Naavi.org

The  comments submitted by Nasscom-DSCI on the Personal Data Protection Bill 2019 makes an interesting reading.

The copy of the submission is here

So far, whenever a law related to IT industry was drafted, NASSCOM was a close confidant of the MeitY and a trusted advisor. But now it appears that NASSCOM is clearly on the side of the multi national industry players who want a Privacy law which protects the MNC business interests more than it protects the Privacy of the individuals. DSCI obviously follows the views of NASSCOM and hence both have submitted a joint view.

The document is a fairly long document and consists of four parts. The first part is a recommendation of the principles for effective Personal Data Protection, the second is a list of key concerns, the third is a list of clarifications sought and the fourth is a clause by clause comment on the PDPA 2019.

Before going further into understanding what Nasscom wants and why it takes a specific stand, we must note that what we are now commenting on is the copy of the “Act” and once the Act is passed, there will be several notifications that the Government will make. There after, there will be an organization called Data Protection Authority (DPA) which will come up with many more regulatory guidelines.  Each of these namely the Act, the Notifications and the regulations have a certain scope and purpose. Th Act cannot be the notification and the notification cannot be the regulation.

It is not advisable for law to be too detailed so as to make it very rigid. On the other hand, it is possible for some flexibility to be built into the Act so that the later notifications and regulations can take into account the requirements that would unfold over a time.  Many of the suggestions that Nasscom has provided under the first part are already addressed in the Act and many other suggestions are meant for the notifications and regulations.

Hence we can ignore most part of the 43 page document and look at the essence of the recommendations given .

….To be continued

Naavi

Justice Srikrishna calls new Data Protection Bill a blank cheque to the state..https://in.finance.yahoo.com/

This picture appeared in an article in Yahoo.com yesterday and quotes Justice B N Srikrishna who authored the famous report on Data Protection which finally led to the current version of the bill which is before the JPC for  finalization. It also has DSCI representative who was part of the Srikrishna Committee and submitted a dissenting note on Data Localization. It also has other vocal champions of Privacy who have been clearly opposing the Bill for many reasons.  Cumulatively the group wants the Bill not to be passed in the near future unless major changes as suggested by them are incorporated.

None of these people can say that they donot want the Bill to be passed since they have themselves once demanded for a strong legislation on Privacy Protection and their objection is that the law is not to their liking.

Considering the respect that Justice Srikrishna commands, it is necessary to check what his main objections to the latest version of the Bill are and whether they are in deed justifiable.

There are two main objections that Justice SriKrishna has.

The first is that the committee which selects the DPA consists of the Cabinet Secretary, the IT Secretary and the Law Secretary and does not consist of the Chief Justice of India as he recommended.

The Second objection is that under Section 35 of the proposed Act, the powers with the Government to exempt itself from the provisions of the Act are unwarranted.

Appointment of DPA

Let us take the first objection. According to Sri Krishna, the new provision “does away with the Judicial Oversight completely” to the selection of the DPA.  According to Mr Srikrishna, judicial oversight is required right at the selection of the members of DPA.

What this means is that Justice Srikrishna wants the DPA to be elevated to the level of a Chief Election Commissioner or CVC or a Judicial appointment like a Tribunal. The Government however has considered DPA as more like a TRAI, IRDAI or SEBI. It is a body to regulate certain industry segment. While other regulators are meant to regulate all aspects of a given industry sector, DPA regulates one aspect of business namely “Personal Data” across multiple industry segments. It does not even regulate “All Data”. The objective of this law is to bring Indian Data Protection regulation on par with the global approach.
It is not necessary that every top appointment of the Country is done only with the involvement of the CJI. If this argument holds good for DPA, then questions rise why not CJI be involved in the appointment of RBI Governor, or IRDAI Chairman or TRAI Chairman. Question can also be raised on why the leader of the opposition in the Parliament should not be made part of the selection panel?.

While the demand to raise the DPA to the level of a Constitutional position is laudable, one has to point out that this expectation is impractical.

