Data as a class of property

On different occasions we have discussed the implication of “Data” as a property class. The early discussions on “Data” as a property in legal circles were around the property of “Domain Name”. It was one of the first “Pure Virtual Property” which had no physical equivalent. It had a visual presence in the form of a “Website” but was created as an identity for reaching a particular digital destination. In technical terms, a domain name was a “Pointer”, a set of instructions associated with a standard protocol which a computer application like a “Browser” was programmed to recognize as an “Instruction to search and connect to a remote server and fetch the default page to the user’s browser”.

The property of a domain name being a standard reference to a set of electronic documents stored on a web server with a gateway page and further hyperlinks created a value perception on the key characters which we called the “Domain Name”. In view of the similarity with the previously known property of “Trade Mark”, which was a “Symbol” associated with a product or service, domain names were often compared with trademarks.

However, there was a significant difference between domain names and trademarks in the sense that the “Trademarks” were created entirely by the owner while “Domain Names” are “Proposed by an owner and registered through a domain name registrar licensed by ICANN which itself is a self regulatory body constituted by a set of stakeholders”. The creator of a domain name could create a trade mark or copyright on the unique mark but using it as a domain name required the setting up of domain name servers in a given form which was at the sole control of a registrar. The Registrar could reject the request for creating a domain name or allow creation of multiple domain names in different TLDs or create confusingly similar domain names which diluted the “Value”.

Courts across the globe have often been confronted with the dilemma of considering the nature of domain name as a property.

Obviously, a domain name is not a tangible property. It is “Intangible” but it is a “Special Intangible” property. It is created like an “Actionable Claim” against the domain name registrar. It can be transferred. But going by the dispute resolution mechanism (UDRP), the “Saleability” of the domain name is restricted by the need to “Act in Good faith”. Otherwise the registration can be classified as “Cyber Squatting” and could be cancelled. It is therefore necessary for the owner of a domain name to first of all have some kind of an interest in the domain name and then use it in good faith.

For example, “Naavi” is a set of ASCII characters (actually an arrangement of binaries in a particular order as the computer sees it) and Na.Vijayashankar claims a good faith right to use it as his identity on the web space. Partly this is further corroborated because in the native language of Kannada, the abbreviation of the initials Na.Vi. reads as Naavi. Hence there is a “prima facie right for Na.Vijayashankar” to use the domain name “Naavi” as a brand name with any extension “Org” or others. In a way the IPR is a justification for the right to a domain name. However, there are many other instances where there may be no such genuine reason for somebody to appropriate a domain name and a person can register any name as long as he can build a brand personality around this. The various domain name dispute cases (Refer www.lookalikes.in for some examples)

The net impact of these established principles is that “Domain Name is a property which can be owned by a person and transferred for consideration with some restrictions”. It can have a “Cost of acquisition” which is different from “Perceived Market Value”.

This concept would be relevant when we discuss “Data Valuation” as well as “Data Inheritance”, two concepts which we are discussing in depth as part of the introduction of the Personal Data Protection Act (PDPB 2019) in India and preparing for the “Non Personal Data Governance Act” (NPDGA) which is in the pipeline and provides for monetization of Non Personal Data through a “Data Exchange”.

“Data” is defined as “an arrangement of binary values which when interpreted through appropriate devices and applications create a human experience of a text, sound, image etc.” In the coming days we will have devices that can convert the binary values into smell and touch also so that all five sensory perceptions of humans namely sight, hearing, taste, smell and touch can be created in the minds through transmission of appropriate signals to the human brain.

In law, Information Technology Act 2000 defines “Data” and this is further divided into “Personal Data” and “Non Personal Data” by virtue of other laws like the PDPB 2019 or NPDGA (proposed). At each of these stages, Data carries a perception in the minds of the human beholder and hence Naavi’s Theory of Data created a hypothesis that “Data is created by technology but perceived by human beings”.  (Refer to various articles here)

In practice however, legal uncertainties remain and we are confronted with a challenge when we raise the questions

a) Can we bring the value of data in to the financial statements of a corporate entity?

b) Can a legal heir inherit the “Data Property” on the death of the data principal (data subject)?

Naavi has initiated an academic debate on both these topics and different expert committees of FDPPI are exploring the issues to arrive at a professional view.

The end result of this academic exploration would be a suggestion to the Government of India to consider a suitable supplementary legislation which should extend the meaning of data both in ITA 2000 and in PDPA of India and lead to the development of an acceptable “global accounting standards for Data value” and an acceptable “Data Inheritance law” in India as part of the Digital Assets Succession Act.

Hopefully by that time we would have forgotten the political distinctions of Hindu Succession Act, Muslim Succession Act, Christian Succession Act, Parsi Succession Act, Jain Succession Act, Buddhist Succession Act etc. and converge on a single Digital Asset Succession Act.

