PDPA 2021: Concept of Discovery Consent

The PDPB2019/DPA 2021 addresses several proactive compliance requirements aimed at managing personal data by data fiduciaries and data processors with the intention of protecting the “Privacy” of an individual. Contraventions result in civil penalties up to a maximum of 4% of the total worldwide turnover of the data fiduciary.

There is, however, one section (Section 83) of DPA 2021 which prescribes a criminal punishment of imprisonment up to 3 years, a fine of up to Rs 2 lakhs, or both. This offence is cognizable and non-bailable, but no court can take cognizance except on a complaint in writing by the Authority.

Under Section 85, when the offence is attributable to a company, the section extends the offence to the persons responsible for the conduct of the business of the company unless they can prove lack of knowledge and the exercise of due diligence to prevent the commission of the offence. Such liability may extend even to the Directors of the organization.

In the case of Government data fiduciaries, there would be an in-house enquiry before any person is held liable.

Most of the “Offences” related to “Data” are presently covered by the Information Technology Act 2000. In fact, once “Privacy Protection” through protection of personal data becomes a law, the current provisions of ITA 2000 will automatically apply to offences related to data protection. As such, the offences section in DPA 2021 is redundant and only restricts the powers of ITA 2000/8 rather than enhancing the provisions therein.

For example, if “Reidentification of de-identified personal data” is an offence under DPA 2021, it is also covered under Section 43/66 of ITA 2000 as “Diminishing the value of information residing inside a computer resource or affects it injuriously by any means” [Section 43(i)].

However, in view of the DPA 2021 having been defined as a special law overriding the current laws (Section 97), the re-identification as defined under Section 83 goes out of the scope of ITA 2000/8. But any other kind of “Injurious effect on personal data” remains within the provisions of ITA 2000.

Having established that DPA 2021 would be the sole law that addresses the issue of “Re-identification”, let us now see the wording used in Section 83 and understand if it is clear and adequate to address the intention.

83: Re-identification and processing of de-identified personal data.

(1) Any person who, knowingly or intentionally—

(a) re-identifies the personal data which has been de-identified by a data fiduciary or a data processor, as the case may be; or
(b) re-identifies and processes such personal data as mentioned in clause (a),

without the consent of such data fiduciary or data processor, then, such person shall be punishable with imprisonment for a term not exceeding three years or with a fine which may extend to two lakh rupees or with both.

(2) Nothing contained in sub-section (1) shall render any such person liable to any punishment under this section, if he proves that—

(a) the personal data belongs to the person charged with the offence under sub-section (1); or
(b) the data principal whose personal data is in question has explicitly consented to such re-identification or processing as per the provisions of this Act.

As per this section, the “De-identification” is under the control of the Data Fiduciary or a Data Processor who originates the de-identification of the identified personal data. Any other person who is in possession of such de-identified data shall not re-identify the data except with the permission of the original de-identifying agency.

However, such permission may not be required if the re-identifier has the explicit consent of the data principal. If the data principal has already given consent to the de-identifying data fiduciary for use of identifiable information for any purpose, this automatically becomes capable of being transferred to the re-identifying data fiduciary.

But it appears that there could be a possibility that the re-identifying data fiduciary can also obtain the “Explicit Consent” of a data principal and proceed with the re-identification. It is true that at the time the “Explicit Consent” is given by a data principal to an intending data fiduciary who would like to re-identify a data set, which may “Discover” the personally identifiable data of the data principal, neither of them knows that such personal data would be “Discovered”.

But it is possible to get such a “Discovery Consent” as per the provisions of this section. This provision is extremely important to all Data Analytics companies and Big Data companies, which may, while offering any service to data principals, get an explicit consent to re-identify any information available with, or to be collected by, the Big Data company from other data fiduciaries or data processors as de-identified data or publicly available data, and use it to create the data intelligence required for the provision of services to the individuals.

This provision opens up some exciting opportunities for Digital Marketing companies who may consider retail services directed to data principals. Probably this benefit will go unnoticed by a section of the market and evolve once the DPA confirms some related regulations.