We can note that the Act prescribes some criteria such as 10 year experience in relevant field under an age group of persons less than 65 years of age for persons to be appointed to the DPA either as chairman or as members. It is well known that “Privacy” has been a concept which we the Indians never considered as a great virtue in the past. India has always supported “Freedom of Expression” as a key right much more than Privacy. The concept of Privacy and more importantly the concept of “Data Protection for Privacy Protection” is the concept popularized by EU and it is not easy to find persons with “Experience” in “Privacy Protection through Data Protection”. We may be able to find persons who are in “Information Security for more than 10 years” or “Advocates who have fought privacy related cases in the Courts”. But finding a 10 year experienced person who understands the current “Techno Legal concept of data protection for privacy protection” is not easy since not many are available in the field.

Had the CJI been in the selection committee, his knowledge of people would have been restricted to judges and advocates and not to who amongst them understands the concepts such as Artifical Intelligence, Big Data, Anonymization, Pseudonimization , Privacy by Design, a Data Protection frameworks under ISO 277001 or PDPSI etc. He would have to depend on the IT Secretary for such information. Now between the IT Secretary and the Law Secretary, a short list of knowledgeable persons can be made and the Cabinet Secretary can act as the third wise man to facilitate the final choice. A CJI in a similar position would have an overbearing influence in making the DPA look more like  Judicial forum rather than a body that can regulate the Data Protection Eco system.

At the same time, since the appointment of the Chairman or other members can always be challenged in the Supreme Court if a person with no credentials is appointed.

Had the appointment was made un-impeachable even in a Court of law, the allegation could have been accepted. Just because the CJI is not involved in the appointment, holding that Judicial oversight is completely ignored is unacceptable.

Powers of the Government

The second objection raised by Justice Srikrishna is on section 35 which provides exemption to the Government under such reasonable exceptions  that the constitution provides for all fundamental rights.

Justice Srikrishna appears to make PDPA more stringent than the Constitution and restrict the powers of the Government even beyond what the Constitution itself does.

In the earlier version, (pdpa2018) it had been stated

“Processing of personal data in the interests of the security of the State shall not be permitted unless it is authorised pursuant to a law, and is in accordance with the procedure established by such law, made by Parliament and is necessary for, and proportionate to, such interests being achieved.”
“Processing of personal data in the interests of prevention, detection, investigation and prosecution of any offence or any other contravention of law shall not be permitted unless it is authorised by a law made by Parliament and State Legislature and is necessary for, and proportionate to, such interests being achieved.”

The above were in addition to the exemption provided for legal proceedings, research etc.
The essential difference was the legal implication of the way the restriction was expressed. In the new version  the provision is stated differently as

” Where the Central Government is satisfied that it is necessary or expedient,—
(i) in the interest of sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order; or

(ii) for preventing incitement to the commission of any cognizable offence relating to sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order,
it may, by order, for reasons to be recorded in writing, direct that all or any of the provisions of this Act shall not apply to any agency of the Government in respect of processing of such personal data, as may be specified in the order subject to such procedure, safeguards and oversight mechanism to be followed by the agency, as may be prescribed.”

Both versions provide that that exemptions are available for the security of the state and would be subject to necessary safeguards.

The objection is therefore more a clash of drafting technique. We know that the Supreme Court has read meaning into even our constitution where there were no specific mention of a provision (Read the judgement of Aadhaar and Privacy) and has ignored the specific mention of words in the law many a times (Scrapping of Section 66A of ITA 2000 is an example). Hence, whatever way the act is drafted, the Supreme Court has the power to interpret it in its own way and hence there is no harm in the wordings either in the way  PDPA2019 has expressed or PDPA 2018 has expressed.

There is no doubt that Justice Srikrishna appearing in the group of traditional opponents of the Bill who mainly opposed the Data Localization part of the Bill which Justice Srikrishna himself had drafted puts the Government in an embarrassing light. But Justice Srikrishna has failed to explain why he is no longer supportive of the data localization aspect that he himself recommended and Ms Rama Vedashree who was part of the committee dissented.

The MeitY in its new version has yielded on the earlier objections on data localization which was also a set back to the persons who supported  the upholding of “Data Sovereignty” principle and the possibility of economic benefits of data localization. I wish the JPC has the courage to reverse this amendment and go back to the earlier version of the data localization where it was mandatory to keep a copy of all personal data transferred out of the country.

A third aspect which Justice Srikrishna brought up in the round table reported by yahoo is a new objection he has added and it relates to the “Social Media Intermediary and inclusion of Non personal data”. He is quoted as having expressed that they should have been left out of this law, without substantiating why he feels so.