This “Digital Valuation and Succession Act” will include

1) Defining Data as a new class of asset and not necessarily to be compared with the known asset classes such as movable, immovable, actionable claims etc.

2) Defining a method of valuation of Data

3) Defining a means of disclosure of data value in an organization to the public

4) Defining the ownership rights and means of transfer

5) Possibility of “Nomination” of Data

6) Possibility of “Joint ownership of data” (eg: Either or survivor or Former or Survivor of data held with data processors like Twitter or Facebook)

7) An established methodology for recognizing handling of data of deceased data principals, without automatic deletion or automatic appropriation by the data fiduciary

8) An established methodology for the legal heirs of a deceased to “Claim” data assets in the hands of intermediaries.

9) An established methodology for the Government to appropriate “Unclaimed Data Assets” after classifying them as “Unclaimed” through a process similar to branding a data asset as “Dormant” and “Inoperative”.

10) Establishment of a “Uniform Data Disputes Resolution Policy” (UDDRP) to be adopted voluntarily by Data Fiduciaries on the lines of UDRP/INDRP to facilitate data disputes resolution through an ADR process.

and any other aspect relevant to data valuation and data value disclosure.

Such a law should be compatible with the current data related laws such as Information Technology Act 2000, Personal Data Protection Act (as proposed), Non Personal Data Governance Act (as envisaged) and any other laws likely to be considered in the meantime.

FDPPI has been described as the “Dada of Data Protection Agencies in India” and therefore has the responsibility to take constructive steps in finding a solution to these problems of the industry.

In this direction FDPPI is constituting a special committee to draft a bill on “Data Valuation and Succession Act”, deliberate on the issue in consultation with other academic institutions such as law colleges and professional bodies who may be interested.

A proposal is also being sent to the Government of India asking whether it would be interested in setting up such a committee, in which case FDPPI may withdraw its committee.

Naavi

Posted in Cyber Law | Leave a comment

Beware.. If you download ADATA data breach information, you may be committing a crime

A data breach of mega proportions involving 700 GB of corporate data has been reported in respect of a computer storage chip maker ADATA, a Taiwanese company. The company was subject to a ransomware attack and, probably because the company refused to pay the ransom, the hackers have released the data on the dark web. It is claimed that the hacker has stolen 1.5 TB of data which could be business sensitive information. A small part of the information could be personal information.

(See details here)

We reiterate that society should do everything to discourage such criminal activities, including disengaging the monetary activities of the Dark Web by a global ban on Crypto Currencies like Bitcoin.

Additionally, we must recognize that when authorities impose fines for data breach, they should consider that if an organization is a victim of an attack by criminals, the penalties should be moderated unless there has been gross negligence in implementing basic security. We need to encourage companies to stand up to the blackmail of these criminals and not put additional pressure on the companies by imposing debilitating fines. Ideally in such cases the penalties may cover the compensation of the losses suffered by the individuals in terms of privacy and the cost of security insurance that they may have to take up on account of the data leak, if any, and the administrative penalty for failure of security should be kept minimal.

For example, in the ADATA case the company, by taking an ethical stand not to pay ransom, has already suffered substantial damage to its finances and there is no point in beating it down further by administrative fines.

A third factor we would like to highlight is that any competitor who takes advantage of this data theft by downloading the data from the dark web must be punished as being involved in “Enrichment through a Crime”.

By the measures of banning Crypto Currency and punishing those who would like to use stolen data for their business advantage, society would greatly reduce the adverse impact of a data leak of this nature.

Naavi


Final Version of Supplementary measures by EDPB on SCC

On June 21, 2021, EDPB adopted the final version of the recommendations on supplementary measures following the earlier recommendations of November 2020 after the Schrems II ruling of the EUCJ.

The final version of the Recommendations includes several changes to address comments and feedback received during the public consultation and places a special focus on the practices of a third country’s public authorities.

One of the modifications suggested is

- the emphasis on the importance of examining the practices of third country public authorities in the exporters’ legal assessment

- to determine whether the legislation and/or practices of the third country impinge – in practice – on the effectiveness of the Art. 46 GDPR transfer tool;

- the possibility that the exporter considers in its assessment the practical experience of the importer, among other elements and with certain caveats; and the clarification that the legislation of the third country of destination allowing its authorities to access the data transferred, even without the importer’s intervention, may also impinge on the effectiveness of the transfer tool.

This means that the Data Exporter has the responsibility to apprise himself of the laws of the destination country and not depend entirely on the existence of a written contract. Some due diligence is required to be exercised.

It was in this context that FDPPI came out with a note on the “Surveillance laws” in India to assist the Data Importers in India who had to keep their vendors informed about the laws in India.

