ITA 2000/8 compliance is like the seat belts for the rear seats… Use them to avoid the risks…

Indians have been given a tragic reminder that car passengers not wearing seat belts in the rear seat are vulnerable to the risk of fatalities in an accident. While we express our regrets on the recent tragedy in which the precious life of Mr Cyrus Mistry was taken away, and with due respect to the departed soul, we cannot but remind ourselves of the parallel in the Data Security scenario in India in terms of compliance.

For organizations trying to cover themselves against the risk of regulatory backlash due to non-compliance with data protection laws, GDPR compliance was like the driver’s seat belt: they were fully aware of the need for it and were trying to comply.

PDPB 2019 compliance was like the front passenger seat belt, about which people were aware and which they were starting to use.

But just as rear seat passengers never thought it necessary to wear seat belts since they did not perceive the risk, Indian industry does not consider ITA 2000/8 compliance or CERT-In guidelines compliance as requirements it should take seriously.

I hope they realize that sometimes non-compliance with ITA 2000/8 and the CERT-In guidelines could lead to serious injuries, and start wearing the compliance seat belts from now on.

Naavi

Posted in Cyber Law

Policy Bazaar data breach… Implications for the New Data Protection Act-NPDAI-15: Shape of Things to Come

P.S: This series of articles is an attempt to place some issues before the Government of India, which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect.

In our continued discussion on “The Shape of Things to Come”, we have so far discussed the following.

1. Introduction
2. Preamble
3. Regulators
4. Chapterization
5. Privacy Definition
6. Clarifications-Binary
7. Clarifications-Privacy
8. Definitions-Data
9. Definitions-Roles
10. Exemptions-Privacy
11. Advertising
12. Dropping of Central Regulatory authority
13. Regulation of Monetization of Data
14. Automated means

We now proceed further…


Naavi.org has speculated many times that the opposition to the passage of Data Protection legislation in India comes mainly from those companies which are interested in “Data Laundering”. They are afraid that if the law comes in, they will find it difficult to continue their present practice of transferring data abroad for their commercial benefit.

This opposition is directed at:

a) Data localization, or even keeping a copy locally

b) Ensuring the absence of malware in data processing devices and software

c) Maintaining KYC of subscribers to VPN-type services

The Policybazaar data breach, as reported at the420.in, highlights why all three of the above requirements have national security implications.

The Policybazaar data breach is reported to have exposed the data of 50 million customers, and the data involved includes sensitive and super sensitive data.

Some of the data exposed includes:

– customers’ photo, full name, date of birth, complete residential address, email address, mobile number, credit report, PAN number, policy details including nominee details, family members’ policy details, bank account statements, income tax returns, passport, immigration visa, records of country entry and exit, Aadhaar card (both sides), driving licence, health records, payslips

– sensitive details of defence personnel who are Policybazaar customers

– copies of customers’ past policy documents

– copies of customers’ birth certificates

– copies of customers’ vehicle registration certificates

In the case of defence personnel, the data breach may include data of the following kind:

– Details of which specific branch of the Indian defence forces someone is in, such as the Indian Army, Navy or Air Force, and even specifics of whether someone is in one of the Indian special forces such as the SPG, Black Cat commandos, CoBRA or the Anti Terrorist Squad.

– Current rank and designation in that defense force

– Current location of posting (which is very confidential many times)

– Details if someone is engaged in any hazardous activities, e.g. aviation, diving, parachuting, bomb disposal or special service groups, and length of service in those roles.

– Specific nature of role

– Details of whether someone in the Indian defence forces is currently serving in, or is under orders to proceed to, any troubled area or the border areas of India

– Details of whether someone handles weapons or explosives and, if yes, details of such weapons and explosives.

It is needless to say that the data breach has a national security angle, particularly since the company is funded by Chinese investors and this information is of interest to the Chinese Government.

We had earlier pointed out the “Data Laundering” arising out of the acquisition of CIBIL by TransUnion. The present data breach in Policybazaar is another instance where data laundering might have occurred through a deliberate back door. We have also pointed out earlier the China risk in the telecom sector, Manchurian chips in POS machines, motherboards from China, etc.

