manufacturer and causes damage? What if the robot suffers a cyber attack and its learning and inference rules change?

Different options are evaluated in the world when determining what type of “legal status” should be applied to a robot and an algorithm. As an example of these proposals, regarding possible “legal natures” we can cite the opinion made by María José Santos González, coordinator of the Legal Department of the National Institute of Cybersecurity in Spain, which based on existing legislation in Europe she makes a very interesting rundown and analysis of the well-known figures, summarized for the Ibero-American Legal News Review:

a) “(…) Robot as a natural person. This possibility does not seem adequate given that article 30 of the Civil Code determines that live birth is necessary to acquire personality. Therefore, this cannot happen in a robot. “
b) “Robot as a legal person. Nor does it seem appropriate to endow robots with this type of personality because robots can interact directly with the environment and even cause damage, while, in the case of a legal person, it will always be the company’s representatives who make the decisions in the last resort and will therefore be responsible. “
c) “Robot as an animal. The fact that a robot has no biological or genetic basis or the fact that a robot today cannot have feelings makes it impossible to equate a robot to an animal. “
d) “Robot as a thing. For the Civil Code, concretely in article 333, a thing is an inanimate being, devoid of life, characteristics that a robot does not have, given that it can move and interact with the environment (…)”

Given that both a robot and an algorithm do not fit into any of these categories, will a new legal framework be necessary for these issues? Should we rethink the concept of life as some propose?
Let’s imagine for a moment a Robot or an algorithm as a subject of law. What would be the penalty? Who applies it? Where is the data stored to “turn it off”?

The liability problem could supposedly be solved partially; either by introducing a civil law supervisory duty for the owner of the AI or by granting legal personhood for AI’s and thus create AI criminal liability. None of these solutions are sufficiently correcting the liability problem, though. But, a supervisory duty for the owner would be the most suitable solution of these two. It has the possibility to qualify the defendant’s behaviour as wrong when he or she breaches the civil law duty and the AI as a consequence causes (foreseeable) harm. The conclusion could be that criminal law may not be the best branch of law to solve these problems, and the liability problem with AI in criminal law remains yet to be discovered.

 

FIR : All you want to know about in a criminal case

FIR - What is? 

The first information report is a report giving information of the commission of a cognizable crime, 

which may be made by the complainant (the term “Complainant” has been used herein the popular 

sense) or by any other person knowing about the commission of such an offence. It is intended to set 

the criminal law in motion. 

A First Information Report is the most important document and forms the basis of the case for 

prosecution. The word „First Information Report‟ has not been defined in the CrPC. By practice it has 

come to mean the information disclosing commission of a cognizable offence and recorded under Sec. 

154 CrPC.  

The principal object of FIR is only to make a complaint to the police officer to set the criminal law in 

motion while the secondary objective is to obtain early information of an alleged criminal activity and 

to record the circumstances before there is time for such circumstances to be forgotten or embellished.  

FIR:   Its Characteristics: 

¾ It must disclose the commission of a cognizable offence.  

¾ It should be given to the OC of a police station.  

¾ It should be earliest in point of time.  

FIR:  Other Features: 

¾ It may be in writing. 

¾ If given orally, it shall be reduced to writing by the police officer.  

¾ It should be signed by the person giving it.  

¾ A copy of it should be delivered to the informant free of cost.  

¾ It may be made by any person, whether or not he has the first-hand knowledge about the crime 

reported except in certain specified cases. 

¾ Delay, if any, in making the FIR should be explained in the FIR itself.  

¾ Strictly speaking, the Telegrams and telephonic messages cannot be treated as FIR, because 

they are not given in writing duly signed by the informant nor they are reduced to writing by the 

police and read over to the informant. Moreover, there is hardly any guarantee as to their 

genuineness / authenticity. 

¾ Refusal by Informant to sign the FIR is punishable u/s 180 IPC.   

FIR:  Its Basic Objects: 

¾ To set the criminal law in motion through the agency of the police.  

¾ To furnish to the police early information of an alleged criminal activity. 

Value of the FIR: 

¾ It is valuable because it gives the earliest version of the occurrence.  

¾ It is not a substantive piece of evidence.  

¾ It can be used for the purpose of corroboration u/s 157 Indian Evidence Act.  

¾ It can corroborate the maker if he is called as a witness.  

¾ It may be used for contradiction u/s 145 Evidence Act against the author thereof.  

Some Other Uses of the FIR: 

¾ As a conduct u/s 8 I.E. Act, if lodged by the accused. 

¾ As an admission u/s 21 I.E. Act, if lodged by the accused. 

¾ As a dying declaration, if lodged by the deceased whose death is in issue. 

¾ As an entry by a public servant in the discharge of his official duties u/s 35 I.E. Act.  

Refusal by the Police to Record FIR: 

¾ Remedy is provided by Section 154 (3) CrPC. The person aggrieved can send to the 

Superintendent of Police the substance of the information by post. The Superintendent of Police 

of the district may investigate the case himself or direct any officer subordinate to him for 

investigation. 

¾ Further the informant can file petition before Ld. Magistrate who will forward the same to the 

OC of the concerned PS with direction to treat the same as FIR u/s 156(3) CrPC. 