Naavi

“The concept of ‘Discovery Consent’ or ‘Exploration Consent’ is being presented for the first time here. This would be part of the Theory of Data extended for interpretation. More discussions on this would be presented in due course. Your comments are welcome.” … Naavi

Other articles on DPA 2021

14. PDPA 2021: Concept of Discovery Consent

13. JPC Recommendations on SWIFT Alternative: Out of scope and Disruptive of Global Economic System

12. JPC recommendation on Children Data

11. JPC recommends DPA to watch on Incident Register

10. JPC comments beyond the Amendments-2: Implementation Schedule

9. JPC comments beyond the Amendments-1-Priority of law

8. Clarifications from the JPC Chairman on DPA 2021

7. Anonymisation is like Encryption with a destroyed decryption key 

6. PDPA 2021: The data breach notification regarding Non Personal Data

5. PDPA 2021: The Data Protection Officer is now in an elevated professional status

4. PDPA 2021: The nature of Data as an Asset and nomination facility

3. PDPA 2021: Regulating the human perceptions

2. PDPA 2021: Definition of Harm to include psychological manipulation

1. PDPA 2021: Should Big Data and Data Analytics industry be worried?

Posted in Cyber Law

An Innovator Challenges Bankers to innovate or perish

My previous article in which I highlighted my concerns about the Crypto Currencies and Ripple has naturally irritated many Crypto fans.

I thank Netizen Thes for a comment made on this blog, which I would like to answer point by point. (Comments of Thes in italics)

... Instead of complaining about Ripple, maybe you should encourage banks to innovate and give customers more value.

I agree with Thes that  “innovation” is a constant process of any service and Bankers need to keep on increasing the value of their service through innovation.

I have been supporting “Innovation” to strengthen the services while at the same time being in the forefront of urging Bankers to be “Responsible” and “True to their responsibility to the society” while delivering their services. In the process I have been a pioneer in holding Banks liable for negligence in case of Banking frauds. In one of the cases, the Tribunal adjudged that “lack of security is passive assistance to a fraudster”.

I consider that “Security” of funds entrusted by a customer to the Bank is a major part of the contractual obligation of a Bank and any innovation cannot be reckless and an experimentation on the security of the customer’s money.

Innovation can be “Disruptive” but not “Destructive”. “Innovation” has a place in a “Sandbox” until it is proved that it is safe to be used in a customer live environment. Customers of a Bank or citizens of a society cannot be the Guinea pigs on which Banks can build their profits.

Some of the innovations in Banking including the “Cryptos” as suggested, indicate that there is no understanding of the role of Banking in the economy. It is as if these “innovators” are treating Business of Banking as a Computer Game where you can afford to die many times only to abort the game and re-start. In the real world there is only one loss of life and there are no cheat codes to continue playing even after losing once.

Just because there is profit for the technologists, if we push reckless innovation, it should be considered as irresponsible and selfish.

…For years, traditional banks have taken advantage of customers by charging high fees for services such as loan management, and extremely high fees for international remittance.

Need for improvement is not a justification for extermination of the Banking system. Exploitation of services and increase in price of commodities and services is a natural process of development and even Bankers are increasing their costs. We all justified technology as a means of better efficiency and lower cost. But with increased use of technology, Banking cost has only increased and frauds are more disastrous. The “Innovators” have therefore failed the system and are also responsible for the increased cost. Today’s Bankers are Technologists and hence it is unfair to blame the Bankers for increased cost. Perhaps we need to blame it on the Technology providers for increasing the cost of Banking or accept it as part of the development process. If a Pizza 10 years back used to cost a fraction of what it costs today, we cannot only blame the Pizza makers for the increase in the cost and destroy all of them.

…Also, traditional banks have been hugely involved in money laundering. This is almost impossible with companies like Ripple since the blockchain is immutable, secure and transparent.

While honest and dishonest persons can be found everywhere including within the Ripple like system (Please treat this as a reference to the system and not a single company or the executives of a company), we are only discussing the system here and not individuals. If money laundering is possible in traditional Banking, it is the essence of the Crypto innovators and the system of exchanges based on the premise of “Decentralization” and delinking of traditional Bankers and Central Bankers.