It is now time to check whether this Policybazaar data breach is also a case of Data Laundering. If “Data” is money, “Data Laundering” is also “Money Laundering”. We need stringent provisions in our Data Protection law to prevent such occurrences and to take stringent action if such incidents take place.

In the light of the new Data Protection Act being designed, the incident indicates that the following provisions should be considered.

a) The provision for data processing devices and software to carry an assurance certificate that they do not contain any malware (refer Section 49(2)(o) of PDPB 2019) should not be withdrawn as demanded by some Big Tech companies.

b) The estimated value of the data assets of an organization being acquired in a merger or acquisition must be disclosed to the authorities, including the DPA.

c) While processing of personal data during mergers and acquisitions may be exempt from consent as provided under Section 14 of PDPB 2019 (now withdrawn), the continuation of the processing by the merged entity must require a notification to the data principal and an option for opting out. 

d) Failure to inform the data principals of the transfer of beneficial ownership of the Data Fiduciary to a new entity must be considered as an attempt for Data Laundering and it should be one of the criminal offences that should be recognized under the Act.

Naavi


P.S: These discussions are presently for debate and are a work in progress awaiting more inputs for further refinement. It is understood that the Government may already have a draft and may completely ignore all these recommendations. However, it is considered that these suggestions will assist in the development of “Jurisprudence” in the field of Data Governance in India, and hence these discussions will continue until the Government releases its own version for further debate. Other professionals who are interested in participating in this exercise, and particularly Research and Academic organizations, are invited to participate. Since this exercise is too complex to institutionalize, it is being presented at this stage as only the thoughts of Naavi. Views expressed here may be considered as the personal views of Naavi and not those of FDPPI or any other organization that Naavi may be associated with.


The Shape of things to come-14: Automated Means of Processing and Automated Decision making

P.S: This series of articles is an attempt to place some issues before the Government of India, which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect.

In our continued discussion on “The Shape of Things to Come”, we have so far discussed the following.

1. Introduction
2. Preamble
3. Regulators
4. Chapterization
5. Privacy Definition
6. Clarifications-Binary
7. Clarifications-Privacy
8. Definitions-Data
9. Definitions-Roles
10. Exemptions-Privacy
11. Advertising
12. Dropping of Central Regulatory authority
13. Regulation of Monetization of Data

We now proceed further…


Automated Processing and Automated Decision Making are two concepts which need some clarity in the law.

In the PDPB 2019, the term “automated means” was defined as under.

Section 3 (6) “automated means” means any equipment capable of operating automatically in response to instructions given or otherwise for the purpose of processing data;

One of the operational sections referring to “Data which is processed through automated means” is Section 19 which refers to Data Portability.

This section was as under.

“Section 19: Right to Data Portability

(1) Where the processing has been carried out through automated means, the data principal shall have the right to—

(a) receive the following personal data in a structured, commonly used and machine-readable format—…”

As against this use of the term “Automated Means” in India, which applies to all forms of processing by the use of computer devices, Article 22 of GDPR refers to “Automated individual decision-making, including profiling” and states as under.

1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

We can observe that GDPR refers to “Automated Decision Making” while PDPB 2019 referred to “Automated Means of Processing”. These two are different. The Indian definition covers all forms of processing using a computer device, while the GDPR definition is restricted to situations where the processing leads to a decision which may have some consequence for the data subject, such as providing or rejecting a service or changing the profile of a person to reflect an adverse view.

It is necessary to clarify both terms distinctly.

This is important even for the discussion on whether “personal data disclosed to a computing device but not to a human” should be considered a “Disclosure” or not, which we discussed in our earlier article on “Definition of Privacy”, where we added an Explanation as follows:

“Sharing” in the context above means “making the information available to another human being in such form that it can be experienced by the receiver through any of the senses of seeing, hearing, touching, smelling or tasting of a human in such a manner that the identity of the individual to whom the data belongs may become recognizable to the receiver with ordinary efforts”.

In the above definition, we specified that only when personally identifiable information is viewable by a human being would it be considered a “Disclosure”. If the information is processed by an automated system which produces an output that does not contain personally identifiable information, the processing is an “Anonymized Processing”. Such processing is a combination of two processes, one of which is “Anonymization”, but both occur within the combined process so that no human views the output in an identifiable form.