The immediate duty of the Officer-in-Charge of PS on receipt of such information: 

Any information relating to the commission of a cognizable offence (if given orally) is required to be 

reduced to writing by the Officer-in-Charge of police station which has to be signed by the person 

giving it and the substance thereof is required to be entered in a book to be kept by such officer in such 

form as the State Government may prescribe in that behalf. A copy of the FIR is required to be sent 

forthwith to the magistrate empowered to take cognizance of such offence. 

The duty of the Officer-in-Charge of the police station after recording the FIR: 

After recording the FIR, the Officer-in-Charge of the police station is obliged to proceed in person or 

depute one of his subordinate officers not below such rank, as the State Government may, by general 

or special order, prescribe in that behalf, to proceed to the spot to investigate the facts and 

circumstances of the case and if necessary, to take measures for the discovery and arrest of the 

offenders.  

The practice of sending away complainant, who wishes to make an oral report to go and bring a 

written one, should be discouraged. Each report should bear a consecutive number in the order of its 

arrival at the police station. 

It is well settled that a first information report is not an encyclopaedia, which must disclose all facts 

and details relating to the offence reported. It is enough if the police officer on the basis of the 

information given suspects the commission of a cognizable offence and not that he must be convinced 

or satisfied that a cognizable offence has been committed. 

Delay in lodging FIR: 

¾ Delay, in lodging the FIR, if not sufficiently explained, creates suspicion.  

¾ Delay, without any explanation may be fatal to the prosecution.  

¾ Delay in lodging the FIR cannot be used as a realistic formula for doubting the prosecution case 

and discarding the same. Delay in filing FIR in the case of rape does not mitigate the 

circumstance for the accused.  

¾ It cannot be used as a ritualistic formula to discard the prosecution‟s case.  

¾ The court must look for reasons for delay whether offered or not. 

If offered, it should see whether the reasons justify the delay. 

¾ Delay in lodging the FIR in a case of rape of a minor girl, where reputation of a family was 

involved and where her father was called from another place, delays in such cases by family 

members are usual features. 

Delay in lodging – May be Fatal:  

Delay in lodging the FIR often results in embellishment, which is a creature of an 

afterthought. On account of delay, the FIR not only gets bereft of the advantage of spontaneity, danger 

also creeps in the introduction of a coloured version or exaggerated story. 

BUT 

¾ Delay in filing FIR cannot be a ground for suspicion at all instances. 

¾ It can only be said to raise suspicion when the delay is unexplained.  

The following are the ingredients of FIR: 

¾ The information should be first in point of time. 

¾ It should be definite and responsible information and not merely rumour or village gossip or 

hearsay of an indefinite variety. 

¾ It must have been given to an officer-in-charge of a police station. 
¾ It should relate to the commission of a cognizable offence. 
¾ It should be the information which set the police on their investigation. 
¾ It should be given in writing or should be reduced to writing. 
¾ It should have been read over to the person who made it and signed by such person. 
¾ It should be entered in a book kept for the purpose. 

FIR: 11 Ws & 1 H 

1st     W – What information do you want to give?  

2nd    W – What capacity?  

3rd    W – Who committed?  

4th  W – Against whom (victim)? 

5th W – When?   

6th    W – Where?   

7th    W – Why? 

8th    W – What they carried away? 

9th    W – Who witnessed? 

10th  W – What they left? 

11th  W – Why delay? 

12th  H – How? Modus operandi (How they arrived etc.)?  

How to record FIR: 

¾ The FIR should be promptly recorded as any delay leads to suspicion and vitiates the FIR. 

However if there is a delay it should be explained in the FIR. 

¾ The FIR should be recorded in plain and simple words. 

¾ Accuracy is the watchword. It may be detailed but not unnecessarily lengthy. 

¾ Time of occurrence should be noted. 

¾ Modus operandi should be elicited and mentioned in the FIR. 

¾ The FIR should be a truthful account-neither minimized nor exaggerated. 

¾ Do not interpolate or insert anything after the FIR has been written. 

¾ Avoid scoring out what has been written. In unavoidable circumstances a line should be drawn 

across the word/s to be scored out still keeping it legible and the officer recording the FIR 

should initial it. 

¾ Note injuries found on the person of the informant or the witness and mention the same in the 

FIR. 

¾ Value of property stolen or damaged or lost should be mentioned correctly. Do not lessen the 

value to improve your statistics. 

¾ The special identifying marks, if any, on the items stolen or lost, together with their detailed 

description should be clearly noted. 

By intelligent questioning, the identity of the accused, the type or weapon used, if any, the language 

spoken, etc. should be elicited and mentioned in the FIR. The circumstances of identification must be 

clearly brought out, e.g. the condition of light, the line of visibility, the distance from which the 

identification was made etc.  

The names of the suspects, if any or any accused recognized during the occurrence, should be 

specified. If a particular person is suspected, the facts on which the suspicion is based should be 

clearly specified. The informant should be able to distinguish between what he saw, knew and heard.  

