Naavi.org

Personal Data Protection (PDP) legislation in India has been one of the most contentious legislations and it is not surprising that several hurdles are being placed in its passage. The latest hurdle is that some creative persons have planted the idea that Personal Data Protection Act should also be considered as Data Protection Act, the Personal Data Protection Authority should also be considered as the Data Protection Authority and the Data Breach Notification under PDPB 2019 should include non personal data breach also.

In the latest round of JPC discussions, Mr Kris Gopalakrishnan has also been invited to present his views. We are aware that Kris Gopalarishnan had presented a report on Non Personal Data Governance (NPDG) and it contained recommendations for identifying “Data Business”, setting up a market place for “Data Trading”, recognizing Non Personal Data ownership as  “Anonymized PD”,” Community NPD” “Private NPD” and “Public NPD” etc.

The objective of PDP and NPDG are different. PDP aims at protecting the Privacy rights of individuals while NPDG aims at providing a  structure for NPD monetization by business houses.  A Data Breach of PD basically affects the individuals. A Data breach of NPD basically affects the Companies. The PD breach and NPD Breach have different consequences and hence need different approach in resolution.

There are two areas where PDP and NPDG may have some overlapping jurisdiction.

First is that a Data Breach incident may include breach of both PD and NPD in which case harm to individuals and harm to the organizations have to be both considered as part of one data breach incident.

Second is that the NPD includes “Anonymized Personal Data” (APD) and the breach may include “Reidentification of APD” causing privacy related harm. In this case the PDP provisions kick in at the time of reidentification of APD.

The argument which has been placed before the JPC could be that in view of the possibility of APD being reidentified and Data Breach being a combo data breach of PD and NPD, the regulator should be same and hence PDP and NPDG can be regulated by a common law.

There can also be another hidden reason that the Data Protection Authority envisaged under PDPB 2019 is being protected from a competitive regulatory authority emerging in the form of the NPD Governance Authority.

If the JPC takes the bait, it could be falling into a trap and it will find it difficult to get the PDPB 2019 passed or avoiding operational conflicts after it is passed which could delay its the notification of operating rules.

Presently data is divided into PD and NPD. Protection of PD+NPD is being addressed by ITA 2000. CERT In is the data breach regulator. Adjudicator is the regulator for awarding compensation for damages to a data breach victim. “Compliance” is the due diligence responsibility which could make an organization liable for data breaches and for payment of compensation to the victims of data breach (Cyber Crime victims). The adjudicator has the powers of Suo Moto investigation and imposing fines on organizations but it would be too much to expect the IT Secretaries who act as Adjudicators to act Suo Moto in the interest of the society when they are reluctant even to take up cases on specific complaints. But law has provided them with the powers which is envisaged under the PDPB for the DPA.

After the PDPB is passed, Section 43A of ITA 2000 will be deleted and hence part of the responsibilities of PDP presently with the Adjudicator and CERT In under ITA 2000 gets transferred to the DPA. However the responsibility for protection of Non Personal Data remains with the ITA 2000 and it automatically becomes the Non Personal Data Protection Act.

The NPD Governance Act which Kris Gopalakrishnan proposed therefore can focus entirely on the monetization of the NPD. When ITA 2000 was framed, it combined the E Commerce Promotion with Cyber Crimes. It also included the equivalent of Civil Procedural Code  related to contraventions under Section Chapter IX.

Many other countries adopted a separate legislations such as E Commerce Act and Cyber Crime Act. Whether what India did in 2000 was correct or not is out of the scope of this discussion.

Now PDPB and NPDG is being contemplated as different laws and the proposed change is trying to combine them into one.  It is like converting the normal twins after birth to a Siamese twin. It may be possible but we are not sure if it is desirable. But if JPC has taken a decision on this, we need to accept this and move on as opposing this at this stage means giving in to the desire of those vested interests who donot want any type of PDP law to come in India.

The industry had slowly adopted to the PDPB 2019 as an extension of ITA 2000 and frameworks such as PDPSI (Personal Data Protection Standard of India) had already taken steps to provide guidelines for compliance. In fact PDPSI had addressed the need for “Unification” of compliance requirements under “PDPB, EU GDPR etc”.

