Let’s meet in Mumbai on August 31 and September 1

FDPPI’s next destination in its outreach to the Data Protection Community is Mumbai. FDPPI has now planned two events, one at Navi Mumbai on 31st August 2024 and another at Mumbai on 1st September 2024.

Details are as follows:

These events are full-day “Workshops” on implementation of DPDPA in organizations and will be conducted by Naavi and his team.

The program would include:

1. Discussion of DPDPA and Rules with reference to a few case studies
2. Discussion on Implementation Challenges
3. Discussion on how to implement Compliance by Design

The objective of the program is to enable professionals with Legal, Technical and Managerial backgrounds to understand the nuances of the DPDPA and the draft Rules and how they can be applied in the user environment.

We invite all interested persons to participate.

Kindly register quickly to avail of the different discount options available. The participants will be issued certificates with 6 hours of CPE credits.

Click here for registration: https://www.iletsolutions.com/fdppi_conference_mumbai/

Naavi


“Witnessed Consent” should be explored… DPDPA Rules

In the implementation of DPDPA in India, “Consent” is an important instrument of establishing the legal basis for processing. Such consent has to be “Purpose Specific”. It is the purpose that also determines “Data Minimization” and “Data Retention Minimisation”.

In this background, let us look at the needs of the “Data Analytics Industry”, where “Data” is the raw material from which value-added products need to be generated. The very purpose of Data Scientists in an organization is to increase the productivity of available data through research and by finding new uses. Even the Business Managers concerned with “Data Governance” would also like to get more value from available data by using data analytics.

Not all “Data Analytics” can be performed on anonymized data, since the company would like to apply its learning to its customer set and therefore wants the precise profiling of every one of its customers. The marketing efforts would be unproductive if we do not understand the behaviour of our prospective customers.

Digital Marketing Companies therefore need to develop “Insights” on customers from the data available in transactions, combined with data collected from elsewhere. But this is the classic definition of “Profiling”, which is impossible under the strict interpretation of the Right to Privacy.

The process of analysing personal data to discover uses which were not identified when the data was collected will therefore be a problem the industry has to contend with. One school of thought is that “No Personal Data shall be subject to experimentation of a Data Analyst” without consent. While this is acceptable as a strong Privacy principle, we need to also consider if this will curb innovation and technical progress.

Just as we are trying to recognize the problem of Consent Fatigue with individuals and trying to find a solution through Consent Manager, we need to also recognize that businesses do have a legitimate requirement of customer profiling, behaviour monitoring and monetization of personal data.

We therefore need to consider how to use “Consent” in such a manner that the individual feels that the data fiduciary has been transparent enough for him to give consent for “Discovery of unknown uses”, including “Profiling” and “Monetization”.

One way by which this “Consent” can be made acceptable is to introduce the system of “Witnessed Consent”.

Currently we bring in parental consent for minors because we feel that the minor is not capable of taking a decision. In Medical circles, it is common for doctors to take the consent witnessed by relatives when a surgery is performed or when drug research is permitted.

Similarly, we need to have a system of “Witnessed Consent” where certain uses can be subjected to the witness of another adult so that the person providing consent is not misled or cheated. As long as a person is willing to submit himself to profiling and monetization of his personal data, it should be a “Right of Choice”.

There is a view that a Constitutional Right cannot be overridden by a contract and hence the Right to Privacy cannot be overridden by consent.

I would like to challenge this principle.

The world is today discussing Euthanasia, the Right to end one’s life by choice. In such a context, there is a case for a data principal to expect a right to submit himself to profiling or monetization without affecting the constitutional right as long as precautions are taken to get the consent witnessed suitably so that he is not “Cheated”.

The DPDPA Rules should therefore suggest a process of “Witnessed Consent” to be used for “Discovery of Purpose” as well as “Profiling” and “Monetization” purposes and set processes of how such consents can be provided and by whom.

This is the “Shaping the Future” debate and therefore established principles need to be questioned and solutions found.

Comments are welcome…

Naavi


Thank the CyberFrat Community

Naavi thanks the CyberFrat Community for the recognition as an influencer in the Cyber Security domain. I take this opportunity to look back on how my career transformed from being a Banker, and later a Financial Marketing domain expert in an Advertising agency, through Cyber Security, Information Security and Data Privacy.

My journey into the Cyber world started around 1995 after Windows 95 made internet access more comfortable. The initial professional activity using the computer was as an Internet journalist and also as a newspaper columnist using Internet resources to run a weekly investment advisory column in Indian Express. The Cyber Security concerns at that time were low and we were talking of a borderless Cyber Society.

In 1998, I switched over to Cyber Laws when the draft E Commerce Act 1998 was published. Those were the days of Dewang Mehta at NASSCOM and the focus of Computerisation was societal benefit and not commercial exploitation. In 1999 when I wrote the first book “Cyber Laws for Every Netizen in India”, the dream was that there is a community of “Netizens” who are the citizens of the Global Internet society and we are all “Cinezens” who are citizens of a physical country and also Netizens of the Internet society.

