Delhi High Court guidelines on Section 79 of ITA 2000

Posted on April 21, 2021 by Vijayashankar Na

In a comprehensive speaking order , Honourable Justice Anup Jairam Bhambhani of the Delhi High Court has issued a judgement dated 20th April 2021 in the case WP (CRL) 1082/2020 and other petitions, holding light on the rules under Section 79 of ITA 2000.

Some details are available at  lielaw.in in the following article.

Removal Of Offending Content From Internet: Delhi High Court Lays Down Procedure, Guidelines For Intermediaries, Govt.Agencies (livelaw.in)

A copy of the detailed judgement is also available here:

The judgement takes into account even the recent notification of February 25 on Intermediary Guidelines and Digital Media Code of Ethics.

The judgement also contains the submissions of Mr Pavan Duggal the noted Cyber Law expert where a good summary of the applicable law is available. Given the international experience of Mr Pavan Duggal who was the Amicus Curiae in the hearing, the judgement will be a very useful reference document for all students of Cyber Law.

Interestingly the judgement has linked the “Need to remove” the content to the judgement in the case of “Baba Ramdev’s case” where content uploaded from India had to be removed globally from the search engines.

The judgement requires a detailed analysis and may be done in due course on this website. It is to be appreciated that this hearing perhaps took place through the video conferencing system proving that the E Court procedures are effective and can be used as a regular procedure.

The conclusions lead to the following directions being issued:

“….the action of the petitioner’s photographs and images having been taken from her Facebook and Instagram accounts and having been posted on the website www.xhamster.com; and then having been re-posted onto other websites and online platforms, amounts prima facie to an offence under section 67 of the IT Act in addition to other offences under the IPC; and that appropriate directions are required to be issued directing the State and other respondents to forthwith remove and/or disable access to the offending content from the world-wide-web to the maximum extent possible.

….The Delhi Police/CyPAD Cell are directed to remove/disable access to the offending content, the Web URL and Image URL of which would be furnished by the petitioner as above, from all websites and online platforms, forthwith and in any event within 24 hours of receipt of information from the petitioner. It may be recorded that the Delhi Police have stated before this court that the offending content has already been removed from
respondent No. 5 website www.xhamster.com;

….A direction is issued to the search engines Google Search, Yahoo Search, Microsoft Bing and DuckDuckGo, to globally de-index and de-reference from their search results the offending content as identified by its Web URL and Image URL,… and to proactively identify and globally disable access to any content which is exactly identical to the offending content, that may appear on any other websites/online platforms

…Investigating Officer to notify such website/online platform or search engine(s) to comply with such request, immediately and in any event within 72 hours of receiving such written communication from the petitioner;

…It is made clear that non-compliance with the foregoing directions would make the non-compliant party liable to forfeit the exemption, if any, available to it generally under section 79(1) of the IT Act and as specified by Rule 7 of the 2021 Rules; and shall make such entity and its officers liable for action as mandated by section 85 of the IT Act

The judgment is a landmark judgement that will be referred to for a long time though it is not from the Supreme Court.

Naavi

A copy of the detailed judgement is also available here:

Posted in Cyber Law | Leave a comment

Data Centric Approach of PDPSI

Posted on April 20, 2021 by Vijayashankar Na

(This is in continuation of our discussions on comparison of the  PDPMS under PDPSI with DPMS of Is17428)

PDPSI was the first PDPMS to introduce the concept of “Data Centric Compliance Structure” while most other frameworks focus on the organization.

IS17428 discusses the applicability of the framework under the two heads of Jurisdiction and Classification.