The provision on social media intermediary as well as the empowerment to seek anonymized community data have  certain reasons and hence there is no need to make any changes there in.

(Views expressed here are the views of Naavi as a person and comments are welcome)

Naavi

P.S: People in the above photograph: Left to right: Saikat Datta, Ashutosh Chadha, Justice BN Srikrishna, Rama Vedashree, Shashank Mohan and Parminder Jeet Singh.

Naavi.org was started (first as naavi.com) way back in 1998 with the objective of contributing towards “Building a Responsible Cyber Society”. In the process it continued to contribute towards “Developing Cyber Jurisprudence” by promoting independent interpretation of different aspects of Cyber Law such as the  Electronic evidentiary aspects ingrained in the Section 65B concept of Indian evidence Act.

Time has now come for Naavi.org to extend this service to the Cyber Community in India with contributions towards the development of the Data Protection Eco system on the lines that will be beneficial to the Citizens who are looking forward to Data Protection as a means of Privacy protection, without destroying either the development of the industry or neglecting the needs of the Government.

We believe in co-existence and do not believe that “Privacy” is an objective to be reached at any cost sacrificing the need for coexistence  with Security of the nation and the growth of the industry. Naavi believes that the Supreme Court means the same when it held that Privacy is a fundamental right subject to reasonable restrictions.

We therefore reject many of the criticisms of the law stating that PDPA as it is envisaged now will create an Orwellian State or that data localization will harm the industry.

Naavi.org along with the associate activities of Naavi such as Cyber Law College will therefore now focus on how to ensure that the proposed Data Protection law in India will roll out in the implementation stage achieving the delicate balance between Privacy, National Security and Industrial growth.

In this direction, Cyber Law College of Naavi conceived and implemented the first of the Certification programs creating awareness of data protection law in India in association with the Foundation of Data Protection Professionals in India (FDPPI).

FDPPI has now become the pioneer in India for development of skills required for being an efficient Data Protection Officer in India. FDPPI’s “Certified Data Protection Officer” program has already been rolled out with the first batch of the first module of the program having been completed on 23rd February 2020.

FDPPI’s program for development of skilled DPOs in India, is conceived  with the vision of developing an alround DPO personality which includes “Knowledge with Attitude and Commitment”.

“Data Protection” is not simply understanding the clauses of the PDPA. Being aware of the law  is only the knowledge part.  The attitude part covers preparing the DPO to tackle challenges on three fronts namely being answerable to his boss within the organization which pays him the salary, the DPA which has a duty to protect the Privacy of Indian individuals and the Data Principals  who look at the DPO as the custodian of their Privacy Rights.

While most of the international certification programs end with the testing of knowledge of the law, FDPPI’s program as of now recognizes this as only different modules of the development of the awareness about the law.

The Module 1 (or Module-I) which was completed recently, covered the knowledge level of Indian law as at the present level along with a comparison with GDPR which is the other globally known law.

The future modules envisaged are

Module 2: (Module I+)

More on Indian law when the law is passed into an Act, a DPA is appointed and the DPA issues some basic regulatory guidelines.  This program will be only undertaken after the required developments take place. Hence we need to wait for some time to roll out this module.  (Eventually, Module I and I+ would be merged into one)

Module 3: (Module T)

This module will cover the technology related knowledge essential for an efficient DPO. This will cover the technologies required for compliance and will also discuss the challenges to data protection arising out of the new technologies particularly in the field of AI, Big Data, Encryption etc.

Module 4: (Module B)

This module will cover the behavioural aspects related to an efficient DPO. This will cover interpersonal relationship skills including Leadership, Decision Making, Motivation, Team Building, Counselling, Conflict resolution etc.

Module 5: (Module G):

This module will cover a study of at least 5 international data protection laws including an in-depth study of GDPR and Data Protection Laws applicable to USA along with some other relevant laws such as  Singapore, Australia as well as one optional country. This would be more an extension of the “awareness of law” from the Indian laws covered in Modules I and I+ to the global scenario

Module 6: (Module A)

This module will cover the skill requirements of a “Data Auditor” and follows the modules I, I+,T and B. This will encompass the system audit, information security audit and focus more on the harm audit, the DPIA and the annual data audit requirement under the law.

