Thursday, March 4, 2021

What is the Virginia Consumer Data Protection Act (CDPA)?

The Virginia Consumer Data Protection Act (CDPA) law goes into effect on January 1, 2023. The law applies only to businesses with large amounts of consumer data and does not apply to employee or business-to-business (B2B) data. The CDPA also provides broad exemptions, including for financial institutions subject to the Gramm-Leach-Bliley Act (GLBA) and covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA). Broad in scope, the CDPA incorporates aspects of the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and the EU General Data Protection Regulation (GDPR).

Outlined below are some key aspects of the CDPA, compared with these other comprehensive privacy laws.

Who Must Comply with the CDPA?

Businesses are subject to the CDPA if both of the following criteria are met:

  • They either conduct business in Virginia or produce products or services that are targeted to Virginia residents, and
  • During a calendar year (i) control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of their gross revenue from the sale of personal data.

The Virginia law does not have a revenue threshold, and thus many large businesses that do not hold a substantial amount of consumer data will not be subject to the law. As noted below, the law explicitly excludes B2B and employee data from the definition of consumer, noting that “consumer” does not include individuals “acting in a commercial or employment context.”

Which Entities—and What Data—Is Exempt?

The CDPA does not apply to certain government agencies, financial institutions subject to the GLBA, covered entities or business associates governed by HIPAA, nonprofit organizations and institutions of higher education. The CDPA also exempts certain data, including data protected by federal laws like HIPAA, the GLBA, the Fair Credit Reporting Act, the Driver’s License Protection Act and the Family Educational Rights and Privacy Act. The CDPA further exempts data processed or maintained: (i) in the course of an individual applying to, employed by or acting as an agent or independent contractor of a controller, processor or third party, to the extent that the data is collected and used within the context of that role; (ii) as emergency contact information for an individual; or (iii) that is necessary to retain to administer benefits for another individual. Additionally, controllers and processors that comply with verifiable parental consent requirements under the Children’s Online Privacy Protection Act shall be deemed compliant with any parental consent obligations under the CDPA.

What is “Personal Data” Under the CDPA?

As with other comprehensive privacy laws, the CDPA defines “personal data” broadly as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” Notably, the CDPA does not aim to capture Virginia residents in the employment and B2B context as the CCPA does. Instead, under the CDPA a “consumer” is defined as a natural person who is a resident of the Commonwealth “acting only in an individual or household context” and “does not include a natural person acting in a commercial or employment context.”

Similar to the GDPR and the CPRA, the CDPA regulates “sensitive data.” Sensitive data is defined as a category of personal data that includes: (i) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation or citizenship or immigration status; (ii) genetic or biometric data for the purpose of uniquely identifying a natural person; (iii) personal data collected from a known child; or (iv) precise geolocation data. The protections for sensitive data are discussed further below.

How Does The CDPA Apply Differently to Controllers and Processors?

Like the GDPR, the CDPA differentiates between controllers (companies that are responsible for determining the purpose and means of processing personal data) and processors (companies that process personal data on controllers’ behalf). Under the CDPA, businesses who constitute “controllers” have more stringent obligations. In contrast, processors’ obligations are generally connected to their contracts with controllers. For instance, processors are required to follow controllers’ instructions; implement appropriate technical and organizational measures to help the controller respond to consumer rights; and provide the necessary information for controllers to comply with their data protection assessment obligations. Similar to the GDPR, the relationship between the controller and processor must be governed by a contract that includes certain specified requirements and obligations for the processor.

Obligations for Controllers

The CDPA places several responsibilities on controllers including:

  • Limits on Collection and Use of Data. The CDPA requires that controllers limit the collection of personal data to what is adequate, relevant and reasonably necessary for the purpose for which the data is processed. Controllers may not process personal data for purposes that are neither reasonably necessary for nor compatible with the disclosed purpose for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent.
  • Reasonable Security. Controllers must also establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Such protections should be appropriate to the volume and nature of the personal data at issue.
  • Consent for Processing Sensitive Data. Controllers are required to obtain the consumer’s consent before processing any sensitive data. Consent is defined similarly to the GDPR and the CPRA as a clear affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement to process personal data relating to the consumer and may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.
  • Data Processing Agreements (DPAs). As noted above, the CDPA requires that controllers enter into DPAs with their data processors. These agreements must “clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.” The CDPA provides specific terms that must be included in any DPA.
  • Privacy Notice. Controllers must provide consumers with a reasonably accessible, clear and meaningful privacy notice that includes: (i) the categories of personal data processed by the controller; (ii) the purpose for processing personal data; (iii) how consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request; (iv) the categories of personal data that the controller shares with third parties, if any; and (v) the categories of third parties, if any, with whom the controller shares personal data. This is similar to requirements for privacy policies under the CCPA and, to a more limited extent, under the GDPR.
  • Notice of Sale. Controllers that sell personal data to third parties or process personal data for targeted advertising must clearly and conspicuously disclose such processing in their privacy notice and provide a manner in which a consumer may exercise his or her opt out right. Unlike the CCPA, the CDPA does not appear to specify the specific manner in which the controller must provide the opt out right (i.e., there is no requirement for a specific link or button).
  • Consumer Request Process. Controllers must establish one or more secure means for consumers to submit requests to exercise their rights. Unlike the CCPA and CPRA, the CDPA is not prescriptive in how consumers must submit such requests, but provides that such means must take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request.
  • Data Protection Assessment. Controllers must conduct and document a data protection assessment for certain processing activities, including the sale of personal data, the processing of personal data for purposes of targeted advertising or profiling, the processing of sensitive data and any processing activities involving personal data that present a heightened risk of harm to consumers. These data protection assessments must identify and weigh the benefits to the business of processing consumers’ data against potential risks to consumers associated with such processing. In balancing those competing concerns, businesses should consider whether certain safeguards, such as using de-identified data, would mitigate risks to consumers, as well as consumers’ reasonable expectations and the relationship between the business and the consumer.