India is a sovereign country and therefore does not submit to arbitrary contractual obligations that prevent a Data Importer from challenging the local Government when a need for surveillance arises under due process of law.

The full text of the Recommendations is available here:

The principles stated in the guidelines are that

1. Controllers should know their transfers
2. Controllers should verify the transfer tool relied upon
3. Assess if there is anything in the law of the destination country that impinges on the effectiveness of the safeguards
4. Identify and adopt supplementary measures that are necessary
5. Take such formal procedural steps as may be required under Article 46
6. Re-evaluate at appropriate intervals the level of protection afforded to the transfer

It may be recalled that Article 46 of GDPR provides that, in the absence of “Adequacy”, the following appropriate safeguards are available for transfer:

(a) a legally binding and enforceable instrument between public authorities or bodies;
(b) binding corporate rules in accordance with Article 47;
(c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2);
(d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2);
(e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; or
(f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.

We must also remember that apart from Adequacy under Article 45(3) and safeguards under Article 46, there are derogations available for specific situations under Article 49, which include the following measures that allow transfers to third countries.

(a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;
(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
(d) the transfer is necessary for important reasons of public interest;
(e) the transfer is necessary for the establishment, exercise or defence of legal claims;
(f) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
(g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case

In addition to the above measures, the Controller has the right to mitigate the risk by using pseudonymization at his end which is a fundamental suggestion under Article 32.

In view of the above it is suggested that all Data Importers suggest that the Data Exporters adopt the suggested alternate measures and not insist on the signing of contracts which are unenforceable at the end of the Data Importer.

We will be happy to provide any further clarification required under this provision.

Naavi


When Ransomware terrorists know the value of data why not Accountants?

Data was called “Oil” because it was recognized as having immense value to the business. There are organizations where data is a by-product and there are also organizations where data is the finished product.

Whenever a ransomware attacker demands a ransom of Rs 10 lakhs or Rs 100 crores, he has a perception of a value for the data. Most often the companies agree to pay the extortion amount, which vindicates the value placed on the data by the attackers. Some companies may look at the “Opportunity Cost” of not agreeing to pay the extortion, after which the attackers may release the data on the dark web. Some attackers actually auction the data on the dark web or sell it at a fixed price and there are people who are willing to buy.

According to international studies, the value of data on the dark web may vary depending on whether it is simple name and e-mail data or sensitive data like finance data or health data. If a data set is current with verified information and contains data such as credit card information with CVV, the value of each set of data could be substantial.

In the recent case of NCLT declaring Net4India as “Insolvent”, it was obvious that the judges had not recognized the value of data in the possession of the company before declaring it “Insolvent”.

Even companies who ought to know the value of data because they earn their income by processing data, often find that they are unable to take adequate security measures because the CISO or DPO is unable to convince the CFO that a certain investment is required to build compliance competency.

One of the solutions that Naavi has been demanding for a long time is that Accountants should find a way of bringing the value of data into the balance sheet of the Company. In case the judges at NCLT had seen a Net4India balance sheet with a Data asset value of say Rs 100 crores, they would have perhaps not issued an insolvency order at all.

The accounting community today has a method for valuing Trademark, Copyright or Patent, normally on the basis of the “Net Present Value” of the benefits that an asset may provide over a period of the next 5-10 years. Accountants value Fixed Assets with a “Depreciation” which is a reflection of the period for which an asset remains productive.

Sometimes, assets are valued on the basis of cost of acquisition, cost of production, market value and such other means.

Most of such valuations are not accurate. They are based on assumptions and often understate the asset value, as in the case of Public Sector enterprises sitting on large tracts of land, or overstate the value, as in the case of high tech product companies whose products have a short lifetime but whose costs may get spread out over a longer period. We see investment companies face a sharp fall in their assets when the monsoon is delayed or a favourite political party loses an election, and none of the accountants can explain why the P/E ratio of one company is only 4 or 5 whereas another company has 10 times the P/E ratio.

Despite these uncertainties in valuation, accountants still have agreed upon a valuation system, tax authorities accept certain valuation principles, Merger and Acquisition specialists strike billion dollar deals based on their valuation of tangible and intangible assets and the show goes on.

Many times the value of assets as we find in a balance sheet is on a “Going Concern” basis and the moment the organization is recognized as “Sick” the value of assets plummets.

It is therefore strange that when we speak of “Value of Data” being shown in the books of account, some accountants think it is a bizarre thought and refuse to be drawn even into a discussion.

FDPPI (Foundation of Data Protection Professionals in India) has taken the first significant step in trying to convince accountants and corporate managers by including a standard and supporting implementation specifications in the “PDPSI” framework (Personal Data Protection Standard of India framework for assessment of compliance of data protection regulations in an enterprise).