It is expected that in due course I and I+ will be merged into one and the other modules such as T, B, A and G will remain independent.

FDPPI has rolled out this plan of action and Naavi’s Cyber Law College will initially implement many of these modules as if it is an in-house implementation agency of these ideas. The objective is that when the Indian DPA is looking out for professional help for itself in designing the codes and practices and the conscientious industry players are getting ready in advance to be compliant before it is Compulsory, there will be a helping hand nearby with trained DPOs and Data Auditors.

At the same time, FDPPI wants to extend the partnership opportunities to other professional organizations who may have expertise in specific areas suitable for the different modules. They will work on a non exclusive basis to design and implement the training programs under these different modules. Some of the partners could work with regional focus and some could work pan India. Cyber Law College will assist this effort by gradually moving out of training responsibilities to the responsibility of coordinating the evaluation aspects involved in the Certification.

It is time therefore for interested organizations to come together and support FDPPI in its endeavor to build a Knowledgeable, Efficient and Ethical eco-system for the Data Protection industry in India. On behalf of FDPPI, I urge organizations and individuals interested in being the training partners for the FDPPI Certified Data Protection Officer program to get in touch with FDPPI at the earliest.

Naavi

This article of naavi is reproduced from India Legal magazine of February 22, 2020:

Quote:

On December 2018, the central government proposed to issue an amendment to the Intermediary Guidelines under Section 79 of the Information Technology Act, 2000 (ITA 2000). This was neither a new Act nor a new rule. It was only a proposed amendment to a rule placed for public comments.

However, it was challenged as unconstitutional by some activists and referred to the Supreme Court. The government is now expected to present a new version of the rule in the Supreme Court and the industry lobby is already mounting pressure on the centre to bend the rules to their advantage.

Section 79 and the rules therein are meant to bring accountability to intermediaries to prevent certain crimes such as defamation, spreading of hatred and disharmony, inciting violence and such through information posted on websites, blogs and messaging platforms. The role of intermediaries in fuelling such crimes and assisting law enforcement agencies in detecting and bringing to book the perpetrators is undisputed. However, these business entities are averse to accepting any responsibility for preventing their platforms from being used for fake news to disturb the community and as a tool for anti-social elements.

An internet intermediary, incidentally, provides services that enable people to use the internet. They include network operators; network infrastructure providers such as Cisco, Huawei and Ericsson, internet access providers, internet service providers, hosting providers and social networks such as Facebook, Twitter, Linkedin, etc.

The use of fake videos and Artificial Intelligence (AI)-based content for posting malicious material has made the problem more acute since the amendment was first proposed. Two of the most contentious aspects of the proposed amendments are that the intermediary is required to trace the originator of a message that flows through his platform and that he should deploy technology-based automated tools for proactively identifying, removing or disabling public access to unlawful information.

Objections have been raised on the ground that the intended measures are “technically infeasible”, infringe on “privacy” and put restrictions on “freedom of expression”. Given the propensity of courts to react favourably whenever activists quote Articles 21 and 19 of the Constitution, the industry lobby expects a climbdown from the government. After all, the government had buckled under their pressure when it diluted data sovereignty principles in the personal data protection act by dropping “data localization”.

The challenge before the Court is now two-fold. The first is to realise that excuses based on technical infeasibility are false and such measures are already being used by the industry for compliance with other international laws such as General Data Protection Regulation (GDPR). The second is that “national security” is as much the duty of the government and a fundamental right of citizens as the protection of privacy or freedom of expression of certain other individuals. The law should not allow disruption in the lives of innocent persons while protecting the rights to privacy and freedom of expression of some activists.

At present, most large intermediaries do scan the messages that pass through their services to identify the nature of content so that appropriate advertisements can be displayed when the receiver of the message reads them. Most leading companies, including Facebook, also use AI to read the messages and profile the users. Hosted content is also moderated and scanned for malicious codes as part of information security measures. Hence, the claim that it is impossible to make a reasonably effective check and flag objectionable content is not acceptable, particularly in the case of large intermediaries like Google and Facebook. As regards the proactive removal of content which is “unlawful”, this involves the judgment of intermediaries. However, if they are ready to proactively identify potentially objectionable content, the government can always suggest a mechanism for reviewing the tagged content and get it moderated.

