Data Trust Score – thoughts on legal framework (Part 2)

Data Trust Score is an innovative mandatory provision in the Indian Personal Data Protection Bill 2019 which introduces measurability and accountability to the compliance initiatives of a Data Fiduciary. In this three-part article, Mr M.G. Kodandaram, IRS, retired Assistant Director NACIN, analyses the legal aspects of the Data Trust Score system. Naavi

Continued from the previous part-1

Now we shall examine each of the factors prescribed in Section 29 of the bill to explore ways of applying these principles in computing a fair and justifiable Data Trust Score.

Issue of notice to principal

Every data fiduciary shall issue a notice to the data principal before the collection or processing of personal data, and the contents of such notice are one of the factors to be considered in evaluating the trust score. The factors indicated in section 7(1) of the bill include, among others, the following, which are relevant to the present discussion.

“(k) the procedure for grievance redressal under section 32;

(l) the existence of a right to file complaints to the Authority;

(m) where applicable, any rating in the form of a data trust score that may be assigned to the data fiduciary under sub-section (5) of section 29; and

(n) any other information as may be specified by the regulations”.

From the above it is to be noted that (i) having a grievance redressal mechanism as prescribed in section 32; (ii) the principal’s right to file complaints with the Authority; and (iii) intimating to the data principal the data trust score assigned under section 29(5), are the important factors to be considered by the auditor in evaluating the trust score of a fiduciary. To enable a higher DTS rating, it is important for the fiduciary to have a dynamic grievance redressal mechanism in place. At the same time it is the responsibility of the Authority to provide a tool for the principal to lodge complaints and to suitably redress them.

Redressal of grievances of principal

As mandated under section 32 of the bill, every data fiduciary should provide an effective mechanism for redressal of grievances of the data principals. The facility for lodging a complaint by the principal for any contravention of the provisions that has caused or is likely to cause harm to her/him is an essential responsibility of the fiduciary. Such a facility must be managed by the data protection officer or designated officer of the entity. Complaints received have to be resolved by the data fiduciary in an expeditious manner, within 30 days of receipt of the complaint. If such complaints are rejected or not resolved within the time frame, or if the principal is not satisfied with the manner of disposal, the data principal may file a complaint with the Authority. Therefore the Authority is expected to host a separate facility for receiving complaints from principal against such unattended grievances.

As the volume of transactions is expected to be high, these services to the principal could be built by the fiduciary and the Authority together in digital mode. For this, development of a central digital facility by the Authority in association with the entities is preferable, as it eases the complaint-filing mechanism for the principal, and further monitoring, disposal and recording of the entire process could be automated. The quantum of transactions and the timelines followed in the redressal process could be used as a realistic data source to measure the trust score in respect of each fiduciary at one place.

However, it is interesting to note that there is no mechanism built into the bill to obtain feedback from the principal.

Privacy by design policy

The second factor to be considered by the auditor in awarding the score is the effectiveness of measures adopted under the ‘Privacy by design’ policy mandated under section 22 of the bill. The Bill requires a data fiduciary to formulate a policy that (a) ensures managerial, organisational and business practices and technical systems are designed in a manner that anticipates, identifies and avoids harm to the data principal; (b) meets the listed obligations towards protection of personal data; (c) uses technology in accordance with commercially accepted or certified standards; (d) ensures that the legitimate interests of businesses, including any innovation, are achieved without compromising privacy; (e) protects privacy throughout processing, from the point of collection to deletion of personal data; (f) processes data in a transparent manner; and (g) keeps the interest of the data principal in view at every stage of processing of personal data. The data fiduciary should submit the policy so prepared to the Authority for certification within the prescribed period. The Authority, after due verification that the information and compliance prescribed under Section 22(1) have been provided, shall certify the same. The said information needs to be published on the official websites of the Authority and of the fiduciary concerned. This entire process could be built on a digital platform and the emerging data could be used to gauge the trust score.

Transparency and security measures

Transparency in relation to processing activities under Section 23 is the third factor that needs to be considered in awarding the data score. The fiduciary should make available, in the prescribed form and manner, the information namely, “(a) the manner and categories of personal data generally collected; (b) the purposes for processing the personal data; (c) any probable risk of significant harm in such processes; (d) the facilities available for the data principal to exercise rights regarding access, correction, erasure, portability and such other rights vested under law; (e) the right of data principal to file complaint against the data fiduciary to the Authority; (f) where applicable, any rating in the form of a data trust score accorded to the data fiduciary under section 29(5); (g) where applicable, information regarding cross-border transfers of personal data that the data fiduciary generally carries out; and (h) any other information as may be specified by regulations.”