What Rights Do Individuals Have Under the CDPA?

Similar to the CPRA and the GDPR, consumers have the following rights under the CDPA:

  • Right to access. Consumers have the right to confirm whether a controller is processing the consumer’s personal data and obtain access to such data.
  • Right to correct. Consumers have the right to correct inaccuracies in the consumer’s personal data.
  • Right to delete. Consumers have the right to delete personal data provided by or obtained about the consumer.
  • Right to data portability. Consumers have the right to obtain a copy of the consumer’s personal data in a portable and readily usable format.
  • Right to opt out of certain data processing. Consumers will have the right to opt out of the processing of personal data for purposes of: (i) targeted advertising; (ii) the sale of personal data; or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. A “sale” under the CDPA is defined more narrowly than under the CCPA or CPRA to mean the exchange of personal data for monetary consideration by the controller to a third party.

The CDPA does not provide for any hardship exemptions to these rights. Businesses must respond to requests within 45 days of receipt of the request and may extend where reasonably necessary for an additional 45 days if the consumer is notified within the first 45-day window. Businesses must establish procedures for consumers to appeal a failure to act on a rights request within a reasonable time period and inform consumers of how they can submit a complaint to the attorney general if the appeal is denied.

Who Enforces the CDPA?

The Virginia Attorney General has exclusive authority to enforce the CDPA and to impose a civil penalty of up to $7,500 per violation. Businesses may avoid an enforcement action, however, by properly remedying the violation. The CDPA’s right to cure allows businesses to correct any violation of the CDPA within 30 days of receiving notice thereof from the Virginia Attorney General. Unlike the CCPA, the CDPA does not provide a private right of action to consumers.

The CDPA also requires businesses to establish procedures for consumers to appeal any denial of their rights under the CDPA. This appeal right, coupled with the provision for enforcement by the attorney general and the possibility of hefty civil fines, may compensate for the lack of a private right of action in the CDPA.

Key Takeaways

Businesses subject to the CDPA will need to perform a comprehensive data inventory and update their external policies and internal procedures to come into compliance. The CDPA requires businesses to conduct data protection assessments for specified processing activities and to establish procedures by which consumers may appeal any denial of their CDPA rights. Businesses must also update their public-facing privacy policies to, among other changes, make a public commitment to not re-identify de-identified personal data and provide details on their data processing activities. The CDPA extends its protections to businesses’ contracts with service providers by requiring businesses to limit the service provider’s use and further distribution of personal data. Notably, the CDPA does not displace or change businesses’ existing obligations to report data breaches.

What's more to come?

The CDPA’s quick pace toward enactment may foreshadow its role as a blueprint for other states looking to enact comprehensive data privacy reform. The CDPA was designed to provide key protections for consumers and clearly define the obligations for businesses to ensure a smooth path toward compliance, without imposing overly burdensome requirements in a complicated statutory structure. As State Sen. David Marsden, who introduced the legislation, described, “This is a huge step forward. By creating this omnibus bill, we take the lead in data privacy in the United States. This omnibus bill is clear, concise, and holds companies accountable for protecting consumer data in providing protections for consumers.”

On the federal level, let's wait for a US federal privacy law.

Thursday, February 25, 2021

IT Rules 2021 - Social Media & OTT Rules


Social media, OTT platforms and online news websites regulation in India (Information Technology Rules, 2021)


These Rules, framed pursuant to the powers conferred by Section 79(2)(c) and Section 69A(2) of the Information Technology Act, 2000, provide for classification of films and other entertainment programmes, including web series, bring digital news platforms within the ambit of regulations covering print and electronic media, and attempt to rein in social media intermediaries.

Guidelines for intermediary and social media intermediary 

The Rules define 'significant social media intermediary' as social media with users above the threshold notified by the Central government. 

The Rules mandate that a social media intermediary should enable the identification of the first originator of the information on its computer, as "may be required by a judicial order or an order passed by the Competent authority", and such an order shall only be passed for the purposes of prevention, detection, investigation, prosecution or punishment of an offence related to the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, or public order.

It has also been provided that the significant social media intermediary "shall have a physical contact address in India published on its website or mobile based Internet application or both, as the case may be, for the purposes of receiving the communication addressed to it."

The rules and regulations, privacy policy or user agreement of the intermediary should inform the user of computer resource not to host, display, upload, modify, publish, transmit, store, update or share any information that is inter alia, obscene, pornographic, paedophilic, threatens the unity, integrity, defence, security or Sovereignty of India, friendly relations with foreign States, or public order, or causes incitement to the commission of any cognizable offence or prevents investigation of any offence or is insulting any foreign States. 

No such information should be published which is patently false and untrue, and is written or published in any form, with the intent to mislead or harass a person, entity or agency for financial gain or to cause any injury to any person.

