DECEMBER 21, 2020

By M G Kodandaram, IRS, Assistant Director (Retd), Advocate and Consultant

Data explosion

INDIA has been a major outsourcing destination for digital data processing for various entities of the developed nations like United States and Europe. India's popularity has increased day by day as it is one of the largest markets in the world. A varied number of business houses and organizations evince keen interest to do trade with India. In tune with the development in trade and commerce, the activities relating to collection, exchange, processing and analysis of data, including personal data, are taking place at a rapid pace across many entities situated in different countries of the world. The data related activities are carried out in virtual mode by employing various Information Communication Technology (ICT) tools and gadgets. The use of mobile technology as well as increase in density of smart phone users in India and around the world has further intensified the digital based activities in the cyber world. The quantum leap in use of social media applications, real time online deliberations etc., have added more volume to the generation of digital data. The adoption of work from home culture so as to safeguard against the pandemic has intensified the activities in the virtual regime by leaps and bounds.

The dangerous part of the digital technology is that it has no respect for geographical or political barriers. It is one of the 'global commons' accessible to the entire population, with little restrictions in place. The citizens, one may call them as netizens, communicate each other or amongst groups through high speed networks in real time. Huge volumes of data of all sorts and varieties are produced in inestimable measure every second. The data storage, due to availability of option in the form of cloud technology, does not indicate the location of such storage and this has turned out to be one of the potential threats to the security and sovereignty of the states with regards to governance, protection of citizens and crime combating. The popular statement that 'the Data is the new oil, attempt to create economic colonies using data mining is a reality' has become truer earlier than expected. It is turning out to be more valuable than oil, and one can certainly conclude that it is 'the new gold or platinum' in the market place.

This sort of technological explosion has given way for data related activities between netizens of different global locations and Nations with little barriers and control. These activities have resulted in a situation where the personal data of an individual could be gathered remotely and exploited for meeting the ulterior motives by the cyber criminals or by the enemy Nation. By virtue of dynamic development of computer technology and internet over the years, the problems of cyber crimes have assumed gigantic proportions. It has created an entirely new set of challenges to law enforcement agencies all over the world. It has equally become a cause of serious concern to every user, to find effective ways and means to prevent and combat the unregulated illegal flow of data worldwide. Therefore, there is need of suitable privacy protection laws on priority to enforce discipline and accountability much essential in respect of generation and exploiting of personal digital data in India as well as in other countries, so that such cyber crimes could be identified and contained.

Privacy concerns of an individual and society

The privacy of an individual as a right has become a matter of concern as more and more entities are using data pertaining to individual's life and activities, for illegitimate purposes and for money-looting missions. The rampant deployment of digital technology tools to collect such data belonging to a person on some pretext and commercially exploit the same for profit, without the consent or knowledge of the subject has lead to a frightening living to the individual and to the society at large. When such personal data through dark nets reaches the wider net work of criminals, the damage it can cause to one's personal life cannot be gauged. These breached personal data could be used by the criminals for committing various offences against the individual and organizations in the society.

As on date there are no specific laws for the protection of personal data of an individual. The need for such a law attained a larger proportion and significance, when the government started the 'Aadhaar project' that aimed at building a database of personal identity and biometric information covering every Indian. As on date the registration of a person under Aadhaar has become inevitable as this information is mandatory for filing tax returns, for opening bank accounts, for securing loans, for buying and selling of property and many more similar transactions. The concern in respect of non-government agencies engaged in gathering personal data is much more acute, as such collected data / information are being used for profiling an individual. Such data are also presented for sale by such agencies. These illegal activities are moving on top gear unabated and unregulated, heaving fears in the private life of a citizen.

Many countries around the globe including India have enacted their own criminal laws and computer laws, information technology laws, privacy laws (among other laws) to respond to the problem of cyber criminality. But considering the sheer international dimension of these crimes and concerns of evil designs, particularly where the crime relates to individual citizens of foreign countries, the laws in place in India are found to be inadequate. The internet as a global media may be accessed throughout the world and can be viewed in any part of the globe and therefore the applicability of particular country's law for the disputed transaction remain unresolved, as its reach marches ahead to a different sovereignty and differences in cyber legislations. In certain instances, it is reported that some States actively encourage and engage remotely in criminal activities and cyber-espionage, which further aggravates the problems. Such lapses provide the criminal undesirable advantage to cover-up the crime, directly at odds with interests of any civilized Nation.