The essence of the definition was that such processing did not require explicit consent and could be undertaken by the processor as part of his legitimate interest.

There is a parallel instance in the general legal environment also which we refer to as “Privileged Information”. Certain information disclosed to a Lawyer or a Doctor is considered as “Privileged Information” and is not disclosable to others under a special confidentiality agreement recognized in professional law and ethics.

Similarly information disclosed to a “Process” may be considered as “Privileged Communication” and should not require specific consent even when it contains identifiable information. However, the “Process” is not empowered to disclose the identified information after processing. In the human scenario, the compliance is left to the integrity of the individual while in the case of a process, the compliance is a factor of integrity of the software which can be audited at code level and certified or a suitable assurance provided.

The concept of “Privileged Communication” can be extended to parts of “Legitimate Interest Disclosure” such as when identifiable personal information is disclosed to law enforcement personnel.

With this in view the following definition may be added in the definition clause.

Automated Means:

“Automated means” means any equipment capable of operating automatically in response to instructions given or otherwise for the purpose of processing data;

Automated Decision Making:

“Automated Decision Making” means a process through which a decision is arrived at without any human involvement as part of the process.

Privileged Communication

Privileged Communication means disclosure of identifiable personal information to another human or a device with enforceable restrictions on further disclosure of the information in a processed form to another human being.

Explanation:

Disclosure of identifiable personal information to a technical process which processes the information and creates an output in anonymised form is a privileged communication to the device.

Disclosure of identifiable personal information or de-identified or pseudonymised information to another human being such as a law enforcement person with an enforceable further restriction of disclosure in identifiable manner is also a privileged communication.


P.S: These discussions are presently for debate and are a work in progress awaiting more inputs for further refinement. It is understood that the Government may already have a draft and may completely ignore all these recommendations. However, it is considered that these suggestions will assist in the development of “Jurisprudence” in the field of Data Governance in India, and hence these discussions will continue until the Government releases its own version for further debate. Other professionals who are interested in participating in this exercise, and particularly Research and Academic organizations, are invited to participate. Since this exercise is too complex to institutionalize, it is being presented at this stage as only the thoughts of Naavi. Views expressed here may be considered as the personal views of Naavi and not those of FDPPI or any other organization that Naavi may be associated with.


Compliance Management Rating for CERT-In Guidelines (CMR-CERT-IN)

In the absence of the Data Protection Authority envisaged under the PDPB 2019 (since withdrawn), the regulation of Data Security under the general provisions of Information Security in the Information Technology Act 2000, as amended in 2008, assumes greater importance. Though MeitY has also indicated that it would like to revise ITA 2000/8, we presume that they would not scrap ITA 2000 before a new law is passed, as they did in withdrawing the PDPB 2019.

Hence until the new “Comprehensive” and “Perfect” “Digital India Act” (NDPAI) is passed into law and notified, ITA 2000/8 will continue to be the ruling law on Data Protection in India, and compliance with ITA 2000/8 continues to be a requirement for all IT users.

ITA 2000/8 has three regulators namely “Adjudicators appointed under Section 46 of ITA 2000”, “Director General- Indian Computer Emergency Response Team” designated under Section 70A of ITA 2000/8 and the Police as per powers under Section 80 of ITA 2000/8.

All these agencies have suo motu powers of investigation. The Police have powers in respect of cognizable offences. CERT-In has a duty to monitor national cyber security and therefore the accompanying suo motu powers. Though Adjudicators normally start acting on the basis of a complaint from a cyber crime victim, they also have suo motu powers under the MeitY notifications if they choose to exercise them.

Hence all IT organizations who may be feeling comfortable with the withdrawal of PDPB 2019 may be under a false sense of security. ITA 2000 has more powers than what was envisaged under PDPB 2019 for the Data Protection Authority, since ITA 2000 applies to the handling of both personal and non-personal information, whether sensitive or otherwise, and covers both civil penalties and imprisonment. Penalties may not be expressed in terms of 4% of global turnover, but there is no upper limit. At the same time, criminal punishments can go up to life imprisonment.

Hence compliance with ITA 2000/8 becomes more onerous than compliance with PDPB 2019.

