2020 will be the year of Data Protection in India

The year 2000 was the year of the Cyber Law in India with the notification of the Information Technology Act 2000 (ITA 2000) in India.

Year 2009 saw ITA 2000 acquire an information security outlook with the amendments of 2008. That was when Section 43A, Section 72A, Section 67C, etc. regarding data protection came into the law.

Now Year 2020 which was a special year marked for development by the late Dr Abdul Kalam, promises to be the year of Data Protection with the Personal Data Protection Act (PDPA) expected to be passed some time in February.

As the year 2019 comes to a close, it is good to take a glance at what has gone by in Naavi.org and its associated activities.

When 2019 started, the draft of PDPA 2018 was already available for discussion and two notifications of the Government namely the Intermediary guidelines and Section 69 notification were under intense debate.

The year started with Naavi unraveling the “Data Trust Score Model” as a suggested methodology to make a quantification of the compliance status of a data fiduciary under the proposed PDPA 2018. The system was explained over a series of articles.

Naavi also placed some suggestions regarding the intermediary guidelines, including a system of “Intermediary Dispute Resolution Policy” to be voluntarily adopted by the industry like the UDRP/INDRP schemes for domain name dispute resolution.

January 10 was also a historic day for the observers of Cyber Crime jurisprudence in the country as TDSAT upheld the earlier adjudication verdict in the case of S. Umashankar Vs ICICI Bank.

In February, Naavi launched the Personal Data Protection Standard of India (PDPSI) in a bid to develop an open standard for compliance of PDPA.

In the month of March, an important one-day workshop was held in Chennai on Section 65B of Indian Evidence Act. The Foundation of Data Protection Professionals in India inaugurated its Chennai chapter and Naavi released the print version of his book “Section 65B of Indian Evidence Act clarified”.

In the month of April, Naavi expanded his thoughts on the PDPSI through a series of articles, all of which are consolidated under www.pdpsi.in. Naavi also announced his book on Personal Data Protection Act as part of his training program on PDPA.

In May 2019, a renewed fight ensued on Bitcoin which continued throughout the year and may continue into 2020 also as the bill on banning bitcoin may come to the fore in 2020.

June 2019 saw some attention focussed on Cyber Insurance, which continued with a couple of visits to NIA for lectures and interaction with the Insurance industry practitioners.

July 2019 saw the controversial Shafi Mohammed order of the Supreme Court on Section 65B referred to a higher bench and the continuation of the fight against Bitcoin. The Aadhaar Amendment Act was also passed during this period.

August 2019 saw Naavi.org highlighting the TransUnion-CIBIL takeover and flagging the possibility of irregularities. This was also the month when India integrated Kashmir with the abrogation of Article 370 of the constitution.

September 2019 saw the setting up of an expert committee on Data Governance and a discussion on Data Productivity vs Data Security, Data Governance law vs Data Protection law etc. This discussion will gain momentum perhaps some time in 2020 when the committee would submit its report. The month saw a new thought on Data being brought into discussion by Naavi in the form of “Atomic structure of data”.

October 2019 was the time when Naavi espoused a new thought “The New Theory of Data” in an attempt to bring more clarity to the concept of Data as seen by a technologist and a legal professional. Based on three hypotheses of “Additive value”, “reversible life cycle” and “Data is in the beholder’s eyes” Naavi is placing before the academic world a thought for discussion which should be useful in future to interpret the data protection regulations and guide it towards a form in which different stake holders can understand the issues with better clarity.

November 2019 saw the announcement of an online course on PDPA by Cyber Law College, which is an important development defining the future course of education in PDPA. FDPPI also participated in the certification process of such programs, both for offline and online programs, opening up a new era in the Data Protection domain in India.

Finally coming to December 2019, we saw a revised version of PDPA being presented in the Parliament and referred to a select committee. The version now available on www.pdpa2019.in was the basis of the course which Naavi has been conducting now.

Thus 2019 has been an eventful journey for Naavi and 2020 when PDPA may become a law could be even more eventful.

Let’s welcome 2020 with the hope that prosperity will dawn on the country.