The names of known/suspected/unknown accused persons with full particulars should be entered 

serially in the FIR (WBP Form No. 27). The names of the eye witnesses and to those whom the 

complainant or informant reported the names of the accused immediately after the occurrence should 

be obtained and recorded for the purpose of corroboration. If such information though available first 

hand is not noted, the defense may term it as fabrication and afterthought. The original FIR should be 

sent to Magistrate having jurisdiction. (FIR should be sent to court without delay – PRB 246). 

A police officer should not defer drawing up the FIR on the plea of verifying the truth of the 

complaint. If a person gives a deliberate false information in regard to a cognizable offence, the 

informant is liable for prosecution under sec. 182 or 211 IPC. A police officer has power to refuse 

investigation in a cognizable case under provisions of Sec. 157(2) but has no power to refuse the 

registration of a cognizable case under section 154 CrPC.  

Refusal to record FIR on the ground that the place of crime does not fall within the territorial 

jurisdiction of the police station amounts to dereliction of duty. It is the duty to record a case and 

forward the same. (AIR- 1993 SC – 2644: 1993, Cr.LJ – 3684: 1994, SCC (Cri) 734.) 

FIR by the accused: 

If the accused gives information of the offence, the officer-in-charge must record it. Any confession 

which may form part of such an FIR will be inadmissible under section 25 Evidence Act, but those 

facts, which do not amount to a confession and merely go to show the motive, preparation or 

opportunity for the crime or give the information leading to the discovery of a fact, can certainly be 

provided on behalf of prosecution under sec.7, 8 and 27 of the Evidence Act. 

First information: Referred by the Magistrate: 

When a Magistrate directs the Police to investigate a complaint or a cognizable case filed before him 

and in regard to which no previous information has been given to the Police, the written information 

sent by the Magistrate should be treated as the basis of FIR. 

Disposal of FIR: 

An FIR once started, shall on no account be cancelled by the officer in charge, nor it is permissible for 

a Magistrate or any other Police officer to do so. Recording of FIR means starting of an investigation 

of a cognizable case which can only be concluded in any of the following ways: 

¾ By refusing investigation under sec.157 (b) CrPC 

¾ By transferring it to a different police station on question of jurisdiction.  

¾ By submitting a final report after such an investigation or, 

¾ By submitting a charge sheet after an investigation.  

Value of FIR: 

The FIR is not a substantive piece of evidence. It is relevant in judging the veracity of the prosecution 

case and value to be attached to it depends on the facts of each case. It is used either to corroborate or 

to contradict the oral evidence of the maker of the FIR during trial of the case.  

Quashing of FIR: 

FIR drawn up on the basis of information which does not disclose any offence or discloses only non-

cognizable offence can be quashed by the High Court by invoking power under Art. 226 of the 

Constitution of India or under Sec. 482 CrPC. 

Concept of ZERO FIR: 

“There is a concept of “Zero-FIR”. It means that a FIR can be filed in any police station 

(i.e.irrespective of place of incident/jurisdiction) and the same can be later transferred to the 

appropriate Police Station. 

There are two rulings of the Supreme Court in Satvinder Kaur vs Govt. of NCT of Delhi on 5/10/1999 

(AIR 1999, 1031) and in Ramesh Kumari vs Govt. of NCT Delhi on 21/2/2006. In the former case, the 

Court held that at the stage of investigation, the material collected by an investigating officer cannot 

be judicially scrutinized for arriving at a conclusion that the police station officer of particular police 

station would not have territorial jurisdiction. That apart, section 156(2) of the CrPC contains an 

embargo that no proceeding of a police officer shall be challenged on the ground that he has no 

territorial power to investigate the case. In the latter case, the Court held that a police officer is duty 

bound to register the case on the basis of such information disclosing a cognizable offence u/s 154(1) 

of the CrPC. The legal position stated above expects that the police shall register an FIR upon receipt 

of information of the commission of a cognizable offence. Further, if after registration of FIR, upon 

investigation, it is found that the subject matter relates to the jurisdiction of some other police station, 

the FIR may be appropriately transferred to the police station in which the case falls. Moreover, if at 

the time of registration of FIR, it becomes apparent that the crime was committed outside the 

jurisdiction of the police station, the police should be appropriately instructed to register a „Zero‟ FIR, 

ensure that the FIR is transferred to the concerned police station u/s 170 of the CrPC. It should be 

clearly stated that the delay over the determination of the jurisdiction leads to avoidable wastage of 

time which impacts on the victim and also leads to offenders getting an opportunity to slip from the 

clutches of the law. 

Some Important Rulings related to FIR 

1. Criteria for registering First Information Report: 

The condition, which is sine qua non for recording FIR is that there must be an information and 

that information must disclose cognizable offence. It is, therefore, clear that if any information 

disclosing a cognizable offence is laid before officer in charge of a Police Station transpiring the 

requirements of Section 154 (1), the said official has no other option than to enter the substance 

thereof in the prescribed form and register a case on the basis of such information. 