The reliance placed on Blockchain to prevent money laundering is not realistic. Any blockchain, public or private or permissive, is as trustworthy as the participants. While in a Banking transaction there may be two authenticators supervised by a system, Blockchain may have a larger number of “Record keepers” and no “Authentication”. It can be more unreliable than the traditional system since there is no “Accountability” for authentication with closely identifiable authenticators. A Blockchain held in multiple copies may be immutable in the same way as you may hold multiple backups of your traditional data. The mere fact that a larger number of people are aware of a transaction does not necessarily make it more authentic. Transparency in blockchain is a myth since “Privacy” is the basis of blockchain systems maintained by private crypto currency issuers. I am not sure if Ripple is different.

…It is ridiculous to say “Crypto Currencies are the currency of the corrupt and corruption is all over our country”.

I disagree. Crypto Currencies are “Digital Black Money” and the most prominent use of Crypto is for Criminal activities. I accept that traditional money is also used for criminal activities and Cryptos can also be used for good activities but the essence of Cryptos is to remain outside the radar of law enforcement and this means that it is the preferred system of value exchange for the corrupt and the criminal. Even if we consider Bitcoins as “Assets” we can say that most of the assets in circulation have a tainted past having passed through the hands of a criminal. Since they are outside the regulatory radar, they are used for all criminal activities.

…You sound like you are trying hard to stop innovation so that traditional banks continue to operate freely taking advantage of their customers, or maybe you are just not smart enough to know what you are talking about.

…So because you do not have the ability to compete, you are pleading with people to destroy the innovation.

No. I only support innovation as long as it is not destructive. The CBDC is a concept of innovation which is not destructive. But CBDC cannot be a Bitcoin and hence Crypto fans would not accept it as innovation. You may also note that I was the pioneer to suggest the Digital Value Imprinted Instrument System (DVIIS) as a replacement of many of the Banking instruments much before the modern day innovators came up with the idea of mobile payments and cryptos. My innovative suggestions have always tried to be “Cyber Law Compliant” and not meant as instruments for the criminals. The DVIIS system, for which a patent application was pending in the USPTO when the twin towers were destroyed by the terrorists, is being adopted today, after two decades, by the modern day innovators.

…Just like with the invention of the internet, there will be winners and losers,

Internet was a fundamental platform which could be adopted by all. Similarly, blockchain is a technology that can be adopted by all. I have no issue with such innovations which can be adopted by others and some will win and some will lose.

However, a specific service that runs on the acceptable innovative platform such as a Bitcoin or Ripple has a different impact. When Napster started the peer to peer service for sharing of music, I was in favour of the technology but traditional music companies shot it down. It was a service which was useful but if the society adopts IPR as an accepted principle, Napster had to yield space.

Similarly Blockchain as a technology is acceptable. But creating a network to destroy the fiat currencies or to destroy the sovereign Central banks needs to be looked at in a different perspective.

At one point of time there was only one Bitcoin. It was fun and appreciable innovation. Today Crypto currencies are in thousands. There are ICOs, NFTs, Tokenized virtual real estate and currencies of popular computer games and so on. The market capitalization of all these crypto assets not under any kind of governance by a sovereign Government is substantial and cannot be ignored.

If some innovators ask why there should be a system governed by a sovereign government at all, then they are advocating the Chaotic pre-historic world.

Today we may disagree with one sovereign government or the other, one leader over the other but the world is working under some order.

If we want to destroy this order and say that Government should not have control on the economic system, then such persons should not expect any other service from the Government including security of life and property.

When there is a crypto crime, the victim should not ask for the help of the law enforcement. When you want to buy a computing device, do not expect any Government to support the demand and supply or pricing or raw material supply. Do not expect the Government to mine silicon and give it to the chip makers. Let the innovative technologist develop his own organic method of developing the innovative technology.