In the light of the above, the recent CERT-In guidelines assume greater importance, since they indicate that the sleeping giant called CERT-In might have woken up to its duties, responsibilities and powers.

We therefore consider it necessary for organizations to work on compliance with ITA 2000 in general and the CERT-In guidelines in particular; both are essential for compliance in corporate circles.

Naavi and Ujvala Consultants Pvt Ltd are therefore working on a framework for Compliance Rating under the CERT-In guidelines, similar to the DTS-GDPR and DTS-DPA 2021 which had been released earlier under the Data Protection Compliance Standard (DPCSI).

The details will be published shortly. The rating will be called CMR-CERT-IN.

Special Note

We would like to emphasize that this is a voluntary exercise from Naavi and that CERT-In has no role as an organization in this CMR development.

Naavi/Ujvala does not have any accreditation with CERT-In for this purpose. However, compliance is a voluntary exercise, and we hope and believe that CERT-In should be happy if organizations start complying voluntarily without the wielding of the stick by CERT-In.

A good rating under this scheme does not legally mean compliance with the CERT-In guidelines, though it is meant exactly for that purpose.

It may be noted that Naavi has been the Compliance evangelist since 2000 and had floated the idea of CERT-In in private sector 4 years prior to the formation of CERT IN as a division of the Ministry of IT.


How NFTs can be used for “Wash Trading”

The new avatar of Black Money and Corruption is NFTs and Crypto Currencies. The Metaverse as a technology platform is also being used to promote NFTs and Crypto Currencies, just as the Blockchain platform is.

This is for the attention of those conspirators who are trying to get Crypto Currencies and NFTs legitimized through the “Technology Innovation” argument, and to draw the attention of Mr Narendra Modi to the fact that his fight against Black Money is not complete without taking it to Digital Black Money.

Here is an interesting article from the Chainalysis blog on NFTs and how they can be used for money laundering.

https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-nft-wash-trading-money-laundering/

Naavi


IRCTC Innovation Curbed out of Ignorance and Media Pressure

IRCTC has many customer complaints, and even the undersigned has pointed out several deficiencies in their services, sometimes on this website itself. However, this does not mean that we need to oppose whatever IRCTC does.

We therefore need to highlight that IRCTC has been unfairly targeted in the last one week and its attempt to consider “Data Monetization” was nipped in the bud.

It was not surprising that the Government, which recently withdrew the Privacy Bill for irrational reasons, perhaps under the pressure of vested interests, wanted to put up a show that it has “Privacy Concerns” and pressurized IRCTC to withdraw the tender to find a consultant for exploring data monetization.

It was amusing that the reason given for the withdrawal was that the Privacy Bill had been withdrawn. Since IRCTC is under the Ministry of Railways and there is a common minister for Railways and IT, Mr Ashwini Vaishnaw did not want the controversy to snowball into a discussion on the irrational withdrawal of the Bill.

If the Government was really concerned about the Privacy, it would not have withdrawn the Bill in the first place. Even if it wanted to withdraw, it could have kept the bill hanging and replaced it with the new Bill in one shot so that the pressure for compliance on the industry would have kept up.

But the Ministry chose to withdraw the Bill with a promise that a new bill will be introduced, which nobody believes.

What IRCTC tried to do was to explore the possibility of generating revenue out of its data assets. Part of the tender (Project A) was for conducting a study on monetization possibilities. It was only the second part (Project B) which had the implementation of the project on BOT basis where there was a possibility of data being shared with the implementation partner.

A more logical approach could have been to defer Project B and continue with Project A only.

It is the duty of every data-rich organization to know the value of its data assets and to generate revenue for its shareholders. In the case of public sector organizations, the duty is to protect a sovereign asset and ensure that Government assets are harnessed for the benefit of the people of the country.

Today there are thousands of Public Sector organizations which have vacant lands, unused buildings and surplus manpower, all contributing to a national wastage of resources. In the same vein, the non-harnessing of data assets is also a criminal wastage of national resources. Harnessing of data does not mean infringing the privacy of individuals. It may involve the use of non-personal data or anonymized (not de-identified) personal data.

We are all aware that hackers target Government agencies for stealing data just as they target Banking organizations for stealing money. The reason is that criminals know where the valuable data assets reside.