Most data managing companies undertake a similar “discovery” exercise when it comes to complying with laws such as GDPR. There is no reason why they should not apply similar “data discovery” tools to identify offensive content and flag it for manual supervision. The technology is available and being used by the same companies who are resisting the request of the government. The Court should reject such claims. Their bluff needs to be called out.

We may also note that the Personal Data Protection Act, which is expected to be a law soon, has also brought in a provision whereby social media intermediaries have to provide an option to users to get them “verified” and the “verification” should be visibly presented with the account.

In other words, it will be mandatory for social media companies to identify the owner of a message and therefore make him accountable. In the case of WhatsApp, it must be mentioned that what is required is not “reading of the message” which is objected to from the “privacy” angle as the information may be encrypted, but only to identify the origin of a message. This can be technically achieved by tweaking the header information of the message and incorporating a checksum identity of the message. This can be identified at the server whenever it is forwarded.

In view of the above, the technical infeasibility objections for not being able to trace the origin of a message is unsustainable in the current age of technology using AI. These are false excuses.

However, while issuing the new guidelines, the government may have to recognise that some views on Section 79 have been expressed by the Supreme Court in Google India Private Limited vs Visakha Industries and the proposed amendment has to be compatible with the views expressed therein. This case involved a complaint of defamation and the non-removal of the content by Google when demanded. It also opened a discussion on the concept of “due diligence” as per the version of Section 79 in ITA 2000 and an amendment made in 2008 which became effective from October 27, 2009.

The final outcome of this judgment was focused more on the applicability of the law with reference to the date of the incident. But during the course of the judgment, some important principles of international jurisdiction and the scope of “due diligence” emerged. These would be relevant in analysing the proposed intermediary guidelines. It may be noted that the original version of Section 79 required “due diligence” to be exercised to “prevent the commission of offence”. The due diligence under the old Section 79 had not been expanded with any notification of rules and hence was an open-ended responsibility.

In the case of the amended Section 79, which is applicable now, the law requires that “the intermediary observes due diligence while discharging his duties under this Act and also observes such other guidelines as the Central Government may prescribe in this behalf”. It, therefore, extends beyond “prevention” when the data enters the control of the intermediary and monitoring throughout its lifecycle.

Additionally, the concept of “due diligence” has been detailed in the intermediary guidelines on April 11, 2011, which is now proposed to be replaced with an amended version. The Court recognised that the amended Section 79 provided protection from liability not only in res­pect of offences under ITA 2000 but other laws as well which was welcomed by the industry as an expansion of the safe harbour provisions.

At the same time, we need to observe that the scope of Section 79 has expanded significantly in terms of how the government may exercise its regulatory powers and also the level of control that the intermediary is expected to implement as part of the compliance requirements.

In view of the vindication of the current version of Section 79 in the Visakha judgment and the lack of sustainability of technical infeasibility objections raised by the intermediaries, they seem to have no option but to accept accountability that the amended guidelines prescribe. The challenge mounted in the Supreme Court may, therefore, end up only with a clarification on the procedures related to content removal.

However, the Court could suggest some standard measure to ensure that between the period when the victim notices the harm and brings it to the knowledge of the intermediary and until a Court comes to a decision, he would get some interim relief which is fair to both parties. Hence, if a notice for removal is received by an intermediary, pending an order from a Court, he should exercise caution to prevent continuation of the alleged damage. Ignoring the knowledge of alleged damage would neither be legally wise nor ethically justifiable.

In such cases, the content may continue but it should be flagged as “reported objectionable vide notice received from ….” with a hyperlink to the copy of the notice. The flag may be removed after a reasonable period such as 90 days if no court order is received.

This measure will ensure that the delay in obtaining court orders does not continue to harm the victim to the same extent as it otherwise would. If such a measure is not available, every complainant will seek relief in the form of an interim order to block the content.

If such a request is agreed to by the trial court, the content remains blocked until the case is settled which may last for years. It would be good if the suggested procedure of dispute management is included as part of the intermediary guidelines.