Self-Regulatory Body

It has been notified that there would be one or more self-regulatory bodies of publishers. Such a body shall be headed by a retired judge of the Supreme Court, a High Court or an independent eminent person and have not more than six members. The concerned regulatory body will have to register with the Ministry of Information and Broadcasting. This body will oversee the adherence by the publisher to the Code of Ethics and address grievances that have not been resolved by the publisher within 15 days.

Disposing a grievance

It has been laid down that a self-regulating body while disposing a grievance or an appeal will issue guidance or advisories to the applicable publisher/entities: 

(a) warning, censuring, admonishing or reprimanding such entity; 

(b) requiring an apology by such entity; or 

(c) requiring such entity to include a warning card or a disclaimer; or 

(d) in case of online curated content, direct such entity to (i) reclassify ratings of relevant content; (ii) make appropriate modification in the content descriptor, age classification and access control measures; (iii) edit synopsis of relevant content.

Code of Ethics and Procedure/safeguards for Digital/Online media

Part III of the Rules states that digital and online media will be governed by a Code of Ethics. The Code of Ethics, which is given in the appendix, makes the Programme Code under section 5 of the Cable Television Networks (Regulation) Act, 1995 and the Norms of Journalistic Conduct of the Press Council of India under the Press Council Act, 1978 applicable to digital media.

The Code of Ethics is applicable to entities that operate within the territory of India and conduct the systematic business activity of making their content available in India, targeted at Indian users. The Code of Ethics will cover the following entities:

  • Publishers of news and current affairs content;

  • Intermediaries which primarily enable the transmission of news and current affairs content;

  • Publishers of online curated content;

  • Intermediaries which primarily enable the transmission of online curated content.

Monthly compliance report

The rules require the concerned body/entity to publish a monthly compliance report mentioning the details of complaints received and action taken on the complaints as well as details of contents removed proactively by the significant social media intermediary.

Such entities should not publish content which affects the sovereignty and integrity of India, jeopardises security of State or which is detrimental to India’s friendly relations with foreign countries. Further, online content should be classified based on the nature of the content: 'U', 'UA', 'A' etc.

They should also take into consideration India’s multi-racial and multi-religious context and exercise due caution and discretion when featuring the activities, beliefs, practices, or views of any racial or religious group.

A three-tier structure has been notified to address the grievances made by various users.

(a) Level I - Self-regulation by the applicable entity;

(b) Level II - Self-regulation by the self-regulating bodies of the applicable entities;

(c) Level III - Oversight mechanism by the Central Government.

Establishment of "Grievance Portal"

It has been laid down that the concerned Ministry shall establish an online Grievance Portal, as the central repository for receiving and processing all grievances from the public in respect of the Code of Ethics, within three months of the commencement of the rules.

  • If a person has a grievance against any 'content published by an applicable entity', that person may register the grievance on the Grievance Portal.

  • The Portal shall generate and issue an acknowledgement of the grievance for the benefit of the complainant within 24 hours of its registration, and electronically direct the grievance to the applicable entity for addressing the grievance, and also refer such grievance to the Ministry and the self-regulating body for information and record.

Mandatory Notification by the Significant publishers and 'content' creators 

It has been stated that it shall be mandatory for a 'significant publisher' of news and current affairs content to notify the Broadcast Seva that it is operating in the territory of India, by furnishing the information that may be required on the Broadcast Seva by the Ministry, for the purpose of enabling communication and coordination with such publisher.

The explanation reads that, for the purposes of this rule, a publisher of news and current affairs content shall be a significant publisher of news and current affairs content if it:

(a) publishes news and current affairs content as a systematic business activity. 

(b) operates in the territory of India.

(c) has not less than five lakh subscribers, or fifty lakh followers on the services of any significant social media intermediary, as the case may be.

"Publisher/entities shall take into consideration India’s multi-racial and multi-religious context and exercise due caution and discretion when featuring the activities, beliefs, practices, or views of any racial or religious group," read the general principles of the code of conduct.

Self-Classification of Content

The rules state that the OTT platforms, which have been regulating their content through various, would be self-classifying the content into five age-based categories: U (Universal), U/A 7+, U/A 13+, U/A 16+, and A (Adult). The concerned online platforms would be required to implement parental locks for content classified as U/A 13+ or higher, and reliable age verification mechanisms for content classified as “A”.

My Views:

Government has played carrot and stick: while adamant social media gets the stick, as it does in other countries too, OTT platforms and online news get the carrot of self-regulation. Now, within 3 months, WhatsApp has to ready its software to pinpoint the originator of a message so fake news peddlers will be behind bars quickly. Now US IT behemoths like Google and Facebook need to appoint compliance officers responsible towards Indian law and enforcement, and these officers can face jail like the impending Amazon Prime lady with any anticipatory bail for the Tandav web series. I think next we can wait for a media bargaining code like the one in EU, UK and Australia. Indian cyberspace is now governed cyberspace, moving an inch towards Internet Balkanisation, which remains inevitable.

Monday, February 8, 2021

Admission & Confession in Cyber Crime Cases



Admission & Confession in Cyber Crime (IT Act, 2000) Cases

Digital evidence: reliability
When one examines the issue of reliability of digital evidence, a number of questions arise. Should forensic software (digital evidence) be entitled to a judicial presumption of reliability? When, if ever, should courts compel non-party forensic software vendors to reveal proprietary source code to party experts in order to assure a fairer trial? And what does reliability mean in the context of digital evidence anyway?
The term ‘Admission’ means stating something or admitting something other than guilt. So now the question is: does confession also mean the same? The answer is no, as there is a very thin line of difference between confession and admission. The word ‘confession’ means acknowledgement of guilt made by a person after an offence has been committed.