I am sure the innovators would not like this. They want all the benefits of a civilized society and then enjoy the freedom not to contribute to the society by way of taxes or otherwise. This is hypocrisy of the highest order.

…My advice to you and your fellow banker friends is innovate and find ways to compete with companies that seem to be doing what you are doing better than you.

My advice to all the “Destroy the traditional systems” people is that you find a way of creating and living entirely in the Meta Society, eating Meta Food, using Meta Currency, enjoying the Meta Economic system. Have as much chaos as possible in your “Alternativelife.com” as long as you do not want a cross society interaction with the Physical society.

If you want to have the benefits of cross society interactions, earn in Bitcoins and pay for your Physical, eatable Pizza in Sterling Pounds or INR, then respect the existence of the physical society and avoid trying to destroy it for your selfish reasons.

We the inhabitants of the physical society have a right to demand that technology cannot be used to destroy us. Just as scientific inventions are welcome to create a nuclear energy source but not for making nuclear bombs, innovation in technology is welcome as long as it is supportive of life in physical society and not when it is used as a destructive force.

The Crypto Currencies and the Ripple network of exchanges outside the Central banks of different countries and mixing of Private Crypto Currencies and legit currencies is a monstrous suggestion which needs to be dismantled before it starts destroying the world.

Naavi

P.S: Kindly note that my comments above are against the system of Private Crypto Currencies and the system of global exchange system that bypasses the Central banks. It is not directed at any specific company. A reference to Ripple is made since it is the center of discussion now as a suggested alternative to SWIFT in some circles.

I am an Ex-Banker. My views are only of academic interest. Do Current Bankers and RBI have any views on the above? If so… please share. If you remain quiet now, you will be pushed into oblivion.

(Comments are welcome)

Posted in Cyber Law

Calling attention of Bankers and Economists in India: Prevent this Financial Holocaust

To

All Bankers, Economists in India

Dear Friends,

I have been highlighting the ill effects of Bitcoins and Private Crypto Currencies through these columns and urging the Government to use the Crypto Currency Bill to ban all private Crypto currencies.

However, Crypto Currencies are the currency of the corrupt and corruption is all over our country and hence voices of people like us get drowned amidst the power of voices financed by corruption. Crypto Currencies have corrupted our Bureaucracy, politicians, businessmen and even the Judiciary. Hence it is difficult to expect that a rational decision would be taken by the Government on the Crypto Currency Bill.

As a result the Government is prevented from even presenting the Crypto Currency Bill in the Parliament.

Now I am seeing an even greater danger which can cause Holocaust or Pralaya in the financial systems. This is the emergence of Ripple and the Crypto Currency XRP.

While smaller Crypto exchanges are trying to make our Banks like SBI or ICICI Bank or HDFC Bank redundant and leading to their eventual closure, Ripple has set its sights on destroying the RBI and all other Central banks of the globe.

Ripple has set up a network of institutions which can send and receive money outside the network of SWIFT, which means outside the regulation of the Central banks. Since XRP is convertible to any private crypto currency, Ripple is already capable of providing a global exchange and settlement for digital black money. Once this settles down, the RBI would be redundant, FEMA would not work and the global financial system would accelerate to its death.

My views are based on being an Ex-Banker and I want qualified economists and Bankers of the day to take a serious look at the impact that can be caused by the Ripple system and how we can protect against this catastrophe.

This is as important as preventing global warming which can cause a watery grave for the earth. I feel that India is on the cusp of an opportunity to take global leadership in ensuring that the Private Crypto Currencies and the exchanges like Ripple are effectively neutralized through our own Crypto Currency law and setting up a global group of countries to prevent the financial holocaust.

Kindly respond before it is too late.

Naavi

Refer: JPC recommendation on SWIFT

Posted in Cyber Law | 1 Comment

JPC Recommendations on SWIFT Alternative: Out of scope and Disruptive of Global Economic System

One of the surprising inclusions in the recommendations of the JPC on PDPB is related to the SWIFT network. Recommendation 8 states:

“The Committee observe that data protection in the financial sector is a matter of genuine concern worldwide, particularly when through the SWIFT network, privacy has been compromised widely. Indian citizens are engaged in huge cross border payments using the same network.

