New Version of PDPA 2020

Naavi had published the book “Personal Data Protection Act of India (PDPA 2020)”, which was based on the version of the Bill presented in Parliament as PDPB 2019.

Now the Government has made changes and is in the process of introducing a new version of the Bill during the next few days. Following this we will have an idea on whether it will be passed as such or will be debated in the next budget session.

A new version of the book will therefore be due in the month of March 2022 based hopefully on the new version of the Act.

In order not to discourage readers who would continue to buy the current version of the book as is available on Notion Press or Amazon or Flipkart, we want to provide this offer on a contingent basis of a new version of the book being made available later in the year 2022.

1. This offer would be available only for buyers of the current version of the book after 1st December 2021.
2. A discount of 50% on the published price of the new book would be made available on the basis of evidence of purchase of the current version on or after 1st December 2021 until the sale of this book is withdrawn and replaced with the new version.
3. This offer would be available during the first month of release of the new version and lapse thereafter.

For those of you who bought this book before 1st December, some benefit as would be appropriate would be made available. Kindly await the announcement.

Naavi

Posted in Cyber Law | Leave a comment

PDPA 2021: The Data Protection Officer is now in an elevated professional status

One of the interesting new propositions in the PDPB 2021 as compared to PDPB 2019 is the professional status of the Data Protection Officer.

In all data protection laws, there is a requirement that data controllers/fiduciaries who handle a large amount of personal data or who handle sensitive personal information should designate a special official called the “Data Protection Officer” (DPO) who can be accountable for compliance.

The DPO has to have sufficient knowledge of the data protection law to guide the organization besides having adequate knowledge of security aspects to understand terms like DPIA, Privacy by Design, Data Trust Score etc. Most laws expect the DPO to be also capable of dealing with data subject relationships and also the relationship with the regulators as a single point contact in the company.

While dealing with the regulators, it is not simply a relationship of reporting a data breach. The law expects the DPO within the company to be an extended arm of the Data Protection Authority (DPA).

When a data breach occurs, one of the key decisions to be taken is whether to report the breach to the DPA and, in some cases, to the data principals. But when the data breach is first discovered or when there is a suspected data breach, the company may be concerned about the reputation damage to itself from the disclosure of the breach and would like to avoid disclosure if possible. On the other hand, the DPO is expected to look at the harm from the perspective of the data subject/data principal and take a view accordingly. In such situations there could be a serious conflict between the DPO's role and the company itself.

In certain circumstances, there could be a lapse by an influential internal employee who would like the suspected breach to be ignored and would try to prevent the DPO from reporting it either within the organization or to the DPA. In such cases the DPO is required to possess a high degree of interpersonal skills to ensure that he fulfils his duty to the DPA/Data Principal even at the cost of displeasing somebody within the organization.

These situations open up a discussion on the exclusive skills that the DPO needs to possess and on determining the credentials required for a person to be appointed as a DPO.

One of the additional requirements that a DPO needs to possess to meet such requirements is a high degree of “Interpersonal Skills”. This is a behavioural skill normally possessed by the HR persons. Another skill is the grievance redressal skills normally available with the legal professional. Successful leaders are born with such skills or have such skills developed over time through experience and learning.

Hence when a new DPO needs to be appointed, the organization has to scout for the right skills. If the company tries to find a short cut and designates a CTO, CISO, CCO or CRO as also a DPO, then there could be a conflict with other duties and there may also be a serious deficiency of “aptitude”.

For example, CISOs are typically technical experts and perfectionists. Their expertise is focussed on technology. They may not necessarily be good at man management. The HR executive or a marketing person may, on the other hand, be a good man manager and communication manager but weak in technology. Most of these may not be well versed in the subject of law. Hence it is not always easy to find an internal candidate to fit the DPO role.

Yet another problem in promoting one of the existing members into the DPO position is the seniority at which they can be fixed. The legal officer may be the best person for the job but the current functional level of even the Chief Legal Officer may be at a level below that of a CISO or a CTO in a tech company. The DPO position may however be a level above CISO and not necessarily below the CISO/CTO.

