Personal Data Monetization and Privacy…The challenge

It is a common perception that privacy and personal data monetization cannot co-exist. GDPR is normally considered the extreme left-of-centre approach to privacy and would take a strong view against personal data monetization. The US takes a slightly more liberal approach, more favourable to industry, with permitted data brokers and the selling of personal data.

India needs to find a middle way, and the solutions have to be found within the framework of DPDPA 2023 and the forthcoming rules.

While we are set to discuss this topic in today’s seminar in Bengaluru as part of the International Data Privacy Day celebration at Infosys, some brief thoughts on the topic are shared here.

Monetization as a Concept may be defined as “Conversion of Data into a monetary value in cash or kind and includes processes preparatory to conversion of data into a financial reward for an organization”.

In other words, the term “Monetization” is not limited to the “sale of a set of personal data” for cash. Even profiling of an individual which may later be used for advertising by the same organization should be considered “Monetization”. If the advertising is provided as a service to other organizations, it is obviously equivalent to “Monetization by Sale”.

In view of this, the use of Google Ads itself is to be termed “Monetization”.

However, most advertising is done on the basis of “de-identified” or “anonymised” data principals, in which case there may be a debate whether we need to be liberal and not consider “anonymised profiling” as monetization. This view will hold if we are prepared to agree that “meta data” without the associated identity of a data principal is not “personal data”. This too is a debatable view, particularly with the GDPR mindset.

We must understand that “Monetization” has to be viewed as part of a legitimate business as long as there is no infringement of privacy. However, for targeted advertising the identity of the data principal is required, and hence anonymous profiling and advertisement based on such anonymised profiling would not suffice.

On the other hand, given a proper consent, a data principal should be capable of permitting the use of his personal data for marketing with or without consideration. Without such freedom, the exploitation of privacy will continue surreptitiously and as “Dark Patterns”. Transparent disclosure followed by an explicit consent is therefore the solution to “DPDPA Compliant Monetization”.

This sort of “Consent to Monetize” is recommended under DGPSI framework supported by a “Data Monetization Policy”. Such consent can also be considered as “Special Consents” and along with “Consent for discovery of purpose” can be mandated with a higher degree of diligence such as “Witnessing the Consent”.

Technology solutions may not be available at this point in time for “DPDPA Compliant Consent”, but they are under development in the Naavi laboratory itself and will be released in due course.

Let us discuss these and other global practices during the seminar today…

Naavi

Posted in Cyber Law

Data Privacy Week at FDPPI

With the International Privacy Day today being celebrated in many professional fora in India, it has been a busy week for Naavi and FDPPI.

We had just completed the three-day C.DPO.DA. training in Mumbai from 24th to 26th January, along with a Republic Day celebration in the Mumbai hotel, and rushed back to Bangalore for the International Privacy event with the European Federation of Data Protection Officers on AI.

Today we have an event at Infosys in Bangalore, followed by a virtual session in the evening organized for global professionals.

More to follow on 30th…

It has been a virtual flood of events related to Privacy indicating the buzz that the publication of draft DPDPA Rules has created.

Interesting days are ahead of us…

Good wishes to all Privacy and Data Protection professionals on this International Data Privacy Day.

Posted in Cyber Law

Open AI Challenges Indian Law

In a case of significant importance, Open AI, like Meta and Google, has become one more global tech company to challenge the sovereignty of Indian laws. It is disturbing to note that Open AI is supported by Microsoft.

Open AI is facing a legal battle in the Delhi Court, where ANI has accused it of violating copyright laws by lifting content from its published sources.

Open AI has given several defences, one of which is that it is not subject to Indian jurisdiction.

As per this article in the Times of India, in an interesting defence, Open AI states that it is unable to remove the data as demanded because it is required to retain it under US law. In other words, it admits that it may have data which infringes the copyright, but since it is bound by the laws of the US and not India, it is not obliged to meet the demand of the petitioner.

The argument is nothing different from that of a thief who says “Don’t question my possession of stolen property because my mafia wants it to be retained.”

In a way Open AI has admitted to the copyright infringement, protection against which is in fact an international obligation to which the US is also a party. We should recall the aggressive pursuit of the Dmitry Sklyarov case on Adobe eBook software, where US courts arrested the Russian software professional. There are many cases on jurisdiction where the US has fought and held that “If a local resident of the USA is adversely affected, the courts in the USA can exercise jurisdiction”.

The European Courts are already of the opinion that ChatGPT violates EU Privacy law.

In terms of operation, ChatGPT may also be forced to remove the disputed data from the active engine and archive it for US law purposes.

Hence the argument of ChatGPT is untenable and must be rejected.

Naavi

Posted in Cyber Law

Ransomware Attack on ICICI Bank?

It has been reported in some security circles that ICICI Bank has become a victim of a ransomware attack leading to compromise of personal data of customers.

Details

It is not clear what the extent of the data breach is. We need to await the notice to be issued by ICICI Bank. At present there is no notice on the ICICI website.

In the meantime, it is to be noted that ICICI Bank is one of the notified Section 70 companies under ITA 2000. Hence any attempt at, or act of, unauthorized access to ICICI systems is considered a serious offence carrying up to 10 years of imprisonment. It is also possible to consider this a “Critical Digital Asset” and hence invoke Section 66F for Cyber Terrorism.

Under these sections, international cooperation for investigation should be available, and the hackers should be traced and punished.

I hope the Government will take suitable action and not push it under the carpet by payment of any ransom even if ICICI Bank is prepared.

Let us wait and watch.