The legal frame work under IT act 2000

In India t he Information Technology Act, 2000 (hereinafter referred to as IT Act) is the primary legislation that regulates the use of computers, computer systems and computer networks as also the data and information in electronic format. This statute provides the necessary legal framework in regulation of the electronic applications, storage, processing, authentication as well as electronic contracts, e- commerce , cyber offences and liability of network service providers. This legislation also provides protection in respect of digital data or information concerning the privacy of an individual. The Sections 43, 43A, 72 and 72A of the IT Act provide the required legal framework for protection of all data in digital form, which includes the privacy and security breaches. The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) (SPDI) Rules, 2011 is the specific provision as on date that covers the matters relating to sensitive personal data and its protection. Therefore, one can conclude that the IT Act does not exclusively deal with the right to privacy, but the SPDI Rules lay out a framework to govern the collection, management, use, and sharing of personal data or sensitive personal data or information. The said Rules do not recognise that a right to privacy applies to every individual. In other words, the subject provisions do not treat the personal and sensitive data as a separate set entitled for privacy as a fundamental right.

The IT Act provides civil remedies ¹ in case of unauthorised access, theft of passwords, login credentials, trespass, unauthorised copying, downloading and extraction of data, introduction of any contaminant or virus, unauthorised transmission, deletions or alterations of any information residing in a computer resource, resulting in violation. The Section 43A and the SPDI Rules apply to 'body corporate', requiring them to maintain reasonable security practices and procedures while possessing, dealing or handling data in a computer resource. The common yard stick of measure in respect of intermediaries engaged in such data related activity is limited to following due diligence principles. Further the 'body corporate' as defined under IT Act excludes any government agencies or non-profits entities. The Breach of confidentiality and privacy, and disclosure of information in a lawful contract are liable for criminal action under IT act ². The above findings categorically indicate that in the ever-growing digital society, there is no specific law that protects the privacy of an individual from the business entities who are involved either as perpetrators of crime or abettors of crimes, by way of unauthorised collection and processing of personal data and selling them like a commodity.

Privacy as a fundamental right

The extensive use of digital technology tools to collect privacy data of a person on some pretext or other, for commercial exploitation, without the knowledge of the subject, has created an environment of fear for the individual. In the year 2012, Justice K.S. Puttaswamy (Retd.) filed a  petition  in the Supreme Court of India challenging the constitutionality of 'Aadhaar Project' on the ground that it violates the right to privacy of an individual. The Supreme Court in the said case viz., Justice K.S. Puttaswamy v/s Union of India, passed the historic judgment on 24th August 2017 - 2017-TIOL-311-SC-MISC-CB wherein it affirmed the constitutional right of a citizen to protect her/his privacy. "The Right to Privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution", the Apex court held. Treating the privacy rights as fundamental right, the Apex court protected the citizen from the clutches of an entity engaged in the business of data collection and process, without a valid consent of such person. Further, the Supreme Court clarified that the right to privacy is not an "absolute right", but may be subjected to reasonable restrictions in certain situations. For using such restrictions that (i) there must be existence of a genuine state interest; (ii) such restriction should be proportionate to the interest; (iii) and it shall be through valid legislations.

During the proceedings of the said case, the Indian government set up an expert committee, headed by Justice (Retd) B N Srikrishna, to devise a data protection legal framework. Based on the committee's report, the Union Government introduced the 'Personal Data Protection (PDP) Bill, 2019' in the Lok Sabha on December 11, 2019. This Bill proposes to provide a legitimate structure for protection of personal data of individuals and regulatory framework for collection and processing of such data by various agencies through establishment of a Data Protection Authority.  The said bill is under scrutiny by the JPC which is in its final stages of discussions with stake holders.