In GDPR, the law suggests…

a) The Organization shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.

b) The organization shall support the data protection officer in performing the tasks  by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.

c) The organization shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks and he or she shall not be dismissed or penalised by the controller or the processor for performing his tasks.

d) The data protection officer shall directly report to the highest management level of the controller or the processor.

The above requirements indicate that the DPO must be a senior person if he is an employee. GDPR however allows an external consultant to be designated as a DPO, which could avoid the conflict arising out of the seniority of the CISO/CTO in the organization who needs to accept suggestions from the DPO.

In the Indian law (PDPB 2021), Section 26 states that the DPO shall be a

“…. a key managerial personnel in relation to a company or such other employee of equivalent capacity in case of other entities, as the case may be, possessing such qualifications and experience as may be prescribed  …”

The explanation to the section mentions that

“Key managerial personnel” means—

(i) the Chief Executive Officer or the managing director or the manager;
(ii) the company secretary;
(iii) the whole-time director;
(iv) the Chief Financial Officer; or
(v) such other personnel as may be prescribed.

The Indian law also prescribes that the DPO should be in India and it appears that the person has to be an employee.

A careful examination of the above indicates that the DPO can be the Managing Director or the Company Secretary or a Whole time Director or a CFO. We need to await the regulatory guidelines to understand how the DPA interprets this explanation and whether the law presumes that there is no conflict with DPO roles for the CFO or the Company Secretary and the roles such as CISO are not mentioned because there is a perceived conflict.

Even where an external consultant is appointed by a company for his expertise, it will be necessary for an internal employee to be designated as a DPO and such internal employee has to be a key management personnel.

Because of this provision, it is clear that the law expects the DPO to be a fairly senior person and could even be at the level of the whole-time director.

Additionally, under Section 85 (PDPB2021), if an offence is attributable to the negligence of an official then he may be held liable for criminal punishment.

The position of the DPO is therefore more onerous than that of the CISO and hence it would be inevitable that he is designated at the CxO level with remuneration that matches the responsibility.

It would be interesting therefore to observe how the Indian companies develop their internal employees to fill up this role or bring outsiders at the senior level which could cause some heart burns within the organisation.

It is therefore advisable for CISOs and CTOs to quickly gear up their skills and be ready to bid for the position of the DPO. From our experience of GDPR, DPAs may consider common designations such as Compliance Officer cum DPO or CISO cum DPO as creating conflicts.

The mention of the “Company Secretary” in the list of key management personnel is interesting since Company Secretaries have the experience of holding a “Fiduciary” relationship where they have to safeguard the interests of shareholders and be the whistle-blowers if there are violations of Corporate Governance principles. The “Statutory Auditors”, who come from the community of Chartered Accountants, are also trained to be independent in their views and express qualifications in the audit reports if they find any non-compliance issues. The CFOs come from the same community of Chartered Accountants and hence at least a few of them retain the independent attitude to be able to handle the fiduciary responsibilities that a DPO is expected to handle. Perhaps it is the reason why a CFO has been mentioned in the example of key personnel.

However, the CFO and the CEO will have their own business-related conflicts with the duties related to the DPO and hence conflicts may continue to be there. A Company Secretary is better placed amongst these executives to be a DPO, though in tech companies the Company Secretary may not be a key position at present and elevating him to the level of DPO may ruffle some feathers.

The best solution is therefore to appoint an exclusive person to the DPO position who could be a whole time director or Independent Director of the Company.

It is a challenge that Boards of potential “Significant Data Fiduciaries” need to sort out these issues quickly and be ready for the passage of PDPB 2021.

