E Mail DTS

We have already discussed the WebDts concept of evaluating compliance of the processing of personal data of visitors to a website.

Ujvala has already rolled out a compliance certification for WebDts, which will be free till March 31, 2024.

The use of email in the domain of the company is another process where the personal data of an individual gets used.

It is important for any company to ensure that its email ID is not prone to spoofing.

Ujvala, in association with LedgerMail, is exploring how a website owner can use the LedgerMail solution to eliminate the risks of an SMTP-based email system.

This will be towards DPDPA 2023 compliance.

If an organization can protect its web presence and email activity, a good part of the risks may be covered. This is in pursuance of the process-centric approach to compliance.

Watch out for more information on this.

NAAVI

Posted in Cyber Law | Leave a comment

“Brain Link Inside”.. A necessary disclosure by Cyborgs?..Naavi’s principles of Cyborg regulation

[This article is related to a number of earlier articles on naavi.org on neurorights, which are also collated at www.neurorights.in]

We last discussed some aspects of the legal implications of the human brain linking to an external brain device in our article “Naavi’s theory of neuro Rights”.

In a significant development announced today, Elon Musk’s Neuralink has obtained FDA approval and implanted a chip in a human. This is considered the first human trial to test implants.

The study will assess the functionality of the interface, which enables people with quadriplegia, or paralysis of all four limbs, to control devices with their thoughts.

This Neuralink article states that the study, nicknamed PRIME (Precise Robotically Implanted Brain-Computer Interface), aims to evaluate the safety of Neuralink’s implant (N1) and surgical robot (R1) and assess the initial functionality of its Brain Computer Interface for enabling people with paralysis to control external devices with their thoughts.

Under the study, the company is recruiting patients with quadriplegia (limited function in all four limbs) for a six-year period of interaction involving monitoring of the patients.

Once surgically placed, the N1 Implant is cosmetically invisible. It records and transmits brain activity with the goal of enabling you to control a computer. The Implant records neural activity through 1024 electrodes distributed across 64 threads, each thinner than a human hair. It should help the patients to control external devices through transmission of their thoughts.

The objectives of the study are noble and it is a significant development in human medical research.

In the context of Cyber Laws, however, it is necessary to flag a question: while thoughts can enable an external computing device to be activated, could such an ability enable a person who does not need such an implant to hack into computers in the vicinity through thoughts?

The patient with an ability to interact with an external computing device through a chip implanted within his body is by definition a “Cyborg”. While there are “Necessary Cyborg implants” for patients with paralysis, to which this FDA approval relates, the possibility of the implant being used for other purposes in due course, including manipulating the thoughts of the patients or the thoughts of an otherwise healthy individual, cannot be ruled out.

Hence we need to look at the risks and accordingly formulate the policies for use of such devices.

Some thoughts that come to my mind now are that …

All Cyborgs need to

a) be transparent and disclose that they are Cyborgs with some extra human capabilities. In other words, the fact that a human has an implant inside should be disclosed through a note on the face of the person. It should not be “Cosmetically hidden”.

b) be made to sign a legally binding declaration to the community that they shall not misuse the implant.

c) agree to an audit of the activity of the implant at periodic intervals by a neutral body.

d) be automatically disqualified from entering into contracts such as disposal of their properties since they do not have full control over their thoughts.

e) Such Cyborgs may be “Intelligent” but do not have a “Free Will”. Hence they cannot enter into valid contracts under the Indian Contract Act or similar laws.

Let us call these “Naavi’s Principles of Cyborg regulation” which can be expanded further. Obviously these thoughts do clash with some principles of “Human Rights”. But Cyborgs must consider themselves as not strictly “Human”.

Naavi

P.S: Kindly excuse me if I sound inhuman, since in the Neuralink case we are discussing people with unfortunate disabilities who have actually lost some human capabilities which are being restored through this device. But just as a doctor discusses the probability of death with the patient before undertaking surgery and takes his consent for surgery, we need to recognize that while a number of deserving persons benefit from technology, there will be odd persons who will misuse it. If we do not have regulations since the majority do not need them, the minority will become terrorists and bring disrepute to the technology itself. Hence regulation is essential.