The Privacy activists who are today objecting to IRCTC’s efforts to study the monetization possibility include agents of those commercial organizations who want exclusive rights to exploit citizens’ data for themselves and do not want the Government to make money from the same assets.

The journalists who do not understand the intricacies simply use words such as “Selling of data” without understanding the difference between “Monetization” and “Selling”. We have pointed out earlier that in the case of the UIDAI tender for “Social Media Monitoring”, even the Supreme Court came out as an ignorant body and shot down a proposal for “Reputation Management”, mistaking it for “Surveillance”.

The same Supreme Court or the Standing Committee of Parliament, Privacy Activists and the Journalists, as well as the ED or CBI, were nowhere to be seen when Naavi.org highlighted how CIBIL data worth lakhs of crores of rupees was transferred to the custody of a foreign company.

Where were these agencies when Naavi.org pointed out how NFTs and Crypto Currencies could be used for money laundering or how the JPC on PDPB went out of the way to recommend Ripple over SWIFT?

If these agencies had really understood how money laundering can occur through “Data Laundering”, they would have acted swiftly when NCLT declared Net4India insolvent despite over Rs 100 crores of data assets being in its possession, or when Banks transferred their shareholdings in CIBIL to TransUnion, resulting in the shift of 500 million sets of sensitive financial data of Indian citizens which had been provided to CIBIL under trust as a financial agency with a responsibility to reduce NPAs in the country.

The IT Standing committee summoning IRCTC on the tender issue and IRCTC chickening out of the project indicates that these agencies have no appreciation of the value of data.

The study under Project A of the tender would have established a method of identifying the value of data and in the process would have opened the eyes of IRCTC that their present data protection efforts are not commensurate with the risks. This opportunity was lost with the complete withdrawal of the project.

If a custodian of a valuable asset thinks the asset is worth Rs 100 whereas its real value is Rs 1 crore, the effort spent on securing it will fall short; knowing the real value makes the security effort that much more robust. For this purpose every data-driven organization must be aware of the value of the data in its hands. Hence this exercise would have opened the eyes of the IRCTC management, and of the Government in general, about how to discover value in Data. This would have ushered in a revolution in Data Governance practices in the Government.

Now what has happened is that this “Value of Data” is known only to organizations like Facebook and Google, and others have lost an opportunity to understand the treasure that is hiding behind the walls of ignorance in IRCTC and elsewhere.

I am reminded of an earlier incident when Google offered Mysore University free scanning and digitization of all the ancient scripts in its library, without realizing that sharing the data with Google is like how the British looted the palm leaves from the Tanjavoor temples when they left the country. I will now not be surprised if Google- or Facebook-associated Data Science companies approach IRCTC and offer a “Free Service” for “Data Re-organization” outside the need for a tender (since it is a free service) and get access to all this data.

We know that the Ministry of Finance is trying to privatize NPCI the same way CIBIL was sold out. Hence there is every possibility that a similar “Acquisition strategy” would be mounted by some interested Big Data Company to take over the data assets of IRCTC in a different manner.

I anticipate and forecast that there could be “Privatization” thoughts floated by the vested interests to assume control over IRCTC data assets through share acquisition. We note that TransUnion started as a 10% shareholder in CIBIL for its data science expertise and raised its shareholding from 10% to 92.1% through private share deals with the Indian Banks. Similarly, some Big Data entity can get into IRCTC with a minority shareholding to help it improve its data-related revenues and later quietly buy over the shares (in the CIBIL issue, it was TransUnion).

The same journalists who are now objecting to the IRCTC tender, which was a transparent way to find out the value of its data assets, will remain silent when such plundering of Indian national assets takes place.

We must remember that even Mr Arnab Goswami ignored the CIBIL data loot and his competitors also did not spot the opportunity for breaking news. It is unlikely that they will now flag the possible ulterior motive in stopping the IRCTC data monetization project.

Naavi

Also refer:

“Supreme Court Slams UIDAI”.. Is it a fake news created by Economic times?

Regulation of Monetization of Data in NPDAI and IRCTC issue: Shape of Things to Come..13 (Monetization)

IRCTC Should not become another scam like CIBIL

Vidwat Sabha on IRCTC Issue