ADMISSION (Sec. 17-23, 31)
According to sec. 17 of the Indian Evidence Act,
“An admission is a statement, oral or documentary or contained in electronic form, which suggests any inference as to any fact in issue or relevant fact, and which is made by any of the persons, and under the circumstances, as described under Indian Evidence Act.”

Admission is a substantive piece of evidence but not conclusive proof. It also waives or dispenses with the production of evidence by conceding that the fact asserted by the opponent is true.
In the case, Raja Pratap Bahadur Singh v. Raja Rajgan Maharaj Jagatjit Singh [1936 Lucknow] it was held that admissions are a very weak kind of evidence and the court may reject the same if it is satisfied from other circumstances that they are untrue. Hence it shifts the onus to the maker on the principle that what a party himself admits to being true may be reasonably presumed to be true so that until the presumption is rebutted the fact admitted must be taken to be true.

In English Law, the term ‘admission’ is used only in civil cases but in Indian laws, it is used in both civil as well as criminal cases. The statement is a genus; admission is the species and confession is the sub-species. Admission will lose its effect if not made voluntarily.

WHO CAN MAKE ADMISSION
Sec. 18 of the Indian Evidence Act sets out the classes of persons who can make an admission:
• Party to the proceeding
• Agent authorized by such party [but the statement of the agent will be binding only during the term of agency, and before proving an admission by the agent, the agency has to be proved]
• Party suing or sued in a representative character making admission while holding such character [it will include trustees, executors, administrators, managers, etc.]
• Persons who have a proprietary or pecuniary interest in the subject matter of the proceeding
• Persons from whom parties have derived the interests in the subject matter of the suit
Admission of a fact made by a pleader in the conduct of the suit on his client’s behalf is binding on the client. But a party is not bound by a pleader’s admission in an argument on what is a pure question of law.

An exception to Sec. 18 of IEA
Sec. 19 – Admissions by persons whose position must be proved as against party to suit
Sec. 19 states that where any third party gives a statement that proves the liability and right against any party to the suit, it will be admissible. The object of this section is not to lay down that certain statements are relevant or admissible but merely to add to the category of persons by whom a statement may be made before it is considered to be an admission within the terms of the Act.
Sec. 20 – Admissions by persons expressly referred to by party to suit
When the party expressly refers to a third person for some information in reference to the subject matter which is in dispute, then the statement made by the third person will be admissible.
Sec. 19 and Sec. 20 are exceptions to the rule that statements made by strangers to a proceeding are not admissible within the terms of the Act.
It is a general rule that an admission cannot be proved by or on behalf of the person who makes it, but Sec. 21 is an exception to this general rule. Sec. 21 has three clauses which state that:
• Person making the admission was dead and hence his admission made earlier during his lifetime will be admissible (Sec. 32)
• When the statement is about the existence of any state of mind, body, or about the time when such state of mind or body existed and accompanied by the conduct then that statement will be held admissible (Sec. 14)
• When the fact is not otherwise relevant to become relevant (Sec. 11)

ORAL ADMISSION
An admission can be made orally, in documentary form or in electronic form, as mentioned in Sec. 17. But Sec. 22 and Sec. 22A deal with when an oral admission as to the contents of a document or electronic record will become relevant.
Oral admissions as to the contents of a document are not relevant, unless and until the party proposing to prove them shows that he is entitled to give secondary evidence of the contents of such document under the rules hereinafter contained, or unless the genuineness of a document produced is in question.
For example: Sunil executed a deed of mortgage against Sheela. Later Sheela files a suit for possession of the property, but during the trial Sunil denies the existence of any such deed. So, in this case, Sheela can’t prove by oral evidence that Sunil had admitted before some men that he executed the deed. She has to produce the original deed in a court of law.

ADMISSION IN CIVIL CASES- Sec. 23
In civil cases, if it appears to the court that the parties to the suit have mutually agreed that evidence should not be given, or an admission is made upon an express condition that evidence of it is not to be given, then any such admission will be irrelevant. But this section will not discharge any barrister, advocate, attorney or pleader from giving evidence which he is compelled to give u/s 126 of the Evidence Act.
This section gives effect to the maxim ‘interest reipublicae ut sit finis litium’ which means it is for the interest of the state that there should be an end to litigation.

ADMISSION ACTS AS AN ESTOPPEL
Sec. 31 of the Indian Evidence Act states that admissions are not conclusive proof but they act as estoppel.
Estoppel has been defined in Sec. 115 of the Evidence Act. The bare reading of section 115 of the said Act is:
“When one person has, by his declaration, act or omission, intentionally caused or permitted another person to believe a thing to be true and to act upon such belief, neither he nor his representative shall be allowed, in any suit or proceeding between himself and such person or his representative, to deny the truth of that thing.”

