The First Little Step to DPDPA 2023 Compliance

The successful completion of the Audit of the website will result in the issue of a Certificate and a Badge as indicated in the sample. It will be specific to the website audited and is restricted to compliance for the processing of information of web visitors only. It is not a corporate compliance certificate. It is only a “Process Oriented Compliance Certificate” and will cover compliance with the relevant aspects of DPDPA 2023 along with ITA 2000 as per the DGPSI framework.

Posted in Cyber Law

Why DPDPA 2023 is more practical than GDPR

It is reported that the French Supervisory Authority CNIL has imposed a penalty of 32 million Euro (around Rs 290 crores) on the ground that the company operates an excessively intrusive system of monitoring employee activity.

See the report here

The fine is not based on any “Data Breach”. It is about a corporate practice involving performance evaluation of its employees in the warehouse.

In a strange ruling, CNIL opined that it was illegal to set up a system measuring work interruptions with such accuracy, potentially requiring employees to justify every break or interruption.

The CNIL ruled that the system for measuring the speed at which items were scanned was excessive.

Based on the principle that items scanned very quickly increased the risk of error, an indicator measured whether an item had been scanned in less than 1.25 seconds after the previous one.

More generally, the CNIL considered it excessive to keep all the data collected by the system, as well as the resulting statistical indicators, for all employees and temporary workers, for a period of 31 days.

It is not clear if CNIL is a supervisory authority for data privacy or an employee union by itself.

If the employees had any complaints about the way the collected data was used to take action against them, that should have been taken up as an employee union or labour issue and not a privacy issue.

This is an excessive and inappropriate use of the powers of a supervisory authority under GDPR and needs to be challenged.

Fortunately, Indian law is very specific in providing employee performance evaluation as a “Legitimate use”, and hopefully such instances do not occur in India.

In the EU the supervisory authorities are using GDPR as a fund-raising tool and indiscriminately fining large organizations even when the underlying problem has no “Public Privacy Cause”.

The employer-employee relationship needs to be treated on a different plane than the company-public relationship. The employment rules should be respected by the employee, and if they are unfair it is for the labour authorities to intervene and not the supervisory authorities.

The employer-employee contract is between two parties with mutual respect and understanding, and improving productivity is one of the basic rights of an organization. The metrics objected to, such as whether the inter-scan period is too short or the idle time too long, are legitimate data that an employer should be able to collect.

Employment with a specific company is not a right, and if an employee is not happy with the employment conditions there is no compulsion for him to stay. For CNIL to say that this is an unfair measure to reduce the workforce and force them to leave voluntarily is ridiculous.

I hope CNIL reviews its decision and remains within its jurisdiction.

Naavi

Posted in Cyber Law

App-DTS based on DGPSI

In continuation of yesterday's article, where we indicated that FDPPI would introduce a Certification system for Websites on Privacy compliance as per DPDPA 2023, a similar concept extended to Mobile Apps is under development.

This Assurance would be titled “App DTS” and would result in a visual mark that can be appended to the App's home page.

The pilot assessments on both Websites and Apps will be available through Ujvala Consultants Pvt Ltd from 27th January 2024, which is the International Privacy Day.

The first 10 assessments based on requests would be complimentary.

The assessment would be restricted to the norms selected by Ujvala Consultants Pvt Ltd, which is a patron member of FDPPI. The assessment would be based on the publicly viewable website and the privacy policy. The Cookie policy, which is important for the certification, would be assessed with the help of a tool. The Gap assessment would be shared with the website, and on bridging of the gap the final certification would be released.

In view of the obvious conflict of interest, we will not apply this to the websites of FDPPI.IN and Naavi.org at present.

We shall however try to modify the Privacy policy documents on both these sites to suit the expectations of DPDPA 2023.

Naavi

Posted in Cyber Law

DGPSI to be used for Web-DTS assurance

FDPPI/Naavi has been working on DGPSI as a framework of compliance. The DTS system is also associated with it and provides a score reflecting the assessed maturity of compliance.

In view of the general lack of compliance of websites with ITA 2000 as well as DPDPA 2023, FDPPI has decided to introduce a Compliance marker for websites, namely “Web-DTS”, with immediate effect through some of its accredited data auditors.

FDPPI has developed a Web assessment under DGPSI for establishing a Compliance score exclusively for compliance with DPDPA 2023.

The framework which is part of the DGPSI is scheduled to be unveiled by FDPPI during the Privacy Day Celebrations on February 27/28 in Bangalore.

Currently this system may evaluate the compliance of a website on request from the publicly available information so that minimal compliance measures may be initiated. The Company may choose to publish the DTS score, preferably after plugging the gaps.