Naavi


National Power Training Institute to promote the illegal crypto currencies in disguise?

A news report has been received that the National Power Training Institute, of the Ministry of power, Government of India is set to conduct a series of training programs ostensibly on “Block Chain”.

The Bitcoin community is going ga-ga about the development and headlined an article “Indian Government’s Institute offers Block chain training in multiple cities”.

Three programs have been scheduled according to the report on January 6-10 at Nangal, February 17-21 at Delhi and March 16-20 at Shivpuri.

The content of the program indicates sessions on Bitcoin and Mining with hands-on sessions.

It is obvious that the promotion of “Block Chain” is a disguise to promote Bitcoin and in as much as Bitcoin and other Crypto currencies are considered the currency of the criminals and the Government is in the process of passing the bill for banning Crypto currencies and make it a criminal offence to conduct any transactions with crypto currencies, it is surprising and disappointing that an arm of the government of India should be devoting time and money on conducting such programs.

Conducting such programs for students and professors etc has no relation to the working of the power ministry and it is obvious that the resources of the power ministry are being diverted to this project because of the lobbyists from the Bitcoin community.

I have drawn the attention of the Minister of State in the Power ministry, the secretaries of Home and the IT and hope that this series of programs are cancelled forthwith.

Block chain may have some use cases in the power ministry but it is important to recognize that if Crypto currencies are made legal, India would be diverting a vast amount of power to the Bitcoin mining.

According to one estimate, Bitcoin energy consumption presently is around 45.165 TWh and is expected to reach around 73.12 TWh in 2020, which is comparable to a country like Austria. The carbon footprint at 34.73 Mt of CO2 is comparable to the carbon footprint of the entire country of Denmark, and the e-waste generation at 9.62 kt is comparable to the e-waste generation of Luxembourg.

Naavi.org has brought to the notice of the public several articles on bitcoin, including the possible disastrous impact on the country.

I wish the Ministers and officials involved in the Ministry of Power, Home and IT wake up to the warnings and ensure that all training programs for promotion of Crypto currencies directly or indirectly indicated in the bitcoin.com article are stopped forthwith.

It would be better if the Home ministry and the IT ministry send out a suitable circular to other ministries to prevent such programs being conducted under the patronage of the Government.

Naavi


An Orwellian State?.. We need an equilibrium view of PDPA 2019

Here is a copy of an article published in India Legal.

The published article is available here

An Equilibrium view of PDPB 2019

Let’s not forget that even Privacy has its boundaries. The Right to Privacy is fundamental but not absolute. But often even wise men get carried away with their obsession as is indicated by the copious criticism being heaped on the Personal Data Protection Bill-2019 (PDPB-2019).

It is to be remembered that “Privacy” as a concept is a “State of Mind” and a “feeling of being Left alone”. Neither the Supreme Court nor any experts have so far been able to define it precisely and it remains an enigma of its own. Now trying to protect an enigmatic concept through regulation of the “information” surrounding the factors that influence the “mental state” is not easy. Further, ensuring that the regulations satisfy the entire population, each of whom has a different “State of Mind”, does pose an impossible challenge.

The conflict between “Privacy” of one person and the “Security” of the other is eternal. Any Government of the day needs to have its hands free for “Intelligence gathering” which includes surveillance without which the country is unsafe and we the citizens of the country are unsafe. “Security” is therefore as much a fundamental right as “Privacy” is and a legislation like PDPB-2019 cannot be looked at only with a myopic view as if “Privacy” is an absolute right.

Rejecting the right of the Government to maintain national security through regulated invasion of Privacy will be disturbing the mental peace of millions of other honest citizens for whom the person standing next to them in a crowd could be a terrorist. It is only because of the faith that there is a security screening that today we travel by air with a safe feeling that the probability of the plane being hijacked or blasted out in the sky is remote. This feeling of “Safety” is as important for most citizens as the “Feeling of Privacy” somebody else would like to have.

