The Lawyers' perspective of DPDPA and the Nachiketa Debate

Yesterday, I had an opportunity to experience the perspective of Law Students on the DPDPA in the Moot Court Competition held by KLE Law College, which discussed the issues of a data breach, how the lawyers could argue the incident in the Court in days to come and how the Judges may react.

I am not fully aware of the problem statement, but it was clear that the problem was that there was a website providing medical services belonging to the Government sector where a breach of the personal data of customers was observed through an AI algorithm used by the payment gateway. The arguments centred around the compensation payable to the individuals whose personal data was lost and the liability of the website.

It was good to see many interpretations of the provisions of the Act presented by the students which represented the investment they have made in understanding this new law.

However, many of these interpretations appeared to need correction, as otherwise the data protection Jurisprudence may get corrupted in the near future.

In particular, it was amusing to see the tendency of the community to use the Section 35 exemption from personal prosecution of Government officials as a ground to ask for the scrapping of the section, like the scrapping of Section 66A of ITA 2000.

We have repeatedly pointed out that this decision of the Supreme Court arose because of a misinterpretation of the term “Transmission” of electronic information as “Publishing” of electronic information and a desire of the Supreme Court to show its power by scrapping a provision instead of helping in clarification through a “Reading down” of the provision.

Law students should realize that their glory is not in scrapping a law enacted by the Parliament but in bringing clarity to the law. Even the prayer to the Courts in such cases should be for improving the system rather than bringing down the system. Perhaps even the Courts need to appreciate this.

The community appears to be misinterpreting DPDPA and focussing on being critical of the administrative powers of the DPB rather than focussing on the basic objective of the Act. It was also seen that some students were drawing the objectives of GDPR into the interpretation of the Act without understanding the applicability. The community appeared to be unable to appreciate that DPDPA is a compliance related law and has to work with ITA 2000 for personal remedy. It was surprising that in the discussions nobody remembered the remedy available under Section 46 of ITA 2000 for the victims of a data breach, while the power of the court to grant compensation in such cases was remembered from the Bhopal Gas tragedy.

It is interesting to note that during next week’s IDPS 2024, we will be discussing “Adjudication as a remedy for Data Breach Compensation” in a Key Note as well as the “Grievance redressal mechanism” in the focussed group discussion. Hope the legal community will benefit from these discussions.

We need a “Nachiketa debate” on DPDPA with the Judiciary to ensure that DPDPA or any of its provisions does not get scrapped, but that the Judiciary assists in improving the interpretation of the Act.

Naavi

Posted in Cyber Law

Transform Privacy Policy Disclosure to Offer Format

DPDPA 2023 expects that “Consent” is the legal basis for processing of personal data. Consent requires a contract between the data principal and the data fiduciary. A Contract is a combination of an “Offer” and an “Acceptance”.

What we normally find on websites today is a “Privacy Policy”, which is a declaration by the organization that this is what we do to protect your privacy. This is in the form of a “Disclosure”.

When the disclosure is presented as an “Offer” and is confirmed as “Accepted”, the “Consent” is actualized. This leads to the action of the data principal in providing the necessary information, for the data processor to process the data as per the consent.

Perhaps, to put the DPDPA 2023 into a proper compliance framework, we need to change the “Disclosure Format” of the Privacy policy to an “Offer” format of a Notice.

One of the implementation challenges is to make the consent contract non-repudiable with proper authentication. The ITA 2000 indicates that the authentication of an electronic document is valid only if it is supported by a digital/electronic signature. As a result, to enable a “Perfect Consent”, the Privacy Notice has to be accepted with an electronic signature. Since all data principals do not have a digital signature, the Aadhaar based E-Sign is an option to explore. If, however, e-sign has to be used for every consent, withdrawal of consent, modification of consent etc., it will be an expensive proposition for the data fiduciary.

