Key to Transformation…. DGPSI 5

We all know that the world around us is changing. Even to remain where we are, we need to keep running. Otherwise the world around us moves ahead and leaves us behind for no other fault of ours.

Transformation is therefore the key to professional success or even professional survival.

Naavi himself was once a Banker with relatively high expertise in accounting, tallying of books, customer service etc. Today I have moved through a marketing and advertising role, information security role, Cyber law role and landed up in the Privacy and Data Protection role. The journey has been exciting but changes were the essence of such journey.

With DPDPA 2023 in place, it is time for other professionals to also look at the need for transformation in their career. Whether they are experts in ISO 27001 or GDPR, whether they have certifications such as CISSP or CIPP, it is time to look at new horizons such as DGPSI and C.DPO.DA.

It is the duty of professionals who have made a few steps forward to try and take the others along this path of development irrespective of the competition that it could generate for themselves. Remember that a Cricket team requires batsmen, bowlers and specialist fielders in different positions. Even among the batsmen and the bowlers there are different specialisations. Likewise the Privacy and Data Protection Community requires multiple members to constitute a team. Unlike a cricket team, which is limited to 11 players on the field at a time, the Data Protection Profession can accommodate many more.

It is therefore necessary for organizations like FDPPI to assist professionals who are today in information security area or legal area or in Corporate Governance, to move into the area of Privacy and Data Protection. Some may aspire to be DPOs in companies and some may aspire to be “Data Auditors”.

One such community FDPPI is now addressing is the community of CERT IN accredited auditors. These audit firms are now engaged in different audit programs related to ITA 2000 and also whenever data breaches occur. With DPDPA coming into effect, the role of CERT IN auditors has undergone a change. Now data breaches need to be evaluated both for ITA 2000 and DPDPA 2023. IS audits have to be compliant both to ITA 2000 and to DPDPA 2023. With a penalty of Rs 250 crores plus, companies are keen that their DPDPA Compliance is in place. The buzzword therefore in the industry is “Compliance By Design” and “DPDPA Audit”. There will also be special “Conformity Assessment Certifications” that are required under DPDPA 2023.

FDPPI has therefore taken the first step to bring the CERT IN auditors into the domain of Data Audit and specially structured a Three Day offline program in Bangalore on September 27, 28 and 29 with the association of CERT IN.

This will be a first of its kind program that tries to engage experts in Information Security audit and make them take up a Techno Legal audit of DPDPA conformity.

The registration requests are being received now through email at fdppi4privacy@gmail.com

More information is available in the following brochure.

The program will cover DPDPA 2023 in particular and the data audit measures required. It is meant both for those who want to be DPOs and for those who want to be Data Auditors in the coming days. It will also cover the essence of GDPR and ITA 2000 as related to Personal Data Protection, and even CPA 2019 as required. In the audit section it will take off from ISO 27001 but focus on the CSF of CERT In. The DGPSI framework already covers these aspects, including the draft BIS standard on Data Governance and Data Protection, which is also part of the coverage.

In summary the course will truly be the first of its kind and those professionals who want to be ahead of others should take up this opportunity without fail.

The 3 day course is priced at Rs 40000/-. CERT In accredited Auditors get a 20% discount; others get early bird discounts and other benefits, including complimentary membership of FDPPI.

Act today if you want to be ahead of others…. Drop an email to fdppi4privacy@gmail.com

Naavi


Posted in Cyber Law

The “Consent Conundrum” in DPDPA Rules..DGPSI 4

As the industry expects the “Draft Rules for DPDPA” to be released within the next fortnight, the draft of the draft rules released some time back selectively by MeitY to organizations like Meta and Google for their views provides us a glimpse of what the rules could be when they are finally released.

With the option given to MeitY to disown the publication, the draft of draft rules related to DPDPA is available for discussion at www.dpdpa.in/dpdpa_rules.

In the 20 rules and 7 schedules published here, rules 2 (definitions), 3, 4, 5 and 10 and Schedule I specifically relate to Notice, Consent and Consent Manager, including verifiable consent for minors. A model consent artifact is also provided in Schedule I.

In this connection, Data Fiduciaries need to focus on a few challenges highlighted below.

Firstly the Rules suggest that every consent shall carry the electronic signature of the data principal, the data fiduciary and the consent manager. Since the data principals may not have a digital certificate to enable such signature, and the onus of proof of consent is with the Data Fiduciary, the Data Fiduciaries need to make arrangements for the electronic signature like e-Sign.

While authentication of the consent is essential, provision should be made to use innovative but legally consistent methods to authenticate an electronic document without the use of electronic signature to reduce the cost incidence.

A positive aspect of the model consent artifact is an undertaking by the Data Fiduciary that the consent would be used only for the specified purpose. When this undertaking is also digitally signed, this constitutes a legal commitment.

The data fiduciaries need to ensure that they stand up to this commitment and introduce appropriate controls to ensure that the consent is automatically considered withdrawn as soon as the purpose expires, and obtain fresh consent when the purpose is subsequently renewed. Otherwise they may be sued for “breach of Trust” under BNS 2023 (refer Section 316).

It is important to note that “Consent” is a document which has to be separately stored and may have to be retained for a period beyond the retention of the personal data. In the case of a Consent Manager it may have to be retained for 7 years as per the draft of draft rules. Retention of consent for data which itself is not retained is a vague concept and will lead to a dispute on what the consent was for. Hence the data fiduciary has to be meticulous in identifying what data was part of a consent.
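The controls the two paragraphs above ask for can be put together in code: a consent record signed by all three parties, stored apart from the personal data it covers, listing exactly which data elements it covers, treated as withdrawn the moment its purpose expires, and kept on its own retention clock after the personal data has been erased. The following is an added Python example written for this post; it is not part of the original text and not DGPSI's or any consent manager's own tooling. It assumes HMAC-SHA256 with constructed per-party keys as a stand-in for e-Sign, and the identifiers (C-1, DP-42, DF-7) and sample record are constructed.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field, asdict, replace
from datetime import datetime, timedelta, timezone

# Constructed stand-in keys for the three parties the draft rules expect to sign.
# A real deployment would use e-Sign / each party's digital certificate; HMAC-SHA256
# is an assumption used only so the example runs offline without a PKI.
PARTY_KEYS = {
    "data_principal": b"dp-key-constructed",
    "data_fiduciary": b"df-key-constructed",
    "consent_manager": b"cm-key-constructed",
}
# The consent record has its own retention clock, independent of the personal data
# (7 years is the figure the draft of draft rules gives for consent managers).
CONSENT_RETENTION = timedelta(days=7 * 365)


@dataclass
class Consent:
    consent_id: str
    principal_id: str
    fiduciary_id: str
    purpose: str
    data_elements: tuple          # exactly which elements this consent covers
    purpose_expires_at: datetime
    signatures: dict = field(default_factory=dict)

    def canonical(self):
        # Signed payload: every field except the signatures themselves.
        body = {k: v for k, v in asdict(self).items() if k != "signatures"}
        return json.dumps(body, sort_keys=True, default=str).encode()


def sign(consent, party):
    consent.signatures[party] = hmac.new(PARTY_KEYS[party], consent.canonical(), hashlib.sha256).hexdigest()


def verify_all(consent):
    # True only if all three parties' signatures match the current payload.
    payload = consent.canonical()
    return all(party in consent.signatures and hmac.compare_digest(
                   consent.signatures[party], hmac.new(key, payload, hashlib.sha256).hexdigest())
               for party, key in PARTY_KEYS.items())


class ConsentRegistry:
    # Consent records live here, separate from the personal-data store.
    def __init__(self):
        self.consents = {}

    def register(self, consent):
        if not verify_all(consent):
            raise ValueError("consent lacks valid signatures from all three parties")
        self.consents[consent.consent_id] = consent

    def is_active(self, consent_id, now):
        # Auto-withdrawal: a consent is treated as withdrawn the moment its purpose expires.
        return now < self.consents[consent_id].purpose_expires_at

    def purge_retained(self, now):
        # Drop a consent record only when its own retention period has run out.
        for cid, c in list(self.consents.items()):
            if now >= c.purpose_expires_at + CONSENT_RETENTION:
                del self.consents[cid]


class PersonalDataStore:
    def __init__(self, registry, records):
        self.registry, self.records = registry, records

    def use(self, consent_id, element, now):
        # Release one element only if an active consent explicitly covers it.
        c = self.registry.consents[consent_id]
        if element not in c.data_elements or not self.registry.is_active(consent_id, now):
            raise PermissionError(f"no active consent covering {element} under {consent_id}")
        return self.records[c.principal_id][element]

    def delete(self, principal_id):
        # Honour an erasure request; the consent record is deliberately left in place.
        self.records.pop(principal_id, None)


def demo():
    t0 = datetime(2024, 10, 1, tzinfo=timezone.utc)
    consent = Consent("C-1", "DP-42", "DF-7", "order delivery",
                      ("name", "address", "phone"), t0 + timedelta(days=90))
    for party in PARTY_KEYS:
        sign(consent, party)
    registry = ConsentRegistry()
    registry.register(consent)
    store = PersonalDataStore(registry, {"DP-42": {          # constructed sample record
        "name": "A. Principal", "address": "Bengaluru", "phone": "0000000000",
        "email": "ap@example.invalid"}})
    out = {"address_in_purpose": store.use("C-1", "address", t0 + timedelta(days=10))}
    try:
        out["email_released"] = bool(store.use("C-1", "email", t0 + timedelta(days=10)))
    except PermissionError:
        out["email_released"] = False            # email was never part of the consent
    out["active_after_expiry"] = registry.is_active("C-1", t0 + timedelta(days=91))
    out["tampered_verifies"] = verify_all(replace(consent, purpose="marketing"))
    store.delete("DP-42")
    out["consent_survives_deletion"] = "C-1" in registry.consents
    registry.purge_retained(t0 + timedelta(days=90) + CONSENT_RETENTION)
    out["consent_after_retention"] = "C-1" in registry.consents
    return out
```

Running `demo()` shows the four properties in one pass: an element named in the consent is released, one that is not is refused, the consent stops being active the day after its purpose expires, a re-purposed copy of the record fails signature verification, and the record outlives the erasure of the personal data until its own retention period ends.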

It is interesting to observe that the recognition that the “Consent” document is different from the data itself indicates that the ownership of the data lies with the data principal but the ownership of the consent lies with the Data Fiduciary and is not subject to the “Deletion” request from the data principal.

This supports our jurisprudential contention that “Data Ownership” of meta data lies with the platform and of transaction data lies jointly with the platform and the data principal.

It is unclear how to handle issues such as the data principal saying “Consent is accepted but the data is erroneous and I did not give consent to this erroneous data”. This is another recipe for dark pattern usage.

The rules provide that the consent artifact is consistent with the DEPA framework provided by MeitY and every notice for consent has to be referred to the data principal and specific consent obtained. In such a scenario, the Data Principal is providing his signed consent and the role of the Consent Manager is only limited to the extent of forwarding the message to the data principal. This makes the role of Consent manager completely redundant.

There is a need to recognize the Consent Manager as something like a “Trustee” of the Data Principal, with full rights to represent him for giving, modifying and withdrawing consent, an ability to assess the request for information against the purpose and challenge the Data Fiduciary on behalf of the data principal, to monitor the use and to demand deletion of the consent. Unless this is done, the purpose of introducing the concept of Consent Manager is defeated.

It is at present not clear if the use of a “Consent manager” service is at the option of the data fiduciary or at the option of the data principal. This has to be clarified, but it requires the consent managers to be set up first, and therefore a timeline has to be indicated for adoption.

If the consent manager system is delinked from the current DEPA concept, the issues of digital signing, language issues, dark patterns in obtaining consent can be effectively handled. But this requires a complete re-thinking of the concept of Consent Manager by MeitY.

Further it is suggested that the Notice and Consent are structured in such a manner that “Purpose wise Collection of personal data elements” is enabled under one single consent. It would be more practical for the data fiduciaries to design different consent artifacts for different purposes rather than create one consent artifact for multiple purposes under one consent ID and dividing it into multiple permissions. The possibility of mis-application of permissions is very high in this system.

The model consent artifact is misleading and does not address the requirements properly. Hence it is preferable to delete Schedule I.

It is for this purpose that DGPSI recommends that Notice and Consent should be linked to different processes and managed process wise. In this system there would be multiple consents from a single data principal to a data fiduciary.

The next important challenge is to obtain the consent renewal for legacy consents. Since the rule in this regard is applicable to all previous data for which “Consent has already been obtained”, it does not apply to such cases where the data fiduciary may not be able to prove the existence of past consent. Hence all such data needs to be discarded.

It is therefore essential for data fiduciaries to use a “Legitimate Use” basis and current legal obligations to continue to hold the data in their archive while removing it from the processing activity.

Provision should be made for release of notice through public notices and continue secure archival for a reasonable time before deletion. Since “Deletion” could result in unintentional violation of other laws it is recommended that the Government should notify a “National Archival of Personal Data” and after a limitation period in which the personal data is securely archived at the Data Fiduciary, it may be transferred to the new National Archival created.

The next problem arises regarding the rule which requires “Verifiable Consent” for minors. Most Data Fiduciaries are considering that this would apply only if their services are directed to minors. However Section 9 of DPDPA applies to Minors and Disabled persons and the first verification required is whether the data principal is a minor or disabled person or not. This means that in every consent there has to be a “Due Diligence Verification” that the person is not a minor or mentally disabled person. Then there has to be another verification of who is the guardian. A third verification is required when the person attains majority when the now turned adult has to be identified and consent switched back to him.

In case of Minors, it may be possible to use the “Age Pass” created by checking with UIDAI but the identification of disabled persons requires a new judicial process to be introduced.

Yet another challenge is to understand the concept of “Legitimate Use” for processing personal data.

It must be remembered that a Data Fiduciary is by nature a “Trustee” and not a “Manager” of data appointed by the Data Principal. Hence irrespective of the consent, a Data Fiduciary should independently evaluate the legal basis and take a view in the interest of the “Data Principal”.

Legitimate use can be applied by non-Government agencies when the data principal has provided the data “Voluntarily” or when it is required for employment purpose or obligation of any law or for medical emergency.

There is no specific manner in which the “Voluntary” action of the data principal can be effectively recognized. Every collection of personal data is for a purpose, and the purpose is to deliver a “Consideration”. Hence the question of providing any data “Voluntarily” does not arise. If this is not clarified, this will be a provision which is grossly abused. The illustrations provided are irrelevant. The provision essentially boils down to an automatic “Opt-in” without any indication of a positive intention.

In the illustration provided in the Act (pharmacy), the primary service of the pharmacy is receiving the money without service and the augmented service is receipt of money with acknowledgement. Hence the Data Principal is actually opting for the augmented service, for which the additional data is being provided, and not providing it “Voluntarily”. Similarly, in the second illustration of the real estate broker, the broker provides a service in exchange for the additional data which the data principal has to share.

These are purpose oriented collections and do not have a “Voluntary” nature. Even the “Publicly made available personal data” provision is potentially liable to be misused, and the rules fail to provide the required clarifications.

Use of personal data for legal obligation is a genuine requirement but the Data Fiduciary needs to have a policy support and case to case authorization from the legal department before discarding the consent mechanism for establishing legal basis. DGPSI provides for this.

The legitimate use in employment circumstances relates to safeguarding the data fiduciary and is a genuine need. However the data fiduciary needs to understand that the employment relationship starts before the person is onboarded and continues after he is terminated. These phases have to be structured into the controls, besides establishing on a case to case basis how the processing safeguards the data fiduciary. DGPSI provides for this.

In summary, “Consent” is a challenge, and an organization must understand the full implications of how to take a valid consent, retain it for reference and retrieve it when required, how to use the consent manager service, and whether the use of a consent manager is optional.

Naavi


DGPSI is the TINA option for DPDPA Compliance….3

Strategy war rooms of companies have been discussing the impact of AI on their business and how they need to leverage the new technologies. In the past they have also discussed how to leverage certification of ISO 27001/27701 in the context of Privacy. Now is the time to discuss DPDPA Compliance as the new challenge. It is in this context that DGPSI is emerging as the TINA option for the organizations. Yes, There is No Option or more appropriately “There is No Better Option”.

The first option before companies is ISO 27001 (2022), which is incomplete and inadequate for compliance with DPDPA. Even if ISO 27001 is modified or implemented together with ISO 27701, the makeshift combination will not be recognizable as specific to DPDPA compliance.

The next option is to adopt the DSCI Privacy Framework which is constructed to protect the Privacy of Personal Information from unauthorized use, disclosure, modification or misuse.

This is a three layer framework with Privacy Strategy and Processes at the foundation of the pyramid, Information usage, access, monitoring and Training as the body of the framework and Personal Information Security at the top of the pyramid. However this framework was developed at a time before DPDPA and does not focus on DPDPA compliance. It is more generic and needs to be adapted for DPDPA.

On the other hand the DGPSI framework was developed exclusively for compliance with DPDPA, and DGPSI-Lite focuses only on the 36 requirements needed for DPDPA Compliance. It is a “Framework for Compliance by design”, whereas other privacy frameworks describe themselves as frameworks for “Privacy by design”. “Compliance by design” is inclusive of “Privacy by Design” and “Security by design” and is focused on mitigating the risk of non-compliance with DPDPA.

The Data Governance and Protection Management System (DGPMS) constructed under the DGPSI framework is an inclusive framework that can be identified as a PIMS for DPDPA and an ISMS for PII (based on the Cert In CSF framework, which is also compatible with the ISO 27001 framework), and further adds the Personal Information management aspects enumerated in ITA 2000, the Consumer Protection Act 2019 and the BIS draft standard for Data Protection.

DGPSI is therefore more comprehensive and more goal specific. The DGPSI-Full version, with 50 implementation specifications, captures the essence of the requirements of these multiple laws and multiple governance frameworks.

In this perspective DGPSI is not just the better option but the only option for DPDPA Compliance. Hence DGPSI can claim the tag of “TINA option for DPDPA Compliance”.

Naavi


The Battle of Cognizant Vs Infosys

In 2016, we saw a case being filed on TCS in the USA (Tata America International Corp) when EPIC Systems filed a suit to recover US$940 million. The US Supreme Court upheld the claim of Epic to the extent of $140 million. Finally, in 2023, TCS did make a provision for liability of around $125 million (Refer: 1. Even when my client is negligent, the liability can be on me; 2. Press Release from TCS).

In the TCS case it was alleged that an employee of TCS had downloaded some information from EPIC servers and it was used by TCS eventually for developing a commercial product resulting in a copyright violation.

Now another software giant of India is facing a case in US, this time for a dispute raised by another Indian company itself. This is the case filed against Infosys by Cognizant TriZetto in a US Federal Court.

(P.S: This is a developing information and information referred to here is based on other published reports. It may be corrected as required if new information comes in).

Cognizant offerings include TriZetto’s Facets and QNXT, which healthcare insurance firms use to automate tasks. Cognizant’s version is that Infosys misused TriZetto’s software to create “Test Cases for Facets” and re-packaged its data into an Infosys product.

(Pictured: Rajesh Varrier and Rajesh Nambiar)

It is unfortunate that two Indian Software Companies are fighting in US Courts while the dispute relates to activities which occurred perhaps in the Indian geography.

In such cases we expect NASSCOM to intervene and mediate a solution. But it is to be noted that the case has been filed soon after a former Infosys executive, Mr Rajesh Varrier, took over as the global head of operations and India Chairman and Managing Director, and after the movement of Mr Rajesh Nambiar from Cognizant to NASSCOM as its president. Under the current circumstances it appears that NASSCOM is not in a position to intervene.

Both Mr Rajesh Varrier and Rajesh Nambiar can be presumed to be aware of the dispute before their movement and are part of the decision for the case being filed.

We hope wiser counsels prevail and the two organizations come to a mediated settlement and withdraw the case. MeitY should intervene and try to settle the case without the litigation in the US Courts.

Essence of the Dispute

The allegation of TriZetto is that Infosys unlawfully extracted data from its databases and used it to build and market competing software. The complaint filed by Cognizant TriZetto Software Group Inc seeks damages and injunctive relief for misappropriation of trade secrets, breach of contract and unfair competition.

The two companies were under a Non Disclosure Agreement under which Infosys had access to proprietary information of Cognizant, and the dispute now is that these contractual terms have been violated. More than the Trade Secret issue, the dispute is one of violation of a contractual agreement.

The respondent is named in India and it is understood that the major development center of Trizetto is also in India. Hence the jurisdiction for settlement could have been India. The petition tries to establish that jurisdiction exists in US but does not mention the jurisdiction clause in the NDA. We need to check the NDA to understand if the jurisdiction clause was mentioned there as India or US. However it is clear that Cognizant did not want to fight the case in India and chose the US forum specifically.

It appears that Infosys in this case is an authorized user of Facets and had a contract with some clients of TriZetto for testing. These were known to TriZetto also. TriZetto has its own published Test Cases which TriZetto claims as its “Trade Secrets”.

I am also reminded of the Radiant Software issue (also refer here) several years back where the training company was accused by Oracle of misusing a user license for training. At that time, we had pointed out that whenever an instance of Oracle was used by Radiant Software, it was to train people on Oracle software and the skill was meant to be used only with clients of Oracle who had a licensed usable software. Hence use of Oracle installations by Radiant in its training center on multiple computers was actually promoting the use of Oracle by licensed buyers. That case was filed in Madras High Court but was not contested since it was withdrawn.

In the Trizetto case, Infosys has been involved in testing Trizetto software for Trizetto customers and was assisting both the customers and the Trizetto itself to resolve any implementation issues. Trizetto claims that in the process, Infosys developed a repository of its own test cases which was a violation of the agreement and misuse of the trade secret.

Trizetto claims that the repository created by Infosys includes some of the test cases created by Trizetto and are presented deceptively as Infosys test cases.

It is noted that the test cases are directly related to Trizetto software and any benefit that Infosys could gain is related to testing Trizetto software already sold by Trizetto to its customers for which Infosys has also created its own Test Cases. These Infosys developed test cases are used for the benefit of Trizetto Customers and hence Infosys is benefitting the customers of Trizetto though this is a commercial service for which Infosys has been charging its own fees.

It is not clear if Trizetto is feeling that its own commercial opportunity to charge for “Testing” has been eroded because Infosys is a competitor for the “Testing” business.

It is also alleged that Infosys developed a QNXT adapter using confidential and proprietary information of TriZetto, resulting in a competing product called Helix.

Presently the complaint will be evaluated by a Jury team and thereafter the outcome would be determined.

Considering that Infosys and Cognizant have a relationship of over a decade and the manpower expertise of Infosys has also contributed to the growth of Cognizant, it is necessary that the business leaders of both companies sit together without their legal counsels and arrive at a business settlement. MeitY should urge both companies to settle the dispute under a mediation in India rather than going to US courts. I hope MeitY tries to appoint Mr Rajeev Chandrashekar to mediate in this issue.

Naavi

P.S: The dispute is a developing information and if there are any errors in the information provided from the public sources, kindly let me know so that it can be corrected.


AI Enabled Data Analytics and DPDPA Risk.. DGPSI..3

One of the hallmarks of DGPSI (Digital Governance and Protection Standard of India) is that it recommends a “Process Based Approach” to compliance and an aggregation to arrive at the “Enterprise Level Compliance”.

In other words, the DGPMS (Digital Governance and Protection Management System) is an aggregation of Process 1, Process 2, etc., where Process n refers to a technology process in which applicable personal data is an input, is generated, or is being stored, modified or disclosed.

One example of this approach is website compliance. In this approach, a “Corporate Website” is a process, and Compliance as per DPDPA applies to personal data collected during the visit of a data principal to the website serving corporate information. The purpose of the website is serving corporate information, and the collection of personal data should be limited to the purpose, retained only as long as the purpose requires, secured during the purpose, etc. DGPSI discourages use of “Omnibus Privacy Notices” and recommends process specific privacy notice and consent.

Similarly, under this principle, AI enabled Data Analytics can be considered as a “PII Process” which requires to be compliant to DPDPA and can be assessed separately and certified for compliance.

DPDPA Compliance (DP.COM.) for AI Enabled Data Analytics can be a combination of “DP.COM for AI algorithm” used and “DP.COM for Data Analytics algorithm” used. AI itself can be defective due to BIAS and HALLUCINATION and along with Data Analytics, which may ignore notice and consent requirements and therefore, there could be doubling (Squaring) of the DPDPA risks.

During the last week’s ETCIO conference in Bengaluru, the presentations of many companies indicated an aggressive use of AI Enabled Data Analytics to draw different “Insights” into the behaviour of customers and for generating automated decisions that could persuade the customers of a service towards a desired objective of purchase on the e-commerce website.

While, as an ex-Marketing professional, I do agree that Business should have the ability to profile their customers and direct their marketing efforts to bring maximum customer satisfaction even on the “Post Purchase Experience”, as a Privacy and Data Protection professional, I am constrained to point out that a “Consent” is required from the customer before his personal data is collected deceptively and manipulated to conclude a sale.

It is not correct to object to “Data Subject Manipulation” only when Cambridge Analytica uses personal data for creating ads for an Election Campaign and ignore an e-Commerce entity making you buy things which you do not want.

When I pointed out that AI+Data Analytics has the negative intelligence probability, I was indicating that “Dark Patterns” and “Deceptive Marketing” is legally not allowed. This could become a non compliance issue and lead to DPDPA fines.

In this connection, I want to draw the attention of the audience on the Consumer Protection Act 2019 and the notification on Dark patterns issued on 30th November 2023 which states

“dark patterns” shall mean any practices or deceptive design pattern using user interface or user experience interactions on any platform that is designed to mislead or trick users to do something they originally did not intend or want to do, by subverting or impairing the consumer autonomy, decision making or choice, amounting to misleading advertisement or unfair trade practice or violation of consumer rights;

For details of the Consumer Protection Act and penalties refer here:

The rules also provide a list of practices that may be considered as “Dark Pattern Practices” which include “False Urgency”, “Basket sneaking”, “Confirm shaming”, “Forced action”, “Subscription trap”, “Interface interference”, “Bait and Switch”, “Drip Pricing”, “Disguised Advertisement”, “Nagging”, “Trick question”, “SaaS billing”, “Rogue Malware”, etc.

Under DPDPA 2023, the “Fiduciary” who is a trustee of the Data Principal is obligated to process the personal data only for a “lawful purpose”. The intention of the Consumer Act and the above rule is to indicate that it is not lawful to use “Dark Patterns” and it could lead to a penalty of upto Rs 250 crores under DPDPA.

I request all the Tech Experts to review the AI Enabled Data Analytics patterns used by them and check that they are not “impairing the consumer autonomy, decision making or choice” and tricking users “to do something they originally did not intend” to do.

DGPSI therefore recommends that the use of AI enabled Data Analytics be audited to ensure that it is in compliance with DPDPA requirements. DGPSI also recommends a specific policy for “Monetization” as well as “Discovery consent”.

I suggest that the interesting equation that ETCIO coined for their conference needs to be modified as

where i is the complex number representing the DPDPA impact.

(P.S: Sorry to use Complex Number theory in explaining the concept. Ignore if you want)

If you disagree, please let me know why? If you agree, please let me know how you are going to meet the compliance gap when DPDPA becomes effective whenever the Government notifies the date of effect for penalties.

Naavi


Overlapping Signatures in Government Documents

Today I came across an interesting observation related to Government Gazette Notifications issued in electronic form.

The notifications are signed by different officials of a department authorized to issue a direction. The PDF files issued as Gazette Notifications are however signed by an official such as “SURENDER MAHADASAM”.

The digital certificate is issued by (n)code Solutions CA 2014 valid at the time of signing and notes that Mr Surender Mahadasam is carrying an email surender.mahadasam@gov.in, Directorate of Printing, Government of India Press.

This practice of digitally signing the Gazette Notification by the publication department and not the original signatory of the electronic record raises an important legal issue of how the content of the electronic record may be considered authenticated.

It is my suggestion that the Publication department must add a certificate of assurance that

“I certify that this is a faithful reproduction of a signed paper document with the authenticated signature of the relevant authorized person authorised to issue this notification and has been produced using the SOP…….. of the Department of Publications and may be considered as a True Copy”.

Though this certification may not exactly meet Section 63 of BSA 2023, the SOP referred to, which needs to be developed, can contain a narration that meets the requirements of Section 65B of the IEA up to 30th June 2024 and Section 63 of BSA 2023 thereafter.

This procedure is directly related to Naavi63 certification suggested by the undersigned for validation of Consents under DPDPA 2023. (Refer Rule 2(1) (f) of the draft).

P.S: Naavi63 is a system where the online privacy notice confirmed by a data principal is authenticated by a repository owner (eg: CEAC Dropbox), though this is a private offering and not a Government function.

Comments invited from Cyber Law Specialists.

Naavi