Personal Data Protection Bill

In the Preamble, the stated objectives of the Bill are: "… to provide for protection of the privacy of individuals relating to their personal data, specify the flow and usage of personal data, create a relationship of trust between persons and entities processing the personal data, protect the rights of individuals whose personal data are processed, to create a framework for organisational and technical measures in processing of data, laying down norms for social media intermediary, cross-border transfer, accountability of entities processing personal data, remedies for unauthorised and harmful processing, and to establish a Data Protection Authority of India for the said purposes..." It further asserts that, "the right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy. The growth of the digital economy has expanded the use of data as a critical means of communication between persons and therefore it is necessary to create a collective culture that fosters a free and fair digital economy, respecting the informational privacy of individuals …." At present, the Bill is referred to a joint parliamentary select committee for scrutiny and report, after suitable consultation with all stake holders. It is pertinent mention here that the flow and usage of personal data create a relationship of trust between persons and entities processing, which shall be protected by such entities, in a unique trustee relationship, which is different than the one advocated in IT act.

Data and personal data under PDPB

In the PDP Bill, data ³ has been defined to include representation of information, facts, concepts, opinions or instructions suitable for communication, interpretation or processing by digital (automated) or non-digital (paper-pen) ways. Even the information, facts, concepts etc., capable of being communicated in traditional form, by way of writing on paper or in any similar manner are treated as 'data'. The IT act defined the data ⁴ to consist of information, facts etc., that are stored or processed in digital way only which is much narrower as compared to data as per PDP Bill.

If such data is "personal data" ⁵ about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person are protected under PDP Bill. The natural person to whom the personal data relates is named as the Data Principal ⁶, treating each such person as the owner of her / his personal data. Under PDP provisions mere data itself will not create any right to the principal unless there is an element (unique to such a Data Principal) that connects such data to the principal. If such relationship is not forthcoming, then no breach ⁷ of personal data could be alleged to have taken place under PDP Bill. Further such personal data should be pertaining to the group of 'sensitive personal data' ⁸ viz., financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political belief or affiliation etc., of the principal, to seek protection under the proposed Act. For example, in a hypothetical situation, in places like a reception hall or office premises, certain personal data may be collected manually with identifiers like telephone number, mobile number, email address etc. of individual(s) through the use of visitors' books and such information of a natural person (principal) is said to be in a non-digital format. In such instances, caution must be exercised to guard such personal information, as breach of such information without the consent or knowledge of the Principal may result in violation of provisions under PDP Bill.

Any person ⁹, including the State, a company, any juristic entity, a firm, a HUF or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data are termed as the Data Fiduciary ¹⁰. Therefore, the Government, in the role of a fiduciary is also treated as a person who should adhere to the legal framework under PDP Bill. The fiduciary may permit the processing of such personal data on his behalf by any person, including the State, a company, any juristic entity or any individual etc., who processes data on behalf of a fiduciary are called a Data Processors¹¹. Such activities will also be present in GST digital regime as all stake holders are involved in collection and process of the personal data and therefore all such entities should be mandated to follow the PDP norms as a fiduciary and / or a processor.

It is important to note that the provisions of PDP Bill will not be applicable to the data other than personal data of an individual. The data that have an identity of a Company or such entities or general business data, which does not include personal information with identity of such person, remain outside the purview of the PDP Bill. Further any personal data, when converted to form an Anonymized data, are not covered under the ambit of PDP Bill. Only the personal data with an element of identification of an individual are treated as Non- Anonymized Data and are covered under the ambit of PDP Bill.

The Anonymization ¹² in relation to personal data, means 'such irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified, which meets the standards of irreversibility specified by the Authority'. Hence the Data anonymisation refers to the removal of identifiers, either direct or indirect, by some form of an irreversible process, which must be a standardised process approved by the authorities. This means that the data still exists, but the link between the data and the data principal is converted or transformed in such a way that the data principal cannot be identified from such data and such anonymised data cannot be attributed back to the person by any means by any one. Such data which has undergone the process of anonymisation are called as "anonymised data ¹³".

Data Principal and personal data processing

The PDP Bill ¹⁴ states that, 'no personal data shall be processed by any person, except for any specific, clear and lawful purpose'. One more important factor to be noted is that the protection under this proposed legislation is limited to the personal data. The definition of personal data covers any inference drawn from personal data for the purpose of profiling since such inference typically leads to indirect identification of a natural person, called " Data Principal ¹⁵".

