Open Letter to Minister Ashwini Vaishnav

To Honourable Minister of IT, Government of India, New Delhi

Dear Sir

I refer to the Business Standard news today stating that the DPDPA rules are expected in another month; my first reaction was that this could be fake news. Refer here:

We have heard this “One Month” phrase so many times, and this time it comes with the extension of the public consultation period from 30-45 days to 45-60 days. Any AI news robot can generate such news articles periodically, and we feel this could be one such AI-created news item.

If MeitY is expecting that Meta, Amazon or Google will give their approval before MeitY releases the draft, I am afraid it will never happen. Probably their head offices will not approve the draft till their Presidential elections are over. We have waited for our elections to be over, and now we have to wait for the elections in the US to be over.

I am also not aware why MeitY tries to consult the same companies who file cases against MeitY for any rule or law published. It is a shame that we see the lawyers of Facebook and WhatsApp challenge the Intermediary Guidelines in the Court in the morning, and MeitY invites them in the afternoon for discussions on the next set of rules under DPDPA, which we know they may challenge in the Court.

It is a tragedy that there is a feeling that MeitY lacks self-confidence about its capability of functioning without consulting the vested interests.

Kindly change this perception.

We as professionals are embarrassed at the procrastination, which was the hallmark of the MMS Government, and we do not want it to be inherited by Modi 3.0. You were once a professional, and I hope you would understand our predicament when we interact with peers from other jurisdictions. I suppose you are as embarrassed, if not more, to say again and again that the rules will come next month.

We have lost all our excuses for why the Modi Government has been unable to give effect to this law since 2018. Kindly give some reasons for the delay rather than giving new timelines.

Naavi

Posted in Cyber Law

Do we Need a “Sandbox Law”?

It is a common adage to say that “Law is always behind the Technology”, and also to add, “like the traditional Hindu wife”. But all of us know that the “Tradition” has changed. The modern wife drives the bike while the husband sits on the pillion. DPDPA refers to “she” and “her” instead of the traditional “he” and “him” when referring to an individual by pronoun. This is an indication that times have changed and we need to change with the times.

In the field of law, we used to recognize that “Ethics” comes first and is converted into “law” in due course. Today we have the concept of “Due Diligence” built into many laws, which is nothing but “Ethics” as “self-adopted law”.

Practitioners of Technology, however, defy “Ethics” and support the concept of “Innovation” at any cost. Technologists want to be exempted from legal bindings so that they can “Innovate” without hindrance. This attitude breeds trouble, which we have called “Technology Intoxication” in the past.

One compromise solution that the industry has developed at present to prevent the adverse effects of a bad software release is to enable a “Sandbox” where new software can be tested in a controlled environment before it is released to the public.

Despite the availability of this “Sand Box” concept and “Beta Releases”, which were a norm earlier, it is common to see that software normally carries “Zero Day Vulnerabilities”.

Some organizations try to provide “Bug Bounty” programs so that vulnerabilities observed after release can be reported, rewarded and corrected. However, there are many companies who do not show even this courtesy.

Also, the rewards of Bug Bounty programs are not good enough to meet the competition from the hacking community, where vulnerability information is sold on the dark web for a much larger value than the Bug Bounty rewards.

In this context, the time has come to discuss whether there should be a mandatory sandbox routine before any software is released to the market for direct consumption by consumers. “Beta Testing” cannot be an option; if it is, it will always be abused or neglected.

Hence we need to debate a suggestion to create a new “Sand Box Law” to mandate that every software product has to go through a “Sand Box” cooling period. It will be necessary for this purpose to create the required infrastructure, both by the Government and by the industry.

In the case of software which is used by the industry as a B2B product, the responsibility for vulnerabilities should be borne by the user (buyer or licensee), who can get himself indemnified by the developers.

The Consumer protection laws need to be strengthened for this purpose if required.

Advent of AI

Now, with the advent of AI, we are aware that all Cyber Crimes have started using AI to make the crime more sophisticated. The information on the Internet today has become completely unreliable since fake news is becoming extremely common. Whether it is political news or war news, nothing seems to be true unless otherwise proved. This is a very sad state of affairs.

India is now considering regulation of AI. Hence this is the right time to consider whether the concept of “Mandatory Sandboxing” should be extended to the AI law.

The Government of India has already given an advisory that AI developers and users need to register with the MeitY. But probably this has been ignored by the industry.

The consequences of not complying with the advisory would become a “Lack of due diligence” and loss of “Section 79-ITA 2000” protection or “Non Compliance of the obligations of a data fiduciary” under DPDPA 2023.

To make the law more effective, the deterrence available under the laws needs to be highlighted in such a context. ITA 2000 has criminal provisions and, depending on the adverse consequence, an AI user organization and the AI developer organization may be liable for up to life imprisonment, which can be extended to the executives of the organization. Simultaneously, the civil penalties under both ITA 2000 and DPDPA 2023 may also become effective.

We suggest that instead of Naavi.org releasing the note of warning, CERT-In should release a notification in this regard. We can then expect that the industry takes note of this provision. People say that unless there are at least a few cases of imposition of penalties, the industry will not respect the law, and therefore CERT-In should order prosecution in some cases so that people become aware of their responsibilities.