CONFESSION
Confession has not been defined anywhere in the Act. A ‘confession’ is an admission made at any time by a person charged with a crime, stating or suggesting the inference that he committed the crime. It is also said that every confession is an admission but every admission is not a confession. 
The substantive law of confession is contained in Sec. 24 to 30 of the Evidence Act and the procedural laws in Sec. 164, 281, 463 of the Criminal Procedure Code. It is presumed that a person will not make an untrue statement against his own interest.
It has been held in Palvinder Kaur v. State of Punjab [AIR 1952] that confession must either be accepted or rejected as a whole and the court is not competent to accept only the inculpatory part while rejecting the exculpatory part as incredible. Moving towards the further procedures of confession, let’s see what are the laws related to it.

WHEN CONFESSION WILL BECOME IRRELEVANT (Sec. 24-26)
Sec. 24- Confession caused by inducement, threat or promise, when irrelevant in a criminal proceeding.
Sec. 24 of the Indian Evidence Act states that—A confession made by an accused person will become irrelevant in a criminal proceeding, if it appears to the Court that the confession has been caused by any inducement, threat or promise, having reference to the charge against the accused person and such inducement, threat, promise has proceeded from a person who is in authority and is sufficient, in the opinion of the Court, to give the accused person grounds, which would appear to him reasonable, for supposing that by making it he would gain any advantage or avoid any evil of a temporal nature in reference to the proceedings against him.
Here authority is not merely a police officer or a judicial magistrate but every such person who reasonably holds sway over investigation or trial.
Sec. 28 makes this section relevant only if the threat, promise, or inducement is fully removed before recording the confession.

Sec. 25 – Confession to a police officer
A confession made to a police officer shall not be proved against an accused who made it and this confession will be held as inadmissible. The reason behind this is police officers are often regarded as untrustworthy.
But in the case Sita Ram v. State of UP [AIR 1966 SC], a confession written in a letter, signed by the accused and addressed to a police officer, was held to be admissible as the letter was not written in the presence of a police officer.
Sec. 162 of CrPC also enacts that no statement made by any person to a police officer in the course of an investigation shall, if taken down in writing, be signed by the person making it, and that such writing will not be used as evidence.

Sec. 26 – Confession in police custody
A confession made by any person in the custody of police will be held inadmissible unless it shall be recorded in the immediate presence of the Magistrate.
The object of Sec. 25 and 26 is to prevent the practice of torture by the police for the purpose of extracting a confession from the accused person. A confession made by any person in the custody of police is held inadmissible in law because it is against the rule of natural law. The presence of the Magistrate secures the free and voluntary nature of confession.

HOW MUCH OF INFORMATION RECEIVED AGAINST ACCUSED MAY BE PROVED
Sec. 27 of the Act states that if the confession of the accused is supported by the discovery of a fact, then it may be presumed to be true and not to have been extracted. It comes into operation only:
• when certain facts are deposed to as discovered in consequence of information received from an accused person in police custody, and
• if the information relates distinctly to the fact discovered.
This section is an exception to Sec. 25 and 26. The object of this section is to admit the evidence which is relevant to the matter under inquiry, namely the guilt of the accused, and not to admit the evidence which is not relevant to that matter. The very first condition to bring Sec. 27 into operation is the discovery of a fact in pursuance of information received from the accused. Where the accused made the disclosure statement leading to the discovery of the offence, the statement of the accused will be admissible.

CONFESSION OTHERWISE RELEVANT NOT TO BECOME IRRELEVANT
Sec. 29 of the Indian Evidence Act states that if the confession is made under a promise of secrecy, or in consequence of a deception practised on the accused for the purpose of obtaining it, or when he was drunk, or as an answer to a question which the person making it is not supposed to answer, or if he was not warned that he was not bound to make the confession, then such confession will not become irrelevant.
Sec. 164 of CrPC provides the formalities to be undergone by a Magistrate in recording a confession. The Magistrate has a duty to explain the pros and cons of confession to the person making it. But the abovementioned section does not make a confession irrelevant because the accused was not warned that he was not bound to make it.
Sec. 30 of the Act states that when more than one person is jointly accused of the same offence and one of the co-accused makes a confession regarding himself and some other such persons, the court will take that confession into account against the accused and his co-accused. In Kashmira Singh v State of MP (AIR 1952 SC 159), the court held that the confession of an accused person against a co-accused is not evidence, as it does not come within the meaning of evidence contained in Sec. 3 of the Evidence Act.

CONCLUSION
Ever since the terms “confession” and “admission” were coined for evidentiary use, courts have endeavored to draw clear distinctions between them. Conclusively, it can be said that admission has a wider scope than confession, as the latter comes under the ambit of the former. Hence, every confession is an admission, but the reverse is not true.
The major difference between the two is that in the case of a confession, the conviction is based on the statement itself; in the case of an admission, however, additional evidence is required to support the conviction.
The distinction between a confession and an admission is not based upon a practical clarification but upon the substantive differences in the character of the evidence extrapolated from each. That is to say, a confession is a direct acknowledgment of guilt on the part of the accused and, by its very definition, is set apart from an admission, which is itself a statement, oral or documentary, that enables the court to draw a conclusion as to any relevant fact or fact in issue. It would be accurate to say that every confession is an admission, but not every admission necessarily amounts to a confession. In other words, a confession is an admission made at any time by a person charged with a crime, stating or suggesting the inference that he committed the crime.


Friday, January 15, 2021

WhatsApp Chats as evidence in courts: Case Laws in India

WhatsApp is an instant text messaging application; as of October 2020 it is used by more than 2 billion users in more than 180 countries. Its use has become so prevalent that it has become a primary mode of communication for many individuals. Many parties now use WhatsApp even for business purposes, such as communicating with clients, sending documents or even negotiating contracts.