(Comments welcome)

Naavi

Other articles on DPA 2021

14. PDPA 2021: Concept of Discovery Consent

13. JPC Recommendations on SWIFT Alternative: Out of scope and Disruptive of Global Economic System

12. JPC recommendation on Children Data

11. JPC recommends DPA to watch on Incident Register

10. JPC comments beyond the Amendments-2: Implementation Schedule

9. JPC comments beyond the Amendments-1-Priority of law

8. Clarifications from the JPC Chairman on DPA 2021

7. Anonymisation is like Encryption with a destroyed decryption key 

6. PDPA 2021: The data breach notification regarding Non Personal Data

5. PDPA 2021: The Data Protection Officer is now in an elevated professional status

4. PDPA 2021: The nature of Data as an Asset and nomination facility

3. PDPA 2021: Regulating the human perceptions

2. PDPA 2021: Definition of Harm to include psychological manipulation

1. PDPA 2021: Should Big Data and Data Analytics industry be worried?


PDPA 2021: The nature of Data as an Asset and nomination facility

India enacted ITA 2000 (Information Technology Act 2000) with effect from 17th October 2000 and amended it in 2008 with effect from 27th October 2009. The provisions of ITA 2000/8 included legal recognition for a binary expression which we refer to as an “Electronic Document”, how such electronic documents can be used, and the consequences of their misuse.

In the amendments of 2008, the act was sharpened with the introduction of how sensitive personal data is expected to be protected through a “Reasonable Security Practice” and the consequences for negligence in the process.

The Personal Data Protection Act (PDPB 2021) and the Crypto Currency Regulation bill which are presently being considered in the Parliament for passage have opened up some discussions on what is the legal nature of some special kinds of electronic documents.

Arguments in the context of the Crypto Currency bill revolve around the need to ban Crypto currencies from private entities since they could destroy the legitimate economy by undermining the central bank currency. However, when it comes to the legal status of a Crypto Currency, it has its recognition as an “Electronic Document” and hence one argument is that it should be considered as a separate Asset Class and allowed to be traded in the stock markets like a “Commodity”.

The now abandoned draft Bill DISHA (Digital Information Security for Health Act) had provided that “Health Data” is owned by the health data subject as if it was a “Property”.

The PDPB 2021 considers “Personal Data” as a special kind of data and ascribes a whole lot of regulations on how it can be collected, used and disposed along with the consequences of contravention of the provisions.

In perception, Personal Data is a separate asset class in the Corporate Data Asset store and, to be compliant with PDPB 2021, an organization needs to recognize its “Personal Data Asset”, classify it as personal, sensitive personal, critical personal etc., create an inventory, and tag it with the country of origin of the data principal, the notice and consent associated with its collection and usage, and so on. Personal data is not a single piece of data and is often an aggregation of data elements from different sources at different points of time. It has depth and width. It also has a quality tag and an erosion of quality over a period of time.

In view of the fact that personal data like all data has an economic value to the user organization, different types of personal data have different values and the “Data Valuation Standard of India” (refer www.dvsi.in/wp) has developed a tentative methodology for valuing the data in the control of organizations and bring it to the books of account.

However, in the midst of these activities, the treatment of the data of “Deceased” data principals has been an issue that required attention. In several articles on naavi.org we have discussed this issue in the past.

One of the issues discussed therein is whether the ITA 2000/8 Section 1(4) Schedule can be amended to include the feasibility of a “Will” for data assets. The other option is to provide for a “Nomination” facility under law.

In financial assets there is both the provision of a “Will” through which the financial assets can be passed on to legal inheritance as well as nomination of Bank accounts.