[State of Haryana vs. Bhajan Lal, AIR 1992 SC 604] 

2. Delay in lodging FIR – Criteria for evaluation: 

(i) The deceased is a newly married girl. The maternal uncle of the husband of the deceased 

informed the father of the deceased of the fact of committing suicide by the deceased on June 

25, 1983 at about 5.30 P.M. The father of the deceased immediately rushed to the hospital with 

members of his family where his daughter was brought. He stayed there the whole night with 

his wife and other members of the family near the dead body of his deceased daughter and on 

the next day till the dead body was handed over to him after completion of post mortem in the 

afternoon. The Asstt. Inspector of Police of Ajnala Police Station reached the hospital on the 

next day i.e. on June 26, 1983 and got the statement of father of the deceased recorded there. 

This statement was treated as FIR. In the circumstances, it cannot be said that there has been 

any delay in reporting the incident to the police station. 

[Gurbachan Singh vs. Satpal Singh and others, AIR 1990 SC 209] 

(ii) There was delay of two days in reporting the incident to the police in a case under Section 376 

of IPC. It is held by the Supreme Court that the victims of rape ordinarily consult relatives and 

are hesitant to approach police since it involves the question of morality and chastity of women. 

The woman and her relatives have to struggle with several situations before deciding to 

approach police, more so when the culprit happens to be relative. In such case, the delay is 

understandable and hence merely on that ground the prosecution version cannot be doubted.  

[State of Rajasthan vs. Narayan, AIR 1992 SC 2004] 

3. Delay in lodging FIR – Criteria for rejection: 

Unless there are indications of fabrication, the court cannot reject the prosecution version as give 

in the FIR. Where names of the accused were constantly mentioned throughout, there was absolutely 

no ground to hold that the FIR was brought into existence subsequently during investigation and the 

mere delay in lodging the report by itself cannot give scope for an adverse inference leading to 

rejection of the prosecution case outright. 

[Tara Singh & Others vs. State of Punjab, AIR 1991 SC 63] 

4. FIR for offence committed beyond local jurisdiction of PS: 

The police constable at the police station refused to record the complaint presented to him on the 

ground that the said PS. had no territorial jurisdiction over the place of crime. It is certainly a 

dereliction of duty on the part of the constable, because any law of territorial jurisdiction could not 

have prevented the constable from recording information about the cognizable offence and forwarding 

the same to the PS. having jurisdiction over the area in which the crime was said to have been 

committed.  

[State of AP vs. Punati Ramalu and others, AIR 1993 SC 264] 

5. Delay in transmission of FIR – Effect of: 

(i) Mere delay in Despatch of FIR to magistrate is not a circumstance, which can throw out the 

prosecution case entirely. 

[Pala Singh & vs. State of Punjab, AIR 1992 SC 2679] 

(ii) The delay is not necessarily fatal particularly when it has been recorded without delay and no 

suspicion is attached to its recording. 

[State of MP vs. Gokaran, AIR 1966AIR SC 131] 

(iii) Delay in sending FIR to Magistrate forthwith gives rise to the suspicion that the report was 

recorded much latter than the stated date. Obviously delay needs to be explained satisfactorily.  

[Ishwar Singh vs. State of UP, AIR 1976 SC 2423] 

 

The FIR is not a substantive piece of evidence, it is only relevant in judging the veracity of 

prosecution case and the value to be attached to it depends on the facts of each case. Only the essential 

or broad picture need be stated in the FIR and all minute details need not be mentioned therein. It is 

not a verbatim summary of the prosecution case. It need not contain details of the occurrence as if it 

were an “encyclopedia” of the occurrence. It may not be even necessary to catalogue the over acts 

therein. Non-mentioning of some facts or vague reference to some others are not fatal. We should also 

bear in mind that the FIR was given by an illiterate lady soon after the occurrence, when she should 

have been very emotional and in a disturbed state of mind. In this case, the evidence of the author of 

FIR is substantially in accord with FIR and the Court below was justified in placing reliance on FIR 

and the evidence of the maker of FIR.  

[Baladev Singh vs. State of Punjab, AIR 1996 SC 372] 

Brazilian LGPD & European GDPR Compared

Brazilian LGPD & European GDPR Compared 

Brazilian LGPD & European GDPR Compared Brazilian General Data Protection Law (Lei Geral de Protecao de Dados or LGPD), a law with many similarities to the European Union’s General Data Protection Regulation (the “GDPR”) is now effective.  On April 29 of this year, Brazil’s President issued Provisional Measure 959 that, amongst other things, postponed the effective date of the LGPD, which was originally set to be effective August 2020, to May 3, 2021.  Brazil’s Chamber of Deputies amended the measure so that the LGPD would take effect in December 2020.  The Senate then decided that any postponement was void because the effective date had already been decided by Congress.  The amended measure was sent to the President for his signature, providing him with the date of September 17, 2020 to sign the measure, which would make the law effective as of the original effective date, or veto it.  The President sanctioned the law and the LGPD is now effective.  Although the law has taken effect, the LGPD’s enforcement provisions take effect August 1, 2021 (in Portuguese), and the provisions will be enforced by Brazil’s data protection authority, a Autoridade Nacional de Proteção Dados Pessoais (the “ANPD”), which the President established by decree in August (in Portuguese).  However, the LGPD’s private right of action for violations of data subjects’ rights is effective now.  Businesses should continue to take steps to comply with the statute given its effective date and private right of action and should prepare now for when administrative sanctions become enforceable next year.