The Committee are of the view that an alternative to SWIFT payment system may be developed in India which will not only ensure privacy, but will also give boost to the domestic economy.

The Committee, therefore strongly recommend that an alternative indigenous financial system should be developed on the lines of similar systems elsewhere such as Ripple (USA), INSTEX (EU), etc. which would not only ensure privacy but also give a boost to the digital economy.”

Clearly, this recommendation is extraneous to the subject on hand and the committee could have avoided this topic which was more appropriate for Cyber Security.

There was a section of the industry which was insisting that “Financial Information” should not be considered as “Sensitive personal Information”. At the same time, the MHA was highlighting the Cyber Crime investigative requirements which were being frustrated by some Privacy issues. This also would have surfaced during the discussions on Data Localization.

In this discussion on Cyber Frauds and need for enabling law enforcement to have investigative freedom, some recommendation has been sneaked in regarding “Alternate system for SWIFT” which otherwise is outside the scope of the JPC’s mandate.

It is true that most of the SWIFT frauds were associated with the identity theft of the officials authorized to operate SWIFT accounts, as in the case of the Bank of Bangladesh/City Union Bank frauds, or failure of basic information security principles, as in the case of the PNB-Nirav Modi case. But these were related to compromise of “Business Credentials” by Cyber Criminals and not directly related to “Privacy” of the Bank officials as individual data subjects.

It is therefore intriguing that the JPC was made to add this extraneous comment with the words “Strongly recommend”. This direction is addressed to the RBI and the Ministry of Finance and is not related to the implementation of PDPB 2019.

It is intriguing therefore to ponder why this extraneous recommendation was brought into this JPC report and whether there was some manipulative hand behind this recommendation. I consider that most of the members would not have recognized that this recommendation is related to the destabilization of the country’s economy which is being attempted through the discussions on the Crypto Currency regulation and not to PDPB.

I see a clear motive behind this recommendation to provide a support to the Crypto Currency system with this recommendation for dismantling of the SWIFT system and would like to draw the attention of the chairman of the JPC that the committee was perhaps misled into adding this recommendation in this report.

For example, the INSTEX EU was a Special Purpose Vehicle (SPV) created by a few members of the EU to ensure transactions with Iran outside the regular Banking system because of the US sanctions. Since SWIFT could not be invoked for transfers of money for these trades, an alternative to bypass the sanctions was devised through INSTEX. This is a limited private network for financial settlements for humanitarian aid to one country affected by the sanctions of the USA.

RippleNet is another system more directly related to bypassing an established currency exchange system by enabling a peer to peer money settlement system.

Ripple is a blockchain based exchange protocol which presently works for exchange of legit currency. But it is intended to be a monetary system which is decentralized as compared to SWIFT. It creates a layer of money transfer enablement outside the network of Central banks of different countries which SWIFT represents. Use of RIPPLE could violate FEMA but, like the Crypto currencies which violate the RBI act, would be adopted by many institutions as an alternative to the use of SWIFT. This system can support the Crypto Currency systems for international drug and arms trade more efficiently than the Crypto exchanges that prevail now. As a result the Crypto currencies would soon be added into the RIPPLE settlement system and it would become one big global financial system which will eliminate the role of Central Banks and behind that the currency system prevailing in the world.

Once the control of international monetary exchange is removed from the Central banks, the path would be clear to use the same network for exchange of the Digital Black money such as the Crypto Currencies.

Hence this recommendation of the JPC to provide respect to Ripple is a dangerous proposition about which most of the JPC members might not have been aware.

While legitimization of Private Crypto Currencies would destroy the economic system of one country, recognition of Ripple would at one stroke destroy the Global economic system as we know it.

This planting of the idea in an unrelated JPC discussion indicates that the proponents of “Global Economic Destruction System” have their tentacles in several places silently working on sabotaging the established economic system.

