Thank the CyberFrat Community

Naavi thanks the CyberFrat Community for the recognition as an influencer in the Cyber Security domain. I take this opportunity to look back on how my career transformed, from being a Banker, and later a Financial Marketing domain expert in an Advertising agency, through Cyber Security, Information Security and Data Privacy.

My journey into the Cyber world started around 1995, after Windows 95 made internet access more comfortable. My initial professional activity using the computer was as an Internet journalist and also as a newspaper columnist using Internet resources to run a weekly investment advisory column in the Indian Express. Cyber Security concerns at that time were low, and we were talking of a borderless Cyber Society.

In 1998, I switched over to Cyber Laws when the draft E Commerce Act 1998 was published. Those were the days of Dewang Mehta at NASSCOM, and the focus of computerisation was societal benefit and not commercial exploitation. In 1999, when I wrote the first book, “Cyber Laws for Every Netizen in India”, the dream was that there is a community of “Netizens” who are the citizens of the Global Internet society, and that we are all “Cinezens”: citizens of a physical country and also Netizens of the Internet society.

Many of my thoughts at that time were about maintaining the dual nature of the society, where physical society activities would be enriched by the Internet as a tool. Even the thoughts on E-Banking as an exclusive Internet Branch, the Smart Cards (Zemo Cards) etc. were made in this Utopian belief that the Internet society would co-exist with the physical society. These thoughts have undergone a change over the last few decades, and today the Netizens lord over Citizens; hence the role of “Security of Citizens from Netizens” has become imperative.

With the advent of E Commerce, the greed for money took over, and along with it the concept of a Global Internet society was killed. We created “Internet Boundaries” and made physical laws applicable within virtual jurisdictions. With money flowing in Internet transactions, Criminals took to the Internet as their domain of operation.

This led to the growth of Cyber Security as a domain. This evolved into regulatory regimes, and the concept of “Legal Aspects of Information Security” was born and was adopted as my focus.

With Cyber Law College in 2000, I entered the world of Privacy, creating a “Chapter” in the curriculum of the course on Cyber Law, which expanded around 2005 into HIPAA Consultancy. I also did a lot of work on developing Cyber Jurisprudence in India with ITA 2000 as the base, and assisted Cyber Crime investigators in a number of cases.

Since 2018 the GDPR took over all the attention, and I simultaneously started looking at the Indian Data Protection Law. While in 1998 I was one of the earliest entrants to the discussion on ITA 2000, in 2018 I was once again one of the earliest in starting a discussion on PDPB 2018. The difference was that the group of persons interested in Data Protection increased in geometric proportion, whereas in 1998-2005 the group of persons interested in ITA 2000 could be counted on the fingers. One of the two other persons who were involved in Cyber Law was Pavan Duggal, and the other was Mr Rohas Nagpal, who have to be remembered at this point of time.

Today Naavi represents Data Protection, which is inclusive of the protection of data, which was the earlier focus. I have also started switching over to Data Governance and looking at Neuro Rights and AI law as the next domains to focus on.

At this time, for CyberFrat to have recognized me as part of the CF 100 community, which also consists of professionals like Pavan Duggal, Triveni Singh, Prashant Mali, Rakshit Tandon, Samir Datt (and more), is an honour to cherish.

I therefore thank CyberFrat for the recognition.

Naavi

Posted in Cyber Law

DPDPA Rules: Clarity required on Penalties

One of the concerns of the industry on the DPDPA Rules which has not yet been addressed in the draft of the draft rules is when the penalties under DPDPA will start being applied. For penalties to be applied, the DPB has first to be formed, and afterwards a mechanism has to be built for the reporting of data breaches. Data breaches may be reported directly by the Data Fiduciaries or through complaints received from data principals. The DPB may also recognize a data breach suo motu from newspaper reports and alerts from security research organizations.