Many of my thoughts at that time were to maintain the dual nature of the society where physical society activities would be enriched by the Internet as a tool. Even the thoughts on E-Banking as an exclusive Internet Branch, the Smart Cards (Zemo Cards) etc. were made in this Utopian thought that the Internet society would co-exist with the physical society. These thoughts have undergone a change over the last few decades and today the Netizens lord over Citizens and hence the role of “Security of Citizens from Netizens” has become imperative.

With the advent of E Commerce, the greed of money took over and along with it, the concept of Global Internet society was killed. We created “Internet Boundaries” and made physical laws applicable within virtual jurisdictions. With money flowing in the Internet transactions, Criminals took to Internet as their domain of operation.

This led to the growth of Cyber Security as a domain. This evolved into regulatory regimes and the concept of “Legal Aspects of Information Security” was born and was adopted as my focus.

With Cyber Law College in 2000, I entered the world of Privacy, creating a “Chapter” in the curriculum of the course on Cyber Law which expanded around 2005 into HIPAA Consultancy. I also did a lot of work on developing Cyber Jurisprudence in India with ITA 2000 as the base and assisted Cyber Crime investigators in a number of cases.

Since 2018 the GDPR took over all the attention and I simultaneously started looking at the Indian Data Protection Law. In 1998 I was one of the earliest entrants to the discussion on ITA 2000, and in 2018 I was once again one of the earliest in starting a discussion on PDDPB 2018. The difference was that the group of persons interested in Data Protection increased in geometric proportions, whereas in 1998-2005 the group of persons interested in ITA 2000 could be counted on the fingers. One of the two other persons who were involved in Cyber Law was Pavan Duggal and the other was Mr Rohas Nagpal, who have to be remembered at this point of time.

Today Naavi represents Data Protection, which is inclusive of the protection of data that was the earlier focus. I have also started switching over to Data Governance and looking at Neuro Rights and AI law as the next domains to focus on.

At this time, for CyberFrat to have recognized me as part of the CF 100 community, which also consists of professionals like Pavan Duggal, Triveni Singh, Prashant Mali, Rakshit Tandon, Samir Datt (and more), is an honour to cherish.

I therefore thank CyberFrat for the recognition.

Naavi


DPDPA Rules: Clarity required on Penalties

One of the concerns of the industry on the DPDPA Rules which has not yet been addressed in the draft of the draft rules is when the penalties under DPDPA will start being applied. For penalties to be applied, the DPB has to be first formed and afterwards a mechanism has to be built for reporting of data breaches. Data breaches may be reported directly by the Data Fiduciaries or through complaints received from data principals. DPB may also recognize a data breach suo motu from newspaper reports and alerts from security research organizations.

It is possible for MeitY to provide some extra time for applying penalties after fixing the compliance date. For example, once the DPB comes into existence and an operating website is set up to take care of data breach reporting, the date for compliance can be notified. The date from which penalties are to be considered can be the same date or another 3-6 months later. In between, the DPB may consider application of the “Voluntary Undertaking” under section 32.

Apart from setting these dates, the DPDPA Rules could have clarified how the “Voluntary Undertaking” would function.

Section 32 states, “The Board may accept a voluntary undertaking in respect of any matter related to observance of the provisions of this Act from any person at any stage of a proceeding under section 28.(Ed: Inquiry)”. The voluntary undertaking may include an undertaking to take such action within such time as may be determined by the Board, or to refrain from taking such action, and/or to publicise such undertaking.

If an order for Voluntary undertaking is given and accepted by the erring data fiduciary, further proceedings on penalties are barred except that if the data fiduciary fails to adhere to the terms of voluntary undertaking, then the penalties will become applicable.

DPB should therefore set in motion a procedure for application of Voluntary undertaking as a measure for addressing low harm breaches or as a general measure of cautioning before severe action.

In particular, it could have been provided in the DPDPA Rules that for SMEs and MSMEs, Voluntary Undertaking could be made applicable as a routine exercise. In fact, DGPSI takes this into account and expects organizations to consider responding to DPB notices with specific Voluntary Undertaking proposals.

In this context we can look at one instance where the Singapore authority used this provision recently.

In a data breach incident of Keppel Telecommunications & Transport Ltd (KTT) and Geodis Logistics Singapore Pte Ltd (GLS), the attacker, using ransomware, had exfiltrated 6287 images of proof of delivery of parcel recipients along with some employee data including passport numbers and bank details. The access was obtained with the use of the Vendor’s (GLS) user name and password.

Investigations could not find out how the malicious attacker had been able to secure the access credentials. There were also no malicious files or programmes present on the vendor’s computers, and no indication of compromise, data exfiltration, or unauthorised access on its systems.

After the incident, the organization initiated remedial plans which were accepted by the regulator for the Vendor (GLS). However, KTT was fined $120,000 for failure to protect the employee data.

If a similar incident had occurred in India, KTT as the Principal Data Fiduciary would be responsible for the incident for loss of employee data and GLS would be either a Joint Data Fiduciary or a Data Processor. If it is considered a Joint Data Fiduciary, it would face action under DPDPA 2023.