As a cyber lawyer, one of the questions I get asked frequently is whether WhatsApp messages can be adduced as evidence in court. Some clients think that because of its “informal” nature, WhatsApp messages would not be admissible as evidence. However, this assumption is inaccurate since there have been many instances where the Indian Courts have allowed WhatsApp messages to be adduced as evidence.

In January 2021, the Punjab and Haryana High Court observed that WhatsApp messages will have no evidentiary value unless they are certified as per Section 65B of the Indian Evidence Act (Rakesh Kumar Singla vs Union Of India).

In State of Haryana Versus Hardik Sikri & Ors, on May 24, 2017, the Haryana state trial court recognized WhatsApp chat as evidence and sentenced three former law students of OP Jindal Global University in Sonepat: 20 years' imprisonment to the main accused, Hardik Sikri, and his friend Karan Chhabra for gangraping and blackmailing a junior management student for two years, and a seven-year jail term to the third accused, Vikas Garg.

“The WhatsApp chats running into pages is so abusive and vulgar that the extracts of the same cannot be explained and put into the judgment and what only can be concluded through the WhatsApp chat is that the prosecutrix (victim) was totally under control and dominance of the accused, Hardik,” said additional sessions judge (ASJ) Sunita Grover.

In Ambalal Sarabhai Enterprise Ltd v KS Infraspace LLP Limited and Another, the Supreme Court, while hearing a petition challenging an injunction order, made a reference to the WhatsApp chats produced as evidence in the case: "The WhatsApp messages which are virtual verbal communications are matters of evidence with regard to their meaning and its contents to be proved during the trial by evidence-in-chief and cross-examination. The emails and WhatsApp messages will have to be read and understood cumulatively to decipher whether there was a concluded contract or not".

There is a recent order of the Gujarat High Court as well, which referred to WhatsApp conversations to form a prima facie opinion regarding grant of bail (Chirag Dipakbhai Sulekha vs State Of Gujarat).

The Delhi High Court has held in one case that a forwarded WhatsApp message whose source is unknown cannot be treated as evidence (National Lawyers Campaign for Judicial Transparency and Reforms v Union of India). The Court held that such a forwarded message, without its original, cannot be regarded as a 'document' under the Evidence Act.

In Nivrutti Gaikwad Versus State of Mah. & Pooja Gaikwad (2020(2) Criminal Court Cases 735 (Bombay)), it was held that an exchange of messages on the personal accounts of two persons is not a public place. However, if messages are posted in a WhatsApp group, then it is a public place, as all members of the group have access to those messages.

In SBI Cards & Payments Services Pvt Ltd. Versus Rohidas Jadhav, Hon. Justice Patel of the Bombay High Court was of the opinion that "The Respondent to the Execution Application has been evading service of this Notice under Order XXI Rule 22 of the Code of Civil Procedure 1908. He was served by an authorized officer of the Claimant, Ms Fatema Kalyanwala by sending a PDF and message to his mobile number as a WhatsApp message. For the purposes of service of Notice under Order XXI Rule 22, I will accept this. I do so because the icon indicators clearly show that not only was the message and its attachment delivered to the Respondent’s number but that both were opened." A blue tick was considered an acknowledgment.

The NCLAT, in the matter of Bhandari Hosiery Exports Ltd. & Ors vs. In-Time Garments Pvt. Ltd., Company Appeal (AT) (Insolvency) No. 143 of 2019, decided on 1 March 2019, took on record a text message sent over WhatsApp messenger by a corporate debtor to an operational creditor complaining about the quality of goods supplied. On the basis of this WhatsApp message, the Court held that there was a ‘pre-existing dispute’ under Section 9 of the Code and accordingly the Insolvency Application could not be admitted on account of a pre-existing dispute.

Moreover, the Hon. Supreme Court of India, vide Order dated 10.07.2020 in Suo Moto Writ Petition (C) No. 3/2020 in 'Re: Cognizance For Extension of Limitation', allowed the service of summons via electronic mode, including WhatsApp.

Liability of Group Admin

A WhatsApp group admin can’t be held liable for a member’s post unless common intention is shown, held the Bombay High Court. The alleged crime was under Section 67 of the IT Act, 2000 (related to obscenity).

Kishor v State of Maharashtra [2021] GCtR 787 (Nagpur, Bombay HC) 01/03/2021 in Criminal Application (APL) 573/2016.


Another Judgement: Madras High Court

"If the petitioner had played the role of a group administrator alone and nothing else, then while filing final report, the petitioner's name shall be deleted. If some other material is also gathered by the first respondent so as to implicate the petitioner, then of course the petitioner will have to challenge the case only on merits."

R. Rajendran v. The Inspector of Police & Kathirvel

Case No: Crl.O.P.(MD)No.8010 of 2021 & CRL.M.P.(MD)No.4123 of 2021

Forse v Secarma Ltd, Wells and Solari v PNC Global Logistics, and Darren Case v Tai Tarian are some of the foreign case laws.