It is possible for MeitY to provide some extra time for applying penalties after fixing the compliance date. For example, once the DPB comes into existence and an operating website is set up to take care of data breach reporting, the date for compliance can be notified. The date from which penalties will be considered can be the same date or another 3-6 months later. In between, the DPB may consider application of the “Voluntary Undertaking” under Section 32.

Apart from setting these dates, the DPDPA Rules could have clarified how the “Voluntary Undertaking” would function.

Section 32 states, “The Board may accept a voluntary undertaking in respect of any matter related to observance of the provisions of this Act from any person at any stage of a proceeding under section 28 (Ed: Inquiry).” The voluntary undertaking may include an undertaking to take such action within such time as may be determined by the Board, or to refrain from taking such action, and/or to publicise such undertaking.

If a Voluntary Undertaking offered by the erring data fiduciary is accepted by the Board, further proceedings on penalties in respect of the matters covered by the undertaking are barred, except that if the data fiduciary fails to adhere to the terms of the Voluntary Undertaking, the failure is treated as a breach of the Act and the penalties become applicable.

The DPB should therefore set in motion a procedure for the application of Voluntary Undertakings as a measure for addressing low-harm breaches, or as a general measure of caution before severe action.

In particular, it could have been provided in the DPDPA Rules that for SMEs and MSMEs the Voluntary Undertaking could be made applicable as a routine exercise. In fact, DGPSI takes this into account and expects organizations to consider responding to DPB notices with specific Voluntary Undertaking proposals.

In this context we can look at one instance where the Singapore authority recently used a similar approach.

In a data breach incident involving Keppel Telecommunications & Transport Ltd (KTT) and Geodis Logistics Singapore Pte Ltd (GLS), using ransomware, the attacker exfiltrated 6,287 images of proof of delivery of parcel recipients along with some employee data, including passport numbers and bank details. The access was gained using the vendor's (GLS) user name and password.

Investigations could not determine how the malicious attacker had secured the access credentials. There were also no malicious files or programmes present on the vendor's computers, and no indication of compromise, data exfiltration, or unauthorised access on its systems.

After the incident, the organizations initiated remedial plans, which the regulator accepted in respect of the vendor (GLS). However, KTT was fined $120,000 for failure to protect the employee data.

If a similar incident had occurred in India, KTT as the principal Data Fiduciary would be responsible for the loss of employee data, and GLS would be either a Joint Data Fiduciary or a Data Processor. If it is considered a Joint Data Fiduciary, it would face action under DPDPA 2023.

If GLS is considered a Data Processor, KTT can initiate action against GLS for the loss of its employee data as a contractual failure.

However, the nature of the parcel delivery data could be open for debate. Should it be considered as belonging to GLS, as “Transaction Data”? Is it the business data of GLS, or of KTT? Is it the personal data of the parcel recipients? Should we apply Section 72A of ITA 2000, or the data breach provisions under ITA 2000? These are interesting questions.

Open for debate.

Naavi

Posted in Cyber Law

Educational Institutions and DPDPA

Educational institutions, both graduate education institutions and school/undergraduate institutions where the students are minors, have the challenge of DPDPA before them. These institutions collect parents' information, financial information of students and parents for educational loans and fee collection, health information, etc. Some personal information related to the education is also generated by the institution itself, including mark sheets etc. All of this is retained almost indefinitely.

In India there are many integrated institutions where students join as minors and graduate as adults, or where their information stays in the system for years after they become adults and turn alumni.

Existing institutions also have “Legacy Data” of huge volume. The data can be considered “Sensitive”, as we have often found that students who turn celebrities later in their lives are questioned about their qualifications, age etc. on the basis of the educational records, and could lose their positions and even land in jail if the data is wrong.

Hence Educational Institutions are eminently qualified to be considered “Significant Data Fiduciaries” under DPDPA 2023.

Currently we are not aware that DPDPA 2023 and its rules provide any sectoral concessions for Educational Institutions.