The nomination facility for Bank held assets was brought in through section 45Z (introduced in 1985) of the Banking Regulation Act, which states as follows:

45ZA. Nomination for payment of depositors’ money.—

(1) Where a deposit is held by a banking company to the credit of one or more persons, the depositor or, as the case may be, all the depositors together, may nominate, in the prescribed manner, one person to whom in the event of the death of the sole depositor or the death of all the depositors, the amount of deposit may be returned by the banking company.
(2) Notwithstanding anything contained in any other law for the time being in force or in any disposition, whether testamentary or otherwise, in respect of such deposit, where a nomination made in the prescribed manner purports to confer on any person the right to receive the amount of deposit from the banking company, the nominee shall, on the death of the sole depositor or, as the case may be, on the death of all the depositors, become entitled to all the rights of the sole depositor or, as the case may be, of the depositors, in relation to such deposit to the exclusion of all other persons, unless the nomination is varied or cancelled in the prescribed manner.
(3) Where the nominee is a minor, it shall be lawful for the depositor making the nomination to appoint in the prescribed manner any person to receive the amount of deposit in the event of his death during the minority of the nominee.
(4) Payment by a banking company in accordance with the provisions of this section shall constitute a full discharge to the banking company of its liability in respect of the deposit: Provided that nothing contained in this sub-section shall affect the right or claim which any person may have against the person to whom any payment is made under this section

Similarly, Sections 45 ZC and 45 ZE provide for nomination for the return of articles kept in safe custody and in safety lockers with a banking company.

The legal jurisprudence on the nomination facility in the banking system is that payment or delivery of articles to a nominee discharges the Bank of its liabilities though it is not a legal settlement of the title. The legal heirs are open to settle their claims separately through testate instruments such as a Will or through other measures available under the transfer of property provisions of law. Nomination does not settle legal ownership and is only a procedural facilitation for the convenience of the Banking system.

Now, PDPA 2021 introduces the concept of Nomination in respect of “Personal Assets” through a provision in the Bill.

Under the proposed Section 17 (4) regarding Rights of the Data Principal, it is provided that

“The data principal shall have the following options, namely:-

(a) to nominate a legal heir or a legal representative as his nominee;
(b) to exercise the right to be forgotten; and
(c) to append the terms of agreement, with regard to processing of personal data in the event of the death of such data principal.”

Reading this along with the current provisions of ITA 2000, we need to interpret that this provision is only for “Nomination” and not to transfer “Legal Ownership” of the data. Hence this does not also confer the status of “Property” to the data.

This provision also has another anomaly since it tries to provide rights of amendment to a contract signed when the person was alive and in respect of a right that does not subsist after the death of a person.

This needs to be corrected by changes to this amendment, failing which this provision could be considered as “Ultra Vires” the established process of law and introduce an ambiguity that will become a focus of endless litigation in future.

If this section survives the passing of the Bill, then watch out for the amendments to be made to the PDPSI (Personal Data Protection Standard of India) implementation specifications, where we may suggest how this anomaly may be handled.

Naavi

(Comments welcome)


NALSAR launches the Course on International Data Protection Laws

When ITA 2000 was enacted in the year 2000, Cyber Law College started a virtual course on “Certificate in Cyber Laws”. It took several more years for traditional academic institutions to introduce formal courses on Cyber Laws. Initially Cyber Law College conducted certification courses in association with KLE Law College, Bangalore, Hubli and later the SDM law college in Mangalore and JSS law college in Mysore.

Several years later NLSIU and NALSAR followed with their own courses. I was privileged to be associated with both the courses in development of curriculum and handling some sessions.

Now we have entered the era of Data Protection Laws. Again it was Cyber Law College which pioneered Certificate courses both on the Indian law based on ITA 2000 and PDPB 2019 as well as the global laws. These courses are part of the DPO training program of FDPPI and the first course was started by the end of 2019.

Now within a gap of 2 years, NALSAR has decided to launch a course on “International Data Protection Law” as part of its courses. The undersigned is privileged to be associated with this program which will discuss GDPR, US and Canadian laws as well as DIFC and Singapore laws.

The Indian laws are presently not a subject of study yet but may soon be introduced.

The first batch of this “ONE-YEAR ADVANCED DIPLOMA IN CYBER SECURITY & DATA PROTECTION LAWS-2021-2022” will commence from tomorrow.

We wish the program all the success.