How DGPSI tries to address this, or how MeitY should facilitate this, is a point of debate…

….Let us discuss your views on this in IDPS 2024 at Bengaluru, on November 30 and December 1…

Register today at www.idps2024.in

Posted in Cyber Law

The two eyes of DPDPA Compliance

DPDPA envisages two key professional roles for driving compliance.

The DPO is responsible for DPDPA compliance within the organization, while the Data Auditor is an independent auditor who checks the implementation.

FDPPI has recognized these roles and created the C.DPO.DA., or Certified Data Protection Officer and Data Auditor, as a Certification program.

In the upcoming IDPS 2024 on November 30 and December 1 at KLE Law College Auditorium in Bangalore (also available virtually), you can discuss the impact of DPDPA on the professions of DPO and Data Auditor.

Be there, participate and contribute. Register today at www.idps2024.in

Naavi

Posted in Cyber Law

Credentials of DPOs….. Be a Guardian of Privacy

As India moves ahead into the era of DPDPA, there is a rush for professionals to occupy the role of “DPO” in an organization. It is sometimes easy to grab a title but difficult to retain it and feel deserving to hold it. Hence those who aspire to be DPOs need to have and develop the credentials necessary to be a DPO.

When FDPPI was formed in 2018, one of the first objectives set for itself was to build an “Empowered” community of “Knowledgeable”, “Efficient” and “Ethical” Data Protection Professionals who contribute to the development of a “Secure Information Society” by lawful means.

The “Empowerment” comes from the “Ethical Attitude” which is often absent in our approach to modern life. The knowledge we have and the skills we possess are meaningful only when they are applied with a noble objective. It is not enough if, as a DPO, we guide our organizations to be law abiding and meticulously follow the “Rules” when published. We also need to be “Ethical” in our approach and fulfil our duties as a “Guardian of Privacy” of the “Data Principal”. A DPO is himself/herself a “Fiduciary” and needs to be guided by the needs of the “Data Principal” when designing the compliance in an organization.

DGPSI, as a framework of DPDPA Compliance, recognizes this role of a DPO. As a guardian of the Privacy of the Data Principal, the DPO is responsible for identifying the Privacy Risks of the Data Principal and ensuring that the risk is mitigated to the extent feasible, communicated to the data principal and consent recorded.

In fulfilling this role, the DPO will have a natural conflict with the business objectives of the organization, which he has to navigate. This requires leadership skills, persuasive communication skills and also empathy with the Data Principal. The DPO, also being the first respondent to the Data Principal, needs the skill to negotiate and resolve disputes. Interpersonal skills to work harmoniously with peers, superiors and regulators are also a desirable credential of the DPO.

Want to know more about the credentials of a DPO?….

Attend IDPS 2024…Details at www.idps2024.in …Register today.

Posted in Cyber Law

NEGD starts DPDPA Awareness Campaign

It appears that, on behalf of MeitY, the National E Governance Department (NEGD) has started an awareness campaign on DPDPA for industry professionals.

A few days back NEGD conducted a physical conference in Delhi, and today they hosted a one-hour webinar by Advocate Supratim Chakraborthy of Khaitan Associates.

It was a well conducted webinar and useful to the industry professionals.

Hope many more such discussions will be conducted by NEGD.

In the meantime, FDPPI will conduct about 20 hours of discussion on DPDPA and other global Data protection laws, and their interaction with the recent developments in technology, in the two day conference in Bangalore on November 30 and December 1, under the Indian Data Protection Summit 2024 (IDPS 2024).

Check for details on www.idps2024.in and be there physically or virtually.

Naavi

Posted in Cyber Law

IDPS 2024 will provide answers to the dilemma of DPDPA compliance

When FDPPI started its IDPS series with IDPS 2020, it was the first such program in India focussing entirely on Privacy and Data Protection. As we run into the 5th year of the series with IDPS 2024 on November 30 and December 1, India is reverberating with the sound of DPDPA, as much for the law passed as for the Rules not having been notified. Professionals all over India are keen to debate the impact of DPDPA on their organizations and their professions.