The fourth factor that needs to be considered is the security safeguards adopted by the entity pursuant to section 24 of the bill. Every data fiduciary and data processor shall implement and periodically review the necessary security safeguards, such as, “(a) the use of methods such as de-identification and encryption; (b) steps necessary to protect the integrity of personal data; and (c) steps necessary to prevent misuse, unauthorised access to, modification, disclosure or destruction of personal data”. These could be verified by the auditor, who can list out the gaps to arrive at the data score relating to the fiduciary. Similarly, the instances of personal data breach and the timely response of the data fiduciary, including the promptness of notice to the Authority under section 25, and the timely implementation of processes and effective adherence to obligations under section 28(3), being the fifth and sixth factors, could be verified by the auditor to draw fair conclusions.

In the coming part we shall deliberate on fair means of using the mandated principles, within the scope of the objectives and the proposed legal framework, to arrive at a possible data score method.

(To be continued as part-3)

  • M. G. KODANDARAM, IRS, Assistant Director, NACIN (Retd.)

CCTV gets a new wave of recognition

The Supreme Court of India in its order on Paramvir Singh Saini Vs Baljit Singh has brought about a very important provision on bringing accountability at Police Stations by directing the use of CCTVs.

The Order is dated December 2, 2020 and is by a bench consisting of Justices R.F. Nariman, K.M. Joseph and Aniruddha Bose, and reiterates an earlier order dated 3/4/2018 in SLP (Crl) No. 2302 of 2017, reported as Shafhi Mohammad v. State of Himachal Pradesh (2018) 5 SCC 311.

The Court has given specific directions that CCTV cameras should be compulsorily installed in all Police Stations and in CBI, ED, NIA, NCB, DRI and SFIO offices.

It has also specified that the cameras should be installed at entry and exit points, the main gate of the police station, lockups, corridors, lobby/reception area, all verandas/outhouses, Inspector’s room, Sub Inspector’s room, outside the lock up room, station hall, in front of the police station compound, outside washrooms/toilets, duty officer’s room, back part of the police station etc.

It is also directed that the CCTV systems should be equipped with night vision and include audio.

It is also directed that the footage should be retained for not less than 6 months, which becomes the new data retention standard for CCTV footage. Companies which were erasing the data after 30 days or 90 days need to take note.

While the intention of the order is well appreciated, there is a need to work out the cost of such installation and the need for continuous maintenance. We often find that CCTVs in Bank ATMs do not function and in many instances the CCTV footage is claimed as non-existent due to malfunctioning when it has actually been erased to suppress evidence.

This is a welcome move as far as preventing human rights violations is concerned, and we need to see how it will be implemented.

The issue highlights how protection of one right threatens another right, since there could be some privacy concerns arising out of the recommendations. There have been some GDPR decisions in which CCTV recording, particularly of cameras facing a public area, has been considered a violation of privacy. However, this order coming from the highest court of the land will be considered a precedent in its own right.

Similarly the keeping of the records for a minimum period of 6 months will be an adjunct to Sections 67C and 65 of ITA 2000.

It would be interesting to see how this order is implemented.

Naavi


Data Trust Score – thoughts on legal framework (Part 1)

Data Trust Score is an innovative mandatory provision in the Indian Personal Data Protection Bill 2019 which introduces measurability and accountability to the compliance initiatives of a Data Fiduciary. In this three-part article, Mr M.G. Kodandaram, IRS, retired Assistant Director NACIN, analyses the legal aspects of the Data Trust Score system. Naavi

Consequences of Data Trust Score

The much awaited Personal Data Protection Bill, 2019 (‘bill’ hereinafter for brevity) is awaiting the scrutiny of the joint parliamentary committee, which is in the final leg of its consultation and finalisation process. Sub-section (5) of Section 29 of the bill, relating to audit of policies and conduct of processing as a measure of transparency and accountability to be adopted by a data fiduciary, specifically mandates, “A data auditor may assign a rating in the form of a data trust score (hereinafter ‘DTS’) to the data fiduciary pursuant to a data audit conducted under this section”. The bill authorises the auditor conducting the compliance verification of a fiduciary to measure the trustworthiness of such an entity by awarding a score, to be prescribed through regulations by the Authority, as an indicator[i]. The scores so awarded should be published by the fiduciary in the notice issued to the principal[ii] and on the website maintained by the entity in the manner prescribed by the Authority[iii]. These scores should also be announced by the Authority[iv] in its public domains. This stipulation makes the DTS process a more sensitive proposition, as such scores will have huge ramifications on the goodwill, investment and service decisions in respect of such fiduciaries in the competing marketplace. Therefore it is of utmost importance to devise a justifiable and comprehensive scoring pattern and configuration so that there is a fair approach in place for assigning the trust score.