Naavi


PDPA 2021: Regulating the human perceptions

(This is in continuation of our previous article)

While discussing the PDPA 2021 and inclusion of Section 3(23)(xi) we observe the following:

Current PDPB 2019, Section 3(20):

(20) “harm” includes—

(i) bodily or mental injury;
(ii) loss, distortion or theft of identity;
(iii) financial loss or loss of property;
(iv) loss of reputation or humiliation;
(v) loss of employment;
(vi) any discriminatory treatment;
(vii) any subjection to blackmail or extortion;
(viii) any denial or withdrawal of a service, benefit or good resulting from an evaluative decision about the data principal;
(ix) any restriction placed or suffered directly or indirectly on speech, movement or any other action arising out of a fear of being observed or surveilled; or data principal;

Proposed PDPB 2021, Section 3(23):

(23) “harm” includes—

(i) bodily or mental injury;
(ii) loss, distortion or theft of identity;
(iii) financial loss or loss of property,
(iv) loss of reputation or humiliation;
(v) loss of employment;
(vi) any discriminatory treatment;
(vii) any subjection to blackmail or extortion;
(viii) any denial or withdrawal of a service, benefit or goods resulting from an evaluative decision about the data principal;
(ix) any restriction placed or suffered directly or indirectly on speech, movement or any other action arising out of a fear of being observed or surveilled; (***)
(x) any observation or surveillance that is not reasonably expected by the data principal;
(xi) psychological manipulation which impairs the autonomy of the individual; or
(xii) such other harm as may be prescribed;

The whole concept of “Data Protection Laws” is built on the premise that an individual has a “Choice” on sharing of his personal data which can be captured and given effect to by a third party until such time the person does not “Withdraw” or “Modify” his consent.

This is in itself like skating on thin ice and to top it with a responsibility to recognize the “Psychological Manipulation which impairs the autonomy of the individual” is a cruel imposition on the DPO and the organization.

What is “Autonomy” of an individual and how it gets “Impaired” are going to pose significant challenge to the industry.

We can recall the Cambridge Analytica case, where there was an allegation that personal information was used to develop an algorithm that could predict the political leaning of a subject, and that was considered as an infringement of privacy rights. The Cambridge Analytica case reflected the global hatred for Facebook and created a precedent that has clouded the judgement of many regulators.

It is for this reason that “Profiling” and “Automated Decision Making” have become critical issues of data protection regulations.

While “Profiling” stops at making an educated guess to predict the behaviour of a person based on some transactional information available to a data fiduciary, the consideration of “Psychological manipulation” as a “harm” takes the regulation to a higher level since “Harm assessment” is part of Data Protection Impact Assessment and Data Trust Score Assessment.

While expert organizations like FDPPI will devise some acceptable standard under PDPSI to handle such issues, academically, there is a need to debate whether the inclusion of Section 3(23)(xi) in PDPA 2021 was required and whether it could be a provision which is not amenable to regulation.

In this context, we need to understand how the “Advertising” industry works. Advertising as well as marketing works on the principle of AIDAS, under the premise that the buying behaviour of a target market has to be changed from “No awareness and No desire to buy” into an action to place an order.

In this process, we follow the steps of AIDAS: creating Awareness/Attention and Interest, which should be converted into a Desire for a product, before pushing the individual into the Action of buying, and then following up on the Satisfaction of the buyer.

What PDPA 2021 does is to declare this age-old principle of marketing as “Unlawful”.

If therefore an advertising agency has to work on PDPA 2021 compliance, there is an issue that advertising tries to psychologically manipulate a large section of the population, though the agency does not know which data principal is being targeted when it releases an advertisement in a mass medium.

But it will not be long before the idea catches up where e-mail marketing, SMS marketing or advertisements in specialized media or advertising through subscription model TV broadcasting will all be red flagged as “Creating Harm”.

So far only advertisements on smoking, drinking etc were considered harmful. The Bitcoin industry is fighting against the advertisement ban envisaged for Crypto Currencies. Now PDPA 2021 is likely to place the entire advertising industry and along with it the marketing functions under a question mark.