The RTGS/IMPS/UPI system used in India is a successfully working real time peer-to-peer settlement system within the regulatory structure of the Central Bank and can be extended globally within the control of the consortium of the Central Banks of the Sovereign Governments to address any inefficiencies of the SWIFT system. However the risks of Cyber Crimes remain whether the system of settlement is SWIFT or Extended RTGS or RIPPLE. Hence the recommendation to replace SWIFT with RIPPLE is a completely undesirable intrusion into the JPC recommendation and must be ignored.

It is necessary to red-flag this recommendation which fortunately has no relation to any of the amendments in the PDPB2019. Many of the Privacy activists may even fail to recognize the implication of this proposition in a JPC.

But let it be on record that Naavi.org is concerned about this inclusion of an anti-SWIFT recommendation in the JPC report on PDPB 2019. We consider Ripple a destructive mechanism for the Global Financial System and every effort should be taken to bring down the system as it could unite all the private crypto currencies into a monstrous system the impact of which cannot even be imagined. India now has an opportunity to outlaw Ripple as part of the Crypto Currency bill and we must take the lead to enlighten the world about the dangers of Ripple and Crypto currencies.

Naavi

Reference Articles:

Ripple pilots a Private Ledger for Central Banks launching CBDCs

The Future of CBDCs

The end of Privacy? Central Banks plan to launch digital coins

Why Governments are wary of Bitcoins

Is Ripple for real? A closer look at the company behind the third most valuable digital currency

Meet Ripple & XRP, Cryptocurrency for Banks

SEC Charges Ripple and two executives with conducting $1.3 billion unregistered securities offering

Ripple Vs SWIFT; Who is going to dominate Inter-Bank Money Transfers?


Posted in Cyber Law

JPC recommendation on Children Data

In designing the Data Protection regulations, problem areas have been

a) Deceased data principals

b) Legacy holdings of personal data

c) Personal data of minor children.

Having adopted “Consent” as a basic form of establishing lawfulness of processing, it is essential that the “Consent” itself should be lawful.

As we have repeatedly held, a “Consent is a contract” and its validity expires on the death of the person. Hence personal data of a deceased person moves out of the contours of a data protection law. This is also reasonable since the basic purpose of such legislation is to protect the privacy of a citizen of a country and I presume that it is not in the citizenship act to recognize a deceased person to have rights equivalent to a living citizen.

In the PDPA 2021, an attempt has been made to introduce a concept of “Nomination” wherein the data principal can record his instructions for handing over the personal data to the nominated person. The legality of such nomination would be debated separately by experts. At present, we consider that this is only an operational instruction and does not amount to legal inheritance of the deceased’s digital assets by the nominee. This issue needs a more serious consideration than what has been done now in the form of a minor modification of Section 17 (Recommendation 39).

This recommendation suggests that a legal heir or legal representative may be nominated by the data principal to exercise the right to be forgotten, or to append the terms of agreement with regard to processing of personal data in the event of death of such data principal.

This provision is ultra-vires the ITA 2000 and survives only because DPA 2021 is a more recent special law. But it presumes that “Data” is a “Property” the rights of which survive death and can be transferred to another person. Section 17(4) does not specifically mention that the right is limited to carrying out some duties towards bringing back the data asset for the use of legal heirs and not to enjoy the benefits of the data by the nominee.

Further “Right to Processing of data” by consent is like transfer of a “Right to use” for a limited purpose and similar to an “Assignment”. The nomination is therefore an exercise of the right of assignment already exercised. This clarity is also not present in the amendments.

However, presence of 17(4) does provide an outlet for data of deceased persons to be brought to open.

On the treatment of legacy holding of personal data and how to handle it after the new act comes into effect, the recommendations are not clear.

However, an indication of the thinking of the committee is available in the suggestions related to the handling of the consent in respect of children. While the consent for a child (person of less than 18 years of age) is to be obtained from the parent, 3 months before the person attains majority, the Data Fiduciary should start making an attempt to get a fresh consent from the erstwhile minor. But this consent can be obtained effectively only after the minor completes 18 years. Hence sending a notice 3 months in advance can only serve to prepare the parent to give up his consent.

