“Defamation” as Business Strategy

Among the many abuses of the great innovation called the Internet and the World Wide Web is the misuse of the technology for organized defamation, akin to what we used to refer to in the physical world as “Yellow Journalism”.

While some adopt abuse through obscenity or abuse through manipulated information, which are considered offences under ITA 2000, “Abuse through Defamation” and “Abuse through an Online Threat” are no longer offences under the ITA 2000 because our honourable Supreme Court took a wrong decision in the infamous Shreya Singhal case by scrapping Section 66A, which has not been replaced so far.

I have recently come across a “Death Threat” on WhatsApp which cannot be booked under ITA 2000 and another incident of defamation through postings on some websites/blogs dedicated to defamation, which also cannot be booked under ITA 2000.

Such cases have to be booked under IPC, but the evidence is in electronic form and has to be supported by a Section 65B certificate.

Unless the Government of India reintroduces Section 66A or its equivalent, or files for a review with the Supreme Court and the Supreme Court reviews it and allows the section to come back at least in a “read down version” (please refer to discussions on Section 66A here), there is no relief to the victims.

Similarly, there is no relief to Cyber Crime victims if the MeitY and the MOF continue to ignore the immediate need to ban Crypto Currencies in India. These issues have also been highlighted in this website in the past.

Now I would like to bring to the notice of the public some websites such as shesahomewrecker.com, fraudsters.online and exposecheaters.online.

These are websites which encourage posting of defamatory content. We have earlier discussed in these columns the “Glassdoor attack” and also referred to the law in New Zealand to prevent such harmful effects of Social Media misuse. In one dimension of the job market we pointed to the “Glassdoor attack”, which involved posting of bad reviews about companies by disgruntled employees.

For these websites, and even for the Twitters and Facebooks, attracting visitors is the criterion. If this can be done with sensational news, often created by AI robots, they would grab it with both hands. What is lacking here clearly is “Ethics of Business”.

While the Internet provides the freedom of expression which can be used effectively when incidents like suspected murders in the cases of Sushant Rajput or D K Ravi or Sunanda Pushkar, Palghar sadhus, Sridevi etc. take place and the Police under the influence of corruption fail to take appropriate steps, there are also instances when innocent persons are harassed through wrongful posts in some of the websites mentioned earlier.

Of course, these issues have to be handled on a case to case basis and we cannot impose censorship that could prevent good use of Internet freedom.

However, in most cases, it is difficult to find the owners of these websites since the Registrars promoted by ICANN have a false sense of Privacy and mask the identity of the business information called “Ownership of domains” as if it were “personal data”. Hence even if our neighbor is indulging in slander, we will be running behind companies registered in Panama to request the WHOIS records. Similarly, Gmail does not want to reveal the originating IP address for emails that land in my inbox, for which I should have the right of information.

In a recent incident we also pointed out that Net4India, a sub registrar of domain names and provider of ISP services in India, suspended many of its activities, inconveniencing hundreds or thousands of web users.

The ICANN is not taking any responsibility for misuse of Internet and its approach to Cyber Crimes is the biggest challenge to Cyber Security at this point of time.

If we do not want to depend on ICANN for securing the Cyber Space, it is only the individual countries who have to ensure that the Cyber Space does not become a menace.

In India therefore the responsibility falls on the MeitY to address some of these issues.

Despite our repeated nudges, MeitY has not taken action for resolving the Net4India issue or the Crypto Currency issue. It has earlier indulged in half hearted attempts to amend Section 79 intermediary rules but backed out when Urban Naxalites launched action in the Supreme Court. Though it has taken steps to block Chinese Apps, it has not taken steps to block the websites which have made a business out of defamation.

Now we need to again remind MeitY of the need for reintroduction of “Harassment through messaging”, which was present in Section 66A along with Cyber Bullying, Cyber Stalking, Spamming, Phishing and Cyber threats, all of which the Supreme Court failed to see, as it was after its own desire to assert its support to freedom of expression, calling Section 66A a “Chilling” effect on the society.

We are not sure that MeitY has an ear to listen to these aspects. MeitY appears to be mortally afraid of PIL lawyers who may get a sympathetic hearing by the Supreme Court also. Our Attorney General is more concerned with letting off persons with a history of contempt of Court proceedings rather than protecting the victims of Cyber Abuse.

But it is our duty to record our observations and hope that some Court at least will take note of the woes of Internet abuse when some defamation cases are brought before them, like the Baba Ramdev case which was heard by the Delhi High Court.

Naavi


At least Now Mr Modi should know the Villain called Bitcoin

It is reported that Mr Narendra Modi’s Twitter account was hacked and a request was placed for contribution to the PM’s fund through Bitcoins.

It is obvious that this is the work of fraudulent hackers who must have been able to get some benefit by way of Bitcoin contributions before the hack was detected and removed.

Naavi has been urging the Government of Mr Modi to ban Bitcoins through a number of articles here but the request has gone unheeded.

It is our firm belief that unless Bitcoin is banned the Government of India’s effort to remove black money is only to be considered as half hearted.

Unfortunately the Supreme Court paved the way for a surge in Bitcoin usage in India by scrapping the RBI notification preventing Banks from dealing with companies engaged in Crypto Coin exchange.

The Finance Ministry has quietly looked the other way and even the RBI has withdrawn to the background since the lobby behind the Bitcoins is so powerful that even Mr Modi is hesitant to act.

Now that Bitcoins have been demanded and received in the name of Mr Modi, we can expect the opposition to demand an enquiry on whether this was really a hack or was only stage managed.

It would not be possible for BJP to prove that nobody paid in bitcoins because that is the nature of secrecy that surrounds this “Currency of Criminals”.

We hope that at least now, Mr Modi and Mr Shah would realize the damaging potential of Bitcoins and issue an ordinance to ban Crypto Currencies forthwith.

Naavi

 


Techgentsia sets a new Trend

The announcement that a relatively unknown company from Alappuzha, a small town in Kerala, has won the grand challenge mounted by MeitY to find an alternative to Zoom has created a new enthusiasm in many small software development teams that they too have an opportunity to emulate this company and achieve instant recognition if they have a good product.

India has for long been an “IT Service hub” and many giant companies have refused to invest their time and energies in developing a product profile. They have been happy to be followers of the US companies and often develop IP for the US companies to exploit. In the bargain Indian talents are getting hired for a salary to create huge software IP for other companies. Naavi.org has often called them “Cyber Coolies”, not to derogate them but to stimulate them.

Now with a new found enthusiasm to replace the Chinese products there is a new found opportunity for all intelligent software developers in the country to try and develop their own IP and their own products.

If Techgentsia’s VConsol has come out the topper in search of a replacement for Zoom, it will catapult the company into prominence. Apart from the guaranteed Government contract, it is likely to find market among all patriotic Indians waiting to use indigenous products. The Company is targeting a 1 million client base and even assuming a monthly income of Rs 1000 per client, this is a targeted business of Rs 100 crore per month.

We congratulate the company on hitting this jackpot and hope they will not fritter away this opportunity.

Remembering Dewang Mehta

This reminds us of the Dewang Mehta Award which had been instituted by the MeitY and for which even Naavi.org had submitted an application. Mr Dewang Mehta was the Nasscom Chief at that time and sadly passed away suddenly at an early age. He was a very dynamic professional who would have contributed significantly to the development of a self reliant IT industry in India if fate had not snatched him away. The award instituted in his name by MeitY also carried a prize amount of Rs 1 crore (in 2000) and the first such award was won by a Bangalore company for developing a low cost computer. Unfortunately the technology changes have pushed this innovation into oblivion. Subsequently MeitY seems to have discontinued its association with the award though the family may be continuing the tradition.

Need to Continue this Trend

I hope that the Techgentsia initiative is not a one off initiative but continues for other major technology replacements we are looking for. The Government has forgotten its commitment to replace the computer operating system and has not even thought of an indigenous mobile operating system. Even some of the replacements for WhatsApp, including those produced by NIC, and the use of local E-Mail services have not been adopted by the Government. If a self reliant India has to be developed, Government should recognize all indigenous initiatives even without funding support to encourage voluntary efforts in this direction.

Naavi’s two Aatma Nirbhar Projects

Naavi has now placed a challenge before MeitY with two initiatives for self reliance in the domain of “Data Protection” by first launching a “Certification Program” for professionals for which individuals are paying crores of rupees to foreign organizations and a “Locally developed data protection standard which can be used both in India and outside” which again can save crores of rupees paid today to foreign organizations. This “Personal Data Protection Standard of India or PDPSI” and its global counterpart “Global Personal Data Protection Standard” will enable SMEs to achieve compliance without spending a huge amount of money to the foreign agencies.

However we need to wait and see if MeitY can recognize such efforts or continue to support the international agencies unmindful of the foreign exchange outflow.

Responsibilities of Techgentsia

On the other hand, I would like to caution Techgentsia that if they want this opportunity not to go waste, they need to recognize that the Government has onboarded them onto a sensitive Government project and they have a huge responsibility to ensure that the security of the system is fully taken care of. Now all the anti Indian forces both in China or Pakistan or in India and more so in the sensitive state of Kerala will be trying to break this system which is going to be associated indirectly with sensitive Government data.

They may come in all forms even in the guise of appreciating the company and helping them. They may try to compromise their employees. They may try to steal the codes. They may also offer huge incentives for compromising the codes. Techgentsia has to overcome all the temptations and preserve their loyalty to the nation.

I hope they will.

Naavi


Live Mint Interview on Data Protection Regulations

Following is the interview of Naavi that appeared in Live Mint recently:

Excerpts as published:

What’s your take on the provisions in the bill?

Privacy legislation is always a complicated legislation. You have to balance the interest of privacy activists who want their rights protected, business people who want total freedom so they can exploit, and the government that wants as much control as possible. The preamble of the bill recognizes these three stakeholders. Whatever you do, someone will be happy and someone won’t be. That’s what is playing out here. But overall, I think they’ve done reasonably well.

How does this bill compare with its counterparts in the West, like the General Data Protection Regulation (GDPR) in the European Union?

GDPR has principles of processing. So do we. GDPR has rights [for citizens]. So do we. Except that, in the ‘right to forget’, we are a little more circumspect than the EU. In EU, it’s more or less automatic. In India, we say it is subject to adjudicator’s decision, which is a quasi judicial authority that can take decision on this. This reduces the burden on the judiciary. If the adjudicator’s decision is not acceptable, one can approach an appellate tribunal. If that’s not acceptable, one can approach the courts.

There are concerns that some of the provisions in the bill allow for significant state surveillance.

The Bill will empower government for certain things. Sections 35 and 36 allow certain security agencies to process data for surveillance. They are, however, not allowed to misuse this data.

Article 19 of the Constitution also provides reasonable restrictions, where the government allows itself similar exemptions in cases of ‘decency’, ‘morality’, ‘defamation’. Based on the constitution, the government can use ‘incitement to offence’ and ‘public order’ for surveillance. These terms are generic and can be misused.

As per this Bill, the offence has to be related to matters of ‘national security, sovereignty, integrity of the state’, not things like ‘decency’. So in my view, this reduces the surveillance powers of the government.

One of the reasons for concern is the possible broad interpretation of ‘integrity of state’.

I understand. But some parts in the Indian Penal Code also give draconian power to the police. Even they misuse it many times. This is more reflective of persons in charge of the legislation. We can only have deterrence. Likewise, you can’t omit this law on speculative grounds, saying the government might misuse it. The law can provide a framework. If someone wants to misuse it, punish them separately.

How desirable do you think data localisation is, as mentioned in the Bill?

Right now, there is no data localization in the legislation. ‘Non-sensitive personal information’ can be transferred, so can the ‘sensitive information’, subject to explicit consent. Only ‘critical information’ cannot be transferred but we don’t know what constitutes that. There is no restriction on transfer of data.

When we’re talking of having one data centre in India, it will act as a back-up data centre. There is an economic cost for businesses. But I don’t believe the industry will suffer.

Will having a data copy in India affect the way a law enforcement agency can access a person’s data?

For a law-enforcement agency to access someone’s data, it needs to be for law-enforcement reasons. They have to send a notice, identify investigating officer, identify the reasons for which it is done, and tomorrow if police officer is going beyond their normal duty and collect the information, there’s always a possibility that the written request will be questioned in court of law. But if someone wants to ignore the procedures, that is what the private sector – the data centre owner – has to resist. Agencies can’t come and directly take away data.

Is there a possibility of misuse by state agencies, with data being more accessible than earlier?

I have been working in the field of cyber crime for 20 years. When we want information for investigation, Google and others don’t give data. If you get an abusive or obnoxious email, you’d need the IP address to find out who sent it. But they will often not reveal the address. In a way, they’re protecting the abuser. I don’t buy this idea that if data is in India, there will be a problem. I don’t trust Facebook or Google. The possibility of misuse exists but both arguments have to be considered on a case-by-case basis.

Naavi


Anonymisation is the boundary between Personal Data and Non Personal Data

P.S: This is a long post and addresses multiple objectives. Firstly, it responds to a report which appeared in Medianama.com on what transpired at the JPC deposition, to correct some misconceptions. Secondly, it tries to explain the difference between de-identification and anonymization, about which confusion prevails with many law makers and judicial experts. Thirdly, it also clarifies the segregation of roles between the past legislation of ITA 2000, the present legislation of PDPA and the future legislation of NPDGA.


MediaNama Comments

The introduction of the Kris Gopalakrishnan Committee report (KGC) has opened up many interesting but basic debates, one of which is on the concept of “Anonymization”.

Medianama.com, which is one of the well known critics of Government policies, made a comment regarding the deposition made by the undersigned before the JPC on PDPB 2019 on August 10, 2020, in which it stated as follows:

“FDPPI spent much of their 90 minutes discussing what anonymisation means, how it works,  and potential privacy harms associated with it, five sources told us. Members of the committee asked questions about whether anonymisation was enough to protect people’s privacy, and if de-anonymisation posed a significant risk to users, two sources told us. FDPPI had proposed that the same data fiduciary that anonymises data should not be penalised for de-anonymising such data, three sources told us. According to the Bill, only re-identification of de-identified data (Section 82) is considered an offence. Re-identification of data as an offence was briefly mentioned but not discussed at length.

Despite extensive discussion of anonymisation and anonymised data, the Committee of Experts’ report on governance of non-personal data was only name-checked in that it exists, two sources told us. It was not discussed since members agreed that non-personal data did not fall within the mandate of the Personal Data Protection Bill.

Three sources also confirmed to MediaNama that the FDPPI expressed its support for exemptions granted to government agencies from the provisions of the Bill under Section 35, but the Committee paid no heed to it.”

It may be noted that the discussions were supposed to be confidential and it is surprising that such discussions are being reported regularly by Medianama. However, as long as the report is accurate it is merely a breach of propriety but if there is any error in reporting even if it is a genuine mistake, there could be some unpleasantness.

Since comments have been made on my deposition, some clarifications may not be out of place. Further, in the discussion on the KGC report Justice Srikrishna also had expressed certain views which related to the concept of “Anonymisation”.

In this context, let’s discuss the distinction between Personal and Non Personal data and how Anonymization fits into the discussion.

In order to explore the concepts, we may refer to Naavi’s Data Theory. This was first published in October 2019 before PDPB 2019 was released and has several thoughts which have become more relevant today after the KGC report has been released.

(All the articles about the theory of data can be accessed here)


The Boundaries between ITA, PDPA and NPDGA

In this discussion, we need to consider three legislations, namely Information Technology Act 2000 (ITA) which is already in existence, Personal Data Protection Act (PDPA), which is in the final stages of being passed and the Non Personal Data Governance Act, (NPDGA) which is in the preliminary stage of conceptualization.

All the three legislations namely ITA, PDPA and NPDGA address “Data or Information” and represent the Past, Present and future of legislation related to a set of binary expressions called “Data” capable of being interpreted in a device called Computer and stored, transmitted, aggregated and modified.

Data is created by technology as a sequence of binary expressions and interpreted by the humans with the use of technology that converts the binary information into a human experience-able form of text, sound or image or a combination thereof.

Data does not know if it is Personal, Non Personal, Sensitive, Critical etc. These are the interpretations of humans. It is the challenge to the law makers to ensure that when introducing legal prescriptions on the interpretation of Data, a reasonable clarity is provided on the context in which a particular law is applied. This clarity is achieved through the various definitions.

Definitions of terms as defined in the law define the applicability of the law and the contours of the boundaries of any law.

Section 3(11) of PDPB 2019 defines data as

“data” includes a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by humans or by automated means;

Section 2(1) (o) of ITA 2000 which should be considered the father of PDPA defines data as follows:

“Data” means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalized manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer;

The definition of data in the parent legislation is more detailed and PDPB 2019 adopts an inclusive definition.

The ITA 2000 is more fundamental as it goes into how “Data” originates as a representation that can be interpreted by a computer system (which itself is defined as a device that functions by manipulation of impulses). The inclusive definition of PDPB adopts the ITA 2000 and does not re-interpret it.

The NPDGA is a law which addresses “Data which is not personal data under PDPA” and hence the definition of data under the ITA 2000 extends to NPDGA also.

Having recognized that data in all forms is a “Binary Sequence”, the interpretation of something being “Personal” is derived from Section 3(28) of PDPA as

“data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling;”

While defining personal data we include the “Offline” information and “Inference”. This pre-supposes that a human is looking at the binary form of the data through the converters called the computers, software applications and hardware peripherals.

What this means is that the definition of what is personal or non personal is relative to the knowledge and capability of the person who is looking at a data.

What is “Personal Data” for A may not be so for B. Hence any interpretation of data as personal or non personal has to be based on what a “Prudent Man under similar circumstances” understands.

On either side of this “Prudent man” are people who are not adequately informed to interpret and people with X-ray eyes who can look beyond the obvious.

Law however can only address itself to the middle where a “Person with reasonable information and knowledge considers it as Personal Information”.

One example is to go to Timbuktu and give a person a piece of paper on which it is written “MODI” and give the same chit to a person in Delhi (let’s forget the language issue now). A reasonable man in Delhi is expected to interpret the data as “Personal”. But a “Reasonable man in Timbuktu” is not required to interpret it as “Personal”. Hence when a law is made for India and Timbuktu together, it is difficult to ensure that data will remain “Personal” or “Non Personal” for all the stake holders.

I am quoting this example because today there is a discussion about how do we define “Anonymisation” which is the boundary between PDPA and NPDGA as well as ITA 2000 and PDPA.

ITA 2000 today addresses all aspects of data governance and data security and applies both to personal data and non personal data. PDPA is trying to pluck out “Parts of Protection of Personal Data” from ITA 2000 and take it over to PDPA. PDPA will focus on “Due Diligence” and “Reasonable Security Practice” as defined in Section 43A of ITA 2000 and does not address “Cyber Crimes committed with personal data” which will continue to be addressed by ITA 2000.

Hence Personal data as defined in PDPA continues to remain defined as “Data” for the purpose of application of ITA 2000.

While PDPA defines the proactive compliance requirements that a Data Fiduciary or a Data Processor should follow, any misuse of personal data (Other than what is indicated in Section 82 of PDPA) remains within the jurisdiction of ITA 2000.

Two elements have to be considered therefore to distinguish between what data comes under ITA 2000 and what data comes under PDPA.

They are

    1. Data becomes personal because the Data Fiduciary can identify a “hidden natural person associated with the data”.
    2. An issue comes under PDPA for the purpose of compliance with obligations etc. stated in the Act and not when a wrongful harm has been caused in contravention of the law (Section 82 excepted).

On the other hand, the boundary between PDPA and NPDGA is defined by the following criteria

    1. Data which is not personal data as per PDPA belongs to NPDGA regulation. NPD may also arise separately when data originates without being identified with any natural person.
    2. Issues of misuse of NPD come under ITA 2000 (subject to any specific offences that may be defined under NPDGA like section 82 of PDPA).
    3. NPDGA is focussed on “Unlocking the value inherent in the Non Personal data” and not on “Protecting the Non Personal Data”.

The issue of Anonymization

There is a misconception in many that “Non Personal Data” is only generated from Personal Data. This is wrong and has to be corrected.

There is no doubt that Personal Data which is “Anonymized” flows into the “Non Personal Data” category.

But there are also other kinds of data which take birth as Non Personal Data directly. One example is the weather data captured by sensors. If I say the temperature in one of the sensors in Bengaluru Airport shows 27 degrees, this is not personal data.

However, the person who has installed the sensor which could be the Government or an individual may claim a right on the data captured because he has invested money to get that data. It is this ownership that NPDGA tries to recognize and call as “Public Data” or “Private Data”.

Some data also arises because of the shared activity of a community.

One example of such data (in a gated community data collection system), is the following data:

“between 10.00 am to 11.00 am , 50 vehicles passed through the toll of which 28 were cars, 12 were two wheelers and 10 others.”

Since this data collection device/system is funded by the society, this data belongs to the community. Each person who is driving out or in, may claim that the information that he drove out or in is his personal data.

But what is being represented as community data is not that A, B or  C drove out in a Car and D, E or F drove out in a two wheeler, but so many vehicles drove out or in.

This is the “Community data” for which NPDGA recognizes the community as the owner, for which there will be a “Data Custodian” as a representative of “Collective ownership”.

The PDPA has no stake in either the weather data collected by the Government or a Private company or the community data collected by the building society.

If the building society is maintaining a register where the vehicle numbers are being noted along with the names of passengers, that register represents an aggregation of personal data and is within the provisions of PDPA.

But if that data is extracted out into another register and the name and vehicle number is masked and replaced with a serial number 1, 2, etc., then the data becomes “de-identified”.

The information “vehicle 25 moved out at 10.40” is de-identified data.

If instead of replacing the name and vehicle number with a serial number, the name is replaced with another random alpha character and vehicle number is replaced with another random alphanumeric character, then the information generated looks like a normal information that xyz with vehicle number AB25M2020 moved out. But this is “Pseudonymized” and is not revealing the identity of the individual who moved out.

PDPA recognizes that de-identification and pseudonymization are tools of securing the information when it has to be processed by many people to regulate the “distribution of information within an organization on a need to know basis”.

This is, however, not “Anonymization”.

In the case of de-identification or pseudonymisation (PDPA does not distinguish between these two), there still exists a “Mapping record” from which the organization can re-identify. For example if the security manager of the building society wants to know what are the details of vehicle number 30, it can be fetched and provided.

This is what can be called “Re-identification within a process”, which is not an offence under Section 82 of PDPA. However, if the society has disclosed its traffic data in a de-identified form to somebody else for a purpose, and that person uses his intelligence or some other information available to him and is able to identify that Vehicle number 30 was of Mr Raja, then this Re-identification comes under Section 82.
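The gated-community register described above, worked through as an added Python sketch (not part of the original post): it produces the de-identified and pseudonymised forms together with the mapping record the society retains, and the hourly counts that carry no mapping record at all. The register rows, names and vehicle numbers are constructed, and the function names are assumptions chosen for illustration.

```python
import secrets
import string
from collections import Counter

# Constructed sample gate register; names and vehicle numbers are invented.
REGISTER = [
    {"name": "Resident A", "vehicle_no": "KA01AB1234", "type": "car", "time": "10:05"},
    {"name": "Resident B", "vehicle_no": "KA02CD5678", "type": "two_wheeler", "time": "10:20"},
    {"name": "Resident C", "vehicle_no": "KA03EF9012", "type": "car", "time": "10:40"},
    {"name": "Resident A", "vehicle_no": "KA01AB1234", "type": "car", "time": "11:15"},
]


def _replace_identifiers(register, make_token):
    """Swap (name, vehicle_no) for a token and build the mapping record.

    Returns (released_rows, mapping). Released rows carry no name or vehicle
    number; the mapping record is what the society keeps to itself.
    """
    mapping = {}   # token -> (name, vehicle_no)
    assigned = {}  # (name, vehicle_no) -> token
    released = []
    for row in register:
        identity = (row["name"], row["vehicle_no"])
        if identity not in assigned:
            token = make_token(len(assigned) + 1)
            while token in mapping:  # regenerate on a random collision
                token = make_token(len(assigned) + 1)
            assigned[identity] = token
            mapping[token] = identity
        released.append(
            {"subject": assigned[identity], "type": row["type"], "time": row["time"]}
        )
    return released, mapping


def de_identify(register):
    """De-identification: identifiers replaced by serial numbers 1, 2, ..."""
    return _replace_identifiers(register, lambda serial: serial)


def _random_pseudonym(_serial):
    """Random alpha name plus random alphanumeric vehicle number."""
    name = "".join(secrets.choice(string.ascii_lowercase) for _ in range(6))
    alnum = string.ascii_uppercase + string.digits
    vehicle = "".join(secrets.choice(alnum) for _ in range(10))
    return (name, vehicle)


def pseudonymize(register):
    """Pseudonymisation: identifiers replaced by realistic-looking random values."""
    return _replace_identifiers(register, _random_pseudonym)


def re_identify(mapping, token):
    """Re-identification within the process: a lookup in the mapping record.

    Returns None when the token is not in the mapping supplied.
    """
    return mapping.get(token)


def community_counts(register):
    """Hourly counts per vehicle type, as in the toll example.

    No per-vehicle rows and no mapping record are produced. Whether counts
    like these meet a prescribed irreversibility standard is an assumption
    this sketch does not settle.
    """
    return dict(Counter((row["time"][:2], row["type"]) for row in register))


if __name__ == "__main__":
    rows, record = de_identify(REGISTER)
    print(rows[2], "->", re_identify(record, rows[2]["subject"]))
    print(community_counts(REGISTER))
```
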

(P.S: The MediaNama report had not properly represented FDPPI suggestion in this regard.)

The issue of “Anonymization” and “De anonymisation” is different from De-identification and Re-identification.

Anonymization by definition is an “Irreversible Process”.

Conceptually, Anonymization is “computationally infeasible to be de-anonymized” and it is impossible to extract personal data out of anonymized data by any reasonable effort.

If however there are “Hackers” who are determined and can “De-Anonymise”, they are not different from hackers who break a password or encryption. Law can only set some minimum standards of security but cannot prevent a determined hacker from criminally extracting information which has been anonymized. Law has to take stringent measures to create deterrence of such activities.

Presently Section 82 applies to “Re-Identification of a de-identified personal data”.

PDPA assumes that, since by its definition “Irreversible conversion of identifiable personal data into anonymized data” takes the data out of the purview of PDPA, what a criminal may do with such anonymized data is to be handled by ITA 2000 and not PDPA.

The de-anonymisation of anonymised data can be brought under Section 43 and Section 66 of ITA 2000 and relief would be available to the data principal.

If certain anonymised information is de-anonymised, it also reflects on the quality of the anonymisation process adopted by the Data Fiduciary. If the Data Fiduciary has met the standards of irreversibility that the DPA has prescribed and still the anonymised data has been de-anonymised, then the Data Fiduciary cannot be held responsible. Otherwise he can be accused of “Negligence” and administrative fines can be imposed on him for wrongful disclosure of identifiable or de-identified data as anonymised data.

Note on the JPC discussion and MediaNama comment

The discussion with the JPC on Anonymisation was to answer the questions related to the distinction between De-identification and Anonymisation and consequently Personal Data and Non Personal Data.

We should be happy that the members were patient enough to listen and discuss this conceptual issue and gave an opportunity for us to contribute to the education of the members. This is precisely the purpose of JPC inviting experts to explain such technical issues.

JPC is not a forum for getting our business interests incorporated in the law, as some other organizations representing business interests may consider it to be. That is called “lobbying”.

FDPPI was not into “Lobbying” but into “Providing clarifications for the questions asked”, and hence there was and will be no expectation that our views are to be immediately accepted by the Committee.

The comment of MediaNama that “Committee paid no heed to the recommendation of FDPPI” is also not a proper way of putting things, again for the reason stated above that the JPC discussion was a “Deposition as an expert” and not a self-centered request.

There was no need for the JPC to say, they agree or disagree with any presentation. They are expected to listen and absorb knowledge that experts can bring to the table and use their discretion when they finalize their recommendations. Hence we are perfectly fine with the opportunity provided to present our views and not unduly concerned about the reactions.

Also, we neither confirm nor deny what MediaNama has stated on the confidential proceedings in the Committee and have provided this clarification only to clear the wrong perceptions which the MediaNama report could have created.

I have also used the opportunity to provide some knowledge inputs as I think is correct from the Jurisprudential point since even judicial experts appear to have difficulty in accepting that de-identification and anonymisation are two different concepts.

Concept of Unlocking

Now looking at the objective of NPDGA, several loose comments have already started floating around that this Act will enable the Government to appropriate data built by the private sector at a cost, that it will use its power to deny IPR, etc.

I would like all experts to take into account that at present the expert committee has just provided its report which the MeitY has placed before the public without any of its comments. It is possible for the MeitY to modify it as they like. It is presently in a very preliminary state and is yet to be converted into a Bill.

At this time what is required for experts is to put their comments on the report of the committee and let the MeitY have more information with which a version of the Bill can be developed. This is more like a brain storming exercise and not an exercise to criticize the KGC report as if it is a bill about to be passed along with PDPB.

In this respect we need to only look at the objective of the Bill and make broad recommendations if we have any.

In my view the proposed NPDGA is an attempt to unlock value in a part of data which today has zero value to either the Government or the community which contributes to the generation of NPD. Only a few intelligent companies are harnessing such data and making commercial value out of it. These companies, who are the biggies like Facebook, Google etc, are expanding their hold on NPD in such a manner that smaller entities have no opportunity to exploit the same.

The NPDGA would be an attempt to ensure that there is a fair mechanism by which those who contribute to the generation of the NPD are rewarded, by enabling the custodians of community data to realise value. Government on its part may place some data in public hands through the “Open Data” concept.

In between, if the Government feels that some data has been acquired by private entities from public resources, it may acquire the data at a fair cost. Only if the data is related to national sovereignty issues may it exercise the “Compulsory acquisition” option.

Where there is an IPR for the private party and the data is not in national interest to be acquired, Government cannot force the IPR owner to give up the right and hand over the data. Any speculation in this regard is not backed by reason.

Presently IPR laws such as patent laws do have a “Compulsory licensing” clause and a similar provision may be made in the NPDGA. It would be backed with a due process as well.

Hence the criticisms of NPDGA (Proposed) are premature. We have discussed this issue at present only because people who do not understand the firewall between PDPA and NPDGA created by Anonymization are discussing “Consent for Anonymization”.

While it is possible for a Data Fiduciary to take consent for Anonymization along with the consent for use, in our opinion this is not necessary.

Anonymisation is a legitimate interest of the data fiduciary and does not require consent or explicit consent. Anonymisation itself is not a “use” and post anonymisation the data is no longer under PDPA.

De-identification, on the other hand, is a technical process of in-process security and does not require specific consent.

Those data fiduciaries who do not want to anonymize and place the anonymized data in Government hands are welcome to keep the data in personal data form itself and delete it if the purpose of its collection is over. In such a case, as per the present PDPB or KGC report, the Government may not be able to force the personal data owning data fiduciary to anonymize and hand it over to the Government.

Naavi

(Comments are welcome)

 


Virtual Seminar on Data Protection

Naavi has through FDPPI indicated its intention of undertaking a large scale “Data Protection Awareness Program in India” through education programs built around the core concept of “Data Protection”.

One of the first programs taking this concept ahead was conducted in the form of the Virtual Seminar with GK Law College yesterday and will continue today.

This program was organized in collaboration with the GK Law College Hubballi, which is part of the educational conglomerate namely the KLE Society.

KLE Group of educational institutions has in the past collaborated with Naavi in spreading the knowledge of Cyber Laws in India and the first program titled “Certificate in Cyber Law by Cyber Law College in association with ……” started in collaboration with KLE Law College, Bangalore (Now called Bengaluru). It then spread to GK Law College in Hubli (now called Hubballi), SDM Law College, Mangalore and JSS Law College, Mangalore.

Now KLE has again become instrumental in the current generation of knowledge dissemination, this time on Personal Data Protection.

FDPPI is proud to be associated with this prominent educational institution in Karnataka which has over 100 years of service to the society behind it and over 265 different institutions in its educational fold.

The Virtual Seminar was organized by GK Law College, Hubballi on “Cyber Security and Data Protection” in association with FDPPI as the knowledge partner. The program was inaugurated by the Commissioner of Hubballi and Dharwar, Sri R.Dileep, IPS and Naavi delivered the Key Note Address.

The program was well attended by people not only from Hubballi but from the rest of India and even abroad. It was also broadcast live on YouTube.

We feel that this would be a trendsetter in the Jnaana Jyothi program concept undertaken by FDPPI.

A link to the key note address delivered by Naavi on the occasion is available here:

Naavi