As we are aware, the privacy of an individual is a very subjective issue and, for this reason, the levels of protection in place at the disposal of a fiduciary are not easily measurable in arithmetical terms. It is a well known principle that only what is measurable can be gauged and monitored. Therefore one should explore a system which could indirectly assist in assigning such a score with the least scope for ambiguity or bias on the part of the compliance auditor. No similar tool is employed for this purpose elsewhere, as no such prescription exists in the other privacy laws in force around the globe. This is a unique positive approach by the Indian authors of the law to stipulate such a mechanism for the first time. In view of the above facts, the quest for a fair and justifiable method for computation of the DTS becomes all the more challenging. An attempt is made here to suggest ways that could be adopted for this purpose.

The best way to initiate the search for a fair solution, the author feels, is to examine the related provisions in the bill to find out the intentions, objectives and methods embedded in the proposed statute. The solutions should be within the substantive law and should not transgress the stated perimeters. If any essential factors are missing, the same should be recommended to be made part of the law in the making. With these thoughts in the background, the essential legal framework applicable to DTS, as available in the proposed law or required to be incorporated in the law if such a need arises, is deliberated in the further part of this article.

Impact of proposed law on stake holders

The proposed bill is going to impact every individual’s privacy in the present cyber society, as all the services and activities, by the Government or by business and non-business entities, are being built around digital technology as an essential component. In all walks of life, every citizen (you may call them ‘netizens’) encounters privacy issues in all types of communication with others. Therefore one can assume that the entire population residing in the country may have to be treated as ‘Principals’ of some fiduciary or processor at one stage or another. It could be a visit to a commercial centre, a consultation with a doctor, an academy for education or any of countless other instances which cannot be narrated at length, where the Principal’s personal data are being collected and processed. Almost all the entities involved in dealing with an individual’s personal matters automatically qualify as data fiduciaries, unless they are either kept outside the applicability of the provisions or specifically exempted under the provisions. It is now left to the guesstimate of the readers to assess the volumes of data and the impact of managing such data. The bill places full responsibility on the data fiduciary to protect the privacy rights of the principal, and any breach of this assurance makes them liable for penal action. Punitive measures for breaches and violations by the fiduciary could be initiated by the principal or the Authority, and adjudicated by the Authority and the courts. In view of the above legal position, one can conclude that implementation of privacy laws is going to be a change of massive scale and proportion. Therefore all the stakeholders need to prepare sufficiently in advance, both in terms of technology and legal procedures, to absorb and follow the changes.

Legal provisions relating to DTS

Section 29(6) of the bill declares that, ‘the Authority shall, by regulations, specify the criteria for assigning a rating in the form of a data trust score having regard to the factors mentioned in sub-section (2)’. Sub-section (2) specifies the criteria for assigning a data trust score, which are discussed in the later part. From the stated stipulations the conclusions that could be drawn are: (i) evaluating the score is the responsibility of the privacy data auditor appointed by the Authority; (ii) such compliance audit in respect of a data fiduciary should cover the examination and observations of the auditor under Sections 7, 22, 23, 24 and 25 of the bill; (iii) the process for scoring is not left to the wisdom of the auditors, but is to be regulated by the Authority. Therefore there is a legal necessity to notify the DTS regulations before going for implementation of the DTS provision.

The various powers of the Authority to make regulations are listed in section 94 of the bill. The Authority may, by notification[v], make regulations consistent with this Act and the rules made thereunder to carry out the provisions of this Act. Section 94(2) lists out the matters that could be regulated, and among them the following are relevant for our discussion. “(l) the other factors to be taken into consideration under clause (g) of sub-section (2); the form and procedure for conducting audits under sub-section (3); the manner of registration of auditors under sub-section (4); criteria on the basis of which rating in the form of a data trust score may be assigned to a data fiduciary under sub-section (6) of section 29;

(g) the manner for submission of privacy by design policy under sub-section (2) of section 22.”

