Privacy Awareness Movement to be launched on this Vijayadashami Day

Naavi, the Chairman of FDPPI, had earlier undertaken the “Karnataka Cyber Law Awareness Movement” in 2005, during which long certification courses were conducted across Karnataka in Bangalore, Mysore, Hubli and Mangalore under the umbrella of Cyber Law College.

Cyber Law College is a division of Ujvala Consultants Pvt Ltd which is a supporting partner of FDPPI.

In a new comprehensive outreach program, Naavi is now scheduling an “Indian National Privacy Awareness Movement” (INPAM) starting from the Vijayadashami day on 15th October 2021.

The INPAM would be a free program aimed at ordinary citizens and students to make them aware of the concept of “Privacy”, “Data Protection” and the “PDPB 2019”.

The program would be conducted on the FDPPI Mobile App, available here:

https://play.google.com/store/apps/details?id=co.edvin.titge (For Android)

https://apps.apple.com/in/app/myinstitute/id1472483563 (For iOS)

Please download the App and await further instructions on the batches.

The program would initially be launched in English and Kannada and later different batches would be introduced in different languages.

Naavi

Posted in Cyber Law

Will Convergence Act Come back?

Today’s Economic Times carries a report “Center Weighs Single Nodal Policy”. According to the report, the Government is contemplating a new “Nodal Policy” for Social Media to tackle the aggression of the rogue Tech Companies who have no respect for Indian sovereignty.

In the process, however, the Government has once again shown that it does not want to confront the media and is ready to compromise on the Intermediary Guidelines of February 25th, in which an attempt was made to bring self-regulation to social media to curb fake news.

It is disappointing that time and again the Government shows its indecisiveness and takes one step forward and two steps backward when it comes to taking tough decisions, whether it is the farm laws, the amendments to ITA 2000 or the Personal Data Protection Act.

The opposition may appear weak whenever elections are held in India, but their hold on the media is so strong that any new law will be opposed both in the media and in the Courts. It is for this reason that the media can get away with advertisements to recruit journalists with the sole purpose of opposing the Government, and the Courts spend endless hours defending anti-nationals and hearing bail applications in serious narcotics cases while genuine cases languish in pendency.

The move on “Single Nodal Agency” reminds us of the “Convergence Bill” which was hotly debated in the years 2000-2001 before being dropped like a hot potato for reasons of political expediency.

It may be interesting to look at some of these old forgotten issues in the articles available in the links below.

https://www.naavi.org/cl_editorial_04/edit_01_mar_11_01.htm

https://www.naavi.org/views.htm

Knowing the attitude of the press, the opposition and the Courts, the attempt to bring a “Single Nodal Policy” will only mean that the “Self Regulation” envisaged under the Intermediary Guidelines of February 25th may take a back seat.

Let us wait and see if the new Ministry is able to cut the hesitancy and make the bold moves required to take India forward.

Naavi

Posted in Cyber Law

DPSI the Twin of PDPSI is now before us

In December 2000, Naavi started promoting the concept of “ITA 2000 Compliance”… as the digital mantra for the corporate era. In 2008, the amendments to ITA 2000 changed its character into a security-oriented law, and ITA 2008 compliance became a mandatory requirement.

ITA 2008 compliance included compliance with Section 43A, which covered Personal Data Protection.

This translated in 2009 into a framework named the Indian Information Security Framework (IISF 309), which was used for ITA 2000 compliance. After some evolution, IISF 309 became a 30-parameter framework as indicated below.

This framework was confined to 30 requirements, not the 114 requirements which we today look at in ISO 27002. However, it covered the essential aspects required for meeting all the requirements under ITA 2000, including Grievance Redressal. It also recognized the responsibilities of operational executives other than the IT executives.

Consequent to the focus that has now come on PDPB 2019, there was a need for a special framework for Personal Data Protection, and it emerged as the PDPSI, or the Personal Data Protection Standard of India. This framework had 50 implementation specifications under the umbrella of 12 standards. It was an expansion of IISF, since new controls became necessary for Privacy management.

The PDPSI started with a “Classification” of data into “Personal Data” and “Non Personal Data”, and thereafter PDPSI focused on the requirements for Personal Data Protection as per the law. The Non Personal Data Protection was left to “DPSI”, or the “Data Protection Standard of India”, to follow under the IISF 309 approach.

This has now evolved into a 33 point framework as follows.

It may be observed that the new framework incorporates concepts such as Data Value accounting which came up during the PDPSI discussions.

It was initially expected that the PDPB 2019 would restrict itself to Personal Data Protection and that a separate law would be passed for “Non Personal Data Governance”.

The PDPB 2019 therefore defined “Data” as “Personal Data” based on certain parameters, and what was not “Personal Data” was considered “Non Personal Data”. Within this distinction there was one set of data which was “Personal Data” and, upon Anonymization, became “Non Personal Data”.

There was confusion in the industry, which also found its way into the JPC, that Anonymization is another form of De-Identification or Pseudonymization. The fact that Anonymization is an “Irreversible” transformation of what was hitherto “Personal” into “Non Personal Information”, while de-identification and pseudonymization are “reversible”, was not sufficiently digested. The Personal Data Protection Authority was expected to develop an acceptable standard of “Anonymization” that would render “Personal Data” into “Non Personal Data”.

The lack of confidence among technology specialists that there could be an acceptable level of “Anonymization” which could be adopted as a standard, even while a “Brute Force Attack to re-identify anonymized information” could be covered by a law that criminalized such “Brute Force de-anonymization”, led the new JPC to consider some changes to the PDPB 2019 as approved by the earlier JPC chaired by Mrs Meenakshi Lekhi.
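The reversibility distinction discussed above, shown as a constructed Python example added here (it is not code from the post, from FDPPI or from the PDPSI framework): pseudonymization keeps a secret key and a lookup table so that the controller can re-identify a record, while anonymization drops direct identifiers, generalizes the remaining quasi-identifiers, keeps no mapping at all and refuses output in which any generalized group is too small. The sample records, the key, the field names and the k threshold are all assumptions.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records; the names, phone numbers and pincodes are invented.
RECORDS = [
    {"name": "Asha", "phone": "9000000001", "age": 34, "pincode": "560001", "diagnosis": "flu"},
    {"name": "Bhaskar", "phone": "9000000002", "age": 37, "pincode": "560034", "diagnosis": "asthma"},
    {"name": "Chitra", "phone": "9000000003", "age": 52, "pincode": "570001", "diagnosis": "flu"},
    {"name": "Dinesh", "phone": "9000000004", "age": 58, "pincode": "570020", "diagnosis": "diabetes"},
]


class Pseudonymizer:
    """Reversible: the controller holds a secret key and a token-to-identity map.
    A keyed function (HMAC) is used because an unkeyed hash of a 10-digit phone
    number can be matched back by enumerating the small input space. Even with
    the key, the output remains 'Personal Data' because re-identification is
    still possible for whoever holds the key and the map."""

    def __init__(self, key: bytes):
        self.key = key
        self.lookup = {}  # token -> original identifier, held only by the controller

    def token(self, identifier: str) -> str:
        t = hmac.new(self.key, identifier.encode(), hashlib.sha256).hexdigest()[:16]
        self.lookup[t] = identifier
        return t

    def reidentify(self, token: str) -> str:
        return self.lookup[token]


def pseudonymize(records, key: bytes):
    """Replace the direct identifiers (name, phone) with a keyed token; other fields stay."""
    p = Pseudonymizer(key)
    out = [{"id": p.token(r["phone"]), "age": r["age"], "pincode": r["pincode"],
            "diagnosis": r["diagnosis"]} for r in records]
    return out, p


def anonymize(records, k: int = 2):
    """Irreversible: direct identifiers dropped, age generalized to a 10-year band,
    pincode truncated to its first three digits, and no mapping retained. Raises if
    any generalized group has fewer than k records, since a group of one is trivially
    re-identifiable by anyone who knows that person's age and locality."""
    out = [{"age_band": f"{r['age'] // 10 * 10}-{r['age'] // 10 * 10 + 9}",
            "pin_prefix": r["pincode"][:3], "diagnosis": r["diagnosis"]} for r in records]
    groups = Counter((r["age_band"], r["pin_prefix"]) for r in out)
    smallest = min(groups.values())
    if smallest < k:
        raise ValueError(f"generalization too weak: smallest group has {smallest} < k={k}")
    return out
```

The k check is a minimal sanity test, not a full anonymization standard; the post's point is precisely that the Data Protection Authority was expected to define what an acceptable standard is.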

The leaked reports about the possible modifications to the earlier draft of PDPB 2019 now contain a rumour that the “Data Protection Authority” to be named under PDPB 2019 will be entrusted with the responsibility of both Personal Data Protection and Non Personal Data Governance. Also, the “Data Breach Notification” under PDPB 2019 will now cover the reporting of “Non personal data breaches” as well.

The Non Personal Data Governance requirements as suggested by the Kris Gopalakrishnan Committee require deliberation over a few years and cannot be brought into the PDPB 2019 in the draft which is expected to be presented to Parliament in December 2021. It is therefore expected that whatever changes may be made in the PDPB 2019 regarding Non Personal Data would only be peripheral.

While making the DPA responsible for the “Anonymization Standard” is natural, and to that extent the DPA becomes an authority to regulate the “Converted Non Personal Data”, the entire regulation of Non Personal Data Governance is a completely new law which requires a different regulator. While PDPB 2019 is a “Privacy Protection oriented law”, the “Non Personal Data Governance Act (NPDGA)”, as it may be called, would be a law on how to monetize non personal data. It involves Data Valuation and Data Marketing far more.

Just as a CFO and a CMO often have different perspectives in business, the PDPA regulator and the NPDPA regulator need to have diametrically opposite attitudes to business. The PDPA regulator will be close-fisted and inward looking, and the NPDPA regulator will be an extrovert and more liberal.

Combining the two roles could result in some conflicts and be dysfunctional. The Courts, which are following the directions of the Puttaswamy Judgement and expecting PDPA-India to meet the standards of Privacy protection under the Puttaswamy judgement guidelines, will find the combined law, if it comes forth as a Personal and Non Personal Data Protection Act of India, to be a dilution of the requirements expected for personal data protection.

This approach will deviate from the global standards, which keep Personal Data regulation under laws such as GDPR and CCPA and keep Non Personal Data Protection as part of “Computer Abuse regulation” or a “Cyber Security Act”.

Since it appears that the DPA under PDPB 2019 would be declared the regulator for Non Personal Data Protection as well (which is currently the responsibility of the Director, CERT-In under ITA 2000/8), and that “Non Personal Data Breach Notification” would be shifted from CERT-In to the DPA under the new PDPB 2019, the industry needs to gear up to meet this change.

Since an organization following the PDPSI framework to meet the standards of PDPA-India will now have to watch its back for the protection of “Non Personal Data of whatever nature” that is brought under the new version of the Bill (e.g. Anonymized Personal Data), it has become necessary to emphasize that PDPSI has to be complemented with the DPSI, at least as applicable to the “Data Breach Notification” requirements.

Even if the change is restricted to the reporting of breaches of non personal data only, this would require identification of a potential data breach, a forensic investigation and a harm audit, all directed at Non personal data. Hence there would be a need to take a holistic view of Personal Data Protection and Non personal Data Protection (to the extent covered under PDPA-India) at the time of compliance.

The 33 point framework indicated above therefore becomes the twin framework to be considered by all organizations. 

The framework will be further expanded with detailed notes shortly.

Naavi

Posted in Cyber Law

PDPSI Handbook now available

Posted in Cyber Law

Join FDPPI Jnaana Vardhini webinars as a Continuing Education in Privacy and Data Protection

Naavi and FDPPI are dedicated to continuing education in the Data Protection space in India and undertake many activities towards this goal.

One such activity is the weekly webinars conducted under the Jnaana Vardhini series.

In a bid to streamline the activities of Jnaana Vardhini, the webinars have been activated as a Continuing Education course under the FDPPI web app. The app is available on both Android and iOS mobiles as well as on the web.

The Android app is available here: 

The iOS app is available here:

On iOS you need to install an app called MyInstitute and use the FDPPI Institutional ID, TITGE.

For logging in from the web, use the link: web.classplusapp.com

The details of the available courses are shown on login.

Naavi

Posted in Cyber Law

PDPSI Book now available in Print form

PDPSI is the framework for implementing the Personal Data Protection Standard of India. It is designed as a unified framework for Data Privacy and incorporates the best practices of other frameworks.

The first version of the book with Standards and Implementation Specifications is now available in print.

The Book is now available on Amazon, Flipkart and directly from Notion Press, the publishers.


Posted in Cyber Law