—The writer is a cyber law and techno-legal information security consultant based in Bengaluru

Unquote:

Naavi

February 23rd 2020 is set to be a historic day in the development of Data Protection eco system in India. It is the day when the very first batch of professionals are facing their challenge for getting certified by the Foundation of Data Protection Professionals in India (FDPPI).

The participants of this initial batch are those who undertook a 6 week long online training provided by Cyber Law College (www.cyberlawcollege.com).

The current batch is a small batch of foundation members of FDPPI and will form the backbone of such certification programs in the future. This batch has been trained and the certification program is being administered solely by Naavi.

After the successful conduct of this program, the Certification mechanism will be taken over by FDPPI and more such programs both for training and for Certification will follow.

This Certification would be titled “Certified Data Protection Officer in India-Level 1” and incorporates the awareness of the law as of date. It will be followed by higher levels in due course as additional skills are input at different levels including  Advanced awareness of the law as it emerges, the Technical Skills, the leadership skills and the awareness of international laws. In totality this Certification would be unique and is conceived at a level higher than the currently available systems in other countries.

While many of the Indian professionals do get certified through international agencies, FDPPI envisages creation of “Ethical Data Protection Professionals” who have their primary expertise in the Indian market.

This indigenous system of Certification is considered essential as the principle of “Data Sovereignty” is embedded in the Indian data protection laws and needs to be incorporated into the system of training and certification.

The motto of FDPPI is to create “Knowledgeable, Skilled and Ethical Data Protection Professionals” and the Certification program would be a significant step in this direction.

Naavi

Cognizant is a respected MNC with significant stake in Indian data processing industry. It is not a company of the type Facebook, WhatsApp or Google who are known to have woven their business around harnessing (Exploiting?) “Personal Data” and profiling of data principals/subjects.

But today’s ET carries an article with the headline “Cognizant sees data protection bill increasing costs, obligations”.

The article also uses the following photograph of Cognizant’s building for the article.

This is a clear indication that the reporter wants to attribute the opinion conveyed in the article to Cognizant and no other company.

The body of the article says

“IT services provider Cognizant has said the Personal Data Protection Bill, 2018 could impose stringent obligations on it for localisation of sensitive data, and along with regulatory changes in other countries may lead to additional compliance costs.”

“Complying with changing regulatory requirements requires us to incur substantial costs, exposes us to potential regulatory action or litigation, and may require changes to our business practices in certain jurisdictions, any of which could materially adversely affect our business operations and operating results”.

The second paragraph of the article mischievously makes another quote from a company called Teaneck, a New Jersey based form which is more directly critical of the Indian law  and says

“If enacted in its current form, it would impose stringent obligations on the handling of personal data, including certain localization requirements for sensitive data. Other countries have enacted or are considering enacting data localization laws that require certain data to stay within their borders,” .

Gartner’s quote in the same article says ““Some short-term disruptions are possible, but the answer to this would be significant investment in data governance. It will impact smaller providers more because they have to create special provisions, change processes and systems of transferring data,”.

The journalistic mischief is in presenting the facts as if Cognizant is critical of the introduction of PDPA in India. It is well known that there is a lobby in India which is critical of the Bill for various reasons. The article clubs Cognizant with such companies.

It is to be noted that in the 2018 version there was opposition to the Data Localization aspect. Unfortunately the Government yielded to the pressure of the industry and diluted the provisions in the 2019 version which is currently under discussion. This ET article suggests that Cognizant is still unaware that PDPA 2018 has now become PDPA 2019 and is set to become PDPA 2020. The reaction of Teaneck also indicates that they are not aware of PDPA 2019.

Assuming that the comments are attributed to the annual reports, it is fine for the management to acknowledge that there is a changing legal landscape and there will be additional costs associated with it. This is a normal expectation from any financial report to the share holders.

But the reputed publication like ET should remember that quoting a dated comment in the current context where public are watching the comments on the PDPB 2019 being submitted to the Parliamentary committee, is a misuse of journalistic freedom. Had the reporter added a sentence that a revised version of the bill is now under discussion with a diluted data localization measure, he would have been more truthful.

I request Cognizant India to issue a clarification that it is not the view of Cognizant that the introduction of PDPA for the protection of Privacy of Indian Data Principals as directed by the honourable Supreme Court is undesirable and imposing any unreasonable costs on its operations in India.

Naavi