In the last three days, I had the privilege of attending two large conferences on Cyber Law, Cyber Security and Data Protection in Delhi. One was the 11th year of the international conference on Cyber Law, Cyber Crime and Cyber Security from Pavan Duggal Associates and the other was the first conference of DPO Club, titled Bharat Privacy Conference.

It was heartening to see professionals and academicians from several organizations in India and abroad, and also officials from Government, participate enthusiastically in the deliberations. It appears that there is no dearth of “Awareness” in the industry about DPDPA and its importance. There may still be a need for awareness amongst the public, who are the focus of this legislation, but the awareness at the organizational level seems to be fairly high.

However, whether the current awareness is adequate or needs to be refined is a matter of discussion.

The corporates in India are approaching DPDPA with the lens of GDPR, and there may be a popular perception that GDPR is the gold standard and India can only copy and paste the provisions of GDPR. We at FDPPI have been crying hoarse that understanding DPDPA needs a certain unlearning of GDPR. It was heartening to note that the ecosystem is slowly accepting the concept that “DPDPA is different and if we are GDPR Compliant, it does not mean that we are DPDPA Compliant”. This is a big step in the creation of awareness in professional circles and we are firmly in this zone of awareness.

When it comes to “Compliance” there is still some confusion on how to address different provisions, and the challenge seems to be encouraging some companies to find an excuse to postpone compliance by pointing to MeitY not having notified the “Rules”.

MeitY officials were tight-lipped on the status of the release of the Rules but indicated that draft Rules will be released for public comments and, when passed, will provide substantial time for implementation. This could have to some extent brought comfort to the industry and reduced the tension of the Rs 250 crore penalty hanging over their heads.

There was a small section of industry professionals who felt that the Rs 250 crore penalty, instead of a turnover based penalty, is more to appease large organizations like Meta while at the same time being threatening to the MSMEs.

There was a popular debate on what should be the credentials of a DPO, but one encountered a number of “CISO cum DPO”s in the congregation. It was evident that many professionals are looking at “DPDPA Compliance” through the eyes of a CISO and find it difficult to see the rise of a DPO as a designation that may be on par with the CISO or slightly higher than the CISO. This requires a more in-depth debate.

There was no discussion on “Nomination”, “Right to Personal Remedy”, “Children Data Processing”, “Disabled Data Processing”, “Consent Manager”, “Grievance Redressal” and “Data Auditor”. Though a mention of “Nomination”, “Handling of unstructured Data” and “Children Data” came up during the Bharat Privacy Conference, no discussions happened. Due to multiple channels in the Cyber Law conference, I missed a session on “Authentication” where the CCA was present and another session on “Cyber Psychology”, which was a subject of personal interest to me. Need to check if recordings are available.

It was interesting to note that all discussions revolved around AI as much as around DPDPA, as if it was a movement around a binary star.

One of the common discussions was around “How to Define the Role of an organization as a Data Fiduciary or a Data Processor?”. Other discussions were centred around “Data Access Rights”, “Handling of legacy data”, etc.

It was clear that just as “Unlearning of GDPR is required to understand DPDPA”, “Unlearning of the ISMS principles is essential to understand the compliance framework for DPDPA”. Many are still thinking that the ISO 27001:2022 version is an applicable standard for DPDPA compliance.

However, when we followed some of the discussions, it was clear that the professionals are already expressing the need for many of the DGPSI principles such as the “Process Based Approach”, the “Data Classification approach of DGPSI” etc.

Now IDPS 2024 has the responsibility of answering some of the unanswered questions. Let us see how many of the aspirations can be fulfilled.

Incidentally, IDPS is a hybrid conference and I invite all the attendees of the two Delhi Conferences to also attend IDPS 2024, either physically or virtually. Let us make this a continuation of the discussion from the other conferences.

Naavi

Posted in Cyber Law