We must appreciate that even the names of individuals are getting standardized only in the current generation. For people of our generation, our records had no “Second” name. We simply had “Initials”, which were the first name of the father and sometimes of the place of birth. If therefore one looks at our SSLC marks card, there will be a discrepancy in the name itself. The date of birth was also accepted as per the SSLC records, and prior to that in the schools, whatever date was mentioned by the parent at the time of admission was accepted. Also, the contacts were mostly through addresses which may not even exist today.

If therefore we are talking of “Consent” for legacy data, there is no way an educational institution which is 50 years or older can issue notices and obtain consents.

At the same time, it is not appropriate for the institutions to remove the data for lack of consent after releasing a public notice and not getting a response for, say, 1 year.

The DPDPA rules did remember educational institutions while creating Schedule IV, which states the conditions under which the tracking and behavioural monitoring of children are exempted, and it includes the educational sector. Strangely, it covers transport operators ferrying children and creches. As far as Educational institutions themselves are concerned, the exemption is restricted to supporting the implementation of any healthcare treatment and referral plan recommended by a healthcare professional for a child, to the extent necessary for the protection of her health.

It is urgently required that Educational Institutions be exempted from “Sending Notice and Obtaining Consent” for legacy information. Alternatively, they can be asked to publish a note on their websites calling on all students and parents who earlier provided their personal information to inform the institution of any changes or inaccuracies. If anybody suggests a change of name in their marks card, it cannot, however, be implemented automatically. In such cases the old data and the suggested corrected data must both be retained.

Even with such a simple procedure, if every student starts exercising their “Right to Access”, that itself will require unreasonably large resources for a school or a college.

A debate is required between MeitY and the educational sector to provide some reasonable exemptions that protect against unintended violations of the law.

In this context we may recall that recently, in Singapore, one medical institution, namely the Academy of Medicine Singapore, which provides professional education, was fined for a ransomware attack resulting in the exfiltration of the personal data of 6,574 persons. The leaked data included passport numbers, NRIC numbers and dates of birth, besides other information such as name, photo etc. The fine was nominal, about $9,000. However, the fact to be noted is that it was an educational institution, and the loss of data was due to an external attack and involved only a small number of data sets.

In this context, if one lakh data sets including biometric and Aadhaar data are compromised in an Indian educational institution, it would be interesting to see how much of a fine would be considered reasonable. Such risks are possible and need to be factored in.

Most educational Institutions run under a single Trust, and whether they need one DPO for each Institution or one DPO for the entire group is another area of doubt. There are many more such issues that may come up in the administration of educational institutions, not all of which may have the resources to manage compliance like a commercial entity.

FDPPI has, after its last industry interaction, suggested that a special interest group (SIG) will be formed by FDPPI to study the impact of the DPDPA on educational institutions on a continuing basis, and it is in the process of identifying the right members for this SIG-Education.

Interested persons should contact FDPPI and volunteer.

Naavi

Posted in Cyber Law

DPDPA Rules.. Voice of the industry

Further to the event held on July 27, in which the views of industry professionals were collected on the draft rules in circulation, FDPPI has compiled a recommendation and submitted it to MeitY.

A copy of the note submitted is available on www.fdppi.in here.

We trust that MeitY intends to publish another version of the rules officially for public comments, modifying the version available earlier (Check here). However, in the spirit of “Shaping the Future”, FDPPI has proactively worked on the current draft and elicited the views of the industry.

Naavi.org has expressed its view that sharing such drafts with MNCs, who are actually going to Courts challenging the legislation of the Government, and not with the general public who are affected by the law/rules, is inappropriate.

Hence we have tried to organize a public discussion on the draft of the draft rules and brought them into discussion.

We trust that at least in future MeitY will take the stakeholders outside the MNC group into consideration while taking decisions that affect society.

