DPSI, the Twin of PDPSI, is now before us

In December 2000, Naavi started promoting the concept of “ITA 2000 Compliance” as the digital mantra for the corporate era. In 2008, the amendments to ITA 2000 changed its character into that of a security oriented law, and ITA 2008 compliance became a mandatory requirement.

ITA 2008 compliance included compliance with Section 43A, which covered Personal Data Protection.

This translated in 2009 into a framework named the Indian Information Security Framework, IISF 309, which was used for ITA 2000 compliance. After some evolution, IISF 309 became a 30 parameter framework, as indicated below.

This framework was confined to 30 requirements, not the 114 requirements we look at today in ISO 27002. However, it covered the essential aspects needed to meet all the requirements of ITA 2000, including Grievance Redressal. It also recognized the responsibilities of operational executives other than IT executives.

Consequent to the focus that has now come on PDPB 2019, there was a need for a special framework for Personal Data Protection, and it emerged as PDPSI, the Personal Data Protection Standard of India. This framework had 50 implementation specifications under the umbrella of 12 standards. It was an expansion of IISF, since new controls became necessary for privacy management.

PDPSI started with a “Classification” of data into “Personal Data” and “Non Personal Data”, and thereafter focused on the requirements for Personal Data Protection as per the law. Non Personal Data Protection was left to “DPSI”, the “Data Protection Standard of India”, to follow under the IISF 309 approach.

This has now evolved into a 33 point framework as follows.

It may be observed that the new framework incorporates the concepts such as the Data Value accounting which came up during the PDPSI discussions.

It was initially expected that the PDPB2019 will restrict itself to Personal Data Protection and a separate law will be passed for “Non Personal Data Governance”.

The PDPB 2019 therefore defined “Data” as “Personal Data” based on certain parameters, and what was not “Personal Data” was considered “Non Personal Data”. Within this distinction there was one set of data which was “Personal Data” and, upon anonymization, became “Non Personal Data”.

There was confusion in the industry, which got carried onto the JPC, that anonymization is just another form of de-identification or pseudonymization. The fact that anonymization is an “irreversible” transformation of what was hitherto “Personal” into “Non Personal Information”, while de-identification and pseudonymization are “reversible”, was not sufficiently digested. The Personal Data Protection Authority was expected to develop an acceptable standard of “Anonymization” that would render “Personal Data” into “Non Personal Data”.

Technology specialists lacked confidence that there could be an acceptable level of “Anonymization” that could be adopted as a standard, even if a “Brute Force Attack to re-identify anonymized information” were covered by a law that criminalized such “Brute Force de-anonymization”. This led the new JPC to consider some changes to the PDPB 2019 as approved by the earlier JPC chaired by Mrs Meenakshi Lekhi.
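As an added illustration of the distinction drawn above (this is example code, not part of the original post), the Python below puts the three situations side by side on constructed records: keyed pseudonymization, which stays reversible because the controller keeps the token-to-name map; a bare hash of a PIN code, which looks anonymized but is recovered by brute force because the input domain is only 900,000 values; and generalization with a k-anonymity check, which retains no path back to a name. The use of HMAC-SHA256 for pseudonymization and of k-anonymity as the anonymization test are assumptions of this example, not the standard the DPA was expected to issue.

```python
"""Reversible pseudonymization vs. irreversible anonymization, with a
brute-force re-identification check.  Added example with constructed data."""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample dataset: synthetic people, not real individuals.
RECORDS = [
    {"name": "Asha",   "pincode": "560001", "dob": "1984-03-12", "condition": "diabetes"},
    {"name": "Bhanu",  "pincode": "560034", "dob": "1987-11-02", "condition": "asthma"},
    {"name": "Chitra", "pincode": "560076", "dob": "1981-07-23", "condition": "diabetes"},
    {"name": "Dev",    "pincode": "110001", "dob": "1992-01-30", "condition": "asthma"},
    {"name": "Esha",   "pincode": "110021", "dob": "1995-05-05", "condition": "hypertension"},
    {"name": "Farhan", "pincode": "400001", "dob": "1975-09-17", "condition": "diabetes"},
]


def pseudonymize(records, key):
    """Replace the direct identifier with a keyed token (HMAC-SHA256; an
    assumed method).  Returns the pseudonymized rows plus the token->name map
    the controller keeps.  Because that map (or the key plus a list of names)
    exists, this is de-identification, not anonymization: it is reversible."""
    mapping = {}
    out = []
    for r in records:
        token = hmac.new(key, r["name"].encode(), hashlib.sha256).hexdigest()[:16]
        mapping[token] = r["name"]
        out.append({**r, "name": token})
    return out, mapping


def re_identify(token, mapping):
    """The reversal path that pseudonymization deliberately keeps open."""
    return mapping[token]


def hash_pincode(pincode):
    """A common mistake: 'anonymizing' a quasi-identifier with a bare hash."""
    return hashlib.sha256(pincode.encode()).digest()


def brute_force_pincode(digest):
    """Indian PIN codes are six digits with a non-zero first digit: 900,000
    candidates.  Hashing each one and comparing recovers the 'anonymized'
    value in about a second, so the hash is not an irreversible
    transformation; the input domain is simply too small."""
    for n in range(100000, 1000000):
        cand = str(n)
        if hashlib.sha256(cand.encode()).digest() == digest:
            return cand
    return None


def generalize(record):
    """Coarsen quasi-identifiers: PIN code -> sorting district (first three
    digits), date of birth -> decade.  Direct identifiers are dropped."""
    return {
        "region": record["pincode"][:3],
        "birth_decade": record["dob"][:3] + "0s",
        "condition": record["condition"],
    }


def k_anonymize(records, k):
    """Generalize, then suppress every row whose quasi-identifier combination
    is shared by fewer than k rows.  Returns (kept_rows, smallest_class_size
    before suppression).  No mapping is retained, so nothing in the output
    leads back to a name; re-identification would need outside data."""
    rows = [generalize(r) for r in records]
    classes = Counter((r["region"], r["birth_decade"]) for r in rows)
    kept = [r for r in rows if classes[(r["region"], r["birth_decade"])] >= k]
    min_class = min(classes.values()) if classes else 0
    return kept, min_class


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    pseud, mapping = pseudonymize(RECORDS, key)
    print("pseudonymized token:", pseud[0]["name"], "->", re_identify(pseud[0]["name"], mapping))
    print("brute-forced PIN code:", brute_force_pincode(hash_pincode("560034")))
    kept, min_class = k_anonymize(RECORDS, 2)
    print("smallest class before suppression:", min_class, "| rows kept at k=2:", len(kept))
```

The middle function is the one to remember: a hash with no key over a small domain is neither pseudonymization (there is no key to protect) nor anonymization (the value comes straight back), which is exactly the gap between the two categories that the Bill's definitions left open.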

The leaked reports about possible modifications to the earlier draft of PDPB 2019 now carry a rumour that the “Data Protection Authority” to be named under PDPB 2019 will be entrusted with responsibility for both Personal Data Protection and Non Personal Data Governance. Also, “Data Breach Notification” reporting under PDPB 2019 will now cover the reporting of “Non personal data breaches” as well.

The Non Personal Data Governance requirements suggested by the Kris Gopalakrishnan Committee require deliberation over a few years and cannot be brought into the PDPB 2019 draft expected to be presented to Parliament in December 2021. It is therefore expected that whatever changes may be made in PDPB 2019 regarding Non Personal Data will only be peripheral.

While making the DPA responsible for the “Anonymization Standard” is natural, and to that extent the DPA becomes an authority regulating “Converted Non Personal Data”, the entire regulation of Non Personal Data Governance is a completely new law which requires a different regulator. While PDPB 2019 is a “Privacy Protection oriented law”, the “Non Personal Data Governance Act (NPDGA)”, as it may be called, would be a law on how to monetize non personal data. It is more a matter of Data Valuation and Data Marketing.

Just as a CFO and a CMO often have different perspectives in business, the PDPA regulator and the NPDPA regulator need to have diametrically opposite attitudes to business. The PDPA regulator will be close-fisted and inward looking, while the NPDPA will be an extrovert and more liberal.

Combining the two roles could result in conflicts and be dysfunctional. The Courts, which are following the directions of the Puttaswamy judgement and expecting PDPA-India to meet the standards of privacy protection laid down in the Puttaswamy guidelines, will see the combined law, if it comes forth as a Personal and Non Personal Data Protection Act of India, as a dilution of the requirements expected for personal data protection.

This approach deviates from the global standard, which keeps Personal Data regulation under laws such as GDPR and CCPA and leaves Non Personal Data protection to “Computer Abuse” regulation or a “Cyber Security Act”.

Since it appears that the DPA under PDPB 2019 will be declared the regulator for Non Personal Data Protection as well (which is currently the responsibility of the Director, CERT-In, under ITA 2000/8), and that “Non Personal Data Breach Notification” will shift from CERT-In to the DPA under the new PDPB 2019, the industry needs to gear up to meet this change.

An organization following the PDPSI framework to meet the standards of PDPA-India will also have to watch its back for the protection of “Non Personal Data” of whatever nature is brought under the new version of the Bill (e.g. anonymized personal data). It has therefore become necessary to emphasize that PDPSI has to be complemented with DPSI, at least as far as the “Data Breach Notification” requirements apply.

Even if the change is restricted to the reporting of breaches of non personal data only, it would require identification of a potential data breach, forensic investigation and a harm audit, all directed at non personal data. Hence there is a need to take a holistic view of Personal Data Protection and Non Personal Data Protection (to the extent covered under PDPA-India) at the time of compliance.

The 33 point framework indicated above therefore becomes the twin framework to be considered by all organizations.

The framework will be further expanded with detailed notes shortly.

Naavi

Posted in Cyber Law

PDPSI Handbook now available


Join FDPPI Jnaana Vardhini webinars as a Continuing Education in Privacy and Data Protection

Naavi and FDPPI are dedicated to continuing education in the Data Protection space in India and undertake many activities towards this goal.

One such activity is the weekly webinars conducted under the Jnaana Vardhini series.

In a bid to streamline the activities of Jnaana Vardhini, the webinars have been set up as a Continuing Education course on the FDPPI web app. The app is available on Android and iOS mobiles as well as on the web.

The Android app is available here: 

The iOS app is available here:

On iOS you need to install an app called MyInstitute and use the FDPPI Institutional ID TITGE.

For logging in from web, use the link: web.classplusapp.com

The details of the available courses are available on log in.

Naavi


PDPSI Book now available in Print form

PDPSI is the framework for implementing the Personal Data Protection Standard of India. It is designed as a unified framework for Data Privacy and incorporates the best practices of other frameworks.

The first version of the book with Standards and Implementation Specifications is now available in print.

The book is now available on Amazon, Flipkart and directly from Notion Press, the publishers.


The “Chilling Effect”

The Information Technology Act 2000 (ITA 2000) has been in existence since 17th October 2000. In the amendment of 2008, effective from 27th October 2009, Section 79 was amended, and subsequently the “Intermediary Rules 2011” were notified under the section with effect from 11th April 2011. On 25th February 2021, the Government of India announced a revision of these rules, which we may refer to as the “Intermediary Rules 2021”.

It was a general observation in society that “Fake News” proliferated in the digital media and that many of these digital media houses were owned and controlled by foreign business interests. There were also individuals who were using the privilege of easy publishing without any accountability on YouTube and OTT platforms. “Yellow Journalism” was spreading like wildfire in the digital media, and the Government thought it necessary to regulate this media just as the Press Council tries to discipline the print media or the Cable TV Act tries to impose some responsibilities on the TV medium.

During the farmers’ agitation, it was clear that paid celebrity tweeters from abroad were commenting on Indian developments without knowing the facts. These motivated celebrity tweeters and “Fake Journalists” were teaming up with “Foreign Agents” to spread political messages through the digital media with the specific objective of embarrassing the Government.

It was natural that many activists considered the Intermediary Guidelines 2021 an opportunity to bash the Government in the Indian Courts. Hence several cases were registered in the High Courts, as PILs or in the name of journalists. Though the Government of India has requested the transfer of these cases to the Supreme Court, the High Courts, in their eagerness to stamp their views, have been releasing their orders as if it were a matter of national emergency instead of letting the Supreme Court take over the cases. Two such orders have already been released, one by the Madras High Court and the other by the Mumbai High Court, staying some of the provisions of the notification of February 25th.

It is now well known that the media of today is no longer the “Fourth Pillar of democracy” and is only a commercial arm of business. They have their own agenda, including overturning elected establishments. We know that one prominent US media house even released an advertisement to recruit reporters based in Delhi, specifying that the journalist should report with a stated bias against the current Government.

Knowledge of these developments was before the Courts, and there was a need to appreciate that it was a legitimate requirement of a responsible Government to regulate the digital media. In this direction, the Government wanted to introduce a certain “Ethical Code” for the so called “Digital Media”, who were “News Intermediaries” and fell under the provisions of Section 79 of ITA 2000.

The Intermediary Guidelines of 2021 therefore had some provisions which included:

  1. Self regulation by a digital media
  2. Self regulation by an industry group consisting of different members of the digital media

Beyond these two levels of self regulation, the Government had planned an administrative mechanism for oversight with a “Compliance Official” at the Ministry level.

Such administrative oversight is required as part of governance, and it is surprising that the Courts do not appreciate such governance controls being established, particularly on anybody who sports the tag of a “Journalist”.

The main objection raised before the Court was therefore that an “Ethical code” was being suggested, and that such an ethical code would cause a “Chilling Effect” on freedom of expression. Some of the media moguls appear to think that they cannot be made accountable even for malicious news reporting, and they do not want even self regulation. “Say No to Ethics” seems to be the slogan of the petitioners.

The division bench of Madras High Court has stayed “by way of abundant caution”, sub rules (1) and (9) of Rule 9 of IT Rules 2021. Earlier the Mumbai High Court had stayed sub rules 9(1) and 9(3).

The High Courts have been liberal in declaring that they are protecting the “Freedom of the Press”, that the rules cause a “Chilling Effect” on freedom of expression and that they are “Ultra Vires” the ITA 2000. Additionally, new jurisprudence is being brought in by the Madras High Court, stating that the decision of the Mumbai High Court should have a “Pan-India” effect.

In a democracy, while the executive has to respect the judiciary, the judiciary also has to respect the executive and recognize that it has certain duties. Imposing “Ethics” on the media cannot be considered “Manifestly unreasonable”, as the Mumbai High Court said in its order.

We can observe that the same courts had a different interpretation of freedom of speech when they were confronted with the rights of Arnab Goswami or S V Shekar. The lack of consistency is perplexing.

Let us see what Rules 9(1), 9(3) and 9(9), which the Courts felt it necessary to stay, state.

9. Observance and adherence to the Code.—

(1) A publisher referred to in rule 8 shall observe and adhere to the Code of Ethics laid down in the Appendix annexed to these rules.

(2) Notwithstanding anything contained in these rules, a publisher referred to in rule 8 who contravenes any law for the time being in force, shall also be liable for consequential action as provided in such law which has so been contravened.

(3) For ensuring observance and adherence to the Code of Ethics by publishers operating in the territory of India, and for addressing the grievances made in relation to publishers under this Part, there shall be a three-tier structure as under—

(a) Level I – Self-regulation by the publishers;

(b) Level II – Self-regulation by the self-regulating bodies of the publishers;

(c) Level III – Oversight mechanism by the Central Government.

Under Rule 8, these guidelines are applicable to publishers of news and current affairs content and publishers of online curated content, provided they operate in the territory of India or such publisher conducts systematic business activity of making content available in India.

The appendix referred to above states:

(a) “A publisher shall not transmit or publish or exhibit any content which is prohibited under any law for the time being in force or has been prohibited by any court of competent jurisdiction.

(b) A publisher shall take into consideration the following factors, when deciding to feature or transmit or publish or exhibit any content, after duly considering the implications of any content as falling under the following categories, and shall exercise due caution and discretion in relation to the same, namely:—

(i) content which affects the sovereignty and integrity of India;

(ii) content which threatens, endangers or jeopardises the security of the State;

(iii) content which is detrimental to India’s friendly relations with foreign countries;

(iv) content which is likely to incite violence or disturb the maintenance of public order.

(c) A publisher shall take into consideration India’s multi-racial and multi-religious context and exercise due caution and discretion when featuring the activities, beliefs, practices, or views of any racial or religious group.

The rest of the appendix talks about providing ratings such as U, U/A etc., as commonly used in other contexts such as film censoring.

It is difficult to understand which part of this rule is considered “Chilling”. It appears from the ruling of the Court that the “Reasonable Exceptions under Article 19(2) of our constitution” are what the Court refers to as “Causing a Chilling Effect”.

If the Court was seriously concerned only about the oversight mechanism, there would have been no need to stay 9(3)(a) and 9(3)(b), which created the self regulatory systems (supported by the grievance redressal mechanism).

The Court makes a reference to the “Shreya Singhal Case”, where the Supreme Court interpreted the law applicable to “Transmission” of an electronic message (under Section 66A of ITA 2000) as applying to “Publishing” of an electronic message on Twitter and Facebook, and struck down the section without making the effort to read it down.

Similarly, in the current case the Court has resorted to staying rules 9(1) and 9(3) when it was not necessary.

It appears that the Courts themselves need to impose self regulation on themselves and not jump to scrap the law at the drop of a hat. Where necessary they should exercise the option of “Reading down” the law so that the functioning of the Government is not disrupted but the misuse of the law is prevented. If the Courts are trigger happy and shoot down not only laws but also administrative notifications, the executive will stop being decisive. This will encourage inefficiency and procrastination.

In the instant case, “Digital Publishers” cannot escape being recognized as “Intermediaries” under ITA 2000, and hence they have to be accountable for what they publish, to the extent of tagging the content, removing the content when there is a Court order, etc. This cannot be considered “Ultra Vires” ITA 2000. The ethical code itself is within the provisions of Article 19(2) and earlier Supreme Court decisions, and hence the current Court order appears to be challenging Article 19(2) of the Constitution.

When the dust settles on this case, three questions remain to be answered by the judiciary.

The first is to what extent a decision of a High Court in one state should be considered applicable “Pan-India”. If this is universally accepted, there is a possibility that decisions adverse to the Government may be obtained by a clever choice of High Court.

The second question is whether the Courts should resort to striking down administrative guidelines as easily as they seem to, without appreciating the long term impact it may have in converting a functioning executive into a non-functioning one, which will reduce the efficiency of governance.

The third question is whether the Courts should exercise self regulation and use the “Reading down” option as the rule rather than strike down provisions of law. When the striking down is of provisions having direct reference to Article 19(2), it is questionable whether such an order is itself ultra vires the powers of a Court at this level.

Just as we say “Bail is the rule and jail is the exception”, “Reading down should be the rule and scrapping or staying of the law should be the exception”.

Naavi


If you are already a Certified Privacy Professional…this PDPSI webinar will make you even more valuable