Instead of being only critical, it is therefore necessary to examine the draft bill recognizing the presence of the multiple stake holders such as the Individual, the Corporate, the Government, the Law enforcement etc., all of whom have different perceptions of how Data Protection legislation should be.

In the past, there have been several failed attempts to pass a similar law and each time the conflict between Privacy Rights and National Security requirements has caused the proposals to be aborted. Additionally, in recent days the industry has developed huge stakes in processing of data and harnessing value therefrom, and the Privacy legislation presents a huge hurdle to such business interests, who also exercise their own pressure on the legislation.

If the legislation ignores the needs of all stakeholders and takes into consideration only the views of “Privacy Activists”, the country may not become an “Orwellian State” but it is sure to become a “Chaotic State” where terrorism will race ahead and business development may significantly suffer.

Is Government becoming a Big brother?

According to the draft PDPB 2019, section 35, Central Government has retained some powers to exempt itself from all or any of the provisions of this Act.

35. Power of Central Government to exempt any agency of Government from application of Act

Where the Central Government is satisfied that it is necessary or expedient,—

(i) in the interest of sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order; or

(ii) for preventing incitement to the commission of any cognizable offence relating to sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order,

it may, by order, for reasons to be recorded in writing, direct that all or any of the provisions of this Act shall not apply to any agency of the Government in respect of processing of such personal data, as may be specified in the order subject to such procedure, safeguards and oversight mechanism to be followed by the agency, as may be prescribed.

It is this provision which is being criticized by all as dangerous and potentially turning India into an Orwellian State.

It may however be observed that the section is drafted clearly to indicate that it is only when the Government is satisfied that “It is necessary or expedient” in the “Interest of sovereignty and integrity of India, security of the state and friendly relations with foreign states, public order or preventing incitement to the commission of any cognizable offence” that this provision can be invoked. Even in such a case there has to be a direction in writing to a specific agency and this would always be available for judicial review.

It must be noticed that the reasons under which the provision can be invoked omit “decency or morality or in relation to contempt of court, defamation”, which are other reasons provided under article 19(2) of our constitution as reasons for which the fundamental rights can be overridden.

The Government has therefore been restrained in adding this contingent provision and it must be treated as an “Enabling Provision” which has to be present in the law if the Government has to perform its duty to protect the citizens of India.

All the Privacy and Data Protection Professionals who always hail everything “Foreign” as better may note that even the EU GDPR under Article 23 provides similar exemptions.

What the PDPB 2019 contains is therefore reasonable and in tune with the Government’s own obligations to the society. We should stop nitpicking and speculating on whether the safeguards on paper are adequate or not. The details of how this power may be exercised would be in the rules to be notified later and we need to wait for it.

Constitution of the DPA

Another area of criticism has been the Data Protection Authority (DPA) and whether it would consist of people who are independent and represent the stake holders.

According to section 42 of the proposed act,

“The Chairperson and the Members of the Authority shall be persons of ability, integrity and standing, and shall have qualification and specialised knowledge and experience of, and not less than ten years in the field of data protection, information technology, data management, data science, data security, cyber and internet laws, public administration, national security or related subjects”

The earlier draft had suggested the Chief Justice of India in the selection panel, which has been omitted, and this has given rise to the concern that the choice of the Chairman and the Members could be motivated by the Government’s concerns or by the industry lobby.

The earlier draft had also suggested maintenance of a “list of 5 experts”. It was not clear if this was supposed to be an “Advisory Group” to guide the DPA and has been omitted.

Industry people know that there is no Government Secretary who has 10 years experience in the field of data protection etc and is of less than 65 years of age to qualify to be appointed for the DPA. Even in the private sector there are not many with such experience and who would take up the assignment. So there is a difficulty in the constitution of the DPA with right persons and this needs to be recognized.

It is hoped that the Government will not look to bring foreigners and NRIs who may have the necessary experience but having no commitment to Data Sovereignty of India. We can keep our fingers crossed that the right people will be found at the right time for this onerous but responsible position.

Positive elements of the Bill to be hailed

Beyond the criticisms that have surfaced, there are a couple of positive features that the new version has brought in which need to be recognized and hailed.