Naavi


Grand Celebration of International Data Privacy Day

FDPPI, along with Manipal Law School, CSA Bangalore, BSPIN and NXP, made this year’s International Privacy Day memorable with a grand two-day event in Bengaluru.

On the 27th the event was held at Hotel Lalit Ashok, and on the 28th the event continued at the NXP premises in Manyata park.

Nearly 200 professionals attended the event on both days. Some photographs of the event are given below.


The First Little Step to DPDPA 2023 Compliance

The successful completion of the Audit of the website will result in the issue of a Certificate and a Badge as indicated in the sample. It will be specific to the website audited and is restricted to compliance for processing of information of web visitors only. It is not a corporate compliance certificate. It is only a “Process Oriented Compliance Certificate” and will involve compliance with relevant aspects of DPDPA 2023 with ITA 2000 as per the DGPSI framework.


Why DPDPA 2023 is more practical than GDPR

It is reported that the French Supervisory Authority CNIL has imposed a penalty of 32 million Euro (around Rs 290 crores) because it considers that there is an excessively intrusive system of monitoring employee activity.

See the report here

The fine is not based on any “Data Breach”. It is about a corporate practice involving performance evaluation of its employees in the warehouse.

In a strange ruling, CNIL opined that it was illegal to set up a system measuring work interruptions with such accuracy, potentially requiring employees to justify every break or interruption.

The CNIL ruled that the system for measuring the speed at which items were scanned was excessive.

Based on the principle that items scanned very quickly increased the risk of error, an indicator measured whether an item had been scanned in less than 1.25 seconds after the previous one.

More generally, the CNIL considered it excessive to keep all the data collected by the system, as well as the resulting statistical indicators, for all employees and temporary workers, for a period of 31 days.

It is not clear if CNIL is a supervisory authority for data privacy or an employee union by itself.

If the employees had any complaints on the way the collected data was used to take action against the employees, it should be taken up as an Employee Union or labour issue and not a privacy issue.

This is an excessive and inappropriate use of the powers of a supervisory authority under GDPR and needs to be challenged.

Fortunately, Indian law is very specific in providing employee performance evaluation as a “Legitimate use” and hopefully such instances do not occur in India.

In the EU, the supervisory authorities are using GDPR as a fund-raising tool and indiscriminately fining large organizations even when the underlying problem has no “Public Privacy Cause”.

The employer-employee relationship needs to be treated on a different plane than the company-public relationship. The employment rules should be respected by the employee, and if they are unfair it is for the labour authorities to intervene and not the supervisory authorities.

The employer-employee contract is between two parties with mutual respect and understanding, and improving productivity is one of the basic rights of an organization. The data objected to, such as monitoring that the inter-scan period is not too quick and that idle time is not too much, is legitimate data that an employer should be able to collect.

Employment with a specific company is not a right, and if an employee is not happy with the employment conditions, there is no compulsion for him to stay. For CNIL to say that this is an unfair measure to reduce the work force and force them to leave voluntarily is ridiculous.

I hope CNIL reviews its decision and remains within its jurisdiction.

Naavi


App-DTS based on DGPSI

In continuation of yesterday’s article, where we indicated that FDPPI would introduce a Certification system for Websites on Privacy compliance as per DPDPA 2023, a similar concept to be extended to Mobile Apps is under development.

This Assurance would be titled “App DTS” and would result in a visual mark that can be appended to the Apps on the home page.

The pilot assessments on both the Web site and Apps will be available through Ujvala Consultants Pvt Ltd from 27th January 2024, which is the International Privacy Day.

The first 10 assessments based on requests would be complimentary.

The assessment would be restricted to the norms selected by Ujvala Consultants Pvt Ltd which is a patron member of FDPPI. The assessment would be based on the publicly viewable website and the privacy policy. The Cookie policy which is important for the certification would be assessed with reference to a tool. The Gap assessment would be shared with the website and on bridging of the gap, the final certification would be released.

In view of the obvious conflict, we will not apply this to the websites of FDPPI.IN and Naavi.org at present.

We shall, however, try to modify the Privacy policy documents on both these sites to suit the expectations of DPDPA 2023.

Naavi