There is a demand from some quarters that the Government should consider “Data Breach Reporting under DPDPA 2023” from a retrospective date, though the rules are yet to be formally notified. This appears to be a fit case for the DPB and CERT-In to analyse.

Naavi

Posted in Cyber Law

Why is C.DPO.DA. a “Crown Jewel” of Privacy Certifications?

After the previous post and during my visit to Delhi over the last two days, I have been asked by a few why I have called C.DPO.DA. the “Crown Jewel” of Privacy Certifications in India when there are other national and international certifications which claim the backing of some reputed and some new organizations. Some have even queried why the certification should be as expensive as it is.

It is my duty to answer these queries without mentioning any specific program. I am aware of other international organizations who are conducting Privacy Certifications. Many HR persons know only these certifications and often specify them as a requirement for recruiting DPOs or related positions in India. I do not blame the HR personnel for this mismatch, but it is like a T20 cricket team selector asking “Only those persons who have scored 3 or more centuries in Tests are eligible to apply. Double centurions and triple centurions are preferred”.

These international certifications were developed for GDPR, and DPDPA is not GDPR. A DPDPA-DPO is a different entity from a GDPR-DPO, though both relate to privacy and data protection. After all, both Tests and T20 are games of cricket, and a century at Test level is a century in a cricket game. It is more likely that a person who is well versed in GDPR is often unable to unlearn the EU principles and adapt to Indian requirements.

I therefore consider that until these organizations come up with an Indian version, they are not comparable.

The second set of certifications which we need to see are the programs conducted by consultants in India, some of whom are trying to provide certification at throwaway prices. I respect every professional for his knowledge, and such programs are always welcome so that price is not a barrier to learning. However, if we know the value of ISO 27001 or ISO 9001 audits which are available off the shelf at a throwaway price, we can guess what the value could be of programs where certifications are easy to obtain without an evaluation of the learning.

At FDPPI we not only provide the training, for which a Participation Certificate is issued; the complete certification is provided only after an online exam. The real test of proficiency is in getting through this online examination.

FDPPI has offered other certified persons the opportunity to take up this exam at a grossly discounted rate (one set of people were given an opportunity to attempt it free). We will continue to do so in the future, as FDPPI intends to develop itself only into a Certification Body and leave the training to other training partners, who may either charge for or provide free training.

At present, since the trainings are yet to mature, particularly since FDPPI programs do not end with the coverage of law but extend to implementation of compliance with the DGPSI framework, FDPPI continues to conduct its own training programs. Other organizations do not have a framework like DGPSI to recommend and hence have to base their implementation suggestions on other frameworks, including ISMS frameworks or GDPR-related frameworks.

While in due course some of these training organizations may adopt DGPSI as one of the frameworks to discuss, or develop a framework of their own, at this point in time there are no such frameworks and no certifications based on such frameworks in place.

It is in this context that I have called C.DPO.DA. (Certified Data Protection Officer and Data Auditor) the crown jewel of Privacy certifications. Presently the program addresses both the DPO requirements and the Data Auditor requirement. In the coming days, when it is found necessary, it may be sub-divided into two channels, one exclusively for DPOs with an internal implementation focus and the other exclusively for Data Auditors with a focus on Data Audit.

I hope all professionals understand this approach of FDPPI and, if they are interested, register themselves as “Master Trainers” for DPDPA certifications so that their trainees can automatically take the FDPPI examination and qualify for FDPPI-accredited certification. It is the commitment of Naavi to keep the cost of the exam to such persons as low as feasible.

Together, let us all work towards creating a culture of DPDPA Compliance in India, the starting point of which is the Certification of professionals. If there are more Certifiers, it is better for the market. The unification of their understanding can be achieved by the common examination which FDPPI would like to offer.

Any request for further clarification in this regard is welcome.

Naavi

Posted in Cyber Law

An Opportunity for CERT-In Empanelled Auditors to grab the “Crown Jewel of Privacy Certification”

CERT-In was commissioned in 2004 as part of the Ministry of IT with the objective of securing Indian cyberspace. It is empowered under Section 70B of ITA 2000 as the Nodal Agency for Cyber Security Incident Response. As part of its activity it has empanelled nearly 200 organizations who conduct Information Security audits in critical sectors.

Now the time has come when all IS auditors need to upgrade and expand their services to include DPDPA audits. CERT-In has recognized this and sent a circular to all its empanelled auditors to take note of certification programs like the one FDPPI is conducting in Mumbai on January 24, 25 and 26, leading to C.DPO.DA. certification.

Till the end of today an early bird discount is available for all participants, since the program is meant even for those professionals who are not empanelled with CERT-In. The early bird discount will end today, but registrations will continue.

As per our arrangement with CERT-In, the empanelled auditors will continue to get a discount and a special price.

We hope all interested professionals will take advantage of this opportunity and register themselves without delay, since the number of seats will be limited.

Organizations which want more than one member to participate may contact our Mumbai Chapter President, Mr Bondiah Adepu, for a bulk discount.

All participants will get a participation certificate, one year of free membership, books worth Rs 5000/- and also an entry to the C.DPO.DA. exam. If they complete the online exam successfully, they will be able to get the full certificate.

We hope all professionals in Mumbai and around take advantage of this Certification Program, which is a “Crown Jewel of Privacy Certifications in India”.

The program will cover the DPDPA Act and Rules, ITA 2000 (to the extent necessary) and the DGPSI implementation and audit framework. The program will be inaugurated by Mr Abhishek of CERT-In, and the sessions will be conducted by Naavi as the lead faculty.

Some feedback from the previous program conducted in Bengaluru is available below.

Naavi

Posted in Cyber Law