Naavi.org

This has reference to the various discussions we have had on this website on the issue arising out of the insolvency petition on Net4India which resulted in thousands of domain name registrants and website companies being unable to operate their websites and E Mail accounts.

After Naavi.org escalated the issue to all levels, first NIXI resolved the transfer issue of  dot in domain names and now ICANN has also taken steps to resolve the transfer of other domain name extensions such as dot.com names.

ICANN has announced   today that it has activated the DARTP process (De-Accredited Registrar Transition Procedure) to enable the successful transition of domain names currently registered with Net 4 India limited to an ICANN accredited registrar who can serve the registrants.

It appears that NCLT which was holding up the resolution so far has cleared the process.

According to ICANN,

“ICANN org is initiating the DARTP process to identify and select a gaining registrar(s) as quickly as possible.

The gaining registrar(s) will assume various responsibilities, including supporting former Net 4 India Limited domain name registrants with the renewal, transfer, and management of their domain names as required in the RAA.

Once the gaining registrar(s) is identified and confirmed, it will be listed on the Bulk Transfers page.

ICANN expects to announce the gaining registrar(s) within the next two weeks.

Once the transfer of registrations has been completed, the new registrar(s) will contact registrants with information on how to access and maintain their domain name registrations.

It is critical that registrants follow the instructions provided by the gaining registrar(s) regarding how to manage their domain name registrations. There is no cost to registrants for the bulk transfer.”

There are still some issues such as the holders of e-mail addresses in vsnl.com domain which was discontinued by the Tatas. We have to wait and see how this would be resolved. We also need to see how the residual balances that the account holders held with Net 4 India would be accounted for.

It is a tragedy that the resolution took so much of time and NCLT needs to apologize to the Indian public for causing this issue and delaying resolution for such a long time.

The issue of Net 4 India taking a loan from SBI and defaulting is apparently a fraud that requires a CBI investigation. The NCLT needs to be educated on how it should meet its responsibilities to the society when the interests of the public are involved. The arrogance of being a Judicial authority should not give a license to NCLT to ignore the interest of 70000 plus members of the public. The MeitY, as well as the Supreme Court failed to intervene and resolve the issue.

I hope all these agencies learn a lesson from the incident and correct their actions in future.

Naavi

In December, Cellebrite, a noted Mobile forensic company announced that Signal App Crypto had been cracked and Cellebrite is assisting the Law enforcement to view messages which Signal claims to be encrypted end-to end. (See article here)

Obviously, this was a big blow to the ego of Signal as well as its claim to be the messaging solution that can be relied upon for Privacy as people move out of WhatsApp.

And Signal in its retaliatory jab, has announced that Cellebrites phone cracking software has its own vulnerabilities which the Signal founder has cracked and that the vulnerabilities can compromise privacy of individuals whose data had been accessed by Cellebrite. (Refer here)

It must be noted that Signal has admitted to “Cracking” which is an offence in every country. On the other hand Cellebrite’s UFED if used by a law enforcement agency, the compromised information would be only with the law enforcement and hence Cellebrite is reasonably protected from direct liabilities.

The mutual accusations between Cellebrite the security company and Signal the encryption company that in a given instance may be helping the criminals is an example of how companies can destroy each other for ego issues.

This is a self destructive exercise in which Cellebrite is better off as it is on the law enforcement side. For Signal, it will be a losing battle both legally as well as reputation wise.

Naavi

We have in the past discussed the issue of “Digital Wills”.  (Refer here: Inheritance of Virtual Assets) ITA 2000 has kept “Wills” in electronic form outside the provisions of ITA 2000. Hence “Digital Wills” are not valid like written documents under Section 3 of ITA 2000. There is a logic for this and hence we can accept this as the current policy of the Government to keep possible frauds by creation of fake digital wills.

Now Dr Prashant Mali, well known Cyber Law expert has published a comprehensive article on the issues related to digital assets and their inheritance. (Refer here).

We are in the threshold of the passing of the PDPB 2019 which will bring new regulations in force on how to handle or how not to handle personal information. In due course we may also have a legislation on “Non Personal Data Governance” and how to unlock financial value out of such assets.

Naavi has also recommended that “Data Assets” should be brought into account books by creating a contra entry in the balance sheet as both an asset and a liability until such time that we have a proper method of valuation of data assets acceptable to the accounting fraternity.

FDPPI has also adopted the PDPSI (Personal Data Protection Standard of India) as a framework for audit and certification of Personal Data Management System (PDPMS).

In the light of the above, it is considered that we need to suggest some changes to the law to resolve the issues of “Transfer of Digital Assets to the legal heirs of deceased”.

This needs to be referred to in ITA 2000 in the form of a “Guideline to Intermediaries on handling of Deceased accounts”. It also has to be addressed in the PDPB 2019 follow up in the form of guidelines to be issued by DPA in due course.