One such provision is section 40 suggesting the creation of a “Sandbox” so that start ups can benefit by a limited time exemption from the obligations under the Act while they test innovative technologies.

Another provision is section 37 which recognizes the need to exempt the BPOs in India who only process personal data of foreign citizens on the basis of a contract with a foreign Data Controller and provides for a suitable notification as may be required. This was necessary for all those companies who were maintaining “Off Shore Data Processing Facilities” which needed to comply with the data protection laws of the respective countries and would have considered the overlapping of the PDPA jurisdiction difficult to manage.

Further, retaining the innovative definition of the role of the “person who determines the means and purpose of personal data” as the “Data Fiduciary” and the subject as “Data Principal” the credit for which should go to Justice Sri Krishna calls for appreciation. Additionally thinking of a role for “Consent Manager” could be another innovation which the industry will welcome.

Taking an equilibrium view therefore we must conclude that the new Bill has tried to improve upon the earlier version and the fears and concerns are perhaps inevitable but not completely valid.

Naavi


DAV Vs Indian Bank: Supreme Court considers Negligence of Bank and orders compensation

There have been so far many awards from Adjudicators in different states in which Bankers have been held liable for frauds such as “Phishing”. Starting with the S. Umashankar Vs ICICI Bank award in 2010, adjudicators in Mumbai, Gujarat, Telangana have on different cases ordered that the victim should be compensated by the Bank in cases where the negligence of the Bank has contributed to the loss.

Though the kind of negligence could be different in different cases, and in some of the cases, contributory negligence can also be attributed by circumstances on the victim, the Adjudicators have held that the Bank continues to be primarily liable. In all these cases, Banks try to deflect the blame on the customer and point out the beneficiary of the fraud proceeds as the only culprits forgetting that without the assistance of the bank neither the amount could be fraudulently withdrawn from the paying bank nor collected and withdrawn from the collecting Bank. 

The Adjudicators who are IT Secretaries have some understanding of the technology involved and have repeatedly come to the conclusion that Customers are not to be victimized for the failure of the banking technology to ensure “Secure Banking”.

Though in some cases the victims, being unaware of the process of recovery, approach the Ombudsman or the Consumer forums, and sometimes have received relief and sometimes not, it is necessary to observe that the most appropriate forum for such disputes is the Adjudication where the cause of action is built up on a matter of contravention of ITA2000. Where the cause of action is not adhering to a RBI guideline, then the Ombudsman may exercise his jurisdiction and where the cause of action is a “Deficiency of Service”, the jurisdiction can be exercised by the Consumer forum. However, since a “Criminal activity” is behind the loss, and complicated electronic evidences have to be evaluated, it is preferable that the Adjudication is the best forum to take up such issues.

The second level of evaluation of such cases happens at the TDSAT (Telecom Disputes Settlement and Appellate Tribunal), which is a two-member bench where one is a retired Supreme Court judge and the other is a technical member. Hence even in this forum there is a possibility that technical aspects of the case can be evaluated with the assistance of persons having the technical knowledge.

As a result, even where the counsels fail to bring up appropriate points for contention, the two fora namely the Adjudication and TDSAT can be considered having sufficient resources to come to a reasoned judgement in the techno legal cases that the Bank fraud incidents represent.

After the judgement in TDSAT in two cases one of the ICICI Bank and the other of the IDBI Bank, some jurisprudential precedence has been established in such cases.

However, it is notable that now the Supreme Court got an opportunity to consider one case of phishing where DAV School in Kolkata had been defrauded to the extent of Rs 30 lakhs. Apparently the fraud was caused by SIM cloning and Phishing. But it cannot be ruled out that a bigger conspiracy which could have involved the Bank was behind this loss.

This case went to the State Consumer Grievance redressal forum which expressed the doubt that the Principal was negligent and therefore suspected of complicity and ruled that the Bank cannot be therefore held liable. This was also upheld by the NCDRC (National Consumer Disputes Redressal Commission) and the matter landed up in Supreme Court as a second appeal.

