Data Access Request could land you in a Zugzwang moment

In our previous post, The Zugzwang that won the Challenge, we had raised some concerns that a DPO faces when a Data Access Request is received. This was discussed during an event in Bangalore yesterday, and I share some of the thoughts that came up for discussion during the event.

The Data Access Request is one of the first rights that a law like DPDPA provides to the data principal. Essentially, it gives the data principal a right to obtain a summary of how the data fiduciary is processing his personal data.

The DSAR request can be sent to the company through an e-mail and costs the data principal little effort. But for the Data Fiduciary this is a ticking bomb which, if not defused, could explode with disastrous consequences.

Hence an organization needs to put in place a robust mechanism to handle the request.

DGPSI (Data Governance and Protection Standard of India), the framework that addresses DPDPA compliance, provides a suitable framework for meeting the challenges that the DSAR presents.

The challenges of DSAR under DPDPA include:

a) Recording the request received

b) Acknowledging the request

c) Verification of the identity of the requester, his authority for the request and matching it with an existing data principal with whom the Data Fiduciary has a relationship

d) Extracting the related consent associated with the processing of the personal information of the requester

e) Extracting all the data elements that the Data Fiduciary has received and used in respect of the data principal.

f) Ensuring that the data is within the scope of the DPDPA

g) Identifying all the processes in which different elements of the data of the data principal are being processed

h) Identifying the external data processors involved in the process and the data shared with them.

i) Identifying whether the data principal is a minor or a nominee and, if so, identifying the related consent from the guardian and the nomination details along with the procedure for settlement.

j) Handling the grievance redressal along with the adjudication at the adjudicator of ITA 2000 or DPB.

k) Handling the data erasure process both at the level of the Data Fiduciary and the associated Data Processors.

l) Handling the data breach notification requirements

m) Handling exceptions such as when the request applies to legacy information for which a new consent was required.

The above list is probably not exhaustive. But DGPSI is a system which asks the relevant questions and creates a foundation from which all these questions can be answered.

For example, DGPSI follows a data classification that tags the jurisdiction, focuses on the processes, recommends centralized data storage, recommends data valuation, sets up a grievance redressal mechanism, ensures that the top management has considered and approved risks that cannot be mitigated and have to be absorbed, and ensures that distributed responsibility addresses identification of data and proper documentation of all compliance requirements. Even when the cause of a breach is an AI, DGPSI has a necessary process to address the same.

If you are DGPSI compliant, you are ready to address all of the above requirements.

Naavi


The Zugzwang that won the Challenge

Mr Gukesh became the youngest World Chess Champion by winning the FIDE World Championship, cornering Mr Ding in a Zugzwang position where White (Ding) had to make a move but any move would have led to a loss. This zugzwang position is common in Chess, especially in king-and-pawn endings.

A similar situation is confronted by Data Fiduciaries in certain circumstances when they have to comply with DPDPA.

Take the example of an email received by a Data Fiduciary in Bangalore from jr2024@protonmail.com which stated:

“My name is R. Jhonny, residing at Lucknow. Under the provisions of ITA 2000 read with DPDPA 2023, kindly provide me the following information.

Do you process any of my personal data?

If so, for what purpose and how did you obtain it?

Please share the copy of the consent I have given if any?

Please let me know with whom all you have shared it, the purpose of sharing.

In case I do not receive the information within 3 days from receipt of this email, I shall be constrained to take necessary steps to recover compensation from your end for wrongful processing of my personal data.”

This looks like a simple question, but it takes a lot of effort in the first place and, even thereafter, may lead to many challenges. Whatever move you make, your position may continue to deteriorate until you are checkmated.

This problem is set to be discussed by Naavi in today’s event in Bengaluru at LTIMindtree.

Naavi


More Banks notified as Protected systems

In October 2024, MeitY declared IOB, RBL Ltd, IndusInd Bank Ltd, Federal Bank and Bank of Maharashtra as “Protected Systems under ITA 2000”.

Notifications:

IOB

RBL

IndusInd Bank

Federal Bank

Bank of Maharashtra

The implications are twofold.

Any attempt to access such computers by anyone other than the permitted persons noted below will be considered an offence that can carry imprisonment of 10 years.

Who can access:

(a) any designated employee of the Bank authorised in writing by the Bank to access the protected system;
(b) any team member of contractual managed service provider or third-party vendor who have been authorised in writing by the Bank for need-based access; and
(c) any consultant, regulator, Government official, auditor and stakeholder authorised in writing by the Bank on case-to-case basis.

Any other person accessing the system will be liable to imprisonment of 10 years.

Further, under Section 70(4), “The Central Government shall prescribe the information security practices and procedures for such protected system” (inserted vide ITAA 2008).