The discussions will continue…

Naavi

Posted in Cyber Law

Voice of the Industry on Draft DPDPA Rules

FDPPI conducted an event in Bengaluru on July 27 to discuss the proposed draft of the DPDPA Rules, which was earlier shared with select parties for comments. MeitY is now in the process of releasing another version to the public for comments. In the meantime, FDPPI held the event so that some comments could be sent to MeitY for incorporation in the immediate next version. The event was attended by over 100 professionals, most of them physically, who contributed to the discussions. Invitations had been sent to MeitY also, and we believe that there were observers from MeitY in the virtual meeting.

The participants were presented with 5 panel discussions and three keynotes and were also asked to share their views through a Google form. Though not all of them have yet filled in the Google form, the responses received indicate the trend, which we are sharing here.

We are now sharing the same form publicly so that anybody, including those who did not attend the event, can contribute their views. To submit your views you may need to refer to the draft rules at www.dpdpa.in/dpdpa_rules/. The Act itself is easily available at www.dpdpa.in.

There are some professionals who would not like to comment since the draft rules discussed are not branded as “Official”. It is their choice to wait for the next version, or to raise their voice now along with the rest of the industry so that the next version itself can incorporate some of these views.

Some of the interesting observations received so far are as below.

Out of the 40 questions shared, the following questions got a 100% Yes response.

Q2: Was it necessary to notify the definition of Significant Data Fiduciary?

Q31.  Should Courts introduce a system of listing legal guardianship certificates issued for mentally disabled persons?

Q32.  Should UIDAI introduce an age gating service, clearing that a person is not a minor?

Q33.  Should UIDAI provide a certificate that the person providing consent for the minor is the legal guardian?

Q39.  Can an Aadhaar-based “Age Pass” be a solution for age gating?

It was interesting to note one question which received a 100% “No” response. It was:

Q38.  Is the SEBI mediation platform for dispute resolution the acceptable choice?

The following questions received an 80% Yes response, namely:

Q3.  Is it necessary to specifically call out a category of “Joint Data Fiduciary” as a class of processors?

Q5.  Is it necessary to indicate whether “Subsidiaries” need a separate DPO, or whether a “Group DPO” would be acceptable?

Q8.  Should purpose oriented consent be “Process Based”?

Q10.  Can Aadhaar data collection be restricted by rule to Virtual Aadhaar only, even for voluntary submission of data?

Q14.  Is Legitimate use meant to be used only under very special circumstances?

Q16. Should the Consent Manager be a trusted representative of the Data Principal who, based on certain pre-approved rules, releases the consent in his representative capacity?

Q19.  Should Consent Managers be allowed to sub-contract any of their services?

Q20. Should there be a minimum period before which the Consent Manager cannot close down his business?

Q24.  Should there be simultaneous reporting of a personal data breach to the Data Principal?

Q25.  Should there be simultaneous reporting of a personal data breach to CERT-In?

Q26.  Is 72 hours for the detailed data breach report sufficient?

There was one question which elicited an 80% “No” response, namely:

Q40.  Should Journalists be excluded from Consent and the Obligation to protect the Rights of data principals?

Those of you who want to participate in this Global Survey may access the form and send your views right now at the following link.

https://docs.google.com/forms/d/1IOEgE0bywmrEBENsGI1FFNmwAX8Q7XaDkZvlGRqGqo4/edit?ts=66a362c4

In case responses are received today, they will be added to the collation and sent to MeitY as the “Voice of the Data Protection Professionals”. We will also try to discuss this further for different sectors in the SIGs and keep a continuous watch.

Naavi

Posted in Cyber Law

The Data Breach Notification Rule under DPDPA requires a re-look

In continuation of our post of yesterday on the Consent Manager, we would like to point out that the “Personal Data Breach Notification Rule” as contained in the draft rules also requires a re-look before the next version of the draft rules is released. Some of our observations are as follows.