Businesses that are GDPR compliant may be well on their way to achieving compliance with the LGPD given the similarities between the legal frameworks.  Yet, businesses should be mindful of several differences that may impact how they adjust their GDPR compliance programs to meet the requirements of the LGPD to the extent that businesses process data applicable to both regimes.

At a glance. This post highlights some of the material provisions of the LGPD and compares them to their equivalents in the GDPR.

Applicability.  Similar to the GDPR, the LGPD applies broadly to a wide range of data processing activities, data subjects, and their information.

• The GDPR applies to the processing of personal data if such data is processed in the EU or if the purpose of the processing is to offer goods or services to or monitor the behavior of EU residents.  Arts. 2 and 3 GDPR.
• The LGPD applies to the processing of personal data if such data is processed in Brazil, the purpose of the processing is to offer or provide goods or services to Brazil residents or the personal data processed belongs to Brazilian residents or was collected in Brazil.  Art. 3 LGPD.

Lawful Processing of Non-Special Categories of Personal Data.  Businesses likely will be able to process data under the same legal bases provided under the LGPD and the GDPR.

• Under the GDPR, the processing is lawful if the data subject has consented or processing is necessary to perform a contract, comply with legal obligations, protect a natural person’s vital interests, act in the public interest, or achieve a legitimate interest of the controller or third party under certain conditions.  Art. 6 GDPR.
• The LGPD includes all of the legal bases for processing listed under the GDPR.  In addition, the LGPD provides that controllers may process personal data specifically to exercise rights in judicial, administrative or arbitration procedures and to protect credit.  Art. 7 LGPD.

Lawful Processing of Special or Sensitive Categories of Personal Data.  Although the LGPD and the GDPR share several legal bases for processing sensitive information, the LGPD does not allow businesses to process such data under the bases identified under GDPR for legitimate activities of nonprofit entities and public data.

• Under the GDPR, the processing of special categories of personal data is prohibited unless (i) the data subject has consented; (ii) data is processed under certain conditions in the course of legitimate activities of nonprofit entities in connection with their purposes; (iii) processing relates to data made public by the data subject; or (iv) processing is necessary to comply with employment, social security or social protection law, to protect the vital interest of natural persons, to exercise or defend legal claims or for public interest reasons, including those related to public health or research purposes.  Art. 9 GDPR.
• The LGDP allows processing of sensitive categories of personal data if the data subject consents or processing is necessary for (i) the controller to comply with a legal obligation; (ii) shared processing of data when necessary by the public administration for the execution of public policies; (iii) research purposes, (iv) exercising rights, including in connection with a contract and in a judicial, administrative and arbitration proceeding, (v) protecting vital interests of a data subject or a third party, including health in a medical procedure, or (vi) preventing fraud and protect the security of the data subject.  Art. 11 LGPD.

Data Subject Rights.  The LGPD provides to data subjects the right to data anonymization in addition to the other rights provided under the GDPR and requires businesses to respond to rights requests within fifteen (15) days.

• Under the GDPR, data subjects have the right to access, rectification, erasure, restriction, data portability, and objection, and the right against automated decision-making.  Chp. 3 GDPR.
• In addition to the rights provided under the GDPR, the LGPD provides data subjects the right to request that their data be anonymized.  Art. 18 LGPD.  However, in response to a request to delete under the GDPR, controllers may anonymize data because, similar to the LGPD, anonymized data is not considered personal data under the GDPR.

Children’s Personal Data.  The LGPD has a broader requirement than the GDPR to obtain consent for processing children’s personal data and extends heightened protection to children whose personal data is processed similar to the GDPR.

• Before collecting personal data of children who are younger than sixteen (16) years of age, the GDPR requires controllers to obtain the consent of a child’s legal guardian subject to certain exceptions.  Any information directed to children should be provided using clear and plain language.  Art. 8 GDPR.
• The LGPD broadly requires controllers to obtain the consent of a legal guardian before processing children’s data.  Information directed towards children needs to be appropriate for the children’s understanding.  Art. 14 LGPD.

International Transfer of Data.  The LGPD provides similar mechanisms to the GDPR for transferring personal data to third countries and international organizations.  Unlike the GDPR, the LGPD does not provide a list of specific derogations but many are covered by the law.

• The GDPR allows the transfer of personal data to a third country or an international organization on the bases of (i) an adequacy decision, (ii) appropriate safeguards such as binding corporate rules, standard contractual clauses, and approved codes of conduct and certification mechanisms, (iii) an international agreement; and (iv) derogations for specific situations, which includes when the transfer is made from a register intended to provide information to the public or by any person on the basis of legitimate interests.  Chp. 5 GDPR.
• The LGPD allows the international transfer of personal data on the bases of (i) an adequacy decision, (ii) compliance with the LGPD as shown through contractual clauses, global corporate rules, and stamps, certificates and codes of conduct, (iii) international agreements and cooperation, (iv) the vital interest of the data subject or a third party; (v) ANPD approval, (vi) public interest; and (vii) data subject consent.  Art. 33 LGPD.  Unlike the GDPR, the LGPD does not provide for international transfers on the basis of a register intending to provide information to the public or legitimate interests as provided under the GDPR.