The judgement dated 18th December 2019 from a Supreme Court bench consisting of the honourable judges Dr D Y Chandrachud and Hrishikesh Roy has now held that the Senior Manager, Indian Bank Midnapur Branch, Kolkata is liable to compensate Rs 25 lakhs transferred until 2.9.2014, whereas the loss of another Rs 5 lakhs transferred subsequently, before a complaint was formally filed on 9.9.2014, was to be borne by the school since it was considered to be on account of their delayed filing of complaint.

This case involved many reasons of which the following are visible from the judgement

a) Negligence on the part of the Bank of having granted Internet Banking facility without request

b) Negligence on the part of the Bank in linking the School’s account to the personal ID of the Principal

c) Compromise of the log in credentials of the individual who was the principal of the School

d) Negligence on the part of the Bank in using the Password authentication system which is not a “Signature” under the ITA 2000 and contravention of RBI circular of June 2001 on Internet Banking.

e) Negligence on the part of the Bank in identifying the unusual nature of the transactions through adaptive authentication security

f) Negligence of one or more collecting Bankers in opening and facilitating the laundering of the proceeds of the fraud through a deficient KYC process.

g) Negligence of the Mobile Service Provider (BSNL) in issuing the duplicate SIM without noting the subtle difference in the name of the applicant reporting loss

Out of these, many of the reasons were not perhaps part of the arguments in the Supreme Court.

However the honourable Supreme Court considered that both the Consumer forums had held that there was a negligence of the Bank but failed to rule compensation for the doubt that there was a complicity of the Principal as a “Master Mind”. However the Police in their investigation had ruled out the complicity of the Principal and hence what remained was only the negligence of the Bank as the cause of the loss.

Hence the Supreme Court took the stand that the Bank was responsible for the loss of Rs 25 lakhs.

While we appreciate this part of the judgement, the judgement may still be faulted for not allowing the balance Rs 5 lakhs which was rejected for the reason of delay. The reasons for which the loss of Rs 25 lakhs was caused namely the wrongful linking of the school account to the personal ID of the principal was also the reason for this loss and hence it was not logical that the claim on this part of the loss should have been rejected.

It must be remembered that when such a huge loss occurs, the customer would be in such a stunned state of mind that filing a formal complaint after understanding where to file a complaint, whether merely informing the Bank is sufficient since it could also be an erroneous debit etc. could take a few days. In the subject case there is no evidence that verbal complaint was not made to the Bank. Hence the Court was perhaps not correct in rejecting this part of the compensation.

However, the client should be relieved that at least Rs 25 lakhs out of Rs 30 lakhs is coming back and more importantly, the personal stigma that the earlier consumer forums attached to the Principal was removed.

At present when such instances arise, the limited liability circular of the RBI may also come in handy. According to this circular, if the customer reports an unauthorized debit within 3 days his liability would be zero, between 4-7 days his liability could be nominal, and thereafter as per a reasonable policy of the Bank.

Even in such cases, Banks sometimes make a false and unsubstantiated claim as to the negligence of the customer in revealing his OTP etc. However the burden of proof for proving any “Complicity” would be on the Bank.

Hence in future cases it may not be necessary for the victim to go through the difficulty of the judicial process which is simply beyond the reach of common man. In this instance the victim was a large institution and hence it was possible to fight the case up to the Supreme Court.

In most other cases, the Indian judicial system is so harassing for the victim and so expensive that individuals without deep pockets do not have a guarantee of Justice as we expect under the Constitution, as even the CJI has recently admitted.

Naavi


Unjustified criticism of PDPA 2019

Looking at some of the criticisms that have come on PDPA2019, one cannot but feel that the experts in India appear to be easily swayed towards taking a negative view point on whatever the Government does. While the politicians have made it a habit to mislead the public and create a ruckus whether it is the Article 370, or Citizen Act Amendment, it is sad that this tendency is also seen in the criticism of a law like PDPA which should be seen more as a professional challenge.