  1. Under para 4.1.1.2, (pat 2) it recognizes that “Organizations that collect and process personal information should carefully determine their jurisdiction before determining the Privacy requirements”.
  2.  Under para 4.1.4 it speaks of “Data Classification Criteria” stating that “It is important to establish a framework for classifying personal information on its level of  sensitivity”. In a slightly contradictory indication, para 4.1.4(d) states that if an organization already has information classification guidelines such as “Restricted”, “Confidential” and “Public”, personal information may be classified as “Confidential” and “Sensitive personal Information” as “Restricted”.
  3.  Additionally under para 1 of Part I, the scope of application is based on the entity as a whole. Further it recognizes the Data Controller and Data Processor status as mutually exclusive. Para 3.5 (Part I) is clear that “For an entity to become data processor, it shall also be a separate entity from Data Controller”

It is worth noting that PDPSI has a more flexible and practical approach to the role definition of a “Controller” and “Processor” which is referred to as “Data Fiduciary” and “Data Processor” according to which the roles will be defined as per the context. For example in one process and organization A may be a Data Controller of B. In another process, organization A may be a Data Processor of C or even B itself.

Further Standard 1 of PDPSI addresses the issue of multiple jurisdictions through “Classification” by stating

“Compliance plan shall be based on specified law applied on an identified Compliance entity”.

The explanatory note on Standard 1 states

When an organization is processing personal data on which laws of multiple jurisdictions are applicable, it is necessary to recognize that one law cannot be applied to the entire processing activity.
Hence scope of compliance program must be defined with reference to the applicable law.
Also since legal compliance is an administrative responsibility, the responsibility of compliance normally rests at the enterprise level.
Hence scope definition cannot ordinarily be restricted to a division or a location.
In certain cases, it will be necessary to restrict the application of compliance to a limited number of processes or people.
In such cases, it is necessary to treat the organization as a “Composite Entity” consisting of multiple sub-units each of which may be exposed to the risk of one data protection law. This is suggested so that some of the other sub-units can be kept out of the compliance without the risk of noncompliance.
This will also enable co-existence of one sub-unit which is GDPR compliant while the second sub-unit is PDPA (India) compliant and the third sub-unit is PDPA (Singapore) compliant etc.
This will simplify the compliance and avoid the errors that may creep in because of overlapping of the laws.

On Data Classification, Standard 5 states

“Appropriate Compliance oriented Data Classification shall be incorporated”

The explanatory  note on the Data Classification  Standard states as follows:

Every data protection law is applicable only to a certain definition of applicability. This is in almost all cases based on the need to protect the Privacy of the citizens of a jurisdiction to which the law belongs, and an organization may simultaneously handle personal data of multiple jurisdictions.
To avoid overlapping of laws and to avoid missing of compliance measures, personal data shall be classified as required for compliance of the specific law, so that a “Virtual Silo” of personal data can be created within an organization. Where personal data from multiple countries of origin are received, the classification may provide creation of multiple virtual silos of personal data, one for each country of origin so that provisions of specific laws may be applied to each silo separately.
Additionally, classification must consider the legal requirement and not based solely on the level of confidentiality which is normally used as a basis of data classification for Information Security purpose.
Hence data classification tags may include personal-non personal, employee-nonemployee, Minor-not a Minor, Sensitive-Not sensitive etc.
Few Countries have regulations where the objective of the data protection laws extend beyond protection of Privacy of an individual to protection of the business entity information or from living persons to deceased persons. These are considered as exceptional situations and classification of such non-personal information is considered as another “Special Category” of information.

The corresponding implementation specification actually goes further and provides a guideline for data classification as indicated below

The classification guideline therefore takes into account both the segregation of data based on applicable law and also in a manner that is relevant for PDPMS. All data which is not  “Individually identifiable” automatically gets classified as corporate data asset or “Non Personal Data”.

If the organization can tweak their technology architecture this classification provides an option to create virtual silos of different kinds of personal data for effective management of controls even when multiple jurisdictional laws are involved.

It is for this reason that PDPSI is referred to as a “Unified ” law.

Additionally PDPSI provides for an ” Aggregation” of people and technology resources to create an “Compliance Entity within a larger Corporate entity” and apply the compliance related to specific law to the specific sub entity.

PDPSI also takes into account the needs of the “Work From Home” situation so that the sub entity can even be created as a “Virtual Entity”.

Thus PDPSI Vision is broader and stands taller than IS 17428.

