RBI Opposes Privacy Law

Until Mr Shaktikanta Das was the Governor of RBI, it appeared that RBI could be relied upon to take care of the interest of the public. In the Bitcoin case, RBI had taken a bold, principled stand which unfortunately was overruled by the Ministry of Finance under Mrs Nirmala Sitharaman. It was known as the triumph of corruption over national interest.

Now, with the new Governor Mr Sanjay Malhotra, who was earlier the Revenue Secretary and was instrumental in legitimizing Bitcoin using tax as an excuse, the confidence in RBI as a protector of the public interest is at stake.

This is well reflected in the challenge RBI has mounted on DPDPA 2023 and the Supreme Court judgement on Privacy by stating that “Credit Firms are not required to obtain User’s Consent to maintain Credit Scores” in an affidavit filed with the Supreme Court in Suryaprakash vs Equifax and others.

The way credit rating firms like CIBIL were taken over by foreign companies like TransUnion was a direct consequence of RBI not monitoring the “Data Laundering” that lay behind such takeovers. Today RBI has gone a step further and is trying to give a free hand to CICs to misuse and profit from the credit information of 140 crore Indians.

The Supreme Court frowned when IRCTC wanted to conduct a survey on whether it was possible to monetize its data and forced it to withdraw the proposal. Whenever UIDAI wants to take day-to-day operational decisions, the Supreme Court pounces on UIDAI to limit its operational freedom.

Now we need to see how far the Supreme Court is prepared to accept the view of RBI that a consumer has no role in the CICs profiling his credit behaviour, a practice that often causes harm to the data principals.

We consider that the law of DPDPA 2023 should prevail over the earlier CIC law, which has itself been fraudulently misused for purposes for which it was not intended.

Under the legislative intent of the CIC Act, the credit rating agencies were meant to assist the Banks in reducing their NPAs by preventing a defaulter from borrowing from multiple Banks. It was not the intention to monetize the credit data of consumers and let US companies make money.

RBI has been a silent spectator to this data loot and must be considered a co-conspirator in this data laundering exercise.

The current stand of RBI only confirms that RBI wants to challenge the right of an individual to determine how his personal data is to be processed by the Banks and for what purposes they can share the data with other Banks. CICs are a third party, and if they want to process the data of Bank customers, they have to obtain consent like any other data processor or joint data fiduciary.

RBI has admitted that the CICR Act was brought in as part of the risk mitigation policy of the Government to arrest the accretion of fresh NPAs in the Banking sector. For the same reason, the CICR Act does not empower US companies to create a “Credit Rating” out of the data shared by the banks and sell it to all loan companies at a price.

RBI’s counter affidavit is a misrepresentation and must be rejected.

Naavi

Posted in Cyber Law | Leave a comment

FIR on AWS

Amazon Web Services has been blamed by a builder in Bengaluru for a data loss of over Rs 150 crores, and an FIR is reported to have been registered by the CCB, Bangalore.

According to the report in Deccan Herald, Adarsh Developers were using Amazon Web Services and had migrated their data at an agreed cost of Rs 88 lakhs. Now AWS India has reportedly stated that despite their best efforts the data has been lost and they cannot retrieve or restore it.

Employees of the Redington Group and AWS have been blamed for the data loss. Whether it was sheer negligence, incompetence or possible criminal intent is to be found out in the investigation.

This investigation would currently fall under ITA 2000 and involve unauthorized access, failure of security, contractual failure etc.

Even CERT-In needs to be involved in the investigation along with the police.

Though DPDPA is not yet applicable, the principles of DPDPA would be part of the due diligence expectations under ITA 2000, and since personal data could also be part of this “Personal Data Breach”, we should consider this investigation and the eventual disposal of this case as fit for “Privacy Watch”.

Let us closely follow this case, since it has huge implications for AWS as a “Joint Data Fiduciary” responsible for reasonable security practices and for indemnifying the loss suffered by individuals whose personal data is involved in the incident.

Naavi


Complexities of Privacy Awareness Building

Despite the DPDPA 2023 having been passed as a law, all of us know that there is a need to create public awareness about what Privacy means to the common man. Without this awareness the law is unlikely to be effective.

Hence the first step we all want to take up is how to make the common man appreciate the importance of Privacy, or in other words, what the “Risks” of Privacy infringement are.

I would like every member to start thinking about how they can contribute to the development of this Privacy culture in India.

Let us assume a task where one of you will address the parents in a school or the members of a housing society and explain the concept of Privacy. You will immediately realize how hard it is to communicate the need for the “Right of Choice” of the individuals without adversely affecting the school authorities or the society that puts up CCTV cameras in its premises.

Privacy is a complex concept, and there is always a conflict between the individual’s Privacy rights on one side and the business interest in monetization as well as the surveillance and investigative needs of law enforcement on the other.

When we spread awareness of Privacy we need to spread a balanced awareness of the rights of Privacy without losing sight of the fact that we cannot wish away the need for monetization by business and surveillance for national security. If we do not recognize the need for such harmony, we will only create three segments of the market who will keep fighting amongst themselves.

The challenge before us is how to make people aware of their “Rights” along with their “Duties”, and also how to bring about an acceptance that business and governance are also important for an orderly society.