We must recognize that drafting a Data Protection Law is a big challenge since this law tries to protect “Privacy” through “Protecting Personal Information”. “Privacy” itself is an enigma defying precise definition since it is a “State of Mind” of an individual and a “Feeling to be left alone”. This state of mind is uncertain and dynamic and changes in time for a given individual and for different individuals. The law is expected to protect this enigmatic concept in aggregation across the population. Hence satisfying every individual is not feasible.

Some individuals are highly concerned and secretive about themselves and some others are paranoid about security and suspect every person they see as a potential terrorist. Hence “Privacy Protection” of one is in conflict with the “Security Expectation” of another. Hence the Government has to balance the two differing views in the legislation.

Similarly the business is a stake holder in the legislation since “Data” is a valuable “Asset” from which several businesses can be generated.

Hence the legislation cannot pursue a myopic view of a “Privacy Activist” alone and has to reflect the views of a person who considers “Right to Security” as a fundamental right as much as the “Right to Privacy” and expects the Government to fulfill its duty in this regard.

The criticism of Justice Srikrishna included on Section 35 has to be seen in this context. In my opinion the section confines itself to within what Article 19(2) of the constitution provides as possible exception to a fundamental right and even here restricts the provision only to Security of State, Friendly relations with foreign states and Public order, leaving other issues like defamation, contempt of court etc. The provision should therefore be seen as a necessary and enabling provision as well as an international obligation. Branding it as “Creating an Orwellian State” is an exaggeration that should be avoided.

Similarly, going by the report of Hindu, there is also a severe criticism that the DPA may be constituted with Government Secretaries. This also seems to be a speculation only since the change made from the previous draft is only in the constitution of the committee that selects the DPA members and not the DPA itself. Now a committee of Secretaries will select the appropriate persons who need to have at least 10 years of experience in Data Protection. Such experienced persons are not in Government and hence Government secretaries cannot be appointed for this post. Also there is an age limit of 65 which puts most retired bureaucrats away. There are only a few persons in the industry who meet these criteria since the concept of Privacy itself is new in India.

We sincerely hope that the Government will not look at any imported professionals from abroad because experience relevant for the purpose could be available abroad more easily in EU and US than in India. But the “Data Sovereignty” concern should prevent this.

It is possible that the selection committee may not clearly distinguish the experience in “Privacy Protection through Information Privacy Protection” and “Information Security” and end up picking experienced CISOs as members of DPA. This if it happens reflects the ignorance of the selection panel rather than any lacuna in the law as drafted now.

Some might have been displeased that the CJI is not part of the selection panel and hence the criticism that DPA may be constituted with Government secretaries. We must realize that any committee in which CJI is a part has a time line for decision making which is not good enough to identify and appoint the members committee in the near future. The present constitution of the committee will ensure that DPA will see the light of the day within the next few months instead of being postponed indefinitely.

We have not forgotten that the Cyber Appellate Tribunal was kept defunct for 7 years at the expense of cyber crime victims because the CJI and the Ministry could not identify a proper candidate for the Chairmanship between 2011 and 2018 until the tribunal was merged with TDSAT. The present move of the Government is therefore justified to avoid delays.

Beyond such criticisms, nobody seems to appreciate the positive features in the bill, and if critics put across both the positive and negative features of the Bill then their words would carry better weight.

In this context we must recognize the following features that need special mention

  1. Bill defines the role of the Data Principal and Data Fiduciary as an elevated trustee relationship instead of the mere “Master-Servant” relationship of a Data Subject and Data Controller. Though Section 4 of the Act has been modified by the new Bill, the retention of the words “Data Fiduciary” and “Data Principal” is significant. (Credit for this goes to Justice Srikrishna)
  2. Bill identifies a role for a “Consent manager” who will be a Fiduciary with a limited objective.
  3. Bill recognizes the needs of Start ups to be free from stringent regulations during their test phase and recommends a “Sandbox” for their operations.
  4. Bill recognizes the needs of Indian BPOs who process only personal data of foreign citizens and provides a specific exemption.
  5. Bill recognizes the role of Social Intermediaries and brings them under the category of Significant data fiduciaries.
  6. Bill recognizes the role of Guardian Fiduciaries in the form of websites serving content for children which can be misused.
  7. Bill recognizes the concept of “Measurable Compliance Standard” by a concept of a “Data Trust Score” and mandates its disclosure.
  8. Bill has reduced the criminal offences to just “Re-identification” and therefore removed the dangers inherent in the earlier draft.
  9. The concept of annual data audit by an external auditor is also a novel concept.
  10. Concept of a responsibility for grievance redressal is also welcome.