In the recent notification of Intermediary guidelines (February 25, 2021), there is a requirement  that the Intermediary shall periodically validate the account holder’s data and get his/her consent at least once a year for the TOS/Privacy policy. In the case of deceased, the intermediary will not get the response and also the account may show an inoperative status. Presently some intermediaries simply disable the account and the assets inside the account get lost.

There should therefore be an amendment to the Section 79 guidelines to the following effect.

“In the event of an account being inoperative for more than 6 months, the Intermediary shall notify the account holder to renew the account by posting a data transaction (which could even be a reset of the password). If the customer remains incommunicado, then the account  may be treated as dormant and archived for better security with an additional factor of authentication for renewal.

If the account remains dormant for a further period of say 18 months, then the account may be declared as inoperative and flagged for an increased level of security.

An inoperative account shall be notified to the office of “Controller of Deceased digital assets” (CDDA) to be created by the MeitY.

If there is any knowledge that the account holder is deceased, the account shall be notified as “Account holder reported deceased” with a suitable mark on the content along with the source of such information and the CDDA shall be notified.

The CDDA may try to establish contact with the account holder and if the account holder fails to respond for a period of 6 months, or on receipt of any confirmation that the account holder is deceased, inform the account holder who there after shall transfer all the assets of the deceased  to the CDDA.

In case of e-mail accounts and facebook pages or the like, the notice that the account has been transferred to CDDA shall be prominently noted as a default error response.

There after the legal heirs may contact CDDA  for transfer of the digital assets and subject to the satisfaction of CDDA the asset may be transferred to the legal heirs of the deceased on demand.

In the event of the legal heirs opting to disown the data, the data asset shall be considered the asset of the sovereign state and shall be kept at the disposal of CDDA which shall dispose it of in appropriate public interest.”

Since the digital information in a personal account is classified as “Personal Data” under the PDPB 2019, the Data Protection Authority shall be empowered to make the regulations under the PDPB 2019 and such an amendment can be incorporated at the time of passage so that detailed guideline can be issued by DPA in due course.

The CDDA could be an authority which would be a “Data Fiduciary” under PDPB 2019. It can also use anonymization of the information and create value to be harnessed as sovereign asset realization when the Non Personal Data Governance Act becomes operative. In the context of upcoming regulation for banning crypto asset, that law also needs to incorporate a reference on how to deal with the crypto assets of the deceased.

I urge FDPPI, the premier Data Protection agency in India to take up the issue to formulate policy guidelines in this regard.

Naavi

Also refer:

Forbes article

Prnewswire

Research paper

FDPPI (Foundation of Data Protection Professionals in India) is an organization dedicated to the empowerment of the Data Processing community in India.

The four dimensions in which FDPPI is working today are

a) Knowledge enhancement

b) Implementation Support

c) Advisory Services

d) Dispute Resolution

FDPPI started its Certification Courses in end 2019 with a Certification Course covering Privacy and Personal Data Protection Laws in India (Module I). It then introduced a Certification Course covering the Privacy and Personal Data Protection laws at global level by covering GDPR of the EU region, CCPA and HIPAA of the US region along with Singapore PDPA, Dubai DIFC DPL, and Brazil LGPD. (Module G). Towards the beginning of 2021, FDPPI also completed the Certification of Data Audit skills with special focus on the unique PDPSI (Personal Data Protection Standard of India) framework.

Recently FDPPI has embarked on two important activities to provide advisory services. The first was to set up a Data Protection Emergency Response Team (DPERT) which will not only track the data protection incidents world over, but also provide quick guidance to organizations  confronting suspected or confirmed data breach incidents. The second initiative is the development of a “Personal Data Protection Guidance Board” (PGPDP) consisting of experts who can develop “Codes Of Practice” for personal data protection.

The PDP-GB is an ambitious project of FDPPI which should help the community to start adoption of a “Self Regulatory Best Practice Code” without waiting for the Government to pass the Bill and make compliance mandatory. Indian corporate world has an unsavory reputation that unless some thing is made mandatory, they would not be interested in compliance. Once the PDPB 2019 is passed into an Act, compliance would become mandatory and non compliance expensive. But until then Compliance is still under ITA 2000, mandatory but with low prospect of punishment for non compliance.  FDPPI would however wish that the Indian Corporates would prove the sceptics wrong and start adopting the principles of PDPB 2019 as the due diligence under ITA 2000/8 and be compliant before the mandatory provisions kick in.

PDPGB is therefore likely to be a significant contributor to the development of a self regulated Data Processing industry in India.

Both DPERT and PDPGB are recent initiatives which are under development.

The fourth dimension of FDPPI is when disputes arise in the compliance environment and we need to provide dispute resolution support. Such disputes could be between a Data Fiduciary, a Data Processor and a sub contractor or between a Data Principal and the Data Fiduciary.