The implementation specification no 6 of the PDPSI framework states

6. Data Valuation and Accounting

The organization shall adopt a policy of assigning a financial value to the inventory of data and provide visibility to the data asset in the books of account.

The implementation specification further suggests

The value of data may be brought into the books based on a scientific valuation method or on a provisional basis and reported as a special reserve or as a Contra entry (both an asset and liability separately)

The Visibility of the valuation of data as an asset shall be extended to both personal and non-personal data.

Many managements may wonder why a PDPSI audit has to comment on the data valuation policy of the Company.

But the most important reason for “Bringing the Data Value” into the books of account is to provide “Visibility” to the asset which needs to be protected and harnessed. If Data at some value is visible in the Manager’s dashboard on a continuous basis, then it is more likely that the decision makers in the company will realize that they need to do something about it. What is not visible is likely to be de-prioritized. When the Company knows that it had data of Rs 100 crores last quarter and it has jumped to Rs 200 crores this quarter, they will certainly ask a question to the DPO about the implications of the change in the data value.

Some accountants quickly jump and say this will enable fraudulent overvaluation of assets and is therefore risky.

But what we are suggesting to start with is that, while all of us try to find an acceptable method of valuation, let the data value be represented as a “Contra Value” where it does not increase either the assets or liabilities nor even create a “Special Reserve” as we do in the case of valuation of intangible assets such as “Goodwill” or “Trade Mark”. There is no case for accountants to refuse this suggestion, so that all advantages of “Visibility” are realized without the risk of inappropriate reporting of profits.

After agreeing to bring a notional value of the data into the books of accounts, we can continue to fine tune the valuation by adopting a combination of

a) Cost based valuation

b) Market value based valuation

c) Computation of Net present value of future revenue generation

d) Accounting appreciation and depreciation based on logical factors

etc.

FDPPI has started a dialogue with the industry and has also set up an internal working group to take this concept to other industry associations.

We welcome Chartered Accountants, Chartered Valuers, Cost Accountants and other professionals to join hands with FDPPI to develop an acceptable system of valuation so that India can lead the world in this respect.

It is however realized that the solution to this problem does not lie in extending the valuation methods presently used by the industry because Data is an Asset Class which is unlike the movable or immovable assets or the actionable claims. Nor can it be classified clearly with other known types of asset classifications like “Tangible” and “Intangible assets”.

I draw attention to some of the thoughts the undersigned has already expressed through these columns such as the “Theory of Data” where we discussed the “Additive Value Hypothesis” of data.

We also enclose a distinct note on the topic which is available here. I request professionals to go through these papers and start contributing their thoughts. We would like students to debate this in their respective institutions and come up with innovative thoughts.

But it is essential to realize that the valuation methodology of data has to be led by “Data Professionals” and FDPPI therefore takes the lead to develop a proper guidance in this regard which we can take to other forums.

FDPPI has created an internal working group in this regard and would soon be working on an industry level working group across the industry to ensure that there will be a larger participation of professionals.

Naavi

(Comments welcome)

 


A New Era in Personal Data Protection opens up

After ISMS and PIMS, it is time for PDP CMS or Personal Data Protection Compliance Management System to be implemented in organizations. PDP CMS is inclusive of PIMS and ISMS but is more focused than either of them. ISMS focus rests on technical security across all information in an organization while PDP-CMS is focused on Personal Data. PIMS is focused on Privacy related to one specific data protection law, leaving the security to a supporting ISMS system. On the other hand, PDP-CMS is a unified system that takes into account all applicable data protection laws in an organization and incorporates Information Security along with Privacy controls as required for compliance.

After conducting three separate modules, Module I, Module G and Module A over the last 18 months, FDPPI is now launching an integrated module of training for professionals who could be consultants for data processing organizations or undertake audits for certification with a calculation of Data Trust Score as envisaged in the proposed Indian law.

The first such program is being inaugurated today at 10.30 AM and would be conducted online over 36 hours spread over six weekends.

FDPPI is happy to welcome DNV, the globally renowned Certification agency, which has joined hands with FDPPI as a Certification partner for this course.

Naavi

SPOT REGISTRATION

Pay Rs 40000/- through this link 

and Contact Ramesh Venkataraman for the session link


Book on Cyber Crimes..in Print version released

The E-Book on Cyber Crimes which was available in the E-Book section of the website has now been updated and released in print form.

This book is now available online at the publisher’s website at Rs 450/-

The Book will also be available on Amazon and Flipkart.

First five purchasers who review the book and send their review by e-mail to naavi, would be eligible for a cash back of 50% of the price paid. This book has a limited objective of meeting the quick needs of the law enforcement.

Naavi