It must be noted that it is regulations that are to be made and not rules, meaning that such matters (auditors, privacy by design and DTS) should be directly controlled and monitored by the Authority. The Authority may, by notification, make regulations consistent with this Act and the rules to implement the DTS provisions.

Evaluation of fiduciary by Data Auditor

As per Section 29 of the bill, a significant data fiduciary shall have its policies and the conduct of its processing of personal data audited annually by an independent data auditor. Further, the Authority[vi] has the power to direct any data fiduciary to get an audit carried out by an appointed data auditor, if it is of the view that the data fiduciary is processing personal data in such a manner that is likely to cause harm to a data principal. Therefore we can deduce that it is mandatory for all significant fiduciaries to get audited annually and, for others, it depends on the performance of the fiduciary as observed by the Authority. However, such directions should normally be through written orders that could be part of the regulation.

The parameters to be used by a data auditor to evaluate the compliance of a data fiduciary include, “(a) clarity and effectiveness of notices under section 7; (b) effectiveness of measures adopted under section 22; (c) transparency in relation to processing activities under section 23; (d) security safeguards adopted pursuant to section 24; (e) instances of personal data breach and response of the data fiduciary, including the promptness of notice to the Authority under section 25; (f) timely implementation of processes and effective adherence to obligations under sub-section (3) of section 28; and (g) any other matter as may be specified by regulations.” As this is an inclusive provision, similar parameters could be added in the form of regulations, within the principal framework of the bill. It is the responsibility of the Authority not only to notify the forms and procedures for conducting audits but also to appoint as data auditors under the Act persons with expertise in the areas of information technology, computer systems, data science, data protection or privacy, possessing such qualifications, experience and eligibility, having regard to factors such as independence, integrity and ability, as may be specified by regulations. This provision leads to the formation of a new stream of auditors specialised in privacy law and the appropriate technology, after due entrance examination and personality tests that could be formulated under the regulations. This is one of the most critical aspects of effective implementation of privacy laws, as such auditors are to exercise the responsibilities of compliance audit, followed by assigning the DTS of the registered fiduciaries. We shall examine each of the above prescribed factors, to explore the ways to compute the principles in the proposed DTS, in the coming part.

(To be continued as part 2)

[i] sec. 22(5), PDP bill
[ii] sec. 7(1)(m), ibid
[iii] sec. 23(1)(f), ibid
[iv] sec. 49(2)(c), ibid
[v] sec. 29(7), ibid
[vi] sec. 29(7), ibid

  • M. G. KODANDARAM, IRS, Assistant Director, NACIN (Retd.)


Economic Times Editorial “lets the cat out of the bag” – Suggests “Hasten Slowly!”

We have just discussed the editorial in Times of India today and now we also have an editorial in Economic Times with similar sentiments expressed about the PDPB. In fact this editorial is direct in expressing its intention because it suggests “Don’t Rush Personal Data Protection Bill”…. “Hasten..slowly…”

A few days back we saw similar reports appearing in two different publications namely livemint.com and moneycontrol.com both carrying the same view but under two different bylines, indicating clearly that it was a planted story by a PR firm.

Now two editorials of two different publications of the same group writing on the same day about the need to delay PDPB indicates another PR exercise where the two editors have written what the PR firm wanted them to write. It is disappointing to see Economic Times editorial being so compromised.

While the “Hasten…Slowly” phrase indicates that the editorial perhaps has not been written by a person of editor calibre, there are many statements in the editorial which are factually incorrect.

One of the comments made is

“The Personal Data Protection Bill (PDPB), right now under consideration by a Joint Parliamentary Committee (JPC), is big, in its sweep, intent and implications, particularly for future competitiveness of the economy, in terms of data being available to train algorithms that would drive artificial intelligence, even as individual citizens are protected from harm arising from misuse of their data.”

We do not know what the editor wants to say here. Is he saying that PDPB should not cover use of AI or Big data for processing personal data? Or is he confusing it with the non-personal data governance framework, which is only a recommendation now by the Kris Gopalakrishnan Committee? Does he not know that all data protection laws consider “Profiling” as regulated personal data?

Another comment made is…

“The JPC would do well to hasten slowly, and take on board the suggestions of as large a swathe of stakeholders as is possible. Right now, civil society groups, several large companies and even some members of the committee complain that they have not been given a chance to present their views.”