Conclusion:

The general principle is that WhatsApp messages in the form of printouts or the mobile device showing chats can be admissible as evidence. This is especially so where there is no dispute as to the authenticity of the WhatsApp message, and no dispute as to the identity of the parties to the WhatsApp conversation. Bearing in mind the findings of the cases above, parties who intend to adduce WhatsApp messages as evidence in their court cases should still ensure that:

  • the snapshots of their discussions contain the necessary information to identify the sender/recipient of the messages.
  • the owner of the phone, laptop or computer from which the WhatsApp chats are extracted/printed produces a signed IEA Section 65B certificate.
  • they don’t wholly rely on WhatsApp messages to build their case, especially when there are other documents available that would be able to conclusively prove the facts in issue.
  • if the printout of a chat is produced with an IEA Section 65B certificate, it will be considered secondary evidence; if the phone, laptop or computer is produced, it will be considered primary evidence.
Advocate (Dr.) Prashant Mali is a practicing Cyber Lawyer and is considered an authority in Electronic Evidence matters.

Friday, January 8, 2021

Banks should compensate account holder if customer loses money due to online fraud: National Consumer Court




The National Consumer Disputes Redressal Commission (NCDRC) has passed an important ruling in which it states that if hackers fraudulently withdraw money from a person’s bank account, the bank would be responsible for the loss, not the customer.

The Commission blamed the bank for a mistake within its system while passing the judgment in a case in which the victim alleged that the money was withdrawn from her account by a hacker. The victim believed that the hacking was done due to a mistake in the bank’s electronic banking system.

The Commission observed that the bank could not present any evidence showing that the credit card of the victim was stolen, after which the Commission ordered the bank to compensate the victim.

In one of the other cases, Jesna Jose, the complainant who lives abroad, will also receive around Rs 80,000 in interest and compensation. Jose had submitted the complaint before the district consumer forum in 2009. She said she procured the card in 2007 and the fraud took place in 2008. The commission rejected the bank’s claim that the woman had not taken care of the card and hence was liable for the fraud.

According to the RBI advisory, who will bear the loss will be decided by whose fault it is. If there is negligence or mistake on the part of the bank, then the entire loss will be borne by the bank. On the other hand, if the fraud is due to the negligence of the customer, then the customer will have to suffer the loss. In a situation where it is neither the fault of the customer nor the fault of the bank, then if the customer lodges a complaint with the bank within 3 working days of the fraud, then the customer will not be responsible for the fraud.

Monday, December 28, 2020

Loan Apps: How they loot the customers?



Insta Loan fraud & mobile apps

These Insta Loan applications are developed in such a way that, on installation, they get access to the contacts, mobile information and other data on the device. These applications collect the ID proofs, PAN card, KYC documents, and bank account details of the customers.

They check the genuineness of the documents and disburse small amounts in the form of a loan to the customers' bank accounts after deducting the processing charges and GST, i.e., 25-30 per cent, in advance. Loans are given for either seven days or 15 days.

After the due date, the company categorises the customers into various buckets - S-0, S-1, S-2, S-3, M2, M3, X etc. The customers in a lower bucket get a decent treatment but as the bucket category goes up the treatment gets harsher. The call centres of the company abuse the customers in filthy language and threaten them with dire consequences. They even go to the extent of accessing the contacts of the customers from their phone and start abusing and threatening the family members, relatives and friends with calls and messages. Using the stolen data, they threaten the customers with dire consequences like rape. In many cases, they created new WhatsApp groups using the victim’s phone book and sent lewd messages to the members.

They also blackmail innocent people by sending fake legal notices. Telecallers also suggest that victims make the repayments by taking loans from their other loan applications. The customer falls into their trap by taking loans from the other loan applications as suggested by the telecallers, ends up paying huge amounts and gets stuck in a never-ending cycle.

There are around 500 such Chinese apps; it’s time that India brings in a regulator for such apps.

To protect yourself from such loan Apps fraud you must:

- Use a different, secondary mobile phone and instrument if you require an Insta loan.

- Never download any insta loan apps without verifying their licenses issued by government authorities.

- Go through the terms and conditions and verify the licenses of the companies that are offering loan and whether the licenses have been obtained from the concerned authorities like RBI, District Collector.

- Never download any app that asks to give access to the contacts, files, photo gallery, etc.




Tuesday, December 15, 2020

Criminal Investigation Robotics and Artificial Intelligence

Artificial Intelligence (AI) is the combination of algorithms designed with the purpose of creating devices that present capabilities similar to those of the human being. A type of technology that is beginning to be present in everyday life in the most common applications, even for home use such as Siri and Alexa cell phone assistants, or facial recognition applications such as those used by the Argentine government in systems such as ANSES (National Administration of Social Security “Administración Nacional de la Seguridad Social”) and the AFIP (Federal Administration of Public Revenue “Administración Federal de Ingresos Públicos”).

Authors Stuart Russell and Peter Norvig, two academic classics of Computer Science, defined the “types” of artificial intelligence according to their application in the following categories:

– Systems that “think” like humans (e.g., artificial neural networks).

– Systems that act like humans (e.g., robots).

– Systems that learn and generate new knowledge (e.g., expert systems).

Within the branch of systems that emulate the human way of thinking in the aforementioned categories, we find ourselves with two techniques that are increasingly used: Deep Learning and Machine Learning algorithms.

It can be said that Machine Learning has a side called Deep Learning. While both technologies refer to systems capable of learning on their own, Deep Learning is more complex and sophisticated, and it is also more autonomous, which means that once the system has been programmed, human intervention is minimal.

More dangerous than the famous ‘fake news’, ‘deepfakes’ are videos manipulated using artificial intelligence techniques such as those cited. The result is extremely realistic.