The entities that collect and / or process a data relating to a principal are called as "Data Fiduciary ¹⁶" and a ny person, including the State, a company, any juristic entity or any individual, who processes personal data on behalf of a data fiduciary called as data processor ¹⁷ are covered under the PDP Bill. The "Processing ¹⁸" in relation to personal data, means an operation or set of operations performed on personal data, and may include operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.

The "Data Principal and Data Fiduciary" relationship is a kind of a mixed and unique one, a blend of essentials features of a contract as well as of a Trust. The Data Fiduciary can be termed as a Special trustee as the relationship with Data Principal is not a simple "Principal and Agent" contract.

PDP Bill defines two kinds of Data Fiduciaries namely (i) the Significant Data Fiduciary, to be notified by Data Protection authority [DPA] based on the volume and sensitivity of data processed as well as the risk of harm; and (ii) the Guardian Data Fiduciary, who operates any commercial website or online services. The definition of "Data Processor" includes any person including a State which processes personal data on behalf of a data fiduciary and the definition of processing includes all operations including storage and retrieval of information.

Obligations of data fiduciary

The Bill allows the processing of data by Fiduciaries only after the due consent is obtained from  the individual / Principal. For obtaining the consent of a Principal for collection or processing of personal data there is need of issue of a notice by the fiduciary to such person, stating the reasons in clear, concise and easily comprehensible terms. The procedure for issue of notice to the principal, at the time of collection of data ¹⁹, for obtaining the consent is elaborate and due care to be taken to devise digital tools for meeting the requirements. In the notice the Principal should be informed about the purpose, nature and categories data being collected. The identity and contact details of the data Fiduciary and the contact details of the data protection officer are also to be informed to the Principal. Such Principal should be informed of the procedure to withdraw his consent in the mandated way. Therefore, the facilities in GST Digital Regime may have to gear up for implementing this provision for each of such individual with whom personal information are gathered. Such consent should be obtained in respect of existing personal data of the principal existing in the GST digital regime once the PDP law comes into effect.

A personal data can be processed only for specific, clear and lawful purposes. The Data Fiduciary shall not retain any personal data beyond the period necessary to satisfy the purpose for which it was processed and shall delete the personal data at the end of processing. The personal data may be retained for a longer period only after the data fiduciary gets necessary consent from the Data Principal.

In certain circumstances for performance of any function of the State as authorised by law the personal data may be processed without the consent ²⁰ of the Principal. Thus, explicit consent by data principal may not be taken in circumstances where data is processed (i) for providing any service or benefit to the Data Principal; (ii) for the issuance of any certification, licence or permit; (iii) for any action or activity, under any law for the time being in force made by the Parliament or any State Legislature; (iv) for compliance with any order or judgment of any Court or Tribunal. Some of the above reasons could be applied to the activities in GST digital regime, which needs to be further explored.

Under clause 14(1) of the PDP Bill, the personal data may be processed without obtaining the consent of the principal, like in public interest for reasonable purposes ²¹, which could be surveyed for applicability of certain activities of the GST digital regime.

The Bill mandates that a data fiduciary is required to formulate a 'privacy by design ²²' policy that ensures (a) Managerial, organizational, business practices and technical systems designed in a manner to anticipate, identify, and avoid harm to the data principal, (b) above listed obligations towards protection of personal data, (c) technology used is in accordance with commercially accepted or certified standards, (d) legitimate interests of businesses including any innovation is achieved without compromising privacy,(e) protection of privacy throughout the processing, from the point of collection to deletion of personal data, (f) processing of data in a transparent manner and (g) interest of the data principal at every stage of processing of personal data. The data fiduciary should submit its Privacy by Design Policy to the Authority for certification by DPA and display such certified document in their websites.

Each company classified as significant data fiduciaries will have appoint a  Data Protection Officer (DPO)   who will liaison with the DPA for auditing, grievance redressal, recording, maintenance and more. In addition to the above stipulations, all fiduciaries should periodically undertake certain transparency and accountability measures. Therefore, they are required to: (i) implement data security safeguards ²³, such as data encryption and preventing misuse of data; (ii) Set up grievance redressal mechanisms to address complaints of individuals. 