We refer to Rule 7 of the draft rules, a copy of which is available at www.dpdpa.in/dpdpa_rules, for this purpose. This rule deals with intimation of a personal data breach. The Rule prescribes two-stage reporting: one report to be made immediately on becoming aware of the personal data breach, and the other within 72 hours with more details. It is noted that the rules do not make any mention of the data breach reporting directions issued under ITA 2000 by CERT-In (Refer: https://cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf).

It is necessary to recognize that every personal data breach involving loss or damage to data is also a cyber security incident under ITA 2000 and is reportable under the CERT-In directions, even after the repeal of Section 43A. The consequence of non-reporting under Section 70B(7) of ITA 2000 could be the initiation of criminal proceedings, with imprisonment of up to 1 year, a fine of up to Rs 1 lakh, or both.

Hence clarity should be brought in about the need to copy the data breach report to CERT-In. There should be a process whereby the DPB and CERT-In work in harmony in dealing with the breach report.

In case the DPB would like to exercise its right of investigation into the causes of a data breach, it would require additional technical investigation capabilities to be built up. On the other hand, CERT-In already has the necessary expertise with a team of scientists and can also draw on the CERT-In empanelled auditors.

There is a need to recognize that the DPB would be more interested in identifying non-compliance with the law which may affect the rights of the data principal, and hence would like to track even those personal data breaches which do not result in exfiltration of data causing irreversible damage to the data principal. On the other hand, CERT-In is more interested in the prevention of Cyber Crimes and hence focussed on data breaches involving exfiltration, loss or damage of personal data.

Hence there is a need for a re-look at this rule and a simultaneous change in the CERT-In directions related to data breaches.

Further, it is necessary to recognize that organizations monitoring security incidents diligently observe many internal alerts and whistle-blower reports which, if confirmed, may become breaches but could also turn out to be false.

The draft rule under DPDPA currently requires the report to be submitted “forthwith”. This will force organizations either to report all intrusion alerts captured by their systems as data breaches or to ignore the provision. While companies may classify such intrusion alerts as not amounting to a data breach, there is still a requirement to give organizations some time to determine whether an internal data breach alert is really a data breach or a false alarm. Hence such observations should be termed “Provisional” at the time of reporting. The confirmed report filed within 72 hours may be called the “Personal Data Breach Report”.

Hence there is a need to recognize three categories of personal data breaches, namely:

  1. Provisional Data Breach
  2. Data Breach not resulting in loss of data
  3. Data Breaches resulting in loss/damage of data

The rules should treat these differently in terms of reporting, mitigation and penalisation.

Since CERT-In has the infrastructure to provide technical guidance on remediation, there is no need to duplicate the effort at the DPB. Regulatory investigation of a technical nature, if required, should be left to CERT-In and its findings adopted by the DPB before going in for the determination of penalties.

CERT-In has its own powers of a quasi-judicial nature, which are more powerful than the powers of the DPB. Hence co-ordination of the two entities is essential to prevent confusion in the industry. For this purpose, a “DPB-CERT-In Data Breach notification and investigation policy” should be announced, which may specify time-bound completion of investigations and a non-overlapping ruling on penalties. (Similar arrangements can also be worked out with RBI/IRDAI/SEBI.)

Alternatively, changes should be notified under ITA 2000 stating that CERT-In would refrain from investigating cases which are taken up for investigation by the DPB under DPDPA 2023.

Wishing away the powers of CERT-In would require an amendment of ITA 2000 and is not feasible in the short run.

Hence CERT-In and the DPB need to build a method of working together without conflict, and this should be done concurrently with the passage of the DPDPA Rules.

We also suggest that the “Provisional Data Breach Notification” need not be sent to data principals, and that the complete notification be posted prominently on the website. The data principals may be sent an email notification, but the possibility of many not being reached is high. Hence the website notification should be considered sufficient notification unless the DPB or CERT-In specifically instructs individual notifications.

Comments welcome.

Naavi

Posted in Cyber Law