DGPSI is the Indian Standard for Privacy and Data Protection by Design and Default

One of the notable mentions made by Prime Minister Mr Modi during the Independence Day speech yesterday was a call for the development of indigenous standards.

This was heartening, since FDPPI has been working on the indigenous standard DGPSI (Data Governance and Protection Standard of India), which is meant as a framework for organizations to achieve compliance with DPDPA 2023.

Currently many organizations and professionals work with available but incompatible frameworks such as ISO 27001 and ISO 27701 and claim that they are able to achieve compliance with DPDPA 2023.

This view arises partly because companies already know these frameworks, have worked with them and are comfortable with them. Fear of the unknown and “resistance to change” prevent them from even considering an alternative. Often they find an excuse in the fact that their customers ask whether they are ISO 27001 compliant or GDPR compliant, and conclude that they have no choice.

Alternatives can be considered only if there is a conviction that frameworks like ISO 27001 or ISO 27701 were created for different contexts and, though they may be best suited to those contexts, they need not be so for the Indian context.

For example, we have repeatedly drawn a comparison with cricket and pointed out that Gavaskar is a legend, but for today's T20 matches he is not the right choice ahead of, say, Suryakumar Yadav. Mr Neeraj Chopra may be the best javelin thrower in India, but you cannot ask him to compete in the discus throw or shot put.

Once companies shed their resistance to looking at new frameworks, they need to understand what each framework suggests and arrive at their own conclusion about whether a customized ISO 27701 is a solution for DPDPA 2023 compliance or whether DGPSI is the better solution.

We must also accept that “frameworks” are only guidelines; following a framework does not mean that we are perfect in compliance. We all know how many companies in India are ISO 27001 certified, and whether they actually have the necessary security infrastructure. Implementation is therefore extremely important, and this comes only with an understanding of the law, DPDPA 2023.

FDPPI's one-day workshops on “Implementation Challenges in DPDPA 2023”, such as those being conducted in Navi Mumbai on August 31 and in Mumbai on September 1, address these requirements.

We invite all professionals in Mumbai and Pune to take advantage of this program and attend the same.

P.S.: Ujvala Consultants Pvt Ltd and Cyber Law College are sponsoring 5 deserving participants at each of the two locations in Mumbai who may find the participation fee a hurdle. Contact Naavi immediately if you wish to avail of this offer, since it will be on a first come, first served basis. These 10 persons will be designated DGPSI ambassadors in Mumbai.

Details of the program are available at : https://fdppi.in/wp/mumbai-on-31-8-and-1-9/

Naavi

Posted in Cyber Law | Leave a comment

Saying ‘No’ to Sunny and ‘Yes’ to SKY

Investment managers often find themselves in a situation where they have to choose a stock for investment not for themselves but for others. As individual investors they follow a logic of personal challenge and are able to take higher risks. But in an investment firm, when it comes to investing for others as the manager of a portfolio or a mutual fund, they tend to take the “follow the crowd” attitude. The reason is that a “safety first” attitude overcomes their rational thinking.

The logic is that when you invest in TISCO and the price goes down, people will judge that the market has failed you. But when you invest in Adani and it goes down, people will judge your decision and perhaps even your intentions. Hence investment managers building large portfolios always take the path of the crowd. This principle is well known and understood.

When I interact with data protection professionals in India, I find a similar “follow the crowd” syndrome. When we suggest that they can use the DGPSI framework for compliance with DPDPA, they still hesitate to switch from other, more popular frameworks. When we suggest C.DPO.DA. as a certification, they still resist switching from other, more popular programs. They forget that the “popularity” of those frameworks and programs was earned in a different context and for a different purpose, which is not relevant to their current requirements.

Self-aware professionals should remember that Sunil Gavaskar and Kapil Dev were India's best cricketers of all time, but when it comes to selecting the current Indian T20 team, we prefer to choose a Surya Kumar Yadav or even a Shivam Dube.

Let us reflect on why we are prepared to discard respected legends and switch over in such cases and draw lessons on choosing DGPSI or C.DPO.DA.

I agree that this largely depends on the self-confidence and awareness of the professional. If I do not know, or am uncertain about, what is required for DPDPA compliance, I will go with the crowd even if I know that the crowd may be wrong. The logic is that “being wrong with the crowd” is better than “going alone and facing the responsibility of justifying your action”.

For those who are sure of their ground, it becomes easy to choose the right path. This requires effort in understanding what is required to be a good Data Protection Officer or Data Auditor in India, and what it means to construct and maintain a Data Governance and Protection Management System (DGPMS) in India rather than an ISMS. For those who know, it is immaterial that a less informed customer may think it better for vendor systems to pass an ISMS audit rather than a DGPMS audit.

FDPPI during its month end programs in Mumbai on August 31 and September 1, will discuss 27 implementation challenges and Solutions that are confronting us in the light of DPDPA 2023.

The objective of this program (one in Navi Mumbai and another in Mumbai) is to ensure that our professionals acquire the level of self awareness of DPDPA and Self Confidence so that they can break out of the crowd.

I request all ISMS auditors to check whether they are good enough to be called DPDPA auditors in the days to come and, if not, how they can develop themselves towards this coveted opportunity.

When you say No to Sunny and Yes to SKY, people understand the context. Similarly, when you choose C.DPO.DA. or DGPSI, people will understand.

Naavi


Digital Privacy Day of India

Last year, on August 11, DPDPA 2023 was signed into law by the President. This year we are still expecting the rules to be notified at any time during this fortnight.

However, it is time for us to remember the importance of August 11, 2023. Last year we declared that it should be recognized as Data Protection Day of India. Whether it is called Data Protection Day or Digital Privacy Day does not matter, but there is a need to recognize the relevance of the day. Let us therefore continue our effort to mark it.

The only way we can celebrate the day is to ensure that we offer something to society.

Naavi has today made a representation to the CJI regarding introducing a “Register of Legal Guardians Approved by Courts in India” to enable implementation of Section 9 obligations. Naavi has also decided to launch the process of developing the application for “Verifiable Consent for Minors”.

Additionally, Naavi with FDPPI has extended a 50% discount on FDPPI membership, course subscriptions and registrations for the upcoming workshop in Mumbai, only for registrations made today.

I hope other organizations will follow with similar or better activities and offers.

Naavi


Extending the Ownership debate of Meta Data to Telephone conversations…

On July 30, I posted an article here titled “Who Owns Meta Data”. The post evoked several interesting comments on LinkedIn and, in the interest of taking the debate further, I thought I should share those comments here.

Some of the comments are listed here:

Comment 1: I’d argue that fiduciaries need metadata in order to maintain logs of processing activities at the very least, but also for the essential functioning of their businesses. For instance, if I (as a fiduciary) am processing an e-commerce transaction (say, delivering goods ordered on the fiduciary’s website), the legal basis for holding the personal data (name, address, phone) is already established, as they are necessary to process and deliver the goods. In the same tone, the metadata is essential for managing operational performance, transaction lineage, reconciliations etc. (to understand and improve my business, which is indeed the core part of running a business). As long as the fiduciary has established a legal basis for creating a metadata record, then I think they are well within the DPDPA ambit. And by the way, metadata should never contain personal information in there (and I wouldn’t call it metadata if it did).

Comment 2: If the sender is the fiduciary then fiduciary owns the message and has a recorded legal basis (e.g. consent or lawful processing) for sending the message to the principal. If the sender is the data principal, then the message should no longer be stored beyond the purpose for which it was sent (e.g. requesting for a change and fiduciary deleting the message once the said purpose is served). It may be possible that the fiduciary needs to retain such communication for a period of time which then would be the legal basis for long term storage (in such cases both the fiduciary and the principal could have a copy of the message). I hope I have understood it right.

Comment 3: Na.Vijayashankar (Naavi) Sir, your write-up very well sums up the issues DPDPA 2023 opens up, but I feel ownership is not an issue that the law intends to address. The law confers a few rights on the data principals to give them some control over their data. The right to nominate is just an extension of it, in my view. Moreover, the data fiduciaries need not delete the personal data even when requested by the data principal, if they can show that processing is valid on some legal ground of processing. Meta data will anyway qualify as personal data if it can identify some individual under the DPDPA, be it in isolated or aggregated form. Therefore, I would hesitate to call personal data one's property, as it would amount to giving them an absolute right over it.

Comment 4: What are your views on ownership of the meta data subsequent to alterations which causes change in meta data?

Comment 5: Thank you for shedding light on the complexities surrounding metadata. I completely agree that metadata is a grey area that often goes unnoticed, yet it has significant implications for privacy. For instance, when I upload a photo, the metadata can include my location, which is clearly personal data. While not all metadata should be considered personal, in certain circumstances it definitely warrants the same protections. It’s crucial that we have a clearer legal framework to address these nuances. Looking forward to more discussions on this important topic!

Comment 6: Sir, you are absolutely correct; however, there are scenarios different from what you mentioned. I am sending one of my selfies as an email attachment to my bank as part of my KYC renewal and the bank’s email account gets compromised, so are you saying that my attachment won’t have any extractable metadata which may be considered my personal data? If yes, then isn’t it the responsibility of the Data Fiduciary to ensure the same is removed when an attachment is received by them, as they are definitely going to retain the email with the attachment, or only the attachment, as per legal obligations?

P.S. – I am using a non-paid email domain to send the email, which does not have any facility for removing metadata from the attachment. Also, let’s consider that only the email account got compromised, which is used only for receiving customers’ photographs; nothing else is compromised.

Comment 7: Surely the Govt needs to think deeply when it comes to nomination and ownership of data. Who is the real owner of the data? Questions also loom around the retention period of metadata. Do we need sector-wise retention period guidelines to safeguard personal data? Hope the Govt takes this into consideration when the final laws are out.

Comment 8: Very interesting topic; data ownership is always contentious. Lacking background, I just wanted to check your views on the “behavioural data” that is constructed behind the scenes. More often than not, that holds value beyond the context; is that part of the discussion?

I thank all those who, by commenting on the post, have extended the debate. The comments are self-explanatory.

I would like to however add the following points to the debate..

The above debate arose because DPDPA 2023 declared that “personal data is something that can be nominated”, and the industry generally thinks that “meta data” that can be used to identify an individual is personal data. Meta data by definition is associated with some data, and that data may be personal data. If we do not recognize that there is a “personal identity” distinct from a “business contact identity”, every message on the internet is “personal data”, since it is sent by an individual or by a system that an individual has programmed to send automated responses. In other words, every message on the internet carries an originating IP address, and perhaps a location and other technical headers, which can be traced to an individual unless it is anonymized.

Hence most “meta data” is associated with personal data and becomes an extension of it, especially under GDPR jurisprudence.

There is a similarity here with the data built by a data fiduciary on top of the data supplied by the data principal, which ultimately may be recognized as a “profile”. Under the “Additive Value hypothesis of the Theory of Data”, I have discussed how the value built on data should be considered the property of the builder. This is consistent with IPR law as well. Meta data may not involve special effort on the part of the data fiduciary, but nevertheless it is created by the fiduciary, is a technical requirement in all cases and is a legal requirement in many cases. There are data retention requirements which may require log records to be maintained; the CERT-In directions of April 2022, for instance, require logs of ICT systems to be retained for 180 days for security reasons.
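The point above, that ordinary log meta data identifies a person unless anonymized while retention rules still require the log to be kept, can be shown concretely. The following is an added example and not code from the original post: it parses constructed web-server access log lines, replaces the client IP with a keyed pseudonym (HMAC) so that the same client stays linkable for security analysis within a key period while the raw address is recoverable only by whoever holds the key, and then runs a typical security check over the pseudonymized records. The log lines, the key name `PSEUDONYM_KEY` and the pseudonym length are assumptions for illustration.

```python
"""Added example (not from the original post): identifying meta data in an
access log, and keyed pseudonymisation that keeps the log usable for security
work while limiting who can re-identify a person from it."""
import hashlib
import hmac
import re
from collections import Counter

# Constructed sample lines in Combined Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [11/Aug/2024:10:15:02 +0530] "POST /kyc/upload HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 14; Pixel 8)"
203.0.113.7 - - [11/Aug/2024:10:15:09 +0530] "GET /account HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Linux; Android 14; Pixel 8)"
198.51.100.23 - - [11/Aug/2024:10:16:30 +0530] "POST /login HTTP/1.1" 401 128 "-" "curl/8.5.0"
198.51.100.23 - - [11/Aug/2024:10:16:31 +0530] "POST /login HTTP/1.1" 401 128 "-" "curl/8.5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hypothetical pseudonymisation key: held by the security function and rotated
# per retention period, not available to the analysts reading the output.
PSEUDONYM_KEY = b"constructed-key-rotate-per-retention-period"


def parse_log(text):
    """Parse each line into a dict. The client IP and the user agent are the
    fields that can be traced back to an individual."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def pseudonymize_ip(ip, key=PSEUDONYM_KEY):
    """Keyed HMAC of the address. The same client maps to the same token while
    the key is in force, so correlation still works, but the address cannot be
    recovered from the token without the key (a plain hash could be brute
    forced over the IPv4 space; the key is what prevents that)."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize_log(text, key=PSEUDONYM_KEY):
    """Return the parsed log with the raw IP replaced by its pseudonym and the
    user agent reduced to its product family."""
    out = []
    for r in parse_log(text):
        r = dict(r)
        r["ip"] = pseudonymize_ip(r["ip"], key)
        r["ua"] = r["ua"].split("/")[0]
        out.append(r)
    return out


def failed_logins_by_client(records, threshold=2):
    """A security use that survives pseudonymisation: clients with at least
    `threshold` HTTP 401 responses, keyed by pseudonym."""
    counts = Counter(r["ip"] for r in records if r["status"] == "401")
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    pseudo = pseudonymize_log(SAMPLE_LOG)
    for r in pseudo:
        print(r["ip"], r["ts"], r["req"], r["status"], r["ua"])
    print("repeated login failures:", failed_logins_by_client(pseudo))
```

The retained record still satisfies a log-retention obligation and still supports detection, but an analyst without `PSEUDONYM_KEY` cannot turn a token back into a person; re-identification becomes a deliberate, logged step by the key holder rather than a side effect of reading the log.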

Hence there is a clash between GDPR jurisprudence and Indian jurisprudence on meta data, and this was highlighted in the article, taking the cue from “nomination as a right”.

This leads us to the need to define that “data generated during a transaction is joint property, and joint and several rights are available to both parties”. I have in the past also argued that when there is a telephonic conversation, the conversation belongs to both parties, and hence recording it does not need the permission of the other party. This clashes with the jurisprudence of those US states that require the consent of all parties before a call is recorded (US federal law and most states require only one party's consent).

I invite comments on this point.

Naavi


Let’s meet in Mumbai on August 31 and September 1

FDPPI’s next destination in its outreach to the data protection community is Mumbai. FDPPI has planned two events, one in Navi Mumbai on 31st August 2024 and another in Mumbai on 1st September 2024.

Details are as follows:

These events are full-day workshops on the implementation of DPDPA in organizations and will be conducted by Naavi and his team.

The program would include:

1. Discussion of DPDPA and the Rules with reference to a few case studies
2. Discussion on implementation challenges
3. Discussion on how to implement Compliance by Design

The objective of the program is to enable professionals with legal, technical and managerial backgrounds to understand the nuances of the DPDPA and the draft Rules and how they can be applied in the user environment.

We invite all interested persons to participate.

Kindly register quickly to avail of the different discount options available. Participants will be issued certificates with 6 hours of CPE credits.

Click here for registration: https://www.iletsolutions.com/fdppi_conference_mumbai/

Naavi


“Witnessed Consent” should be explored…. DPDPA rules

In the implementation of DPDPA in India, “consent” is an important instrument for establishing the legal basis for processing. Such consent has to be purpose-specific. It is the purpose that also determines data minimization and retention minimization.

Against this background, let us look at the needs of the data analytics industry, where data is the raw material from which value-added products are generated. The very reason data scientists exist in an organization is to increase the productivity of available data through research and by finding new uses for it. Business managers concerned with data governance would also like to get more value from available data by using analytics.

Not all data analytics can be done on anonymized data, since a company would like to apply what it learns to its own customer set and therefore wants precise profiling of every one of its customers. Marketing efforts would be unproductive without an understanding of the behaviour of prospective customers.

Digital marketing companies therefore need to develop “insights” on customers from the data available in transactions, combined with data collected from elsewhere. But this is the classic definition of “profiling”, which is impossible under a strict interpretation of the right to privacy.

The process of analysing personal data to discover uses that were not identified when the data was collected will therefore be a problem the industry has to contend with. One school of thought is that “no personal data shall be subject to experimentation by a data analyst” without consent. While this is acceptable as a strong privacy principle, we also need to consider whether it will curb innovation and technical progress.

Just as we are trying to recognize the problem of consent fatigue among individuals and to find a solution through the Consent Manager, we also need to recognize that businesses have a legitimate requirement for customer profiling, behaviour monitoring and monetization of personal data.

We therefore need to consider how to use “consent” in such a manner that the individual feels the data fiduciary has been transparent enough for him to give consent for the “discovery of unknown uses”, including “profiling” and “monetization”.

One way by which this “Consent” can be made acceptable is to introduce the system of “Witnessed Consent”.

Currently we bring in parental consent for minors because we feel that a minor is not capable of taking the decision. In medical practice, it is common for doctors to take consent witnessed by relatives when surgery is performed or when participation in drug research is permitted.

Similarly, we need a system of “witnessed consent” under which certain uses can be subjected to the witness of another adult, so that the person providing consent is not misled or cheated. As long as a person is willing to submit himself to profiling and monetization of his personal data, it should be a “right of choice”.

There is a view that a constitutional right cannot be overridden by a contract, and hence that the right to privacy cannot be waived by consent.

I would like to challenge this principle.

The world is today discussing euthanasia, the right to end one’s life by choice. In such a context, there is a case for a data principal to expect a right to submit himself to profiling or monetization without affecting the constitutional right, as long as precautions are taken to have the consent suitably witnessed so that he is not “cheated”.

The DPDPA Rules should therefore suggest a process of “witnessed consent” to be used for “discovery of purpose” as well as “profiling” and “monetization”, and set out how such consents can be provided and by whom.
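One way a fiduciary could record such a consent so that it can later be shown who consented, to what, and who witnessed it. This is an added example, not code from the original post or from any FDPPI or DGPSI material; the purposes treated as needing a witness, the party identifiers, the keys and the record layout are all assumptions for illustration, and the per-party HMAC attestations stand in for the digital signatures a real deployment would use. The verifier applies the checks a practitioner would want: the consent text covered by both attestations is the same bytes, a witness-requiring purpose without a witness is refused, and the witness must be a different person from the principal.

```python
"""Added example (not from the original post): a witnessed-consent record in
which the data principal and an independent adult witness both attest to the
same purpose-specific consent, and a verifier that refuses records that do
not meet the witnessing rule. HMAC stands in for real signatures here."""
import hashlib
import hmac
import json

# Hypothetical policy: these purposes may only be consented to with a witness.
WITNESS_REQUIRED = {"profiling", "monetization", "discovery_of_purpose"}

# Constructed party keys (in a real system each party would hold a signing key).
KEYS = {
    "DP-001": b"constructed-principal-key",
    "W-042": b"constructed-witness-key",
}

# Constructed consent artefact; every field is part of what gets attested.
SAMPLE_CONSENT = {
    "principal": "DP-001",
    "witness": "W-042",
    "fiduciary": "example-analytics",
    "purposes": ["service_delivery", "profiling", "monetization"],
    "notice_version": "v3",
    "given_at": "2024-08-16T10:00:00+05:30",
}


def canonical(consent):
    """Stable serialisation so both attestations cover exactly the same bytes."""
    return json.dumps(consent, sort_keys=True, separators=(",", ":")).encode()


def attest(consent, party_key):
    """A party's attestation over the canonical consent."""
    return hmac.new(party_key, canonical(consent), hashlib.sha256).hexdigest()


def witnessed_consent(consent, principal_key, witness_key):
    """Build the record the fiduciary stores: consent plus both attestations."""
    return {
        "consent": consent,
        "principal_attestation": attest(consent, principal_key),
        "witness_attestation": attest(consent, witness_key),
    }


def verify_record(record, lookup_key):
    """Return (ok, reason). `lookup_key(party_id)` yields that party's key or None."""
    consent = record["consent"]
    principal = consent["principal"]
    witness = consent.get("witness")
    needs_witness = WITNESS_REQUIRED & set(consent["purposes"])

    pk = lookup_key(principal)
    if pk is None or not hmac.compare_digest(
        attest(consent, pk), record.get("principal_attestation", "")
    ):
        return False, "principal attestation invalid"

    if needs_witness:
        if not witness:
            return False, "purposes %s require a witness" % sorted(needs_witness)
        if witness == principal:
            return False, "witness must be a different person from the principal"
        wk = lookup_key(witness)
        if wk is None or not hmac.compare_digest(
            attest(consent, wk), record.get("witness_attestation", "")
        ):
            return False, "witness attestation invalid"
    return True, "ok"


if __name__ == "__main__":
    record = witnessed_consent(SAMPLE_CONSENT, KEYS["DP-001"], KEYS["W-042"])
    print(verify_record(record, KEYS.get))
    # A purpose added after the fact invalidates both attestations.
    altered = dict(record, consent=dict(SAMPLE_CONSENT, purposes=SAMPLE_CONSENT["purposes"] + ["resale"]))
    print(verify_record(altered, KEYS.get))
```

Because both attestations bind the full purpose list and notice version, a fiduciary cannot quietly extend the consented purposes later, which is the "discovery of purpose" risk the witness is there to guard against; a new purpose needs a fresh, freshly witnessed record.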

This is the “Shaping the Future” debate, and therefore established principles need to be questioned and solutions found.

Comments are welcome…

Naavi