The primary objective of the Bill is to safeguard the right to privacy of the citizen /principal. The principal, in respect of the personal data pertaining to him/her, has rights namely, (i) right to confirmation and access to the personal data with the fiduciary;(ii) right to seek correction of inaccurate, incomplete, or out-of-date personal data;(iii) right to have personal data transferred to any other data fiduciary in certain circumstances [Data portability];(iv) right to restrict continuing disclosure of their personal data by a fiduciary, if it is no longer necessary or consent is withdrawn;(v) right to receive the data from the fiduciary in a machine-readable format. These rights of data principal need to be noted carefully by the fiduciary. Every data fiduciary shall by notice inform the Authority about the breach ²⁴ of any personal data processed by the data fiduciary where such breach is likely to cause harm to any Data Principal.

The data fiduciary shall not engage, appoint, use or involve a data processor ²⁵ to process personal data on its behalf without a contract entered into by the data fiduciary and such data processor. Further, such appointed data processor shall not engage, appoint, use, or involve another data processor in the processing on its behalf, except with the authorization of the data fiduciary and unless permitted. The data processor, and any employee of the data fiduciary or the data processor, shall only process personal data in accordance with the instructions of the data fiduciary and treat it confidential.

Other important contents of the Bill

The PDP Bill, 2019 consists of 98 clauses and one schedule, distributed among 14 chapters. Other important features of the bill are as follows:

Administrative mechanism by Government: The Bill proposes for setting up of a Data Protection Authority ²⁶ (DPA) who may, (a) take steps to protect interests of individuals; (b) prevent misuse of personal data; and (c) ensure compliance of concerned with the Bill. It will consist of a chairperson and six members, with at least 10 years' expertise in the field of data protection and information technology.  Orders of the Authority can be appealed to an Appellate Tribunal.  Appeals from the Tribunal will go to Supreme Court.

The central government may exempt any agency ²⁷ from the applications of the provisions of the Act for meeting certain specified needs that are (i) in the interest of security of state, public order, sovereignty and integrity of India and friendly relations with foreign states, and (ii) for preventing incitement to commission of any cognisable offence relating to the above matters. Processing of personal data ²⁸ is also exempted from provisions of the Bill for certain specific purposes such as: (i) prevention, investigation, or prosecution of any offence; (ii) personal, domestic; or (iii) journalistic purposes.  However, such processing must be for a specific, clear and lawful purpose, with proper safeguards. For use of personal data found necessary for activities like such as research, archiving, or statistical purposes, the DPA subject to certain conditions may notify ²⁹ such class of activities for a particular fiduciary as an exempted category.

It is important to note that any data principal who has suffered harm as a result of any violation of any provision by a data fiduciary or a data processor shall have the right to seek compensation ³⁰ from the data fiduciary or the data processor, as the case may be. The Data Principal may seek compensation under this section by making a complaint to the Adjudicating Officer in the prescribed manner to be notified.

Whenever there is personal data breach, it creates the scope for an offence under the proposed bill. The personal data breach ³¹ is defined as any unauthorised or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to, personal data that compromises the confidentiality, integrity or availability of personal data to a data principal. Stated offences under the Bill include, (i) processing or transferring personal data in violation of the stated law and (ii) failure to conduct a data audit. The processing or transferring personal data in violation of the Bill is punishable with a fine of Rs 15 crore or 4% of the annual turnover of the fiduciary, whichever is higher. The failure to conduct a data audit is punishable with a fine of five crore rupees or 2% of the annual turnover of the fiduciary, whichever is higher. The Officers in the DPA are vested with the power to call persons concerned for inquiry into fiduciaries, assess compliance, and determine penalties on the fiduciary or compensation to the principal. The Adjudication decisions, which are quasi judicial in nature, can be appealed in the appellate tribunal and appeals from the Tribunal will go to the Supreme Court.

