IDPS 2023 is on 24th and 25th November 2023

FDPPI’s flagship event IDPS 202x is an event that every Data Protection Professional looks forward to.

This year’s edition, IDPS 2023, is being held as a hybrid event in partnership with Manipal Law School, Yelahanka, Bengaluru, at the MLS auditorium.

Register at www.idps2023.in today

Posted in Cyber Law | Leave a comment

Need to rethink on the definition of personal data

In interpreting any personal data legislation, there is a need to clearly understand the term “Personal Data”. The definition of “Personal Data” has to also relate to the definition of “Person” and “Business Contact data”.

In DPDPA 2023, Personal Data is defined as any data about an individual who is identifiable by or in relation to such data. Note that the term used here is “individual”, not “person”. Hence personal data is data about an individual.

On the other hand, “Person” is defined as including an individual, HUF, Company, firm, association of persons, State and every artificial juristic person. This definition is relevant to “Person” for being considered as a “Data fiduciary”.

Many professionals get confused and think that data about a company is also “Personal Data”. The distinction above should provide clarity on this point.

DPDPA 2023 does not define “Business Contact Data”. However, Section 8(9) mandates that a Data Fiduciary shall publish the business contact information of the DPO or compliance officer.

In the Singapore PDPA 2012, “business contact information” is defined as “an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his or her personal purposes”.

Under GDPR, a work e-mail address is treated as personal data.

Whether DPDPA 2023 will follow the Singapore definition or the GDPR position may be clarified later in the rules notified under the Act.

At present we can conclude that, since “Business Contact Information” is information that is mandatorily made public under Section 8(9) of DPDPA 2023, it is not subject to the rights associated with personal information. Hence the Indian position is in tune with the Singapore definition.

The GDPR position is not practical, since the DPO is the point of contact for any data subject and hence his contact information, such as an e-mail address and perhaps a telephone number, has to be made public. Probably GDPR can be interpreted to require publishing a role address such as dpo@domain.com rather than the name of the DPO. In the Singapore law there is a clear understanding that if the information is provided for a business purpose and not solely for a personal purpose, it is considered business contact information. This is more logical and fits the Indian scheme better.

There is another aspect of Personal Data that needs clarification worldwide: “Transaction Data”. Just as two hands are required to clap or to give a high five, two (or more) persons are required for a conversation or a transaction.

Any data generated in such an interaction has to be considered as jointly belonging to all the participants in the event.

Hence data relating to a joint activity should not be considered personal data of either participant but transaction data between them. Both will therefore have an equal right to the data.

In the case of a personal conversation such as a telephone call, each party should have the right to record it. If A sends an e-mail to B, B can use the e-mail data at his discretion and need not treat it as personal data of the sender.

Similarly, in an e-commerce or other business transaction, the data about what Mr A bought and for how much is not to be considered Personal Data but “Transaction Data”.

Justice Srikrishna, in his committee’s report of 2018, mentioned the need to consider “Community Data” as a category of data for which law has to be created outside PDPB 2018, which he proposed as the law for personal data. Subsequently the Kris Gopalakrishnan Committee also endorsed the view that data created by a group is Non-Personal Data.

Now it is time to reiterate the concept that data generated jointly by more than one individual, or between an individual and an organization (which includes a business e-mail in the name of the company), is not “Personal Data” but “Joint Personal Data” or “Non-Personal Data”.

Naavi


Wishing you all a Happy and Prosperous Deepavali

Naavi is pleased to wish you all a Happy and prosperous Diwali.


How Can you contribute to Data Protection in India?

Naavi.org was born under the motto “Let’s Build a Responsible Cyber Society”. In pursuance of this objective, special movements such as the Karnataka Cyber Laws Awareness Movement were undertaken to promote ITA 2000.

Now the time has come to make efforts to bring about compliance with DPDPA 2023 across the country.

We are aware that several organizations are unhappy with DPDPA 2023, and even we may have some suggestions. But we believe that we need to implement what is on hand; improvements will follow.

Naavi is closely associated with FDPPI, and through FDPPI several projects are being implemented for promotion of the data protection ecosystem in India.

Now Naavi.org has started a new campaign to drive home the concept of the “Duty of a Data Principal”.

Under Section 15 of DPDPA 2023, the following duties are imposed on Data Principals:

(a) To comply with the provisions of all applicable laws for the time being in force while exercising rights under the provisions of this Act;

(b) To ensure not to impersonate another person while providing her personal data for a specified purpose;

(c) To ensure not to suppress any material information while providing her personal data for any document, unique identifier, proof of identity or proof of address issued by the State or any of its instrumentalities;

(d) To ensure not to register a false or frivolous grievance or complaint with a Data Fiduciary or the Board; and

(e) To furnish only such information as is verifiably authentic, while exercising the right to correction or erasure under the provisions of this Act or the rules made thereunder.

It is therefore necessary for all members of the public to understand the essence of the above duties and take measures to abide by them.

Naavi.org intends to add another, voluntary duty to the above list, namely:

…..to report any observed contravention of DPDPA 2023 to the DPB.

We are aware that DPDPA 2023 imposes obligations on Data Fiduciaries and that non-compliance with the provisions of the Act may attract penalties of up to Rs 250 crore.

However, it would be difficult for the DPB to be aware of all contraventions by thousands of Data Fiduciaries in India. It may be able to take notice of data breaches reported in the media, but the real improvement in the protection of the public’s personal data will come only when every mobile app and every website complies with the law. Hence we are requesting all Data Principals to take up the responsibility of filing an appropriate complaint with the DPB.

At the same time we are aware that DPDPA 2023 does not provide for compensation payable to the Data Principal for any loss of privacy. Such compensation, where feasible, has to be claimed under ITA 2000 as part of the adjudication mechanism. On the other hand, DPDPA 2023 discourages the filing of false complaints and can impose a penalty of up to Rs 10,000 if a false or frivolous complaint is made.

In view of the remote possibility of such a penalty, as well as the general apathy of our citizens, we anticipate that members of the public may be reluctant to make complaints even if the procedure is as simple as filling in an online form. Some may even ask why they should file a complaint when the DPB would impose a penalty and credit it to the Consolidated Fund of India.

In the midst of such a general attitude, there will always be some dutiful citizens who will take the trouble of bringing DPDPA violations to the notice of the DPB.

To recognize this sense of duty and to encourage that attitude, Naavi.org would be interested in providing a “Certificate of Appreciation” to those who register a valid complaint with the DPB. Periodically, active participants will be given additional recognition as may be appropriate. A “Hall of Fame” will be created to place on record the consistent efforts of individuals who take active steps to promote compliance with DPDPA 2023.

At the same time, Naavi and FDPPI will always be ready to support Data Fiduciaries in achieving compliance, either before or after a complaint is raised by a Data Principal, or to assist them in proposing a Voluntary Undertaking to the DPB in case a penalty is proposed.

This scheme will come into existence after the DPB is established and a procedure for filing a complaint is in place.

(P.S.: An ad hoc recognition has been separately announced for voluntary disclosure regarding the creation of the Rashmika Mandanna deepfake, in view of its urgency and criticality.)


Lessons for AI Regulation in Rashmika Mandanna Deepfake Incident

Artificial Intelligence is hailed as one of the greatest technological developments of our era after the invention of the Internet and the WWW. But recent incidents of AI being used to create viruses, send phishing messages, clone voices and now produce deepfake video raise an alarm and open a debate on how reliable the Internet is in general.

If a Rashmika Mandanna video can be deepfaked, a deepfake of Narendra Modi by an unscrupulous opposition to create a false narrative and alter the course of an election is equally possible. It would be naive to assume that such an attempt is not already under way in the labs of the opposition.

If we recall the growth of the Internet as an information superhighway, its history suggests that the Internet was officially born on January 1, 1983, when the TCP/IP protocol was officially adopted by ARPANET. It expanded into the World Wide Web and became a global information exchange system on 30 April 1993, when the European Organization for Nuclear Research (CERN) placed the WWW software in the public domain.

Since then, the Internet has been adopted by the world as a way of life.

When the Internet was adopted for e-commerce, the identity of Internet actors became paramount. In this phase of development, “Trust” was the key to Internet activity. Digital signatures and KYC are products of this phase.

This phase, of “identified human beings acting on the Internet”, converted the Netizen population into a Netizen-Citizen population, with every netizen identifying himself as a citizen of a sovereign country. This gave birth to the concept of cyberspace being recognized as an aggregation of cyberspaces belonging to the individual sovereign states, each with its own cyber laws.

In the meantime, social media became a society of its own, with direct user-to-user interaction and news purveyed across the globe. Social media was a mix of self-declared identified activity in physical space and “pseudonymous” Internet activity. In this phase cyber crime grew, as criminals used the pseudonymous nature of social media to commit crimes against identified users of the Internet.

As the Internet took this journey from anonymity to identity and back to pseudonymity, and a mixed population of citizens and netizens working together came into existence, the need for a new set of cyber laws in the area of “Privacy” emerged.

This is the era in which we live at the end of 2023. Now a new era of Artificial Intelligence (AI) is coming up, which is set to rewrite the nature of information on the Internet.

AI as a technology has an inherent “bias” arising from the training data used in its development, which makes every AI algorithm a creature of the specific cultural background in which it was developed. For example, an AI algorithm developed from US data will reflect US culture, while one developed in Gaza will carry Gaza’s culture and one developed in India will carry Indian culture. Just as the upbringing of an individual in a family and society has a profound influence on that individual’s character, AI will develop a character which reflects its learning environment.

This can be considered “bias” when the algorithm is used in a jurisdiction outside the place from which the training data was sourced. But this is no different from a Japanese or a Chinese person having a different perspective on life from an Indian Hindu or a Taliban Muslim. It is part of the development process of the AI.

In other words, we need to recognize that AI, which in the coming days will express itself through humanoid robots, will reflect the culture of the society in which it was developed. Hence a “Sophia” may have a western culture while a “Laxmi” may have an Indian culture.

An incident was reported recently in which a Microsoft ChatGPT-based service, asked in India to create a poem, produced a poem that could be considered derogatory to Indian women, highlighting the inherent bias of the algorithm. It is probable that the poem would not be considered derogatory in the US society where the algorithm was developed.

This recognition of “cultural bias” in AI algorithms is a significant factor to be taken into consideration by countries like India when they frame their AI regulations, for instance by providing a “Culture Tag” for the AI.

One of the unusual problems that AI has brought to society is the development of fake news, along with voice cloning and deepfake video.

These problems are set to grow in the future, and the recent deepfake incident involving the actress Rashmika Mandanna is a serious issue to take note of. While we can appreciate deepfake technology being used to re-create the Kannada actor Rajkumar or the Tamil actor MGR and bring them back to the screen, the use of deepfakes to present a false identity of a living person, in the manner it was used in the case of Rashmika Mandanna, is criminally defamatory.

The Government of India now has to show that the Indian cyber law, the Information Technology Act 2000 (ITA 2000), has the necessary teeth to punish those who created the deepfake video of Rashmika Mandanna.

Under the law, creation of a deepfake video is an offence under Section 66 of ITA 2000 and could be defamatory under Sections 499/500 of IPC. It is also an unauthorized act of the data fiduciary under DPDPA 2023. Additionally, the “unauthorized modification” is a contravention under Section 43 of ITA 2000, which provides for compensation and can be invoked against the intermediaries for their negligence under Sections 79 and 85 of ITA 2000.

There is no need to wait for the new Digital India Act to treat a modified video as an offence under ITA 2000, nor for the formation of the DPB under DPDPA 2023. Action can be taken now if the Government has the will to do so.

Despite the noises being made, and the law enabling stringent punishment being available, we cannot be sure that the Government will really take action in the Rashmika Mandanna deepfake case.

I have a specific experience of bringing a Cyber Terrorism incident to the attention of MeitY and CERT-In with no action being taken. The proverbial kid-glove approach to cyber crime is one of the reasons why cyber criminals have become emboldened in India.

Let us see if the Government has learnt its lesson that rooting out cyber crime requires a strong will on the part of the Government, besides the law.

In this incident, the Government should set up an inter-state investigation team to identify where the deepfake originated and charge all persons involved in the crime, starting from the software person who created the deepfake to the companies involved in the production, distribution and display of the video. The software developer may be publicly invited to turn approver so that he can be granted remission, while the other parties involved may be suitably punished.

If the Government had a reward system to recognize whistleblowing in such instances, perhaps more such instances could be brought to light.

I would like to warn the MHA that if they do not put down the perpetrators of the Rashmika Mandanna deepfake video with an iron hand, treating it as an attempt to corrupt social media and as a national security threat, we should be ready to see fake videos of Mr Modi during the election campaign stating things which could sway voters against him.

At the same time, Naavi.org invites any person having knowledge of when, where and how the Rashmika Mandanna deepfake was created to share the information with the undersigned, with or without revealing their identity. Naavi.org would be happy to recognize such a person with a special award at a public event. Any information for this purpose may be shared before 15th November 2023.

Naavi


New Information Security Governance Framework for Banks and other Regulated Entities.

On November 7, 2023, the Reserve Bank of India made a major announcement on Information Security Governance applicable to all Regulated Entities (REs). These directions will henceforth be considered as the “Reasonable Security Practice” and “Due Diligence” requirements for all entities covered under the notification, for the purposes of ITA 2000 as well as DPDPA 2023.

This “Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices” will replace all earlier guidelines issued since 2002, including the GGWG guidelines of April 29, 2011 and the Cyber Security Framework of 2017.

The directions, titled Reserve Bank of India (Information Technology Governance, Risk, Controls and Assurance Practices) Directions, 2023, will be effective from 1st April 2024.

These directions will be applicable to all Banking Companies, Corresponding New Banks, SBI, NBFCs, Credit Information Companies, Exim Bank, NABARD, National Bank for Financing Infrastructure and Development, NHB and SIDBI.

The directions are not applicable to Local Area Banks and NBFC Core Investment Companies.

The directions consist of the following seven chapters.

Chapter I: Preliminary

Chapter II: IT Governance

Chapter III: IT Infrastructure & Services Management

Chapter IV: IT and Information Security Risk Management

Chapter V: Business Continuity Plan (BCP) and Disaster Recovery Management

Chapter VI: Information Systems (IS) Audit

Chapter VII: Repeal and Other provisions

The IT Governance Framework under Chapter II indicates five key focus areas, namely:

a) Strategic alignment

b) Risk Management

c) Resource Management

d) Performance Management and

e) Business Continuity/Disaster Recovery Management.

Under the directions, REs shall put in place a robust, comprehensive and accountable governance framework specifying the responsibilities of the Board of Directors, the Board-level committee and Senior Management.

Under the directions, REs shall appoint a sufficiently senior, technically competent and experienced official in IT-related aspects as head of the IT function, who will be responsible for:

(i) Ensuring that the execution of IT projects/ initiatives is aligned with the RE’s IT Policy and IT Strategy;
(ii) Ensuring that there is an effective organisational structure to support IT functions in the RE; and
(iii) Putting in place an effective disaster recovery setup and business continuity strategy/ plan.

Under Chapter III on IT Infrastructure and Services Management, one of the requirements is that REs shall avoid using outdated and unsupported hardware or software and shall monitor software end-of-support dates and AMC dates on an ongoing basis. This could mean an immediate refresh of hardware and software in many REs.

In third-party arrangements for outsourcing, REs shall apply the RBI outsourcing directions of 2023 and further put in place measures to assess and mitigate risks, including compliance with all applicable legal and regulatory requirements and standards to protect customer data.

While adopting new or emerging technologies, REs need to align the strategies with the risk appetite of the organization.

It is also specifically indicated that REs shall obtain the source code of all critical applications from vendors and put in place a source code escrow arrangement. REs shall also obtain a certificate or written confirmation from the application developer or vendor stating that the application is free of known vulnerabilities, malware and any covert channels in the code. Such a certificate or written confirmation shall also be obtained whenever material changes to the code, including upgrades, occur. Any new IT application proposed to be introduced as a business product shall be subjected to a product approval and quality assurance process.

The REs shall put in place a system for collecting and monitoring audit trails of all critical applications.

The directions require the use of cryptographic controls that are internationally accepted and not deprecated, and the adoption of straight-through processing when data is transferred from one process to another.

Access control is expected to be on a need-to-know basis; personnel with elevated access shall be subject to multi-factor authentication and closely supervised.
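Two of the Chapter III requirements above, monitoring end-of-support and AMC dates on an ongoing basis and avoiding deprecated cryptography, are the kind of thing an RE would want to turn into a recurring automated check rather than a once-a-year audit question. The following is an added example written for this page; it is not code from the RBI Master Direction, from any RE, or from Naavi.org. The software inventory, the nginx-style TLS settings and the lists of deprecated protocols and cipher tokens are constructed sample data and the author's own assumptions about what “deprecated” means in practice, not lists taken from the Direction.

```python
# Added example (not from the RBI Master Direction or Naavi.org): two of
# the Chapter III checks expressed as a continuous control. The inventory,
# the TLS configuration and the deprecation lists are constructed sample
# data and assumptions, not content of the Direction.
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    name: str
    version: str
    end_of_support: date            # vendor end-of-support date
    amc_expiry: date | None = None  # annual maintenance contract expiry, if any


# Constructed sample inventory (hypothetical assets and dates).
INVENTORY = [
    Asset("core-banking-app", "7.2", date(2026, 12, 31), date(2025, 3, 31)),
    Asset("legacy-db-server", "9.1", date(2023, 6, 30)),
    Asset("atm-switch-os", "4.0", date(2024, 4, 15), date(2024, 4, 15)),
]

# Constructed nginx-style TLS settings, deliberately weak for the demo.
SAMPLE_TLS_CONFIG = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DES-CBC3-SHA:RC4-MD5:!aNULL;
"""

# Assumed deprecation lists (common practice, not taken from the Direction).
DEPRECATED_PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1"}
DEPRECATED_CIPHER_TOKENS = ("rc4", "des", "md5", "null", "export")


def check_support(assets, today, warn_days=90):
    """Return (asset name, message) for every end-of-support or AMC date
    that has already passed or falls within warn_days of today."""
    findings = []
    for a in assets:
        for label, d in (("end_of_support", a.end_of_support), ("amc_expiry", a.amc_expiry)):
            if d is None:
                continue
            days = (d - today).days
            if days < 0:
                findings.append((a.name, f"{label} expired {-days} days ago"))
            elif days <= warn_days:
                findings.append((a.name, f"{label} in {days} days"))
    return findings


def check_crypto(config_text):
    """Return deprecated protocols and cipher suites named in an nginx-style
    config. Exclusion entries such as '!aNULL' are skipped, since they
    disable a suite rather than enable it."""
    findings = []
    for raw in config_text.splitlines():
        parts = raw.strip().rstrip(";").split()
        if not parts:
            continue
        directive, values = parts[0], parts[1:]
        if directive == "ssl_protocols":
            findings += [f"protocol {v}" for v in values if v.lower() in DEPRECATED_PROTOCOLS]
        elif directive == "ssl_ciphers":
            for suite in ":".join(values).split(":"):
                if not suite or suite[0] in "!-":
                    continue
                if any(tok in suite.lower() for tok in DEPRECATED_CIPHER_TOKENS):
                    findings.append(f"cipher {suite}")
    return findings


if __name__ == "__main__":
    for name, msg in check_support(INVENTORY, date.today()):
        print(f"SUPPORT  {name}: {msg}")
    for msg in check_crypto(SAMPLE_TLS_CONFIG):
        print(f"CRYPTO   {msg}")
```

Run as a scheduled job, the output becomes the audit trail that the ongoing-monitoring requirement asks for: each run records which assets are inside the warning window and which TLS endpoints still offer a deprecated protocol or suite. The cipher check works on substrings, so a real deployment should pair it with a scan of the live endpoint, since what a server actually negotiates can differ from what its configuration file says.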

Chapter IV covers IT and Information Security Risk Management. The directions require an appropriate policy, reviewed at least once a year, together with a Cyber Security Policy and a Cyber Crisis Management Plan (CCMP).

A senior-level executive (preferably of General Manager level) shall be designated as CISO, who shall not have a direct reporting relationship with the head of the IT function and shall not be given any business targets.

The directions recognize the need to report incidents to CERT-In, but no mention is made of the Data Protection Board under DPDPA 2023. This indicates that the directions were developed before DPDPA 2023 was passed, and hence DPDPA 2023 compliance needs to be built on top of these information security requirements.

Under Chapter V, the BCP and DR policy requirements are indicated and shall cover the interconnected systems of vendors and partners. REs are expected to achieve the minimal RTO (Recovery Time Objective) approved by the IT Security Committee and near-zero RPO (Recovery Point Objective) for critical information systems.

Chapter VI on Information Systems (IS) Audit indicates that there shall be an IS audit policy along with a governance mechanism.

An annexure to Chapter VII ensures that the multiple regulations of earlier years are repealed, so that these directions become the unambiguous guideline applicable from 1st April 2024.

Information and data security professionals need to take note of these directions not only as sectoral regulation but also as a general guideline on industry practice.

Naavi