Controller and Processor Obligations.  Generally, the LGDP has similar controller and processor obligations to the GDPR with differences in data record maintenance, data protection impact assessment, and the appointment of data protection officers.

• Under the GDPR, controllers and processors are required to maintain records of processing data activities; implement appropriate and technical measures, including data protection policies, to protect personal data; conduct data protection impact assessments in certain circumstances; provide notice of data breaches to supervisory authorities and data subjects; and designate a data protection offer under certain conditions.  Chp. 4 GDPR.
• Similarly, the LGPD requires controllers and processors to maintain processing records; adopt security, technical and administrative measures to protect personal data; conduct data protection impact reports upon the ANPD’s request; provide notice of certain security incidents; and appoint a data protection officer.  Chp. IV §§ I and II; Chp. VII §§ I and II; and Art. 41 LGPD.

Security Breach Notifications.  The LGPD has a lower threshold than the GDPR for providing notice of security incidents and a potentially longer timeframe than the GDPR in which to provide notice to regulators.

• Under the GDPR, controllers are required to provide notice (a) to supervisory authorities within seventy-two (72) hours unless the security incident is unlikely to result in a risk to data subjects and (b) to data subjects without undue delay if the security incident is likely to result in a high risk to the data subjects.  Arts. 33 and 34 GDPR.
• The LGPD requires businesses to notify within a reasonable amount of time the ANPD and affected data subjects if the incident may cause harm to data subjects.  Art. 48 LGPD.

Administrative Sanctions.  The LGPD imposes significantly less severe fines than the GDPR since they are based on businesses’ revenue in Brazil as compared to fines based on businesses’ revenue worldwide as provided under the GDPR.

• Under the GDPR, controllers and processors may be subject to a fine of two percent (2%) of worldwide revenue up to 10,000,000 EUR for lower-level violations and four percent (4%) of worldwide revenue up to 20,000,000 EUR for higher-level violations.  Art. 83 GDPR.
• Under the LPGD, controllers and processors may be subject to a fine of up to two percent (2%) of revenues in Brazil up to a total of R$ 50,000,000.  Art. 52 LGPD.

Law enforcement

In the case of Brazilian law, the supervisory authority is referred to as the ANPD (National Data Protection Authority) (Article 55). In the case of GDPR, it's the European Data Protection Board (Article 68).

To Conclude

In practice, if your company is already GDPR compliant, it can easily be LGPD compliant as well; and vice versa. There's a very visible convergence between LGPD and GDPR. But a Privacy Expert Lawyer or Law firm needs to evaluate your legal risk and compliance based on emerging case laws. Also, the fact is that both laws still need time to gain maturity and to be better evaluated. 

For training on LGPD in comparison with GDPR or any privacy or Data Protection Laws with case studies around the World email: info@cyberlawcosulting.com

 

What’s changed in the CPRA ? The California Privacy Rights Act of 2020

What’s Changed in the CPRA? The California Privacy Rights Act of 2020 

The California Privacy Rights Act of 2020 (CPRA) is the law now. With some exceptions, the CPRA expands privacy protections afforded under the current California Consumer Privacy Act of 2018 (CCPA), giving consumers more rights over their personal information and requiring greater transparency and obligations from businesses. Beyond new rights, the CPRA establishes a privacy enforcement agency - the California Privacy Protection Agency - that would be the first of its kind state agency dedicated to privacy enforcement. The CPRA also reaches areas of digital privacy untouched by the CCPA, including dark patterns, behavioral advertising, and profiling.

In addition to these remarkable changes, the CPRA significantly amends existing rights and responsibilities presently enforced under the CCPA. The CPRA’s amendments serve to clarify ambiguous areas of the CCPA and, if passed, will better align the law’s text with its intent. By understanding these changes now – and not waiting until the new law takes effect – businesses will gain a leg up on meeting their existing compliance obligations under the CCPA while priming themselves for the future of privacy enforcement under the CPRA.

So, what’s new in the CPRA? A lot more than you think. Definitions are a good place to start. 

New Definitions

The CPRA adds new defined terms and clarifies existing ones.

New Terms added

Among the new terms added in the CPRA – and not currently defined in the CCPA – are:

• Consent
• Contractor
• Cross-context behavioral advertising
• Dark pattern
• Household
• Intentionally interacts
• Non-personalized advertising
• Profiling
• Security and integrity 
• Sensitive personal information
• Sharing

A few of these new terms warrant a closer look, in order of significance. 

Sharing. The most significant addition might be the inclusion of “sharing,” defined as the disclosure of personal information to a third party for purposes of cross-context behavioral advertising (itself a new defined term), also known as targeted or interest-based advertising. “Sharing” therefore includes activity commonly viewed as fitting the definition of a “sale” under the current CCPA, although this has been a gray area of the law. CPRA helps resolve this ambiguity by regulating the activity in its own right, and, as explained below, granting consumers identical rights as they have with regard to a “sale” of their personal information. A business that has sat on the sidelines during the initial months of CCPA enforcement and declined to call this type of sharing a “sale” is well-advised to treat it as such given that CPRA makes clear that consumers are entitled to have a say when their personal information is used for this purpose.