The suggestion is that the JPC should give opportunity to more companies to depose before the committee. It must be remembered that the PDPB 2018 version was first placed for public comments in December 2018, then PDPB 2019 was placed for public comments in December 2019, and now we are in December 2020. All this time there were opportunities for companies to express their views and send them to the committee. It was not necessary for these companies to wait for a personal presentation before the committee. If so far they did not have any comment to make, then there is no reason why they should now be expected to have comments to be directly presented to the committee, so that the 30 parliamentarians of the committee, already constrained by the Covid situation, should spend more time hearing the lobbying of these companies. Industry associations like Nasscom, FICCI etc. have made their presentations reflecting the business views, and hence the editorial comment does not make sense.

Then comes the expression of ignorance by the Editor in the comment…

“Unlike Europe’s General Data Protection Regulation, India’s PDPB subsumes collection of data under processing of data. While the goal of limiting collection and processing of personal data in proportion to the purpose at hand might, at a glance, not be compromised by a bar on disproportionality in processing, there could well be certain cases, in which it makes sense to separate collection from further processing, so as to limit the scope of unintended permission for processing of data beyond collection.”

This comment indicates that the author is unaware of how GDPR and all other data protection laws define “Processing”. Every law defines “Collection” as “Processing” and it is unbelievable that the editor has not checked the definition of processing in GDPR.

Another comment made is …

“The wording of the regulation should not give scope for babus to penalize companies for no fault of theirs. Giving a detailed notice on data collection and obtaining consent might sound noble, but is likely to be observed more in the breach vis-à-vis illiterate or semi-literate or time-starved rural folk.”

It is necessary for the editor of the premier financial newspaper of the country to understand that in PDPB, no “Babu” is authorised to impose any penalty. All penalties are decided by the “Adjudicator”, who is a quasi-judicial authority, and his decision may be reviewed by an Appellate Tribunal and subsequently by the Supreme Court. Without knowing the provisions of the Act, the publication has made comments.

One more adverse comment made in the editorial is about the minors. It says…

“Financially autonomous youngsters who are not yet 18 need their parents’ permission for their data to be collected, whereas social media accounts merely require reaching the age of 13.”

This is a ridiculous statement which indicates that the editorial appears to be a “Proxy Editorial” written by somebody with no proper understanding of the Bill. While the age of minority is a matter of general law, just because social media wants to open up to 13 year old teens, there is no reason that Indian law needs to be changed.

Lastly, the editorial ends with another foolish statement that “Holding those who collect data responsible for the accuracy and completeness of the data is unreasonable“. Does the editor mean that data accuracy need not be insisted upon? Why should such an exemption be given only in Indian law, whereas more than 130 countries who have adopted such laws insist that data should be accurate? In fact this is already a requirement under Section 43A of ITA 2000 and not a new provision.

The comment also states as a footnote “Distinctions between sensitive data and critical data, as well as between being forgotten and data erasure, seem overkill that will wrongside companies“… once again broadcasting the ignorance of the author about data protection legislation.

Finally the editorial links this editorial with the TOI editorial stating “All this is over and above the untrammelled access of the State to personal data that the law provides for.”

Overall it appears that this editorial as well as the TOI editorial have been written not by the respective editors but by some PR executive, because the editors cannot be so naïve and uninformed.

It is shameful that these large publications have started selling out even the editorials to the PR causes of companies.

I am sure that the readers will see through this PR game and the credibility of these publications will be seriously eroded.

Naavi


Times of India joins the Anti-PDPB bandwagon with a misinformation campaign

Privacy Protection has always been a matter of interest to the Privacy Activists. Business has always been against Privacy being protected too rigorously since it would hurt their profitability.

Newspapers are no longer the “Fourth Pillar” of democracy, and publications like Times of India were among the first of the print publications to become fully commercialised news vendors. TOI regularised soft porn and front page advertising, pushing news to be a secondary objective of the publication.

Further, as could be seen in the recent instance of the onslaught on Freedom of Press by the Maharashtra Government in the Arnab Goswami Case, the Times Group did not take an unequivocal stand to protect the freedom of the Press.

I remember that in 1975, when Mrs Indira Gandhi imposed press censorship as part of the emergency, most publications left their editorial blank to register their protest. Indian Express at that time was in the forefront of the resistance against press censorship. Subsequently, HINDU was also strongly in support of freedom of press to the extent that it was a gold standard of journalism.