If GLS is considered as a Data Processor, KTT can initiate action against GLS for loss of its employee data as a contractual failure.

However, the nature of the parcel delivery data could be open for debate. Should it be considered as belonging to GLS and as “Transaction Data”? Is it the business data of GLS, or of KTT? Is it the personal data of the parcel recipients? Should we apply Section 72A of ITA 2000, or the data breach provisions under ITA 2000? These are interesting questions.

Open for debate.

Naavi


Educational Institutions and DPDPA

Educational institutions, both graduate institutions and undergraduate institutions where the students are minors, have the challenge of DPDPA before them. These institutions collect parents’ information, financial information of students and parents for educational loans and fee collection, health information, etc. Some personal information related to the education is also generated by the institution itself, including the mark sheets etc. All of these are retained almost indefinitely.

In India there are many integrated institutions where students join as minors and graduate as adults, or their information stays in the system for years after they become adults and turn alumni.

Existing institutions also have “Legacy Data” of huge volume. The data can be considered as “Sensitive” as we have often found that students who turn celebrities later in their life are questioned about their qualifications, age etc from the educational records and could lose their positions and even land up in jail if the data is wrong.

Hence Educational Institutions are eminently qualified to be considered as “Significant Data Fiduciaries” under DPDPA 2023.

Currently we are not aware that DPDPA 2023 or its rules provide any sectoral concessions for Educational Institutions.

We must appreciate that even the names of individuals are getting standardized only in the current generation. For people of our generation, all our records had no “Second” name. We simply had “Initials”, which were the first name of the father and sometimes of the place of birth. If therefore one looks at our SSLC marks card, there will be a discrepancy in the name itself. The date of birth also was accepted as per the SSLC records and, prior to that, in the schools, whatever date was mentioned by the parent at the time of admission was accepted. Also, the contacts were mostly through addresses which may not even exist today.

If therefore we are talking of “Consent” for legacy data, there is no way an educational institution which is 50 years or older can issue notices and obtain consents.

At the same time, it is not appropriate for the institutions to remove the data for lack of consent after releasing a public notice and not getting response for say 1 year.

The DPDPA Rules did remember educational institutions while creating Schedule IV, which states the conditions under which the tracking and behavioural monitoring of children are exempted, and it includes the educational sector. Strangely, it covers transport operators ferrying children and creches. As far as Educational Institutions themselves are concerned, the exemption is restricted to supporting implementation of any healthcare treatment and referral plan recommended by a healthcare professional for a child, to the extent necessary for the protection of her health.

It is urgently required that Educational Institutions be exempted from “Sending Notice and Obtaining Consent” for legacy information. Alternatively, they can be asked to publish a note on their websites calling for all students and parents who have earlier provided their personal information to inform them of any changes or inaccuracies. If anybody suggests a change of name in their marks cards, it cannot however be implemented automatically. In such cases the old data and the suggested corrected data must both be retained.

Even with such a simple procedure, if every student starts exercising their “Right to Access” that itself will require an unreasonably large resource for a school or a college.

A debate is required by MeitY with the educational sector to provide some reasonable exemptions to protect against unintended violations of the law.

In this context we may recall that recently, in Singapore, one medical institution, namely Academy of Medicine Singapore, providing professional education was fined for a ransomware attack resulting in the exfiltration of personal data of 6574 persons. The leaked data included Passport number, NRC number and Date of birth besides other information such as name, photo etc. The fine was nominal, about $9,000. However, the fact to be noted was that it was an educational institution, and the loss of data was due to an external attack and involved only a small number of data sets.

In this context, if one lakh data sets are compromised in an Indian educational institution with biometric and Aadhaar data, it would be interesting to see how much fine would be reasonable. Such risks are possible and need to be factored in.

Most of the educational Institutions run under a single Trust and whether they need one DPO for each Institution or one DPO for the entire group is another area of doubt. There are many more such issues that may come up in the administration of the educational institutions not all of whom may have the resources to manage compliance like a commercial entity.

FDPPI has, after its last industry interaction, suggested that a special interest group (SIG) will be formed by FDPPI to study the impact of the DPDPA on educational institutions on a continuing basis, and is in the process of identifying the right members for this SIG-Education.

Interested persons should contact FDPPI and volunteer.

Naavi


DPDPA Rules… Voice of the industry

Further to the event held on July 27 in which views of the industry professionals were collected on the draft rules in circulation, FDPPI has compiled a recommendation and submitted it to MeitY.

A copy of the note submitted is available on www.fdppi.in here.

We trust that MeitY intends to publish another version of the rules officially for public comments, modifying the version available earlier (Check here). However, in the spirit of “Shaping the Future”, FDPPI has proactively worked on this current draft and elicited the views of the industry.

Naavi.org has expressed its view that sharing such drafts with MNCs, who are actually going to Courts challenging the legislations of the Government, and not with the general public who are affected by the law/rules, is inappropriate.

Hence we have tried to organize the public discussion on the draft of the draft rules and brought them into discussion.

We trust that at least in future MeitY would take into consideration the stakeholders outside the MNC group while taking decisions that affect the society.

The discussions will continue…

Naavi