For those who are not blinded by the aura around “ISO”, PDPSI is a Taller and Broader framework and leaves IS 17428 far behind in terms of futuristic outlook.

Professionals who understand the “Need to be compliant” rather than “Need to be Certified”, PDPSI would be the unmistakable choice.

While it is difficult to reproduce the entire PDPSI framework and compare with the entire IS17428 in these columns, any specific queries may be addressed to Naavi

Some of the FDPPI’s supporting members are already equipped to handle the responsibility as “Consultants” as well as “Auditors” with trained auditors available for providing the consultancy/audit services.

PDPSI audits come with an assurance of “Mentor Support” for a limited consultancy on quarterly basis as a continuing service for the auditee companies which also is a unique support that is made available to increase the confidence of organizations taking up the audits of their PDPMS under the PDPSI framework.

Naavi

Posted in Cyber Law | Leave a comment

PDPSI DTS system is ready for the future…..while IS 17428 is beginning its journey

Posted on April 20, 2021 by Vijayashankar Na

(This is a continuation of the earlier article in the series)

One of the hallmarks of rapid development is the ability to learn from others. Hence it is natural that IS17428 could have borrowed some concepts from the pioneering framework of PDPSI.

Though IS 17428 has carefully avoided any reference to PDPB 2019 as if it was non existent,  it could not ignore the need for  recognizing one of the features of PDPSI which is the concept of “Measurability” of a Personal Data Protection Management System. (PDPMS).

Standard 12 of the PDPSI (Refer page 16 Handbook on PDPSI) states

“Appropriate measures amenable for measurability of compliance shall be maintained”.

The explanation to the standard states

PDPSI requires the Data Auditor to assess the compliance not only against the implementation charter adopted by the organization, but also the larger standards expected under the relevant law as per the evaluation of the data auditor.

This assessment is required to be converted into an indicative compliance score such as the Data Trust Score and shall be disclosed to the auditee organization as well as the Certification body where required.

Though computation and disclosure of the measure of compliance is not mandatory in some data protection laws, it is considered a good practice and made part of the PDPSI audit system .

The disclosure of the Data Trust Score as declared by the auditor to the public may depend on the legal requirements and the discretion of the organization.

The Certification system under PDPSI envisages that the auditor will compute the DTS, inform the auditee company and also inform FDPPI. FDPPI will upon receiving consent (if provided) by the auditee company will publish the DTS. 

As a part of the audit training, the auditors have been trained with a detailed system of DTS calculation which incorporates the assessment of the auditor on the PDPMS of the auditee company. 

In the first year of DTS evaluation, one number would represent the DTS score. Additionally, in the subsequent years, DTS Score will be suffixed with a trend indicator such as + or – indicating an improving or declining trend.

We may now see what the Chota bhai IS 17428 has indicated regarding the evaluation of the DPMS.

Para 5.15 of the IS17428 (part 2) states

Measurement and Continuous Improvement

Appropriate Metrics should be developed to track various aspects of DPMS. The metrics could be qualitative or quantitative and need to be chosen among other factors, based on the current maturity of the organization.

5 examples of metrics have been indicated namely

a) Lead time to mitigate privacy risks

b) Number of Critical Privacy Incidents

c) Service level agreement to address and close privacy incidents/breaches

d) Number of changes that were not subjected to PIA

e) Percentage of staff trained on data privacy

The guideline suggests that the triggers for improvement initiatives could be from unfavourable performance as reflected by the measurement program and improvement can be demonstrated broadly in two forms namely

  1. Consistent trend in improvement
  2. Exceeding set target based on industry standard

IS 17428 however does not go further in defining how the “measurement program” can be developed.

It is left to the discretion of the organization to develop its own measurement program

PDPSI has however covered the last mile requirement of how the DTS can be evaluated and how the qualitative observations of the auditor can be converted into a quantitative assessment as envisaged by the PDPB 2019.

Probably the Chota brother born later missed an opportunity to either follow the big brother or more appropriately design an even better system given the advantage of prior knowledge it had access to.