But today, neither Indian Express nor Hindu is an independent publication, and one cannot consider them better than the motivated publications supported by those who oppose any positive developments that happen in our country.

TOI on the other hand has always held its commercial interests as a priority, and Naavi.org itself has pointed out on earlier occasions how TOI took an unreasonable stand in spreading a false narrative about the Information Technology Act.

Now, as the Personal Data Protection Bill 2019 appears to be close to being finalised by the JPC, and all the PR campaigns in Print.com or Moneycontrol.com have been found insufficient to shake the resolve of the JPC, which is having 5 meetings between today and the day after tomorrow to finalise the Bill, TOI has come up with an editorial with caustic remarks about the Bill.

Let’s analyze the editorial, a copy of which is available here to understand why the editorial lacks credibility.

The headline of the editorial proclaims “Granting Government Sweeping Exemptions from protecting Personal Data is Wrong”. The statement per se is fine. But in this context, it is implying that the PDPB is wrong.

The editorial says

“the section on exemptions grants extraordinarily wide latitude to the Centre to be exempt from any or all provisions of the legislation. The Centre has to be merely satisfied that it is “necessary or expedient” in the interests of sovereignty and integrity of India, public order, among other things, for exemptions to kick in for any agency of the government.”

The editorial continues with its opinion that

As it stands the legislation effectively nullifies the fundamental right to privacy, and may not withstand judicial challenge.

In this context, EU’s tests for necessity and proportionality in exemptions are relevant.

The data protection laws in the EU specify that cross-border transfer of data is permissible if the recipient has adequate standards of protection. Poor drafting of the legislation will cause Indian firms to miss out on big opportunities and have a negative impact on jobs.

Besides protecting India’s economic interests, which too are integral to national security, the legislation also needs to adhere to the letter and spirit of the Supreme Court ruling on privacy.

The editorial is referring to the Section 35 of the PDPB which states as follows:

35.Power of Central Government to exempt any agency of Government from application of Act

Where the Central Government is satisfied that it is necessary or expedient,—

(i) in the interest of sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order; or
(ii) for preventing incitement to the commission of any cognizable offence relating to sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order,

it may, by order, for reasons to be recorded in writing, direct that all or any of the provisions of this Act shall not apply to any agency of the Government in respect of processing of such personal data, as may be specified in the order subject to such procedure, safeguards and oversight mechanism to be followed by the agency, as may be prescribed.
Explanation.—For the purposes of this section,—
(i) the term “cognizable offence” means the offence as defined in clause (c) of section 2 of the Code of Criminal Procedure, 1973;
(ii) the expression “processing of such personal data” includes sharing by or sharing with such agency of the Government by any data fiduciary, data processor or data principal.

It is necessary for the critics to remember that the Supreme Court judgement (Puttaswamy Judgement) upheld the Right to Privacy as part of the Right to Life and Liberty under Article 21 of the Constitution, which says “No person shall be deprived of his life and personal liberty except according to procedure established by law”.

The “Procedure established by law” is always treated as including the “Reasonable Restrictions” under Article 19(2). It also includes the “Legitimate interest” of the public other than the person whose Privacy we are discussing, since that person is also a citizen of the country and has a right to “Security” (which could be in conflict with the Right to Privacy of the subject).

Hence “Right to Privacy” should always be balanced with the Duty of the Government to protect the Rights of other Citizens who could be harmed if “Right to Privacy” is considered as an absolute Right.

It may be noted that Section 35 of PDPB 2019 actually does not use the entire canvas of exemption that could be availed under the “Reasonable Restrictions” permitted under Article 19(2), since it omits

“decency or morality or in relation to contempt of court, defamation” or

“incitement to an offence”, except “any cognizable offence relating to sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order”.

Hence Section 35 has imposed more restrictions on the Government than what it could have got away with, and this should be appreciated.

The only thread of argument that requires debate is whether the words

“is satisfied that it is necessary or expedient”

are different from the words

“necessary for, and proportionate to, such interests being achieved” (version of PDPA 2018).

This distinction is one of semantics.

“Necessity” is there in both the versions and hence it is not the word being objected to.

What is omitted in the Bill is “Proportionate to such interests being achieved” and it uses the word “Expedient” instead.

What is “Proportionate” in a given circumstance is what is “Required to be done to achieve an objective”. As long as something is considered “necessary”, what is considered expedient is proportionate to the objective.

