PDPA 2021: The nature of Data as an Asset and nomination facility

India enacted ITA 2000 (Information Technology Act 2000) with effect from 17th October 2000 and amended it in 2008 with effect from 27th October 2009. The provisions of ITA 2000/8 included legal recognition for a binary expression which we refer to as an “Electronic Document”, how such electronic documents can be used, and the consequences of their misuse.

The amendments of 2008 sharpened the Act by specifying how sensitive personal data is expected to be protected through a “Reasonable Security Practice”, and the consequences of negligence in doing so.

The Personal Data Protection Act (PDPB 2021) and the Crypto Currency Regulation Bill, both presently before Parliament for passage, have opened up discussion on the legal nature of some special kinds of electronic documents.

Arguments in the context of the Crypto Currency Bill revolve around the need to ban crypto currencies issued by private entities, since they could destroy the legitimate economy by undermining the central bank currency. However, when it comes to the legal status of a crypto currency, it is recognised as an “Electronic Document”, and hence one argument is that it should be considered a separate asset class and allowed to be traded in the stock markets like a “Commodity”.

The now abandoned draft Bill DISHA (Digital Information Security for Health Act) had provided that “Health Data” is owned by the health data subject as if it were “Property”.

The PDPB 2021 treats “Personal Data” as a special kind of data and lays down extensive regulations on how it can be collected, used and disposed of, along with the consequences of contravening those provisions.

In this view, Personal Data is a separate asset class in the corporate data asset store, and to be compliant with PDPB 2021 an organization needs to recognize its “Personal Data Asset”, classify it as personal, sensitive personal, critical personal etc., create an inventory, and tag it with the country of origin of the data principal and with the notice and consent associated with its collection and usage, and so on. Personal data is not a single piece of data; it is often an aggregation of data elements from different sources at different points of time. It has depth and width. It also carries a quality tag, and that quality erodes over a period of time.

Since personal data, like all data, has an economic value to the user organization, and different types of personal data have different values, the “Data Valuation Standard of India” (refer www.dvsi.in/wp) has developed a tentative methodology for valuing the data in the control of organizations and bringing it into the books of account.

However, in the midst of these activities, the treatment of the data of “Deceased” data principals has been an issue requiring attention. We have discussed this issue in the past in several articles on naavi.org (Refer here).

One of the issues discussed therein is whether the ITA 2000/8 Section 1(4) Schedule can be amended to include the feasibility of a “Will” for data assets. The other option is to provide for a “Nomination” facility under law.

For financial assets there is both the provision of a “Will”, through which the assets can be passed on to legal heirs, and the facility of nomination for bank accounts.

The nomination facility for bank-held assets was brought in through section 45Z (introduced in 1985) of the Banking Regulation Act, which states as follows:

45ZA. Nomination for payment of depositors’ money.—

(1) Where a deposit is held by a banking company to the credit of one or more persons, the depositor or, as the case may be, all the depositors together, may nominate, in the prescribed manner, one person to whom in the event of the death of the sole depositor or the death of all the depositors, the amount of deposit may be returned by the banking company.
(2) Notwithstanding anything contained in any other law for the time being in force or in any disposition, whether testamentary or otherwise, in respect of such deposit, where a nomination made in the prescribed manner purports to confer on any person the right to receive the amount of deposit from the banking company, the nominee shall, on the death of the sole depositor or, as the case may be, on the death of all the depositors, become entitled to all the rights of the sole depositor or, as the case may be, of the depositors, in relation to such deposit to the exclusion of all other persons, unless the nomination is varied or cancelled in the prescribed manner.
(3) Where the nominee is a minor, it shall be lawful for the depositor making the nomination to appoint in the prescribed manner any person to receive the amount of deposit in the event of his death during the minority of the nominee.
(4) Payment by a banking company in accordance with the provisions of this section shall constitute a full discharge to the banking company of its liability in respect of the deposit: Provided that nothing contained in this sub-section shall affect the right or claim which any person may have against the person to whom any payment is made under this section.

Similarly, Sections 45ZC and 45ZE provide for nomination for the return of articles kept in safe custody and in safety lockers with the banking company.

The legal jurisprudence on the nomination facility in the banking system is that payment or delivery of articles to a nominee discharges the bank of its liabilities, though it is not a legal settlement of the title. The legal heirs remain free to settle their claims separately through testate instruments such as a Will or through other measures available under the transfer of property provisions of law. Nomination does not settle legal ownership and is only a procedural facilitation for the convenience of the banking system.

Now, PDPA 2021 introduces the concept of Nomination in respect of “Personal Assets” through a provision in the Bill.

Under the proposed Section 17(4) regarding Rights of the Data Principal, it is provided that

“The data principal shall have the following options, namely:-

(a) to nominate a legal heir or a legal representative as his nominee;
(b) to exercise the right to be forgotten; and
(c) to append the terms of agreement, with regard to processing of personal data in the event of the death of such data principal.”

Reading this along with the current provisions of ITA 2000, we must interpret this provision as providing only for “Nomination” and not for the transfer of “Legal Ownership” of the data. Hence it also does not confer the status of “Property” on the data.

This provision has another anomaly: it tries to provide a right to amend a contract signed when the person was alive, in respect of a right that does not subsist after the person's death.

This needs to be corrected by changes to this amendment, failing which the provision could be considered “ultra vires” the established process of law and introduce an ambiguity that will become a focus of endless litigation in future.

If this section survives the passing of the Bill, then watch out for the amendments to be made to the PDPSI (Personal Data Protection Standard of India) implementation specifications, where we may suggest how this anomaly may be handled.

Naavi

(Comments welcome)

Other articles on DPA 2021

14. PDPA 2021: Concept of Discovery Consent

13. JPC Recommendations on SWIFT Alternative: Out of scope and Disruptive of Global Economic System

12. JPC recommendation on Children Data

11. JPC recommends DPA to watch on Incident Register

10. JPC comments beyond the Amendments-2: Implementation Schedule

9. JPC comments beyond the Amendments-1-Priority of law

8. Clarifications from the JPC Chairman on DPA 2021

7. Anonymisation is like Encryption with a destroyed decryption key 

6. PDPA 2021: The data breach notification regarding Non Personal Data

5. PDPA 2021: The Data Protection Officer is now in an elevated professional status

4. PDPA 2021: The nature of Data as an Asset and nomination facility

3. PDPA 2021: Regulating the human perceptions

2. PDPA 2021: Definition of Harm to include psychological manipulation

1. PDPA 2021: Should Big Data and Data Analytics industry be worried?

Posted in Cyber Law | Leave a comment

NALSAR launches the Course on International Data Protection Laws

When ITA 2000 was enacted in the year 2000, Cyber Law College started a virtual course, “Certificate in Cyber Laws”. It took several more years for traditional academic institutions to introduce formal courses on Cyber Laws. Initially Cyber Law College conducted certification courses in association with KLE Law College, Bangalore and Hubli, and later with SDM Law College in Mangalore and JSS Law College in Mysore.

Several years later NLSIU and NALSAR followed with their own courses. I was privileged to be associated with both courses in the development of the curriculum and in handling some sessions.

Now we have entered the era of Data Protection Laws. Again it was Cyber Law College which pioneered certificate courses, both on the Indian law based on ITA 2000 and PDPB 2019 and on the global laws. These courses are part of the DPO training program of FDPPI, and the first course was started by the end of 2019.

Now, within a gap of 2 years, NALSAR has decided to launch a course on “International Data Protection Law” as part of its offerings. The undersigned is privileged to be associated with this program, which will discuss GDPR, US and Canadian laws as well as DIFC and Singapore laws.

The Indian laws are presently not a subject of study yet but may soon be introduced.

The first batch of this “ONE-YEAR ADVANCED DIPLOMA IN CYBER SECURITY; DATA PROTECTION LAWS 2021-2022” will commence tomorrow.

We wish the program all the success.

Naavi


PDPA 2021: Regulating the human perceptions

(This is in continuation of our previous article)

While discussing the PDPA 2021 and the inclusion of Section 3(23)(xi), we observe the following:

Current PDPB 2019, Section 3(20):

(20) “harm” includes—

(i) bodily or mental injury;
(ii) loss, distortion or theft of identity;
(iii) financial loss or loss of property;
(iv) loss of reputation or humiliation;
(v) loss of employment;
(vi) any discriminatory treatment;
(vii) any subjection to blackmail or extortion;
(viii) any denial or withdrawal of a service, benefit or good resulting from an evaluative decision about the data principal;
(ix) any restriction placed or suffered directly or indirectly on speech, movement or any other action arising out of a fear of being observed or surveilled; or
(x) any observation or surveillance that is not reasonably expected by the data principal;

Proposed PDPB 2021, Section 3(23):

(23) “harm” includes—

(i) bodily or mental injury;
(ii) loss, distortion or theft of identity;
(iii) financial loss or loss of property,
(iv) loss of reputation or humiliation;
(v) loss of employment;
(vi) any discriminatory treatment;
(vii) any subjection to blackmail or extortion;
(viii) any denial or withdrawal of a service, benefit or goods resulting from an evaluative decision about the data principal;
(ix) any restriction placed or suffered directly or indirectly on speech, movement or any other action arising out of a fear of being observed or surveilled; (***)
(x) any observation or surveillance that is not reasonably expected by the data principal;
(xi) psychological manipulation which impairs the autonomy of the individual; or
(xii) such other harm as may be prescribed;

The whole concept of “Data Protection Laws” is built on the premise that an individual has a “Choice” on the sharing of his personal data, which can be captured and given effect to by a third party until such time as the person “Withdraws” or “Modifies” his consent.

This is in itself like skating on thin ice, and to top it off with a responsibility to recognize “Psychological Manipulation which impairs the autonomy of the individual” is a cruel imposition on the DPO and the organization.

What the “Autonomy” of an individual is, and how it gets “Impaired”, are going to pose a significant challenge to the industry.

We can recall the Cambridge Analytica case, where there was an allegation that personal information was used to develop an algorithm that could predict the political leaning of a subject, and that was considered an infringement of privacy rights. The Cambridge Analytica case reflected the global hatred for Facebook and created a precedent that has clouded the judgement of many regulators.

It is for this reason that “Profiling” and “Automated Decision Making” have become critical issues in data protection regulations.

While “Profiling” stops at making an educated guess to predict the behaviour of a person based on some transactional information available to a data fiduciary, treating “Psychological manipulation” as a “harm” takes the regulation to a higher level, since “Harm assessment” is part of the Data Protection Impact Assessment and the Data Trust Score Assessment.

While expert organizations like FDPPI will devise some acceptable standard under PDPSI to handle such issues, academically there is a need to debate whether the inclusion of Section 3(23)(xi) in PDPA 2021 was required, and whether it could be a provision that is not amenable to regulation.

In this context, we need to understand how the “Advertising” industry works. Advertising, as well as marketing, works under the principle of AIDAS, on the premise that the buying behaviour of a target market has to be changed from “No awareness and No desire to buy” into the action of placing an order.

In this process we follow the steps of AIDAS: creating Awareness/Attention and Interest, which should be converted into a Desire for a product, before pushing the individual into the Action of buying and then following up on the Satisfaction of the buyer.

What PDPA 2021 does is to declare this age-old principle of marketing “Unlawful”.

If therefore an advertising agency has to work on PDPA 2021 compliance, there is an issue in that advertising tries to psychologically manipulate a large section of the population, though the agency does not know which data principal is being targeted when it releases an advertisement in mass media.

But it will not be long before the idea catches on, and e-mail marketing, SMS marketing, advertisements in specialized media and advertising through subscription-model TV broadcasting will all be red-flagged as “Creating Harm”.

So far only advertisements on smoking, drinking etc. were considered harmful. The Bitcoin industry is fighting against the advertisement ban envisaged for crypto currencies. Now PDPA 2021 is likely to place the entire advertising industry, and along with it the marketing function, under a question mark.

It would be interesting to know if the industry understands this issue and reacts.

If the Government wants to make a change, it is better to delete this 3(23)(xi) and let the earlier definition of harm be considered sufficient.

Now we shall get back to the question I had placed in the previous article to highlight how legislating what goes on in the mind of a person is not wise.

The question was

What is your response to an information stimulus represented by the following binary stream?

01001101 01101111 01100100 01101001

There can be three responses which we can discuss.

1. This is a number: 1,299,145,833, or one billion two hundred ninety-nine million one hundred forty-five thousand eight hundred and thirty-three.

2. Another person says it is the name of a well respected global leader, Modi.

3. Another person says it is the name of a most hated Indian leader, Modi.

Whether this binary stream is a number or a set of English characters ‘Modi’ depends on the choice of the binary converter which the observer uses.

This means that 01001101 01101111 01100100 01101001 is either a number or a name, based on the technology you use to convert it into human-understandable data. Hence it is neither non personal data nor personal data per se. It is the observer who chooses to convert it into either a number or a name, and hence he determines whether it is personal data or non personal data.
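The decoding step described above, as an added example that is not part of the original article: a small Python script that parses the quoted stream of binary octets and then reads the same four bytes as a big-endian integer, a little-endian integer, ASCII text and hex. The helper names parse_binary_stream and interpretations are my own; the little-endian and hex readings go beyond the two the article discusses, to show that even the “number” reading depends on a further choice by the observer.

```python
"""Decode one binary stream under several "converters".

Added example, not part of the original article. It takes the
space-separated octets the article quotes and shows that whether they
read as a number or as the name "Modi" is purely a matter of which
decoder the observer applies to identical bytes.
"""


def parse_binary_stream(stream: str) -> bytes:
    """Parse space-separated 8-bit binary groups (e.g. '01001101 ...') into bytes.

    Groups that are not exactly eight 0/1 characters are rejected, so a
    malformed stream fails loudly instead of being silently misread.
    """
    out = bytearray()
    for group in stream.split():
        if len(group) != 8 or any(ch not in "01" for ch in group):
            raise ValueError(f"not an 8-bit binary group: {group!r}")
        out.append(int(group, 2))
    return bytes(out)


def interpretations(data: bytes) -> dict:
    """Return the readings different observers would get from one byte string.

    Each entry is a different "converter" applied to the same input:
    two integer byte orders, strict ASCII text, and the raw hex digits.
    """
    return {
        "big_endian_int": int.from_bytes(data, "big"),
        "little_endian_int": int.from_bytes(data, "little"),
        "ascii_text": data.decode("ascii"),  # raises on bytes >= 0x80
        "hex": data.hex(),
    }


# The stream quoted in the article (constructed input for this example).
STREAM = "01001101 01101111 01100100 01101001"

if __name__ == "__main__":
    for name, value in interpretations(parse_binary_stream(STREAM)).items():
        print(f"{name:>18}: {value}")
```

The strict ASCII decoder is deliberate: if any octet has its top bit set, the “name” reading simply does not exist and the call raises UnicodeDecodeError, while both integer readings still succeed. That asymmetry is the practical version of the article's point: the observer's choice of converter decides not only what the bytes mean but whether a given meaning is available at all.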

Once it is converted into the four letters Modi, whether it is considered an “Objectionable” word or a “Biased” expression will be decided by Twitter based on who is tagging the content. If the binary is used in a sentence “….. is good”, then if you use an ASCII-to-text converter it should be treated as an attempt at “Psychological Manipulation”. If you use the ASCII-to-number converter, it may not mean “Psychological manipulation”.

If we are assessing the harm caused by the information, therefore, we need to take into account the context, the observer and the device used for observation before considering whether there is any attempt at “Psychological Manipulation”.

Under these complexities of human behaviour it is a moot question if the introduction of Section 3(23)(xi) was actually required.

Let us have comments from others…

Naavi


PDPA 2021: Definition of Harm to include psychological manipulation

PDPA is a legislation that is meant to uphold the human right concept of “Privacy”. Privacy is a concept which reflects the “State of Mind” of an individual and a feeling of “being left alone”.

According to psychologists, hypnotists and spiritual gurus alike, the human mind is like a computer which, based on the inputs received from the sensory organs, creates experiences to which humans respond. If the input is wrongly perceived, the reaction would be inappropriate.

It is easy to understand that if the mind perceives the red traffic signal as green, then the human will proceed and perhaps crash against another person who sees red as red, green as green.

Human perception is based mostly on past learning, much as an AI algorithm is trained with specific inputs. The theories of Thomas Anthony Harris on the life positions individuals may take, such as “I am OK, You are OK”, are based on such principles of how the individual experienced his childhood.

The PAC model of Transactional Analysis also suggests that our responses to human interactions are conditioned by the way our ego states have developed.

The ability to “Observe”, “Perceive”, “Interpret” and “learn” is an inherent characteristic of any human being.

Some might have developed this instinct to such an extent that they acquire the skill of “Face Reading”. Some try to develop the expertise of reading “Body Language”.

Given this inherent human character of taking a mental position based on any of the sensory perceptions fed to their mind, any information is also likely to have an automatic impact on the human being. This cannot be prevented.

Those who can keep themselves immune to external stimuli and react independently are the Sadgurus of this world.

Law cannot be made for such Sadgurus, since they are too few in number and do not represent the majority.

However the data protection laws across the world appear to take up this task of regulating not only the “State of Mind of an individual” but also what one human perceives when he receives some personal information.

Let me give an example.

Here is a binary stream, and I want you to let me know your first reaction to it:

01001101 01101111 01100100 01101001

Think it over…. We shall continue the discussion in the next article, covering the amendment in PDPA 2021 which has added Section 3(23)(xi), a new type of “Harm”, namely “psychological manipulation which impairs the autonomy of the individual”, to the list of harms that the regulation tries to protect an individual against.

(Second Part of this article)

Naavi


What is the next Excuse for not banning Crypto Currencies?

Black money in India is more powerful than even Mr Modi. Hence banning crypto currencies, which means banning digital black money, cannot be done easily by the Government, even if Mr Modi or Mr Amit Shah would swear by national interests.

Even Mr Mohan Bhagwat of the RSS and Dr Subramanian Swamy are silent on the banning of crypto currencies.

Nobody seems to have the guts to take crypto currencies by the scruff of the neck and banish them from India.

This week the Crypto Currency Bill in some revised form is expected to be presented in Parliament. The Ministry of Finance would be feverishly working with all the crypto currency exchanges and the corrupt media elements to draft it in such a manner that crypto currencies will continue to be an asset class which SEBI will regulate and the IT department will tax.

I am reminded of the story of Bhasmasura in our mythology, who was given a boon by Lord Shiva that he could destroy anybody by placing his hand over that person's head, and Bhasmasura wanted to test it on Lord Shiva himself. Likewise, if Bitcoin and crypto currencies get the sanction of the Government in any form, it will be a boon with which the country's economy would be destroyed. The current drop in the stock markets is not because of Omicron but in anticipation of the approval to be given to crypto currencies in the Bill, and the consequent shift of investment from shares and other stock market investments to Bitcoin and other crypto currencies.

We respect Mr Modi and Mr Amit Shah and their intentions to do good for India, but we cannot underestimate the power of black money, and just as Mr Modi retreated on the farm laws issue, it would not be surprising if Mr Modi develops cold feet on crypto currency regulation and yields to the power of digital black money.

One possibility is that the Bill will be referred to a Standing Committee and the issue would be shelved for the time being.

We are therefore looking out for a black day for India when Crypto Currencies are given a license to devour the legit currency and along with it the economy built by the tax payer’s money.

Hope I am proved wrong.

We sincerely urge Mr Modi not to be the Lord Shiva who gave the boon to Bhasmasura but Lord Vishnu who saved the world by destroying Bhasmasura in the form of Mohini.

Naavi


PDPA 2021: Should Big Data and Data Analytics industry be worried?

PDPB 2019 (Personal Data Protection Bill 2019) has been in its current draft stage since December 2019. In the last two years the JPC held an incredible 78 meetings, of which the first 66 were chaired by Mrs Meenakshi Lekhi, who was subsequently promoted as a Minister, and the rest by Shri PP Choudhary, who took over as the next chairman.

At the end of this exercise, a new version of PDPB now titled Data Protection Bill 2021 (DPB 2021) emerged and is now before the Parliament.

When the legislative history of PDPB 2021 is written, it is necessary to understand how the exercise which started with the suggestion of the Supreme Court judgement in the Justice Puttaswamy case resulted in the Government forming the Justice Srikrishna Committee which came up with PDPB 2018, which later became PDPB 2019 with the incorporation of public comments and which has now taken the new avatar of DPB 2021.

It is the privilege of the Parliamentarians to draft the law in whatever manner they think fit, and we in the industry have to accept it and move forward. In professional circles we can continue to debate what improvements could have been made and what mistakes could have been avoided, but for a Bill which has taken so long to see the light of day, it would be cruel if we delayed its adoption further by raising demands for more corrections.

The exercise for an exclusive Personal Data Protection Bill first started with the Personal Data Protection Bill 2006 (See a copy of the Bill here).

This means that after ITA 2000 was introduced on 17th October 2000, containing Section 43 which imposed penalties for the failure of an organization to protect data (both personal and non personal), the first attempt at an exclusive personal data protection law was initiated with PDPB 2006. It has now taken 15 years for PDPB 2006 to evolve into DPB 2021. During this long period of gestation it was evident that business did not want the shackles of the law, and any provision on “Surveillance” which the Government wanted included in the Bill came to be criticised as an undemocratic move and faced the opposition of habitual naysayers and genuine privacy activists acting together.

As a result the Personal Data Legislation remained in the background.

Since the nudge from the Supreme Court in 2017, it has taken 4 more years to reach the current state, and during this time there has been a consistent attempt to suggest changes one after the other, to the extent that no consensus could be reached and the adoption of the Bill has been delayed at each stage.

Even the current version which will be before the Parliament will have 7 members out of 30 in the JPC submitting dissent notes and the Tech industry already announcing that they will challenge the law in the Supreme Court once it becomes the law.

Even if 2 years' time is given by the Act for implementation, it is likely that most of the industry will use the time to wait for the Supreme Court to come up with its decision on the challenge, and continue to drift in implementation of the law. The Government would have its own trademark “Respect” for the “Pending Supreme Court Verdict” and perhaps focus more on other pressing matters rather than getting the law cleared in the Supreme Court.

It is therefore a time of uncertainty ahead of us on the implementation schedule of the law. It is unfortunate that even Pakistan and China can now boast of “Personal Data Protection Laws” similar to GDPR or CCPA or Singapore PDPA 2012 while India is still unable to get the legislation through.

The undersigned however has been clearly advocating that the personal data protection is embedded in Information Technology Act 2000 particularly after the amendments of 2008 which introduced Section 43A and 72A.

Industry may ignore it, but the law is clear that penalties can be imposed for not protecting sensitive personal data under Section 43A or 72A by the Adjudicators under ITA 2000. ITA 2000/8 compliance is therefore the current “GDPR of India”.

When PDPB 2018/2019 was drafted, the legislative intent was clear that the new Bill will replace Section 43A of the ITA 2000/8 and therefore the current Personal Data Protection under ITA 2000/8 would transform into 98 sections of PDPB.

ITA 2000/8 was a single law which protected against both personal and non personal data misuse, and it was expected to continue its role as the “Non Personal Data Protection Law” even after PDPB was enacted. However, the intervention of the Kris Gopalakrishnan Committee in between, suggesting a “Non Personal Data Governance Act” (NPDGA), has confused the legislators to the extent that an idea to merge the proposed PDPB 2019 with the future NPDGA into one law, and rename PDPB 2019 as the Data Protection Bill 2021 (DPB 2021), has gained acceptance.

Whether this was a wise move or not only time will tell. But the Supreme Court may feel that…”we wanted you to bring in Personal Data Protection law to protect Privacy but you are ending up with designing a Cyber Security law by combining Personal Data Protection and Non Personal Data Protection into one law and also perhaps introducing Non Personal Data Governance through administrative guidelines from the Data Protection Authority in the coming days.”

As a result, the focus expected of a law to protect Privacy may get diluted when DPA tries to take over the work of Director General of CERT IN and start taking up Cyber Security issues instead of focussing entirely on Personal Data protection issues.

Consequent to this change in the legislative intent behind PDPA 2021, Section 1 (Name Clause) has been modified. More importantly, Section 2 on “Applicability” has also been modified.

In Section 2 the following amendments have been made:

Current PDPB 2019:

The provisions of this Act shall apply to the processing of personal data by the State, any Indian company, any citizen of India or any person or body of persons incorporated or created under Indian law; [Section 2(A)(b)]

and

shall not apply to the processing of anonymised data, other than the anonymised data referred to in section 91. [Section 2(B)]

Proposed PDPB 2021:

The provisions of this Act shall apply to the processing of personal data by any person under Indian law [Section 2(b)]

and

the processing of non personal data including anonymised personal data. [Section 2(d)]

Anonymised data by definition means data in such form that the Data Principal cannot be identified as per the standards of anonymization prescribed by the authority. Unless therefore the Authority falters in fixing the Anonymization standard, “Anonymised personal data” has no relevance to the “Privacy Protection” required under the Constitution and the Supreme Court Judgement.

The JPC has however bought the idea that “Anonymization” can be broken by use of certain techniques and therefore added it in the legislation for personal data.

However, it is necessary for us to remember that even “Encryption” and “Digital Signature”, which have special status in law, can be broken by hackers, and if the “Anonymisation Standard” is defective, the problem is like having a low level of encryption and finding fault with the concessions given to the breach of encrypted data or digital signatures.

Calling “Anonymised Data” as requiring regulations under Personal Data protection is like treating all “Encrypted Data” as “Unencrypted”  data and all “Digitally signed document” as “Undigitally signed”.

Hence the inclusion of the words “including anonymised personal data” in Section 2(d) is unimaginative.

We can argue that even though Section 2(d) says DPA 2021 applies to Anonymised Personal Data, we should consider this important only if there are other provisions in the law about “Anonymised Personal Data”; otherwise we can forget it.

However, this has opened the possibility that an imaginative DPA can place regulations on “Anonymised Personal Data” which may create issues for the Big Data Industry or the Data Science field.

In case the regulation is only that “Consent” should be obtained for “Anonymisation”, it is not difficult to implement it.

But blocking “Anonymisation” as a right of the Data Fiduciary would seriously hurt the “Monetisation Prospect” of “Anonymised Personal Data”, which is actually “Non Personal Data”. This could be considered an infringement of the fundamental right to carry on a business, and it does not affect the Right to Privacy of any person whose personal data is anonymised.

In a way the law has given in to the perceived power of the hackers, considered that “Anonymisation” is not possible, and hence concluded that anonymised personal data should not be available for monetisation.

Instead of caving in to the power of hackers, the Government should have considered increasing the penalty for “Reidentification of De-Identified Information” from imprisonment of 3 years to something around 10 years. This would have increased the deterrence and mitigated the risk of de-anonymisation of anonymised personal information.

In the long run, this will be a point to regret. Coupled with the section that requires the processing algorithm to be made transparent and the hardware and software used in personal data processing to be “Certified”, the Data Analytics industry and the Big Data industry would find it suffocating to carry on their activities. On the other hand, these provisions do not add anything to the protection of Privacy.

The Government therefore appears to have opened a breach to let the Judiciary find fault with the drafting of the legislation.

At this point of time it appears that this cannot be remedied except by reverting Section 2 to the previous version and deleting the provisions on hardware and software certification as well as on algorithmic transparency. All these responsibilities, to the extent that they adversely affect the Privacy of an individual, can be implemented under the concept of “Data Fiduciary” and do not require the amendments as proposed.

As regards “Reporting of Data Breach of Non Personal Information”, this was a responsibility already assigned to CERT-In. There was perhaps no justification for taking over the responsibility of CERT-In in this respect.

If there was a concern that some data fiduciaries could report a personal data breach to CERT-In as a non personal data breach and thereby avoid scrutiny by the DPA, a provision could have been inserted for sharing all data breach reports made to CERT-In with the DPA, along with a comment/assurance from the CERT-In Director that no personal data breach is suspected in the reported data breach.

If these issues had been addressed, there was no need to change the perspective of the law from “Personal Data Protection” to “Non Personal Data Protection”.

However, from the compliance perspective, we must accept the changes as finally passed by the Parliament and include “Non Personal Data Protection and Governance” as part of Personal Data Protection compliance.

Naavi

(The above are the personal views of Naavi and do not represent the views of any organisation.)

Other articles on DPA 2021

14. PDPA 2021: Concept of Discovery Consent

13. JPC Recommendations on SWIFT Alternative: Out of scope and Disruptive of Global Economic System

12. JPC recommendation on Children Data

11. JPC recommends DPA to watch on Incident Register

10. JPC comments beyond the Amendments-2: Implementation Schedule

9. JPC comments beyond the Amendments-1-Priority of law

8. Clarifications from the JPC Chairman on DPA 2021

7. Anonymisation is like Encryption with a destroyed decryption key 

6. PDPA 2021: The data breach notification regarding Non Personal Data

5. PDPA 2021: The Data Protection Officer is now in an elevated professional status

4. PDPA 2021: The nature of Data as an Asset and nomination facility

3. PDPA 2021: Regulating the human perceptions

2. PDPA 2021: Definition of Harm to include psychological manipulation

1. PDPA 2021: Should Big Data and Data Analytics industry be worried?

Posted in Cyber Law