Contractor. Perhaps easily overlooked, “contractor” may not mean what you think it does. Under CPRA, a contractor is similar to a service provider in that a contractor is not a third party, and it is bound by a written contract limiting its use of personal information that a business discloses to it. However, rather than processing information for the business, a contractor is a person to whom the business makes available personal information for a business purpose. The significance of this seemingly subtle distinction is not immediately apparent. But the big takeaway is that the cast of characters under CPRA would include: the consumer; the business; services providers; contractors; and third parties. 

Sensitive personal information. One of the most significant changes in the CPRA is that it adds an entirely new category of personal information – sensitive personal information – the collection of which triggers new rights and obligations described below. Sensitive personal information includes the contents of a consumer’s mail, email and text messages (unless the business is the intended recipient of the communication), a consumer’s genetic data, racial or ethnic origin, and personal information collected and analyzed concerning a consumer’s sex life or sexual orientation, among others. This change will better conform to California’s privacy law to GDPR, which similarly recognizes a special class of highly sensitive personal data. 

Profiling. “Profiling” relates to automated processing of personal information used, for example, to analyze or predict aspects concerning a person’s performance at work, economic situation, personal preferences, and more. Like sensitive personal information, the regulation of profiling – which will be forthcoming as the CPRA only references, but does not establish, the new rules – would likewise conform California privacy law to more robust protections afforded by GDPR.

Dark pattern. Along with the newly defined term “consent” - a term relevant any time an opt-in is required, such as for selling or sharing the personal information of consumers under 16 years old - is the prohibition on obtaining consent through manipulation via the use of “dark patterns,” or user interfaces designed to impair user autonomy.

Changes To Existing Terms

In addition to adding new definitions, the CPRA amends defined terms that already exist in the current CCPA. Of these changes, the following are most significant.

Business. The thresholds for a business to be subject to regulation under the law would include buying, selling or sharing the personal information of 100,000 or more consumers or households. This amends - and relaxes - the previous threshold related to 50,000 or more consumers, and clarifies that (1) collection alone does not trigger this threshold, and (2) devices do not count toward the number of consumers, as they did under CCPA. Notably, the amended definition of “business” also expressly contemplates voluntary self-certification with – and agreement to be bound by – the CPRA for businesses that do not meet any of the threshold requirements. Self-certification might become a future badge of honor for businesses of all sizes – and consumers may come to expect compliance, regardless of annual revenue.

Business purpose. The CPRA’s amendments somewhat clarify the CCPA’s vague reference to “short-term, transient use” and add a new business purpose of “providing advertising and marketing services.” The new purpose expressly excludes cross-context behavioral advertising, meaning that such advertising is not considered a “business purpose” under the law.

Deidentified. The CPRA substantially revises this definition to address that de-identified information cannot be used to make inferences about the consumer. The new definition requires a public declaration by the business that it will maintain and use the information in the deidentified form and contractually requires any recipients to comply with this.

Personal information. This definition is largely the same except that, as amended, it applies to information that is “reasonably capable of being associated with” a consumer, which weakens the required connection between the consumer and the information. Practically speaking, however, this change is unlikely to have a big impact. The amended definition also, of course, includes the additional category of sensitive personal information described above.

Significantly, the CPRA excludes certain additional information from “personal information”:

• Lawfully obtained, truthful information that is a matter of public concern. This exclusion appears to exempt speech protected under the First Amendment. 
• In addition, “publicly available” information excluded from the definition of “personal information” would include – in addition to information lawfully made available in government records – information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media, or information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience.

Under these new exclusions, it appears that a business would no longer disclose when it collects widely available information such as a consumer’s social media handle or online profile.

Sell. The definition of “sell” includes several changes, but the most notable is the removal of the service provider exception. That exception, however, no longer appears necessary, as the definition now only pertains to disclosures of information involving third parties – and therefore, not service providers or contractors. It still is not clear under the CPRA whether all disclosures of information to third parties necessarily constitute a “sale” of information. Arguably they would not, as the definition retains the requirement of “monetary or other valuable consideration.”

Service provider. Under CPRA, service providers can be legal or natural persons - a change from CCPA, which applies the term only to legal entities. The amended definition expressly precludes a service provider from selling or sharing personal information a business discloses to it – a change that harmonizes the law’s text with its clear intent – and prohibits service providers from combining information received from a business with the information they receive from another business or from the service provider’s interaction with the consumer. The amended definition, however, references future regulations that will allow for certain exceptions to this rule for limited business purposes.

New Rights

It’s no secret that the CPRA creates several new privacy rights for consumers. Here they are:

Right to Correct Inaccurate Information. This right is self-explanatory, but notably the law endeavors to balance the consumer’s right with burdens on businesses by simply requiring businesses to use “commercially reasonable efforts to correct the inaccurate information.”