Though there are a few typographical errors and minor corrections which can be made, overall it is not fair to demonize the new version of the Bill.

In fact I was pleasantly surprised to hear a discussion about this Bill in the US which highlighted several of the above novel features. A link to this discussion is provided below.

Listen to this discussion

It is unfortunate that we in India do not have a positive attitude to recognize the positive features of the Bill.

The Indian Bill has decided to place a lot of responsibilities with the DPA and most of the concerns we are seeing now are premature speculations that the DPA will not do its job. I think we need to look optimistically at the constitution of the DPA before the next round of criticisms, if any.

One thing we can suggest is that the Government should put up the list of prospective candidates to be selected to the DPA in the public domain and enable a background verification with public participation so that only the most elite of the Data Protection experts get into this key board.

Naavi


Towards Becoming a Well rounded DPO

Yesterday, Mr. Ravi Shankar Prasad, the Honourable Minister of MeitY, presented the “Personal Data Protection Act 2019” (PDPA2019), which is the revised version of PDPA 2018 suggested by the Justice Srikrishna Committee which was presently under discussion. The new version incorporates some changes based on the public comments as well as the discussions with stakeholders undertaken by the Government.

The copy of the new version can be accessed here: http://www.pdpa2019.in

The bill has now been sent to a select committee for review and re-presentation during the budget session in February 2020. By all indications, it is likely to be passed before the end of the budget session.

At the next stage the Data Protection Authority has to be constituted and necessary rules need to be notified.

When the Act is fully operational, all Data Fiduciaries namely those who collect, process personal data will come under the provisions of the Act. Amongst them those who deal with “Sensitive Personal Information” will need to designate a “Data Protection Officer” (DPO).

The DPO will be an executive at the higher levels of management on par or even above the CISO and needs to have the skills to advise the company on technical aspects of data security, legal aspects of Privacy protection and HR skills of negotiation to deal with the DPA, the Adjudicator, the Cyber Appellate Tribunal (Coordination with a lawyer), mediation with the data principal etc. He needs to also have audit skills and skills to manage internal relationships in the organizations where he is likely to have clashes with the Business heads and CTOs and CISOs.

Further, most Indian companies will be exposed to Data Protection regulations of not only India but also other countries.

Recognizing all these requirements, Cyber Law College, which recently started a course on PDPA in association with FDPPI, has decided to take up a long term plan of developing well rounded DPOs through a multi level Course structure.

The present program will be considered as Level I of becoming a “Certified DPO”. Next year after the Act is passed, DPA Constituted, Codes and Practices for data processing established, there will be a next level of training which will be called Level-2.

Subsequently a “SoftSkills Development” training will be conducted to cover the requirements of the DPO and it will be considered as Level 3.

Presently the technical skills are kept out of these trainings since there are other avenues for this purpose. However, certain technical aspects that are relevant for Data Protection may be covered under Level 3 or separately as Level 4.

During these programs the discussions will also cover major international data protection laws such as GDPR, CCPA, Federal Data Protection Laws of USA (When established) etc.

Education is endless and the need to acquire additional knowledge and skills is evergreen. Hence Cyber Law College will continue to add value to each level of these trainings as may be relevant at the appropriate time.

This entire program developed by Cyber Law College is being recommended to be introduced through the FDPPI, the Foundation of Data Protection Professionals in India which is a Not for Profit Section 8 company.

I look forward to the support of all well-wishers in making this program a success. One way to take this forward with your participation is to join the movement of FDPPI as a member and make it the movement of all Data Protection Professionals in India.

 

Naavi

 

 