It would be interesting to know if the industry understands this issue and reacts.

If the Government wants to make a change, it is better to delete this 3(23)(xi) and let the earlier definition of harm be considered sufficient.

Now we shall get back to the question I had placed in the previous article to highlight how legislating what goes on in the mind of a person is not wise.

The question was

What is your response to an information stimulus represented by the following binary stream?

01001101 01101111 01100100 01101001

There can be three responses which we can discuss.

1. This is a number: 1,299,145,833 or One billion 299 million 145 thousand and eight hundred thirty three.

2. Another person says it is the name of a well respected global leader, Modi

3. Another person says it is the name of a most hated Indian leader, Modi

Whether this binary stream is a number or a set of English characters ‘Modi’ depends on the choice of the binary converter which the observer uses.

This means that 01001101 01101111 01100100 01101001 is either a number or a name based on the technology you use to convert it into human-understandable data. Hence it is neither non-personal data nor personal data per se. It is the observer who chooses to convert it into either a number or a name, and hence he determines whether it is personal data or non-personal data.

Once it is converted into the four letters Modi, whether it is considered as an “Objectionable” word or a “Biased” expression will be decided by Twitter based on who is tagging the content. If the binary is used in a sentence “….. is good”, then if you use an ASCII to text converter it should be treated as an attempt for “Psychological Manipulation”. If you use the ASCII to number converter, it may not mean “Psychological manipulation”.

If we are assessing the harm caused by the information therefore, we need to take into account the context, the observer and the device used for observation before considering if there is any attempt for “Psychological Manipulation”.

Under these complexities of human behaviour it is a moot question if the introduction of Section 3(23)(xi) was actually required.

Let us have the comments from others…

Naavi


PDPA 2021: Definition of Harm to include psychological manipulation

PDPA is a legislation that is meant to uphold the human right concept of “Privacy”. Privacy is a concept which reflects the “State of Mind” of an individual and a feeling of “being left alone”.

According to human psychologists, hypnotists and also the spiritual gurus, the human mind is like a computer which, based on the inputs received from the sensory organs, creates experiences to which humans respond. If the input is wrongly perceived, the reaction would be inappropriate.

It is easy to understand that if the mind perceives the red traffic signal as green, then the human will proceed and perhaps crash against another person who sees red as red, green as green.

Human perception is based mostly on past learning, like it happens when an AI algorithm is trained with specific inputs. The theories of Thomas Anthony Harris on the life positions individuals may take, such as “I am OK, You are OK” etc., are based on such principles of how the individual has experienced his childhood.

The PAC model in the theory of Transactional Analysis also suggests that our responses to human interactions are conditioned by the way our ego states have been developed.

The ability to “Observe”, “Perceive”, “Interpret” and “learn” is an inherent characteristic of any human being.

Some might have developed the instinct to such an extent that they develop the skills of “Face Reading”. Some try to develop the expertise as an ability to read the “Body Language”.

Given this inherent human character of taking a mental position based on any of the sensory perceptions fed to their mind, any information is also likely to have an automatic impact on the human being. This cannot be prevented.

Those who can keep themselves immune to the external stimuli and react independently are the Sadgurus of this world.

Law cannot be made for such Sadgurus since they are too few in number and do not represent the majority.

However the data protection laws across the world appear to take up this task of regulating not only the “State of Mind of an individual” but also what one human perceives when he receives some personal information.

Let me give an example.

Here is a binary stream and I want you to let me know what is the first reaction you have on the same:

01001101 01101111 01100100 01101001

Think it over… We shall continue our discussion in the continued article on the amendment in PDPA 2021 which has added Section 3(23)(xi), which adds a new type of “Harm”, namely “psychological manipulation which impairs the autonomy of the individual”, to the list of harms that the regulation tries to protect an individual against.

(Second Part of this article)

Naavi