The DPA when it is formed is expected to come up with its own suggestions on how the DTS may be computed. However the current system of PDPSI is so comprehensive that it can accommodate any variations that may be brought into by DPA.

In case the DPA adopts only a few parameters of measurement such as what Naavi 5X5 DTS system or the IS 17428 has suggested or the more comprehensive 50 parameter evaluation that PDPSI, the PDPSI framework is ready to compute the DTS on its expected level of maturity as well as the DPA expected level of maturity.

The PDPSI-DTS system is therefore “Ready for the Future”.

Naavi

Posted in Cyber Law | Leave a comment

PDPSI  or Personal Data Protection Standard of India was unleashed in February 2019 with an article here titled “A step beyond BS 10012 and GDPR-Personal Data Protection Standard of India-PDPSI”. 

At that time there was a need to create an Indian substitute for BS 10012. Subsequently ISO 27701 was also introduced. But both looked at PIMS from the GDPR angle. While that was the requirement in the international scenario, recognizing the need to introduce an India specific framework for Personal Information Management, the undersigned introduced the concept of PDPSI.

PSPSI was an extension of the IISF 309, which was a framework developed by Naavi in March 2009 for compliance with ITA 2000 and revised subsequently from time to time.

IISF 309 focused on ITA 2008 compliance of which Section 43A compliance along with other sections like Section 72A, 79 etc formed the Privacy part.  PDPSI however was more focused on the PDPA 2018 which became available in December 2018.

Hence PDPSI was the first Privacy Protection Framework of India.

Since  2019 when PDPSI was launched, Naavi.org has been discussing the various aspects of the standard along with the DTS system a version of which was called “Naavi’s 5X5 DTS system” which had been launched a little earlier on the new year day of 2019.

Recently FDPPI adopted PDPSI and went ahead in creating an infrastructure for developing Lead PDPSI consultants and Lead PDPSI auditors. The FDPPI version of PDPSI was developed on the basis of PDPB 2019 and with lot of discussions with professionals who had experience in ISO and other audit systems. As a result the  current version with 12 standards and 50 implementation specifications emerged and was used in training prospective Data Auditors.

With the recent release of IS 17428, there are a few who think that IS 17428 is the first PIMS framework for India. But I would like to correct this perception. IS 17428 is the second framework from India.

PDPSI remains the first Privacy related framework to be developed in India.

We however would like to call it “Personal Data Protection Management System ” (PDPMS) while ISO 27701 uses the terminology of PIMS (Personal Information Management System) and IS 17428 uses the terminology of “DPMS” (Data Privacy management System).

IS 17428 however presents itself more as a framework for complying with GDPR in India though it makes a reference to ITA 2000 and Section 43 A at some places.  Whenever ITA 2000 is referred to, the IS 17428 speaks as if it is a third country law. Hence IS17428 appears to be an Indian Framework with the focus on data protection laws outside India. It does not recognize the law in the pipe line represented by PDPB 2019. This is one of the biggest disappointments about this framework.

This framework is driven by industry representatives, NASSCOM and DSCI which have been in the forefront of pulling down PDPB 2019 and perhaps this has reflected in the released document. Even the Annexure on legal provisions in India on Data Privacy speaks of the Indian Constitution and Section 43, 43A, 72A and Section 85 of ITA 2000/8 along with a multitude of other laws and sectoral regulations but avoids a mention of PDPB 2019.

Where the IS 17428 has erred is not recognizing the concept of “Due Diligence” which is mentioned under the Section 79 rules under ITA 2000 and also a part of the “Reasonable Security Practices” under Section 43A.

The concept of “Due Diligence” does not restrict itself to the written words in a statute or regulation but represents absorption of the environmental experiences into the operations of an organization.

If a law such as PDPB 2019 has been contemplated and presented in the Parliament and the principles of the Bill have already been implemented in some of the Government projects such as the NDHM (National Digital health Mission) project,  it must be recognized as constituting the “Due Diligence”  and part of the “Reasonable Security Practices”.