Additionally, the Information Security rules under the notification of 22nd May 2018 should apply to such systems (Refer here).

We hope each of the Banks complies with the directions contained in the 22nd May 2018 security guidelines.

Naavi

P.S.: For the record, we note that:

  1. CAMS was also notified on 2nd February 2024. It is better known as a Registrar handling securities.
  2. KFin Technologies Private Limited was also notified on 1st February 2024.
  3. NIA was notified on 26th February 2024.

Digital Arrest and Cyber hypnosis

In recent days, the menace of Digital Arrest related scams has assumed alarming proportions. There are instances of people losing crores of Rupees to this scam, and some of these matters are coming up for discussion in Courts.

Naavi has been a long-time follower of “hypnotism” and has attributed to it some of the otherwise illogical behaviour of Cyber crime victims, such as the children who succumbed to the Blue Whale game, and has also offered some analysis of the case of old people succumbing to Phishing frauds (Refer here).

The time has come to once again look back on the science of Hypnosis and understand whether there is an instance of “Cyber Hypnosis” that can explain some of the irrational behaviour of victims of Digital Arrest.

Aged persons living alone are psychologically vulnerable to friendly suggestions, even from strangers. People with dissociative identity disorder and people who have a history of childhood abuse or other trauma could be more vulnerable than others to falling prey to cyber hypnosis.

The traditional theory of hypnosis suggests that the human brain has a subconscious part which the hypnotist awakens and establishes contact with, putting part of the conscious mind, including the rational part, to sleep. As a result, the hypnotist is able to give suggestions that the subject finds difficult to ignore, and he becomes a puppet doing what is suggested.

Under this state of “Trance”, the ability of the individual to take rational decisions is sidelined, and therefore any contractual commitments made during that time are invalid. It is like “Persons in an intoxicated state of mind” or the “Occasionally insane” being held not to fulfil the conditions of “Free Consent” for a contract.

The fact that two Banks were recently able to identify this state of a customer and talk him out of the fraud is an indication that the state can be identified by an alert bystander. It is like a person in a hypnotic trance exhibiting a blank stare which looks out of the ordinary.

It is therefore necessary for the law to take into account that contracts entered into under this trance are not valid contracts.

It is a fact that in digital transactions the Bank which executes the instructions of such a customer may not find it easy to identify the abnormality of the situation. But if the amount involved is large and not commensurate with the usual habits of the customer, the requirement of “Adaptive Authentication” mandated by RBI requires the Banker to identify the transaction as one requiring some caution. Otherwise it should be considered “Negligence”.

There is no doubt that the Banker on the fraudster’s side is directly involved in the fraud, as the Banker of the fraudster, with an apparent failure of KYC. The Banker at the customer’s end, being part of the Banking chain, cannot fully absolve himself of responsibility for money laundering in this type of fraud.

Since the victim’s privity of contract is with the Bank at his end, it is natural that the relief to the customer should come from that Bank. Later, this Banker can recover the money from the Banker at the fraudster’s end. This is an extension of the “Contributory negligence” and “Intermediary responsibility” for which the Banks should be held liable.

This should be the jurisprudence in matters related to Digital Arrest, and I hope Courts take cognizance of this menace of “Cyber Hypnotism” and provide appropriate relief to the victims.

Naavi


IDPS 2024 concludes

The two-day event Indian Data Protection Summit 2024 came to a successful conclusion with the valedictory function, where Dr Bharat Panchal of Bhima Sugam gave the valedictory address. Mr Abhishek Solanki, senior scientist from CERT-In, was a guest of honour along with Mr Yashvantha Kumar of the Cyber Crime Division, Bangalore, and Dr A Nagaratna of NLSUI.

During the two days, more than 56 speakers participated in the program, including 13 from outside the country. The 8 keynotes, 7 panel discussions and 4 Focus Group discussions made the conference a wholesome event. With excellent organizational support from KLE and the special efforts of Suresh Balepur and Ashok Kini in managing the hospitality, the event was memorable.

The publication of the book “DGPSI-The Perfect Prescription for DPDPA compliance” during the event marked a significant development in FDPPI’s efforts to facilitate DPDPA compliance in the industry. Hopefully this will also be a significant milestone in the development of Data Protection Compliance in India.

This set of twin books would serve the purpose of providing information on Privacy as a Fundamental Right, the DPDPA as an Act, the Governance aspects related to Data Protection, and the practitioner’s guide for implementation and audit. Though the rules are yet to be notified for DPDPA, the DGPSI booklet presently serves as a jurisprudential exposition that tries to identify how each of the DPDPA provisions may be implemented.

A detailed report of the event will be available later, and the registered delegates will also get a link to the videos, to be published online.

Naavi


Welcome to IDPS 2024