Call for a Debate

I therefore call for a debate on how “Innovation can be bound within a mandatory Sandbox law”, with severe penalties, both civil and criminal, for the consequences arising out of software.

I also call for a debate on penalizing and punishing those security researchers who identify a vulnerability and sell it on the dark web instead of handing it over to the company while simultaneously reporting it to the authorities.

In such cases, the Government itself should impose penalties, which should be shared with the security researchers as “Incentives”; this should reduce the incentive for selling the same on the dark web.

I am certain that this thought will be considered revolutionary and perhaps even revolting. But the need for ending the irresponsible behaviour of software developers, who have today converted the internet into a large fake-information factory which is percolating into AI software because of machine learning, is urgent.

If this is not controlled, AI will kill whatever little trust remains in the Internet. Just as people deride the “WhatsApp University”, the time is not far off when people start deriding the “Google University”.

The software industry should, for its own existential reasons, become more responsible and stop claiming that “Innovation is our job, protecting the Society is somebody else’s job”.

Innovation that hurts society has no place and has to be thrown out, if not voluntarily, then by a new set of laws.

Let’s Debate.

Naavi

Posted in Cyber Law

Time for Professional Transformation-1

Professional life is dynamic. We need to keep running even to stay in the same place. At different points of time in our professional life, opportunities pass by. If we are wise, we catch the opportunities. Otherwise they will fly past and we will be only spectators.

One such important change is coming to the professionals who are today thriving as Legal Eagles, Information Security Titans or Veteran Auditors. If we don’t recognize it, we will be overtaken by others.

DPDPA 2023 is that key opportunity that is flying past us. If it hits us when we are not prepared, it can destroy us. If it flies past as we look on, we stay where we are while the rest of the world moves forward. If we can take a ride on the opportunity, we will perhaps see a new world ahead.

It is now one year since DPDPA 2023 became law. Many of us have faith that the MNCs will lobby with the Government and delay the implementation further. But… are we sure? Will Mr Jitin Prasada oblige Meta, Amazon and Google and delay the already delayed notification of the rules?… It does not seem likely.

It is strongly believed that the draft rules, modified with all the new changes suggested by the industry, are getting ready to be released.

Be with FDPPI to be among the early starters into the world of DPDPA 2023.

Naavi

Posted in Cyber Law

DPDPA 2023 Discussion held at MMA Chennai on August 24, 2023

Dear Friends

Last year, we held an event at Chennai on August 24, 2023 in which we discussed DPDPA 2023 just after it was passed on August 11, 2023.

The discussions held on that day are relevant even today, and hence we are re-publishing the same here for reference.

In the meantime, even after one year the rules are yet to be notified. We expect the rules to be officially notified any time during this week.

However, a few weeks back, the MeitY had discussed a version of the rules with select industry players, which indicates roughly the thoughts of the Ministry. The organizations which had privileged access to this document were the likes of Facebook (Meta), Amazon, Google etc., who are all globally renowned for their business. The passage of the law will definitely impact these organizations adversely, and hence there is a vested interest for them to delay the implementation of the law and dilute it to the extent possible. These MNCs are also those who will go to the Court immediately to challenge the law and the notification. But the MeitY trusts them by sharing the draft rules with them, with the hope that there will be a consensus.

Unfortunately, there is unlikely to be any consensus, and the “Non Privileged” part of the industry, the organizations who will really comply with the law, are waiting for the law endlessly with the fear of the “Rs 250 crores” penalty hanging over their heads.

In this context, this copy of “Business Mandate”, the magazine of MMA, to which I had the privilege of contributing a column a long time back, and a video of the panel discussion that captures DPDPA 2023 as an Act, are available here.

On July 27, 2024, FDPPI conducted an event in Bangalore where the draft rules referred to above were discussed with industry leaders, and feedback from the industry was gathered and submitted to MeitY with the hope that some of these suggestions can be incorporated in the rules when notified next for public comments. The program was a paid event, and the entire proceedings are available in video form in FDPPI’s Jnaana Bhandar, which is available on a subscription basis.

I invite professionals to subscribe to this Jnaana Bhandar and also join the community of FDPPI as a “Member” so that they can contribute to the developments in Data Protection in India. FDPPI is a participative movement in which every data protection professional should participate. Whether you are a designated DPO or not, whether you are just a Lawyer interested in Privacy, a Manager worried about Data Governance or a Technology person in the Information Security area, FDPPI is open to participation.

You can download the Membership brochure here: You can also visit www.fdppi.in for more information.

Naavi is now recording a separate video of his views on the draft rules, and it will be available here shortly. The objective is to keep professionals ready to pass proper comments when the Government wants their views.

Naavi

Posted in Cyber Law

Invite Influencer Titans to be also Guardians of Privacy

Recently, Mr Gaurav Batra, Founder & CEO of CyberFrat, brought together 100 professionals as “Influencer Titans” under the banner of CF 100.

This unique group consists of Lawyers, Police Officers, Information Security Professionals, etc.

It is the desire of FDPPI to invite this entire team to also be the “Guardians of Privacy”, so that they can exercise their influence in the emerging field of Data Protection.

Towards this end, FDPPI would like to organize a Grand Round Table of all these professionals and discuss certain key differentiators for being “Guardians of Privacy”.

Watch out for more information on this.

Naavi

Posted in Cyber Law