Hence PDPB 2019 at least deserved a mention in the footnote.

We donot know whether IS 17428 will be revised after PDPB 2019 becomes a law or the industry will try to claim that IS 17428 is bigger than PDPA -India and challenge the DPA into accepting IS 17428 as “Deemed Compliance” of PDPA -India.

Going by the past history the NASSCOM/DSCI views on Data Localization, Financial Information as Sensitive Personal Information etc., it appears that IS 17428 may be used as an instrument to suggest to the DPA that “If I am IS17428 compliant, you cannot question me on compliance of PDPA”.

I hope whoever takes the responsibility of being in the  DPA as chairman or Member would steer clear of using the terminology of “Deemed Compliance used in the Section 43A notification under ITA 2000” and leave it to the market to adopt the best available framework because the ultimate responsibility for compliance lies in the implementation of the framework by the organizations. Frameworks can be tools to guide but Certificates cannot substitute implementation on the ground.

As a  veteran watch dog of the developments in Cyber Law in India, Naavi will keenly watch the developments in this respect and will alert the community if there is any developments in this regard.

I also draw the attention of the Secretaries of Meity, Secretary of Law and the Chief Cabinet Secretary  to such a possibility  ( A copy of this article will be sent to the three secretaries for their information).

We however welcome the arrival of the Chota Bhai IS17428 to the field of Indian Data Protection Frameworks so that the family of frameworks becomes bigger and there will be more variety. PDPSI will absorb all essential requirements of Privacy Management and will be an “Inclusive” framework. Yet it will try to maintain some key differences so that it will be different from the rest. PDPSI will undergo frequent upgradations as would be dictated mainly by the developments of the Personal Data Protection regulation in India. Being dynamic would be one of the strengths of PDPSI.

Leaving this controversial issue aside, let us get back to our discussion on PDPSI as the big brother of IS 17428 and how much of the traits of PDPSI have been absorbed in IS 17428 and why PDPSI deserves a tag line… Essence of the Essential and yet different by a distance. *

(*सब का सार, फिर भी, अलग…by Far orಎಲ್ಲದರ ಸಾರ , ಆದರೂ ವಿಶೇಷಗಳ ಆಗರ )

Naavi

(Watchout more in this Big Brother Series on PDPSI)

 

Posted on April 20, 2021 by Vijayashankar Na | Leave a comment

Inclusive but Different

Posted on April 19, 2021 by Vijayashankar Na

The Bureau of Indian Standards has released the IS 17428 part I and Part II as Data Privacy Assurance Requirements and Guidelines.

FDPPI has already released the PDPSI standards which are inclusive of the ISO 27701 which is a GDPR based Personal Information Management Standard (PIMS).

We welcome the release of IS 17428 and ensure that PDPSI would be inclusive of the best practice indications in IS 17428.

However PDPSI will stand out as “Inclusive but Different” and continue to be a unified  “Certifyable Standard” for compliance of data protection  regulations.

PDPSI compliance will therefore be inclusive of the essence of IS17428 compliance while the vice-versa may not be true. However, if there is any conflict between IS17428 and PDPSI, the PDPSI will call out the conflicts.

More information about how the IS 17428 will merge with PDPSI will be provided in due course.

Naavi

Posted in Cyber Law | Leave a comment

Pick a premier Privacy Certification Program from FDPPI

Posted on April 12, 2021 by Vijayashankar Na

 

FDPPI, the premier Privacy and Data Protection organization in India is offering a single stop Combo certification leading to Certified Global Privacy and Data Protection Consultant. Top performers will have an opportunity to be also accredited as Certified Global Privacy and Data Protection Auditors.

The program is available on tap through online video streaming courses followed by online examinations.

The total cost of three certifications, Module I on Indian Data Protection laws, Module G on Global data protection laws and Module A on Audit skills will be available at a total cost of Rs 30000/-.

Register today at www.fdppi.in.

Naavi

 

 

Posted in Cyber Law | Leave a comment