In the contingent event that no renewal of consent is received, the section 17(4) DPA 2021 suggests that the “Discontinuity of service should be avoided”. This is a contradiction since this would mean that the consent provided earlier would continue to be held valid even after the minor attains majority and not specifically opted in.

This however may be considered as a practical decision to ensure that “Mere silence” of the minor should not be considered as “Withdrawal of consent”.

If this principle is extended to cases of personal data collected and processed before the law comes into existence, it appears that there is a case to argue that

“In the case of legacy personal data in which valid consents are available from data principals (though under a notice issued prior to DPA 2021), a notice for renewal with a new notification has to be sent, and after three months, if there is no opt-out request, the processing may continue”. … (This is only an interpretation of Naavi)

We can wait to see whether the DPAI gives any clarity on this interpretation.

Naavi

Other articles on DPA 2021

14. PDPA 2021: Concept of Discovery Consent

13. JPC Recommendations on SWIFT Alternative: Out of scope and Disruptive of Global Economic System

12. JPC recommendation on Children Data

11. JPC recommends DPA to watch on Incident Register

10. JPC comments beyond the Amendments-2: Implementation Schedule

9. JPC comments beyond the Amendments-1-Priority of law

8. Clarifications from the JPC Chairman on DPA 2021

7. Anonymisation is like Encryption with a destroyed decryption key 

6. PDPA 2021: The data breach notification regarding Non Personal Data

5. PDPA 2021: The Data Protection Officer is now in an elevated professional status

4. PDPA 2021: The nature of Data as an Asset and nomination facility

3. PDPA 2021: Regulating the human perceptions

2. PDPA 2021: Definition of Harm to include psychological manipulation

1. PDPA 2021: Should Big Data and Data Analytics industry be worried?


JPC recommends DPA to watch on Incident Register

One of the recommendations (Recommendation 4) of the JPC regarding DPA 2021 is that the “Authority should ask the data fiduciaries to maintain a log of all data breaches (both personal and non-personal data breaches) to be reviewed periodically by the authority, irrespective of the likelihood of the harm to the data principal.”

This provision means that the Incident Register maintained by the Data Fiduciary should be made available to the DPA from time to time. Since the normal Incident register of an organization may contain many issues which cannot be classified as “Data Breach”, it becomes necessary to maintain the incident register separately for “Data Breach Incidents” and if possible “Personal Data Breach Incidents” separately from “Non Personal Data Breaches”.

The possibility of the DPA having access to the Incident register could mean that if there is a delay between “Getting the knowledge of a data breach” and “Reporting of the data breach”, the DPA may be able to penalize the company. The committee suggests that if harm is caused on account of the delay in reporting the breach, the data fiduciary would be responsible. However, in the event the data breach occurs despite precautions and arises out of business rivalry or espionage, the DPA may consider a temporary reprieve to the data fiduciary regarding reporting of the data breach to the data principal.

While the suggestion of the committee on the sharing of the incident register is appreciated as a measure to ensure prompt reporting, the practicality of the DPA being able to make proper use of this “incident Watch” for the thousands of data fiduciaries coming under its watch is a challenge to say the least. At best these become issues to be considered when there is a data breach report to be investigated.

If we remember, under the CERT-IN guidelines for Cyber Cafes it was stated that monthly reports of the Cyber Cafe server activity have to be shared with the authorities. But it remained an impossible provision, completely forgotten by all. This “Incident Report” to be shared with the DPA is also likely to be one such non-starter.

However, since this is not part of the actual act, it remains a part of the wish list and is unlikely to be implemented.

Under Recommendation 2 it is suggested that the DPA will consider regulations on Non Personal Data to be issued in due course. However, for several more years it is unlikely that the DPA will be able to catch up with the burden of regulating personal data and the multitude of regulations that need to be issued from time to time. Hence there would be no time for the DPA to consider regulations on Non Personal Data, and the “Non Personal Data Regulation” is likely to remain only an empowerment for the time being, not likely to be taken up in the first two or three years.

( To be continued…)

Naavi
