International Information Security Conference at Bangalore

On June 28, 2024, BSides Bangalore is conducting its “Security BSides Bangalore 2024”, a premier cyber security conference in India, at Marriott, Whitefield, Bangalore.

Posted in Cyber Law

Use of AI-led Compliance Software for DPDPA

As a natural development of technology, there is a scramble by product manufacturers to create products and services offered as “Compliance Products”. Most of these vendors are focusing on developing a “Consent Management Solution”.

The essential feature of such software would be to record the consent for a given set of personal data, give it an identity tag and attach it to the personal data set so that it can be referred to whenever required. The consent has to meet the expectations of “Purpose Orientation”, “Data Minimisation” and “Data Retention Minimisation”.

One dilemma companies face is whether they can take one perennial consent for collecting personal data for multiple purposes, which is logically the most suited for business.

However, the law does not support such an omnibus, omnipotent, omnipresent, ever-alive consent.

Hence the consent collection, use and retention mechanism has to be a carefully considered plan that meets the legal requirements without seriously hindering business operations.
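The consent record described above (an identity tag attached to a personal data set, checked for purpose, minimisation and retention) can be sketched as a small registry. The code below is an added illustration, not code from any vendor product or from FDPPI; the identifiers, the data principal “p-001”, the purposes and the 30-day retention period are constructed for the example. It also shows why one perennial multi-purpose consent does not work: a record stored under a consent for one purpose is refused for any other purpose, and a second purpose needs its own consent.

```python
"""Constructed consent-registry sketch (added example, not from the original page).

Each consent gets an identity tag (consent_id); personal data can only be stored
under such a tag, and every access is checked against purpose, retention period
and withdrawal. All names and values below are hypothetical."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import uuid


@dataclass
class Consent:
    consent_id: str          # identity tag attached to the data set
    principal_id: str        # hypothetical data principal identifier
    purpose: str             # one purpose per consent; another purpose needs another consent
    data_fields: frozenset   # fields the principal agreed to share
    granted_at: datetime
    retain_until: datetime   # retention minimisation: data must go after this
    withdrawn: bool = False


class ConsentRegistry:
    def __init__(self):
        self._consents = {}   # consent_id -> Consent
        self._records = {}    # record_id -> (consent_id, data dict)

    def record_consent(self, principal_id, purpose, data_fields, retention_days, now):
        cid = str(uuid.uuid4())
        self._consents[cid] = Consent(
            cid, principal_id, purpose, frozenset(data_fields),
            now, now + timedelta(days=retention_days))
        return cid

    def store(self, consent_id, data):
        """Data minimisation: refuse any field the consent does not cover."""
        consent = self._consents[consent_id]
        extra = set(data) - consent.data_fields
        if extra:
            raise ValueError(f"fields not covered by consent: {sorted(extra)}")
        rid = str(uuid.uuid4())
        self._records[rid] = (consent_id, dict(data))
        return rid

    def access(self, record_id, purpose, now):
        """Purpose orientation and retention: fail closed unless every check passes."""
        consent_id, data = self._records[record_id]
        consent = self._consents[consent_id]
        if consent.withdrawn:
            raise PermissionError("consent withdrawn")
        if now > consent.retain_until:
            raise PermissionError("retention period expired")
        if purpose != consent.purpose:
            raise PermissionError(f"consent covers {consent.purpose!r}, not {purpose!r}")
        return dict(data)

    def withdraw(self, consent_id):
        self._consents[consent_id].withdrawn = True

    def purge_expired(self, now):
        """Retention minimisation: delete records whose consent lapsed or was withdrawn."""
        expired = [rid for rid, (cid, _) in self._records.items()
                   if now > self._consents[cid].retain_until or self._consents[cid].withdrawn]
        for rid in expired:
            del self._records[rid]
        return len(expired)


def demo():
    """Run the scenario against a fixed clock and report each outcome."""
    reg = ConsentRegistry()
    t0 = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed timestamp
    cid = reg.record_consent("p-001", "order_fulfilment", {"name", "address"}, 30, t0)
    rid = reg.store(cid, {"name": "Asha", "address": "Whitefield"})
    out = {"allowed": reg.access(rid, "order_fulfilment", t0 + timedelta(days=1))}
    attempts = {
        "extra_field": lambda: reg.store(cid, {"name": "Asha", "phone": "0000"}),
        "other_purpose": lambda: reg.access(rid, "marketing", t0 + timedelta(days=1)),
        "after_retention": lambda: reg.access(rid, "order_fulfilment", t0 + timedelta(days=31)),
    }
    for label, attempt in attempts.items():
        try:
            attempt()
            out[label] = "allowed"
        except (ValueError, PermissionError) as exc:
            out[label] = f"denied: {exc}"
    out["purged"] = reg.purge_expired(t0 + timedelta(days=31))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The registry fails closed: a lookup without a matching consent tag, a field outside the consented set, a purpose other than the one recorded, or a lapsed retention period each ends in a refusal rather than a silent return, which is the behaviour a human supervisor would want to audit.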

Probably the appropriate use of AI should help. However, when an AI is developed on faulty training data, the AI output will also be faulty. One option the ML program has is to parse all similar websites and their privacy policies and gather intelligence which can be incorporated in its own policy. Obviously the user will provide his own inputs on the purpose, data requirements, retention objectives etc. so that the AI algorithm will develop a suitable privacy policy that can be used.

In such automation, it is important to recognize that “Legal Compliance” is difficult to automate successfully and strict human supervision is essential.

As more and more such products surface, FDPPI will apply its “Product-DTS” tool to evaluate the compatibility of the product with the Indian DPDPA system and provide a “DTS Score”.

Data Fiduciaries need to be careful when selecting solutions, since any purchase of such a product is likely to be a long-term purchase and difficult to change subsequently.

When FDPPI auditors evaluate a Data Fiduciary, they look at such service providers as “Joint Data Fiduciaries”. But the product vendors themselves have an option to get their products evaluated as a pre-sales qualification criterion. Such evaluation takes into account the principles of the EU AI Act, ISO 13485 etc. Obviously this is a complex process, perhaps more complex than a routine DPDPA audit for a Data Fiduciary.

FDPPI therefore operates such assignments through a “Consortium” of its experts so that the technology intricacies are considered along with the Legal, Governance and Business issues. Exciting days are ahead in incorporating the EU AI Act with DPDPA compliance, and we look forward to the same.

Naavi

Posted in Cyber Law

Implementation Challenges of DPDPA

FDPPI has been conducting many programs around the country discussing the implementation challenges of DPDPA. We are happy to note that, after initial hesitation, many other consultancy organizations have shed their complacency over the rules not yet being notified and started conducting their own programs. This is a welcome development for the industry.

Most of these consultants have also accepted Naavi’s argument that DPDPA, as a published law, has become a due diligence requirement under ITA 2000 and hence needs to be applied now by companies as part of their plan to be ready for the next level of compliance, where “Penalties” are a “Financial Risk” to be mitigated.

This is how “Jurisprudence” becomes the “Best Practice” while the law continues towards its final version, which is what is relevant for determination of penalties.

As we move towards our next program in Delhi on December 11th with the CIOKLUB, and also on December 12th under the FDPPI banner, we will continue to discuss the other implementation challenges.

The next challenge we need to address is that many solution providers have come up offering solutions for compliance. We understand that some of them are also in discussion with MeitY and are trying to advise the ministry on rule making.

It is a distinct possibility that some of the built-in capabilities of these solutions may find expression in the rules to be announced by MeitY in the next few months.

As competition in the product market increases, there is likely to be a bombardment of different views on the user companies. The users need to understand what the compliance requirements are and how each solution meets them.

I suppose that during the Delhi event we will discuss how the “Consent Management” solutions or “Data Classification Solutions” presently in the market address these issues. We may also discuss how to evaluate interesting offers from solutions that claim “AI based Automated Compliance” as their USP.

If you are in Delhi and are interested in understanding the compliance issues with which you can evaluate different solutions, you should not miss the FDPPI event.

Naavi

Posted in Cyber Law

Consent Managers can be sector specific specialists

The concept of “Consent Manager” in DPDPA 2023 is not understood by many. It is obviously a registered Data Fiduciary with the necessary infrastructure to get itself appointed by data principals. The registration will require some conditions that MeitY may prescribe.

Such conditions may include capital and net worth considerations, expertise, information security etc. The ownership of the consent manager as a company, whether it can be owned by foreign interests, whether there will be a “Fit and Proper” criteria, whether there will be a minimum period before withdrawal from business, the distance to be kept from Data Fiduciaries etc. need to be specified or factored in.

One of the recommendations we have is to encourage Consent Managers as sector specific experts so that they will be able to provide better assurance to the data principals.

DGPSI will be working on such sector specific compliance guidelines as part of its development of detailed guidelines.

In the process FDPPI may also develop a Consent Manager-DTS or CM-DTS as an indicator of the maturity of compliance of a Data Fiduciary engaged in the service of a Consent Manager.

It is possible that MeitY may come up with its own version of the rules without taking into account all the requirements that we may suggest. But we hope that the guidance developed by the DGPSI team, being the experts in Data Protection, will eventually be a “Best Practice”.

To enable this, it is better if MeitY does not come up with rigid rules and leaves flexibility for compliance.

Naavi

Posted in Cyber Law

How India is being treated as a “Third Country” by some websites

There is a need to flag the condemnable attitude of service providers, including “WhatsApp”, who have the temerity to approach the Indian Courts against Government regulations, treating India as a country whose regulations can be ignored.

I call the attention of Mr Modi, Mr Amit Shah and Mr Rajeev Chandrashekar, with good wishes for their re-election, to some of the websites whose terms of service state that the jurisdiction for dispute resolution for their consumers is in their own country and not in India. While the services are rendered in India, the consumers are barred by contract from approaching Indian Courts.

Some websites have started providing supplementary terms recognizing the rights of EU citizens and Californian citizens, besides the country of origin of the service. But no other country is mentioned.

While we can accept that any company has the freedom to set its own rules and is not bound to recognize Indian sovereignty, it is our responsibility to ensure that our citizens are protected.

This can be done only through an omnibus protection provided to Indian users of foreign services through the DPDPA 2023.

Currently such users are considered “Data Fiduciaries” and are liable under Indian law. Hence any contractual term that sets the dispute resolution outside the legal mandate of ITA 2000 and DPDPA 2023 is ultra vires and cannot be considered valid.

However, it is better if MeitY, through its rules on DPDPA 2023, makes it clear that

“Clauses in the contracts with any Data Fiduciary, Indian or foreign, which are not in conformity with the Indian laws shall be considered as void and the dispute resolution provisions provided under ITA2000/DPDPA2023 shall prevail.”

Ignoring this and bringing pressure on Indian users to agree to online click-wrap contracts should be considered an attempt to deliberately overrule the law of the land and should be made punishable.

The DGPSI-supported Dispute Resolution Policy shall support the introduction of such a clause.

On one of the websites I observed the following clause:

Applicable Law and Jurisdiction. These Terms of Use shall be construed in accordance with the laws of Singapore without regard to its conflict of laws rules. Any dispute arising out of or in connection with these Terms, including any question regarding existence, validity or termination of these Terms, shall be referred to and finally resolved by arbitration administered by the Singapore International Arbitration Centre in accordance with the Arbitration Rules of the Singapore International Arbitration Centre for the time being in force, which rules are deemed to be incorporated by reference in this clause. The seat of the arbitration shall be Singapore. The Tribunal shall consist of three (3) arbitrators. The language of the arbitration shall be English.

…It continues…

The following terms apply if you reside in the European Union:

Dispute Resolution. Notwithstanding the “Applicable Law and Jurisdiction” section of these Terms, if you are a “consumer” as defined under the EU Direction 83/2011/EU, any dispute, controversy or claim (whether in contract, tort or otherwise) between us and you, arising out of, relating to, or in connection with these Terms will be referred to and finally resolved by the court of your place or residence or domicile. You can also file a complaint at the online platform for alternative dispute resolution (ODR-platform). You can find the ODR-platform through the following link: https://ec.europa.eu/consumers/odr.

THE UNITED STATES

If you are a user of our Services in the United States of America, the below Additional Terms: (a) are incorporated into these Terms; (b) apply to your use of our Services; and (c) override the head terms of these Terms to the extent of any inconsistency.

If you are a user of the Services in the United States of America, the following terms expressly replace the above “Applicable Law and Jurisdiction” section of these Terms.

California Resident. If you are a California resident, in accordance with Cal. Civ. Code § 1789.3, you may report complaints to the Complaint Assistance Unit of the Division of Consumer Services of the California Department of Consumer Affairs by contacting them in writing at 1625 North Market Blvd., Suite N 112 Sacramento, CA 95834, or by telephone at (800) 952-5210.

If you are a California resident, then (except to the extent prohibited by applicable laws) you agree to waive California Civil Code Section 1542, and any similar provision in any other jurisdiction (if you are a resident of such other jurisdiction), which states: “A general release does not extend to claims which the creditor does not know or suspect to exist in his favour at the time of executing the release, which, if known by him must have materially affected his settlement with the debtor”.

If such companies can selectively accept the laws of the EU and California, why should we not insist that they also take into account the laws of India? We need to protect Indian data principals against such clauses on websites.

Suggestions are invited.

Naavi

Posted in Cyber Law

Web Scraping Guidelines from GDPR Authorities

The web scraping industry is one of the industries, like the digital marketing industry, that would be seriously affected by the Data Protection Authorities.

According to a report on web scraping from Stellar, the market for web scraping software and services may grow at a CAGR of 133% from around USD 800 million at present.

However, the emergence of Data Protection laws across the globe is likely to be a serious threat to the development of the industry.

DPDPA 2023 provides that if personal information is “Publicly made available by a data principal”, the Act may not apply to such data. A question therefore arises on whether personal data available on the web, either on websites or on sites like LinkedIn, Twitter or Facebook, can be freely scraped and used by businesses.

Most of the platforms like LinkedIn have themselves made “Scraping” a licensable service, and therefore any company that scrapes data from these platforms will be liable to the platform if it violates the terms of the contract. But whether the platform itself has the power to license scraping is debatable. This permission has to be part of the consent sought from the data principal. If the data principal has provided the data for a specific purpose, its use for any other purpose, including monetization by further licensing, should be considered a secondary purpose.

If the platforms are clear in their notice and seek explicit consent, “Consent to allow scraping of data by any web crawler” can be considered as not part of the basic consent. It is likely that many data principals who use the platform may agree that their profile may be made visible to any visitor to the profile page, but scraping it for use by another third party for its own monetization may not be permitted.

If this provision is strictly applied, the business of “Web scraping” may suffer adversely.

Also, these platforms need to determine whether to incorporate a default condition that permission from the data principals is required before scraping.

DGPSI recommends that platforms conduct their own DGPSI audits and set appropriate compliance conditions applicable for different jurisdictions.

In this context we may note that many of the GDPR supervisory authorities are issuing guidelines on web scraping.

For example, the April 30, 2020 guideline of CNIL states:

When individuals share their personal data with one data controller, it is not reasonably expected that they will receive direct marketing from another company – another company may re-use their data for such purposes only with the individuals’ consent.

Similarly, when a company re-uses publicly available online data of individuals in order to send direct marketing communications about its products and services by e-mail or through automated calling systems, the company must obtain the individuals’ consent before sending.

The guidelines therefore expect that Data Controllers, before using web scraping tools, should:

• Verify the nature and origin of the data that will be scraped
• Minimize data collection
• Provide notice to individuals
• Manage the contractual relationship with the web scraping service provider
• Carry out a Data Protection Impact Assessment (“DPIA”) if necessary

Recently the Netherlands authority also issued guidelines on scraping. The key takeaways from the guidelines are as follows.

1. Provides a clear definition and distinguishes between scraping and web crawling.
2. Discusses the stringent conditions under which scraping can meet the ‘legitimate interest’ basis, emphasizing that mere commercial interest is not sufficient.
3. Highlights the significant privacy risks associated with scraping, including the inadvertent collection of sensitive and criminal personal data, which often makes lawful processing challenging.
4. Advises on conducting a DPIA to assess risks and ensure compliance with GDPR before initiating any scraping project.
5. Points out the complexities of using scraped data to train algorithms, stressing the need for ethical considerations to prevent biases and inaccuracies.

An English version of the guideline is available here.

Naavi

Posted in Cyber Law