The way forward

Data Protection refers to the set of privacy laws, policies and procedures that aim to minimize intrusion into one's privacy caused by the collection, storage and dissemination of personal data. Personal data generally refers to the information or data which relate to a person who can be identified from that information or data whether collected by any Government or any private organization or an agency. The provisions relating to obtaining consent of the principal to collect personal data may have to be followed in a scrupulous manner so that the stringent compliance of the stated law is adhered to. The entities classified as data fiduciaries should determine the purpose and means of processing personal data in a fair manner as stipulated in the law. Organisations will have to undertake a great deal of technical changes in engineering the existing architecture  to modify business processes to meet the requirement of the proposed law. They need to place limits on data collection, processing and storage and similar responsibility they owe to the principal. There is need of proper encryption of personal data along with technical security safeguards, including de-identification, preventing an individual's identity to be inadvertently revealed so as to prevent instances of data breach.

Under IT Act, a body corporate is considered to have complied with reasonable security practices and procedures, if they have implemented security practices and standards along with having a comprehensive documented information security program and information security policies such as ISO 27001:2013, duly approved by the central government. In view of the wider and distinctive scope of provisions of PDP Bill it is opined that global standards of data protection contained in stated standards are inadequate to meet the privacy requirements of the said Bill. Therefore, such standards are to be reviewed and revised by the concerned authorities to meet the requirements and endorsement under the PDP Bill. Though PDPA, 2019 has adopted several principles of Privacy Protection from global documents including the GDPR (General Data Protection Regulation of the European Union), the compliance requirements in India regarding Information Privacy Protection is distinct and therefore the revisions of the standards are essential.

It is important to mention here that while calling for quotations for outsourcing any activity involving sharing or exchanging of personal data for any purpose, there must be a condition inserted to the effect that such vendors should be compliant to provisions of PDP laws. Only then they should be considered for working with the GST Digital Regime. This action and care should be initiated in respect of existing stake holders also as soon as the PDP law comes into force.

As countries around the globe start to  enact and implement personal data governance regimes, this Bill will have an immensely vital role in shaping the regulation governing today's increasingly data-driven geopolitical landscape. It tries to address some of the major issues faced in privacy protection landscape by heralding fundamental changes in the way data is gathered, processed, stored and deleted by different parties with access to such invaluable data. The Bill contains some elements of the protectionist data policies that are similar to other statutes made or in pipe-line around the world, so as to curtail the global and open internet, which has become a cesspool of exploiters of such data waiting to prey on their next victim of cybercrime.

The Bill contains some elements of the protectionist data policies that are similar to other statutes made or coming up around the world, so as to curtail the global and open internet, which has become a centre of exploiters of such data for committing cyber crimes. Data localisation will help enforcement agencies to access data for investigations and enforcement. Also, the responsibilities mandated on the fiduciary to protect personal data will, in a way, pave way for regulating and ushering some order in the cyber society. In the interest of addressing the citizen's privacy concerns it is expected that JPC completes the assigned task in a faster mode.

[The views expressed are strictly personal.]

Abbreviations

ICT Information and Communication Technology

Cl clause

Sec section

PDPB Personal Data Protection Bill, 2019

PDP Bill Personal Data Protection Bill, 2019

IT Act (Indian) Information Technology Act, 2000/2008

¹ Sec.43,IT act

² Sec 72, 72A, IT act

³ Cl3(11),PDPB

⁴ Sec 2(o),IT Act

⁵ Cl3(28),PDPB

⁶ Cl3(14),PDPB

⁷ Cl3(29),PDPB

⁸ Cl3(36),PDPB

⁹ Cl3(27),PDPB

¹⁰ Cl3(13),PDPB

¹¹ Cl 3(14),PDPB

¹² Cl 3(2),PDPB

¹³ Cl 3(3),PDPB

¹⁴ Cl 4,PDPB

¹⁵ Cl 3(14), PDPB

¹⁶ Cl 3(13), PDPB

¹⁷ Cl 3(15), PDPB

¹⁸ Cl 3(31),PDPB

¹⁹ Cl 7, PDPB

²⁰ Cl 12,PDPB

²¹ Cl 14(2),PDPB

²² Cl 22,PDPB

²³ Cl 24, PDPB

²⁴Cl 25, PDPB

²⁵ Cl 31,PDPB

²⁶ Cl 41,PDPB

²⁷ cl 35,PDPB

²⁸ Cl 36,PDPB

²⁹ Cl38,PDPB

³⁰ Cl. 64 (1), PDPB

³¹ Cl 3(29),PDPB