Hence branding the Bill as “Nullifying the fundamental right to privacy” or a “Loophole” is incorrect and an exaggerated, motivated interpretation.

The Editorial therefore needs to be treated as an attempt at misinformation.

The editorial seems to respect the EU GDPR, so let us now see what Article 2(d) of the EU GDPR says.

It states:

“This Regulation does not apply to the processing of personal data:

(d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security”

In this article, who is the “Competent Authority”, and what is meant by “Prosecution of criminal offences”, “Execution of criminal penalties” or “Prevention of threats to public security”? This is relevant to see whether there is any binding guarantee that this provision cannot be used by a Government agency to appropriate powers which are not available in GDPR.

We may observe that the Indian provision restricts use of the exemption only to such offences as are cognizable and related to the “sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order”, as against the GDPR provision, which is open to be used for any criminal offence or even for the execution of a criminal penalty.

Further, the Indian law has Article 19(2) guidance on the procedure to be followed in using the exemption (e.g. the Supreme Court decision in PUCL Vs Union of India, 1997, regarding the use of the Indian Telegraph Act). But in GDPR, there is no guidance on who is the “Competent Authority” and what the procedure should be.

Besides, Indian law has an immediate quasi-judicial oversight in the form of Adjudication and a legal oversight of the Appellate Tribunal followed by the Supreme Court, whereas GDPR does not provide such judicial oversight to challenge any wrong order.

If therefore any Government department orders disclosure of information in violation of the principle of necessity and expediency, the data fiduciary or the data principal has an opportunity to invoke judicial remedies of the Supreme Court after adjudication and appellate tribunal.

Hence the concerns of the editorial that there will be a grave danger to Privacy and a violation of the Supreme Court order are misplaced.

Overall, the editorial is an attempt to misinform the public and allow the opposition members in the JPC to raise a ruckus to disturb the proceedings of the JPC with a view to preventing the finalization of the Bill.

As we know through the politics of protests, if somebody is motivated and is not willing to be convinced, we had better ignore them and proceed.

We urge the JPC to ignore such motivated attacks and proceed with the finalization of the Bill which has already been delayed beyond reasonable period just to satisfy opposing views.

Naavi


Biggest Challenges in PDPA adoption in India

Notwithstanding the wishes of many to delay the passage of PDPB 2019, it appears that the JPC is determined to complete its work this week and present its recommendations to the Cabinet. This is indicated by the fact that the JPC has scheduled 5 meetings in the next 3 days to discuss clause-by-clause consideration of the Bill. It had already been indicated that about 50 of the sections had already been discussed and finalized, and hence the remaining 49 sections are due for discussion in these 5 sessions at 10 sections per session.

Hopefully the JPC will be able to complete its task as scheduled.

It is therefore time for all the doubting Thomases to gear up to be compliant in time. The biggest challenges that the industry will face in this direction are

a) Resistance to Change

b) Unlearning the GDPR Concepts

c) Adapting to the multi-compliance management scenario

Resistance to change is a universal problem, and when disruptive new legislation is implemented, there will certainly be difficulties. However, I feel this will be a greater problem for the Government, Manufacturing entities and the Small entities, while the IT companies who have already adapted to GDPR may accept and adapt to the new legislation without much resistance.

However, while those entities for whom Privacy Protection through Data Protection is new will be able to learn the tricks of the trade from PDPA implementation, the IT Companies who are already aware of GDPR and other data protection laws will have another kind of difficulty, namely “Unlearning the GDPR Concepts”.

Many of the concepts in PDPA could be different from GDPR, and those who are expecting it to be a clone of GDPR will find themselves erring on the wrong side when they think “Being compliant with GDPR is also being compliant with PDPA-India”.

The concepts of the Privacy By Design Policy, Registration with the DPA, Mandatory Consent, the Sandbox system, the Section 37 exemption, the Adjudication system etc. may pose challenges of their own to those professionals and companies who cannot think beyond GDPR.

Lastly, the Indian Companies will try to act like a personal data hub and be required to be compliant with multiple laws simultaneously. In such a scenario, if they stick to ISO 27701 as a solution for compliance, they could find themselves wanting. They need to quickly get on board the PDPSI system (Personal Data Protection Standard of India), which is being drafted by FDPPI (Foundation of Data Protection Professionals in India).

These and other details are being discussed today at the PrivSec webinar at 3.15 pm (1st December 2020).


Attendance is by registration here.