Right to Access. This is actually a right that already exists under the CCPA - the right to know specific pieces of information a business has collected about a consumer - but the CPRA introduces the new “access” terminology, which helps distinguish a request for specific information from a general request for categories of personal information.

Right to Opt-Out of Sharing. Along with the new concept of “sharing” information for purposes of cross-context behavioral advertising is the consumer’s right to opt-out of such sharing.

Right to Limit Use and Disclosure of Sensitive Personal Information. Alongside the establishment of “sensitive personal information” is the consumer’s right to limit a business’s use of such information specifically where the information is used to infer characteristics about a consumer. This new right would not apply when a business uses sensitive personal information for purposes other than inferring characteristics.

New Responsibilities

The CPRA makes numerous changes to the compliance obligations of businesses. Here’s a rundown of the more meaningful ones.

Privacy Principles

• Like the guiding principles of the GDPR, the CPRA injects certain reasonableness and proportionality standards into the law. Specifically, a business’s collection, retention, and disclosure of personal information must be necessary and proportional to achieve the intended purpose for collecting and processing it.

Notice at Collection

• The CPRA clarifies that if a business involuntarily accesses personal information, it need not provide notice of that collection at or before the point of collection.
• If a business collects sensitive personal information, it must disclose that fact.
• A business must disclose not only the business purposes for which it collects personal information, but also the purposes for which it sells or shares it.
• A business must disclose the length of time it intends to retain information collected, or, if not feasible to do so, the criteria used to determine the length of time.

Contractual Requirements

• CPRA imposes obligations on businesses to have in place contractual agreements with not only service providers and contractors, but also third parties to whom the business sells, or with whom the business shares, personal information.
• The law makes clear that a business generally will not be liable for any violations committed by these other parties if such agreements are in place.
• The CPRA requires that the contract cover several grounds, including compliance with CPRA and granting the business the right to ensure that the service provider, contractor, or third party is using personal information in a manner consistent with the business’s obligations under the CPRA. In this way, the CPRA contemplates annual audits and similar automated or manual checkups by businesses.

Security Procedures

• The CCPA currently includes a private right of action for security breaches and references definitions and rules set forth in a different part of the Civil Code – Section 1798.81.5. CPRA adds a new requirement for businesses that collect personal information: they must implement reasonable security measures to prevent unauthorized access or disclosure of personal information in accordance with Section 1798.81.5. This change more closely links the law’s affirmative requirements with the private right of action it establishes.

Handling a Request to Delete

• Businesses are required to notify not only service providers and contractors, but also third parties, about deletion requests - triggering those parties’ obligation to delete information in their possession, and directing their service providers and contractors to do the same - unless it proves “impossible or involves disproportionate effort.”
• The CPRA removes the general, catchall exception to deletion that currently exists under the CCPA at Section 1798.105(d)(9). Arguably, this exception was overbroad, unnecessary, and abuse-prone to begin with.

Handling a Request to Know

• Under the CPRA, a business may comply with a consumer’s request to know when it seeks categories of information regarding collection by including such disclosures in its online privacy policy, so long as the information would be the same as for the requesting consumer. 
• However, it does not appear that a business can satisfy its right to know obligations related to sharing and selling (if the business sells or shares personal information) via its online privacy policy only. The business must still respond to individualized requests.
• In response to individual consumer requests, a business must disclose categories of third parties involved in selling or sharing, and also categories of service providers and contractors. This clarifies an ambiguous area of the CCPA, which appears to require that businesses categorize third parties only.

Handling Opt-Outs

• As noted above, businesses that “share” information must respect the same consumer opt-out rights that exist for a “sale” of personal information under the CCPA. Relatedly, the CPRA also requires businesses to include a “Do Not Sell or Share My Personal Information” link on their homepage where consumers can exercise this right.
• Similarly, a business that collects sensitive personal information must also provide a clear and conspicuous link titled “Limit the Use of My Sensitive Personal Information.”
• Significantly, the CPRA gives businesses an alternative manner of satisfying these “conspicuous link” requirements: they can allow consumers to opt-out through an opt-out preference signal sent with the consumer’s consent by a platform, technology, or mechanism based on forthcoming technical specifications to be published by the Office of the Attorney General.

Exemptions

• The CPRA adds new provisions permitting exemptions from the law where necessary to comply with court orders, subpoenas, and directions from law enforcement, including in emergency situations.
• The CPRA clarifies how the exemption for the Fair Credit Reporting Act applies and adds an exemption for the Federal Farm Credit Act of 1971.
• It also adds exemptions for discrete circumstances involving education information and where a business has incurred a financial expense in reliance on a consumer’s consent to create a physical object, like a yearbook, or where compliance with a request to delete or opt-out would not be commercially reasonable.
• Importantly, the CPRA makes clear that the B2B exemption - which CPRA would extend to January 1, 2023 - would not apply to opt-out or non-discrimination rights.

Passage of the CPRA is sure to trigger a new set of compliance questions, such as how to meet CCPA obligations until CPRA is enforced, what to do until new regulatory guidance is issued, and how a business can navigate through differences in the two laws.

For training in CPRA, GDPR, or in any Privacy / Data Protection Laws across the world with certifications from CLC email : info@cyberlawconsulting.com