Naavi

Posted in Cyber Law

DGPSI is a tool of Fair Governance of Personal Data

DGPSI (Data Governance and Protection Standard of India) is a suggested standard and a framework of compliance for organizations who intend to implement “Compliance By Design”. In this respect it is more like ISO 27701 which tries to establish a framework for “Privacy by Design”.

“Privacy” is a right of an individual, and all Privacy Activists are committed to the protection of the right to privacy. The world, however, consists of Privacy Activists and also Data Driven Business and E-Governance authorities. Hence it is essential that “Privacy by Design” accommodates “Data Dependent Business” and “Data Oriented Governance”. The legislation, whether it is DPDPA 2023 or GDPR or CCPA/CPRA, has therefore to accommodate all the stakeholders.

Hence “Privacy” cannot be at the exclusion of the right of monetization by the business nor the right of “Surveillance” by the Government. Even the “Right to Security” of individuals is as much a fundamental right as the “Right to Privacy” and has to be recognized. The legislature therefore has to accommodate these diverse interests when it makes the law. While GDPR also has provisions which accommodate the rights of security and governance to some extent, Indian law, namely DPDPA 2023, is more conscious of this responsibility. Hence DPDPA 2023 has certain provisions which may make puritans a little uncomfortable.

FDPPI has recognized this need for harmony and had adopted this as one of its objectives in its memorandum by stating:

“To bring harmony in the pursuance of Civil Rights of individuals such as Privacy and Freedom of Expression along with the Right to Information and Right to Cyber Security.”

The approach of DGPSI is that of an instrument of “Compliance By Design”, of which “Privacy by Design” is a component along with Personal Data Governance and Personal Data Security. Hence it accommodates compliance not only with DPDPA 2023 but also with ITA 2000 and the BIS standard of Data Governance.

Just as a Fair Data Protection law has to be fair to business and Government, DGPSI is also a “Fair Compliance Framework” which tries to be fair to the CFO and CMO along with the DPO and CISO. Through its “Distributed Responsibility” criteria it even tries to be fair to the DPO by spreading the responsibility across the organization. Through an “Implementation Charter” signed by the top management it brings Board level commitment to support the DPO. By adding Data Valuation and Data Monetization as a policy, DGPSI tries to support the CFO/CEO/CMO and the adoption of innovative data analytics.

“To be fair to all stakeholders within and outside the Company” is therefore the underlying principle of DGPSI. It is practical and recognizes the need of an organization to survive and grow while remaining in compliance with the law of the land. The need to survive is met through compliance for mitigating the penalty risk under DPDPA 2023 and ITA 2000. The need to grow is nurtured by enabling policies for handling the dilemma of data monetization and innovative Data Governance. The DGPSI auditors who interpret the principles of DGPSI in a given context need to remember this “Compliance Dharma” to protect the interests of all stakeholders.

Naavi

P.S: At the dawn of the Shrirama Shaka of Kaliyuga, let us remember the lessons of the Ramayana and adapt them to the challenges faced by a DGPSI auditor. Just as Lord Rama had to balance his personal interests, his wife’s interest, the interest of protecting the honour of his father and the interest of protecting the desires and wishes of his citizens, yielding to one of them at different times but for logical and justifiable reasons, DGPSI may at times yield to one stakeholder’s interest against another. Maintaining the balance is the work of a DGPSI auditor and is as tough as what Lord Rama faced when he had to explain some of his actions.

Posted in Cyber Law

Beginning of the new Shrirama Shaka (ಶ್ರೀರಾಮ ಶಕ)

The inauguration of the Bala Rama Temple in Ayodhya has started a new era in India which should revitalize the old civilization of India. We are therefore entering a new era which we can call the Shrirama Shaka.

Naavi.org has been advocating “Cyber Law” and was born with the slogan “Let’s Build a Responsible Cyber Society”, where law would be fair and people would comply voluntarily.

In practice it is not always possible for the law to be drafted in a balanced manner and even if it is so, for the Judicial system to apply it fairly. But the endeavour has to continue. The concept of “Jurisprudence” has to guide both the law makers and law enforcers to be fair and balanced.

Naavi.org is neither a law maker nor the law enforcer but has been trying to fight either a bad law or a bad enforcement while at the same time trying to persuade the public to be compliant. In the past we have supported the litigation requirements of public through CEAC as well as direct participation in the S Umashankar case.

This effort of support to the fair establishment of law as a part of the “Rama Raajya” concept will continue even in the emerging Shrirama Shaka. However, due to the contextual circumstances, Naavi may restrict his activities to education only and not take up litigation support work.

To mark a new beginning, Naavi will re-dedicate himself to a new range of educational activities both in the Cyber Law as well as in the Data Protection Area.

Watch out for the announcements through this website.

Naavi

Posted in Cyber Law