Another example is Deepfakeapp, published as an application that allowed any computer novice to manipulate videos, a tool specially designed for what is popularly known as ‘revenge porn’, that is, the unauthorized and malicious publication of intimate images.

In 2018, a video in which an alleged Barack Obama called Donald Trump an imbecile circled the world. It was a fake recording in which actor Jordan Peele and Buzzfeed CEO Jonah Peretti were trying to raise awareness of the danger of unverified information and of deepfakes. In any case, one of the first steps when investigating the origin of a video or image is to verify the source: Who sent this? Who signs it? Is it reliable? Tracing the path of the so-called deepfake, seeing where it was first shared and who published it, are basic steps that don’t require advanced knowledge, just common sense.

In 2019, what was classified as the “first crime committed with artificial intelligence” was discovered in the United Kingdom and brought to justice in that country. A short article published by The Wall Street Journal tells the story of a group of cybercriminals who managed to impersonate the voice of the executive director of an energy company and demanded an urgent transfer of 243,000 euros, and that worked for them as a deception method. The CEO of the company reportedly thought he was on the phone with the CEO of the parent company, who asked him for the money for a suspected supplier in Hungary. The cybercriminal made the request seem extremely urgent, saying the money needed to be transferred within an hour. The victim, in subsequent statements, said that he even heard his boss’s slight German accent, as well as his boss’s tone of voice.

The predictions about this type of attack are not very encouraging. The voice recordings necessary to train the algorithm on high-profile people are very easy to obtain: television interviews, radio, social networks, and WhatsApp audios contain enough minutes of recording for the algorithm to be in a position to replace any voice tone with that of the person to be impersonated.
How will we validate false “confessions” made with these techniques? How will we argue that someone did not say what we are hearing? Will videos offered to prove the alleged presence of a person in a place, in order to exonerate them, still be valid in light of these techniques?

In the framework of a criminal investigation, we must begin to request the technical opinion of experts from the Scientific Police. We can no longer rely solely on the image and the video to consider them, alone, proof. In our prospective analysis, we must include the acquisition of forensic imaging and video tools, in the same way that today practically all investigative agencies are clear that it is necessary to have tools for the analysis of mobile devices.

And what happens when we apply these techniques to Robotics?

How do we deal with the “responsibility” or “attribution” of a crime when the one who commits it is a Robot? A robot is neither more nor less than a machine (hardware) that contains an operating system (software) and that performs operations through different algorithms. Since the first robotic arms used to handle materials, much progress has been made.

One aspect of this area that worries the field of law most is civil liability. That is, the obligation to indemnify a third party that arises from damage caused involuntarily. The problem that arises is that, under current legislation, a robot cannot be responsible for acts or omissions that may cause harm to third parties. Judges judge people, not robots, let alone algorithms.

It seems reasonable that the responsible party is “the manufacturer”, but as observed in different legal discussions on this topic in international settings, producers will be responsible for the damages caused by their products only in the case where they are defective.

Therefore, what happens if the damage caused is not a consequence of a manufacturing defect? What happens if it is damage caused by a rule that the robot learned with Deep Learning and Machine Learning techniques? What happens if someone “teaches” or, as we said above, “trains” the algorithm for unwanted behavior by the manufacturer and causes damage? What if the robot suffers a cyber attack and its learning and inference rules change?

Different options are being evaluated around the world for determining what type of “legal status” should be applied to a robot and an algorithm. As an example of these proposals regarding possible “legal natures”, we can cite the opinion of María José Santos González, coordinator of the Legal Department of the National Institute of Cybersecurity in Spain, who, based on existing legislation in Europe, makes a very interesting rundown and analysis of the well-known figures, summarized for the Ibero-American Legal News Review:

a) “(…) Robot as a natural person. This possibility does not seem adequate given that article 30 of the Civil Code determines that live birth is necessary to acquire personality. Therefore, this cannot happen in a robot.”
b) “Robot as a legal person. Nor does it seem appropriate to endow robots with this type of personality because robots can interact directly with the environment and even cause damage, while, in the case of a legal person, it will always be the company’s representatives who make the decisions in the last resort and will therefore be responsible.”
c) “Robot as an animal. The fact that a robot has no biological or genetic basis or the fact that a robot today cannot have feelings makes it impossible to equate a robot to an animal.”
d) “Robot as a thing. For the Civil Code, concretely in article 333, a thing is an inanimate being, devoid of life, characteristics that a robot does not have, given that it can move and interact with the environment (…)”

Given that both a robot and an algorithm do not fit into any of these categories, will a new legal framework be necessary for these issues? Should we rethink the concept of life as some propose?
Let’s imagine for a moment a Robot or an algorithm as a subject of law. What would be the penalty? Who applies it? Where is the data stored to “turn it off”?

The liability problem could supposedly be solved partially, either by introducing a civil law supervisory duty for the owner of the AI or by granting legal personhood to AIs and thus creating AI criminal liability. Neither of these solutions sufficiently corrects the liability problem, though. However, a supervisory duty for the owner would be the more suitable of the two. It makes it possible to qualify the defendant’s behaviour as wrong when he or she breaches the civil law duty and the AI as a consequence causes (foreseeable) harm. The conclusion could be that criminal law may not be the best branch of law to solve these problems, and the liability problem with AI in criminal law remains yet to be discovered.