The Data Principal-Data Fiduciary dispute comes under the powers of adjudication and Appellate Tribunal under PDPB 2019 and hence DDMAC role may be limited in this context to Mediation. But in other cases it may provide arbitration support. Additionally DDMAC would also provide e-Ombudsman services to companies on request.

Under these four different dimensions, FDPPI will be working to serve the PDP community in India in different ways. To support these initiatives, FDPPI also undertakes other ancillary services as may be necessary.

FDPPI is today an aggregation of nearly 200 professionals who work in the space of Privacy, Data Protection and Information Security. As we grow, attempts are being to formalize the operations but it would take some time for FDPPI to come out of its “Start Up” phase and get fully established.

I take this opportunity to invite once again all the professionals who are interested in contributing to the cause of Privacy and Data Protection to join hands with FDPPI and take it forward.

Naavi

This is a continuation of the series of articles

IS 17428-I under para 5.12  states,

Staff handling personal information or activities related to processing personal information shall:
a) Be trained and kept aware about developments depending on their role;
b) Be aware of their responsibility in protecting data;
c) Be traceable to their actions or inactions;
d) Subject to appropriate disciplinary actions when proved to be in violation of responsibility.
The organization shall determine suitable criteria for qualification, competency and evaluate staff before assigning them responsibility related to data privacy.

In the PDPSI the need to equip the employees is handled both at the operative level as well as at the senior level.

Standard 10 under PDPSI states:

“The organization shall establish appropriate strategic and tactical measures to build and maintain a culture of Privacy Protection throug data protection across the entity and covering all stake holders.”

In the detailed explanation of Standard 10, it i stated,

“…Measures are therefore required to be taken by an organization to ensure that the compliance culture is built across all levels of employees, Vendors, business associates as well as the customers, so that every stake holder is aware of and implements the compliance measures as if the responsibility percolates to all.

This requires both incentivization and dis-incentivization strategies to be used for the best impact. Implementation of whistleblower policies and an effective grievance redressal mechanism both for internal and external disputes is also considered essential to maintain the compliance culture across the organization.”

This is further supplemented by the Model implementation specifications that cover “Employee Privacy Management”,  “Work from Home”, “Augmented HR Policy” etc.

Additionally, Standard 9 mentions abut Employee onboarding/Termination policy besides other aspects.

PDPSI goes one more step further and identifies that Data Protection being a “Cross Functional Responsibility”, the DPO is likely to encounter issues of non cooperation or hostility from other senior management professionals and advises appropriate policy  under Implementation specification no 7 that

“The organization shall adopt and implement a suitable policy to ensure harmonious functioning of the DPO with the other senior executives of the organization with an appropriate clarity of roles and responsibilities including measures to resolve differences.”

Thus PDPSI thinks far ahead of frameworks such as IS 17428 and retains its tag line..

Essence of the Essential and yet different by a distance. * meaning  (*सब का सार, फिर भी, अलग…by Far

Naavi

(This is in continuation of the previous article on PDPSI and IS 17428)

IS 17428 has been released as an “Indian Standard” and is the second such standard to be released in India behind PDPSI (Personal Data Protection Standard of India).However, on a deeper perusal IS 17428 appears to be more influenced by the need of Indian organizations to be compliant with GDPR rather than the current or forthcoming data protection law in India.

On the otherhand PDPSI goes deep into the Indian requirement including  even the DTS as part of the mandatory certification process.

PDPSI also has the flexibility built into it so that an Indian Organization processing personal data from across the world can implement this as a Unified Framework for compliance of multiple data protection laws.

IS 17428 (Part I) in para 3.3 defines “Data Controller” with the following notes.

” Depending on the jurisdiction and the particular data protection and privacy legislation, the synonym ‘PII controller’ or ‘data exporter’ or ‘data fiduciary’ can also be used in some countries instead of the term ‘Data controller’.”

India which uses the terminology of “Data Fiduciary” has become “Some Country”.

In the same way the term “Data Subject” is used and not “Data Principal”. Under para 3.10 referring to other country laws, there is no mention of ITA 2000 or PDPB 2019.

It is only when referring to Sensitive Personal Information that the definition included in ITA 2000 has been referred to.

These observations indicate that whoever drafted the document were not able to look at the Indian regulation independently.

The PDPSI thought has been triggered by the proposed Indian Data Protection law. But considering the need of an Indian organization to also be compliant with other laws, it has built in within the Standard and Implementation Specifications, a need to add “Applicable Law” as part of the process of classification of data . Since personal data related to India gets segregated from Personal data related to EU-GDPR or other laws, the next step of implementation specifications will automatically gets fine tuned based on the relevant law.

PDPSI is therefore “Made in India, first for India for the World” . By incorporating principles such as DTS,  PDPSI is taking the Indian law as the lead implementation guideline and in due course can become a guiding force for Personal Data Audits even outside India.

Since PDPSI is inclusive of all requirements under ISO 27701 it can easily absorb the requirements of other countries without forgetting its origin from India.

Naavi