Now the industry is required to adopt itself to the conversion of PDPB 2019 into DPB 2019. In practice it means that ITA 2000 compliance is now the Siamese twin of PDPB 2019.

In terms of compliance frameworks, PDPSI and DPSI which were two different frameworks now need to be unified into one.

This can be done and will be done.

The DPSI framework which the undersigned has evolved through the IISF309 framework which is being used since 2009 as an ITA 2000 compliance tool is presented in the following document which consists of 40 implementation specifications.

Data Protection Standard of India

This DPSI was presently considered as a stand alone framework ahead of PDPSI. If the new PDPB2019 combines certain aspects of NPD protection into PDPB 2019 then there will be a need to unify the above version of DPSI into a DPSI+PDPSI combo framework.

Probably we will discuss some aspects of this during the IDPS 2021

(Comments are welcome)

Reference:

New Regulations…New Opportunities…New Responsibilities

A Compendium of articles on Privacy

The Session registration link for IDPS 2021 is now available. Register today and block your calendar.

The Flagship event on Data Protection in India for the year namely IDPS 2021 is being conducted as a virtual conference on November 17,18 and 19.

The eventful three days will host 9 Panel Discussions and several Keynote speeches from eminent industry professionals.

At present the registration is free. Please block your calendar and register yourself.

The program schedule is here.

Naavi

Mr Suresh Kumar, the then Law Minister of Karnataka inaugurated a seminar on Privacy on October 17, 2008 at KLE Law College, Bangalore, seen here with Naavi

On 17th October 2000, India notified Information Technology Act 2000. With the notification, for the first time in India, “Binary Expressions” processed in “Computers” were recognized as Electronic Documents and equivalent to written documents (Subject to exceptions in Section 1(4) of ITA 2000).

Simultaneously, digital signatures were recognized as a form of authentication and digital contracts recognized in law became feasible.

This was the birth of Digital Society in India. Today, the 17th October 2021 is the 21st anniversary of this momentous day.

Naavi has been advocating that this day has to be commemorated as the Digital Society Day of India since it marked a significant change in the history of India. If we are today talking of Digital India and taking pride in our achievements in digitization, the origin of this Digital India was in the legal recognition of digital documents.

The importance of October 17, increased when ITA 2000 was upgraded with the amendments of 2008 which incidentally became effective from 27th October 2009. With this amendment, ITA 2000 fortified its provisions on “Personal Data Protection” and “Non Personal Data Protection” with the  introduction of sections 43A, 72A, etc.

Even after Section 43A is replaced with PDPB 2019 passed into an Act, the remaining provisions for data protection in ITA 2000 continue to make it the principal Cyber Law of India.

Let’s remember this day therefore as the day Indian Digital Society was born. Hope some day in future, MeitY will recognize the importance of October 17 for the Digital future of India and start commemorating the day officially.

It may be recalled that Naavi along with KLE Law College, Bangalore conducted a major event on Privacy way back on 17th October 2008 which was inaugurated by the then Law Minister of Karnataka, Mr Suresh Kumar.

That was the time when the Personal Data Protection Bill had been presented in the Parliament along with the ITA 2000 amendment Bill. ITA 2000 amendment bill became a law and created the ITA 2008 version of ITA 2000. The Personal Data Protection Bill however lapsed and we are still struggling to bring a law for Privacy Protection in India.

Today’s Privacy Activists need to refer to the events of this seminar available here and see how the Digital Society Foundation of India started as a trust tried to establish an organization which inter-alia was interested in developing education on Cyber Law in India. However this imitative could not be sustained. The current day FDPPI is a new incarnation of the DSFI which appears to have taken off because the environment is more conducive today to Privacy and Data Protection.

A Copy of the Personal Data Protection Bill 2006 presented in the Parliament at that time is available here and is worth looking into when analyzing the legislative history of PDPB 2019.

Some more photographs of the event are here:

When the Indian Data Protection Summit 2021 (IDPS 2021) discusses the Past, Present and Future of Privacy Law in India, it is necessary to remember this 2006 version of the Bill which faded into oblivion.

Naavi