Can we have comments from all of you?

Naavi


Hotels as Data Fiduciaries

The DPDPA 2023 has completely changed the outlook of the industry on the use and management of data. So far, like every other business entity that has adapted itself to a “Data Driven” business strategy, the industry was concerned only with “Information Security” or “Cyber Security”, that is, preventing cyber criminals from accessing data in their custody and committing frauds.

In late 2018, the J W Marriott chain “became aware” of a data breach of its reservation system which had actually happened in 2014 in the network inherited from “Starwood” hotels, which Marriott had purchased in 2016. The data of over 500 million guests, including credit card and passport details, had been accessed by hackers. Investigations revealed that one of the competing bidders for the takeover of Starwood could have been responsible for the breach. The involvement of the Chinese military was also traced. It was therefore a business rivalry and foreign state sponsored attack. This was considered an “Information Security Issue” and the damage to individuals was collateral.

However, in terms of the damage to the company, the penalty imposed by the UK ICO under GDPR was more than $120 million and was much more than the direct loss suffered, most of which was covered by cyber insurance.

The insurance industry is deeply divided on whether administrative penalties can be covered by insurance. In the instant case J W Marriott did not contest the fine, and it is reported that it ultimately settled the penalty at around $52 million.

The Indian hospitality industry so far was not much concerned about such data breaches, since the industry was protected by weak enforcement and a weaker judicial system in India.

The current law, ITA 2000, requires an affected party to claim damages before a company becomes liable for such data breaches, but the “Valuation” of personal data for claiming damages continues to be a grey area, and it would require decades of litigation for a PIL to materialize (eg: the Bhopal Gas Tragedy case). Hence the industry was taking it easy. Most large hotel chains today hold lakhs of personal data records, including Aadhaar data, PAN data, driving license data etc., and these are retained for decades.

Now, with DPDPA 2023 coming into force, the “Risk of DPDPA Non Compliance” hangs over the heads of all the members of the hospitality industry, though limited to around Rs 250 crores, or say around Rs 500 crores if multiple breaches or instances of non compliance are recorded.

Under DPDPA 2023, the hospitality industry players will be given a new responsibility as “Data Fiduciaries”, responsible for the protection of the “Privacy Rights” of their customers.

The industry should therefore wake up and start taking steps to mitigate the DPDPA non compliance risk.

After shedding the complacency and deciding to secure the personal information under their custody, the industry should not fall into the second trap of complacency: believing that they are secure because they are certified under ISO 27001 or GDPR. They need to look for certification under India specific compliance frameworks such as DGPSI.

In this context it is timely that ETCISO is hosting an event on 18th February 2025 from 4.00 pm to 6.00 pm in Bengaluru (Park Hotel).

Naavi


“Unknown Risk” is “Significant Risk”

Data Fiduciaries who are deploying AI products for personal data processing need to take note that DPDPA Rule 12 expects that

“(3) A Significant Data Fiduciary shall observe due diligence to verify that algorithmic software deployed by it for hosting, display, uploading, modification, publishing, transmission, storage, updating or sharing of personal data processed by it are not likely to pose a risk to the rights of Data Principals.”

While some data fiduciaries may find comfort in the fact that this relates only to “Significant Data Fiduciaries” and not to others, the determination of which data fiduciary is a “Significant Data Fiduciary” may itself require an assessment of the “Sensitivity” of the processing and the harm likely to be caused to the data principal.

The officer of MeitY designated for this purpose may declare certain classes of data fiduciaries, or specific data fiduciaries, as “Significant Data Fiduciaries”. However, a data fiduciary that assumes it is exempt merely because the designated official has not declared its category of data fiduciaries as “Significant Data Fiduciaries” may not be fully correct.

The need to assess the risk of processing still lies with the data fiduciary, since he is a “Fiduciary” and not a “Controller”. It is the responsibility of every data fiduciary to carry out a self evaluation of his processes and document why he is not a significant data fiduciary.

In this context, deployers of AI will have a unique challenge. In case they are using an open source AI, it is their responsibility to understand the risk and declare whether there is a high risk to a data principal. If, however, they are unaware of the code of the algorithm, then they need to depend on the provider of the algorithm.

Due diligence in this regard means that the data fiduciary obtains an assurance along with an indemnity from the provider and includes it in the contract. Alternatively, the provider should be declared a “Joint Data Fiduciary” so that the responsibility for compliance falls on the provider as well.

In the context of proprietary algorithms, where the deployer is unaware of how the algorithm processes the personal data, the risk is not quantifiable. In such a case any data fiduciary should presume that the “Unknown Risk” could be a high risk and that the process therefore renders them a “Significant Data Fiduciary”.

In other words, deployers of all proprietary AI algorithms need to be automatically tagged as “Significant Data Fiduciaries”. If the use of AI is ubiquitous, then a large number of Data Fiduciaries will be Significant Data Fiduciaries.

Naavi


Date for filing Comments on DPDPA Rules Extended

As expected, MeitY has yielded to the pressure from the industry and granted an extension for the submission of comments on the DPDPA Rules from February 18 to March 5.

It is reported that by this time more than 10000 comments have already been submitted, and this extension may swell the number further. Hopefully this will not delay the finalization further.

Naavi
