Do we Need a “Sandbox Law”?

It is a common adage to say that “Law is always behind the Technology”... and also to add, “like the traditional Hindu wife”. But all of us know that the “Tradition” has changed. The modern wife drives the bike while the husband sits on the pillion. DPDPA refers to “she” and “her” instead of the traditional “he” and “him” when referring to an individual by pronoun. This is an indication that times have changed and we need to change with the times.

In the field of law, we used to recognize that “Ethics” comes first and is converted into “law” in due course. Today we have the concept of “Due Diligence” built into many laws, which is nothing but “Ethics” as “self-adopted law”.

Practitioners of Technology, however, defy “Ethics” and support the concept of “Innovation” at any cost. Technologists want to be exempted from legal bindings so that they can “Innovate” without hindrance. This attitude breeds trouble, which we have called “Technology Intoxication” in the past.

One compromise solution the industry has developed at present to prevent the adverse effects of a bad software release is to use a “Sandbox”, where new software can be tested in a controlled environment before it is released to the public.

Despite the availability of this “Sandbox” concept and of “Beta Releases”, which were the norm earlier, it is common to see software shipping with “Zero Day Vulnerabilities”.

Some organizations try to provide “Bug Bounty” programs so that vulnerabilities observed after release can be reported, rewarded and corrected. However, there are many companies who do not show even this courtesy.

Also, the Bug Bounty rewards are not good enough to meet the competition from the hacking community, where vulnerability information is sold on the dark web for much more than the Bug Bounty rewards.

In this context, the time has come to discuss whether there should be a mandatory sandbox routine before any software is released to the market for direct consumption by consumers. “Beta Testing” cannot be left as an option, and if it is, it will always be abused or neglected.

Hence we need to debate a suggestion to create a new “Sandbox Law” to mandate that every software has to go through a “Sandbox” cooling period. It will be necessary for this purpose to create the required infrastructure, both by the Government and by the industry.

In the case of software which is used by the industry as a B2B product, the responsibility for vulnerabilities should be borne by the user (buyer or licensee), who can get himself indemnified by the developers.

The Consumer protection laws need to be strengthened for this purpose if required.

Advent of AI

Now with the advent of AI, we are aware that all Cyber Crimes have started using AI for making the crime more sophisticated. The information on the Internet today has become completely unreliable since fake news is becoming extremely common. Whether it is political news or war news, nothing seems to be true unless otherwise proved. This is a very sad state of affairs.

India is now considering regulation of AI. Hence this is the right time to consider whether the concept of “Mandatory Sandboxing” should be extended to the AI law.

The Government of India has already given an advisory that AI developers and users need to register with the MeitY. But probably this has been ignored by the industry.

The consequences of not complying with the advisory would become a “Lack of due diligence” and loss of “Section 79-ITA 2000” protection or “Non Compliance of the obligations of a data fiduciary” under DPDPA 2023.

To make the law more effective, the deterrence available under the laws needs to be highlighted in such contexts. ITA 2000 has criminal provisions and, depending on the adverse consequence, an AI user organization and the AI developer organization may be liable for up to life imprisonment, which can be extended to the executives of the organization. Simultaneously, the civil penalties under both ITA 2000 and DPDPA 2023 may also become effective.

We suggest that instead of Naavi.org releasing the note of warning, CERT-In should release a notification in this regard. We can then expect that the industry takes note of this provision. People say that unless there are at least a few cases of imposition of penalties, the industry will not respect the law, and therefore CERT-In should order prosecution in some cases so that people become aware of their responsibilities.

Call for a Debate

I therefore call for a debate on how “Innovation can be bound within a mandatory Sandbox law” with severe penalties, both civil and criminal, for the consequences arising out of software.

I also call for a debate on penalizing and punishing those security researchers who identify a vulnerability and sell it on the dark web instead of handing it over to the company while simultaneously reporting it to the authorities.

In such cases, the Government itself should impose penalties, which should be shared with the security researchers as “Incentives”, reducing the incentive to sell the same on the dark web.

I am certain that this thought is considered revolutionary and perhaps even revolting. But the need for ending the irresponsible behaviour of software developers, who have today converted the internet into a large Fake Information factory which is percolating into AI software through machine learning, is urgent.

If this is not controlled, AI will kill whatever little trust remains in the Internet. Just as people deride the “WhatsApp University”, the time is not far off when people will start deriding “Google University”.

The software industry should, for its own existential reasons, become more responsible and stop claiming that “Innovation is our job, protecting the Society is somebody else’s job”.

Innovation that hurts the society has no place and has to be thrown out: if not voluntarily, then by a new set of laws.

Let’s Debate.

Naavi

Posted in Cyber Law

Time for Professional Transformation-1

Professional life is dynamic. We need to keep running even to stay in the same place. At different points of time in our professional life, opportunities pass by. If we are wise, we catch the opportunities. Otherwise they fly past and we are left as mere spectators.

One such important change is coming to the professionals who are today thriving as Legal Eagles, Information Security Titans or Veteran Auditors. If we don’t recognize it, we will be overtaken by others.

DPDPA 2023 is that key opportunity that is flying past us. If it hits us when we are not prepared, it can destroy us. If it flies past as we look on, we stay where we are while the rest of the world moves forward. If we can take a ride on the opportunity, we will perhaps see a new world ahead.

It is now one year since DPDPA 2023 became a law. Many of us have faith that the MNCs will lobby with the Government and delay the implementation further. But... are we sure? Will Mr Jitin Prasada oblige Meta, Amazon and Google and delay the already delayed notification of the rules?... It does not seem likely.

It is strongly believed that the draft rules, modified with all the new changes suggested by the industry, are getting ready to be released.

Be with FDPPI to be among the early starters into the world of DPDPA 2023.

Naavi

Posted in Cyber Law

DPDPA 2023 Discussion held at MMA Chennai on August 24, 2023

Dear Friends

Last year, we held an event at Chennai on August 24, 2023 in which we discussed DPDPA 2023 just after it was passed on August 11, 2023.

The discussions held on that day are relevant even today and hence we are re-publishing the same here for reference.

In the meantime, even after one year the rules are yet to be notified. We expect the rules to be officially notified any time during this week.

However, a few weeks back, the MeitY had discussed a version of the rules with select industry players, which indicates roughly the thoughts of the Ministry. The organizations which had privileged access to this document were the likes of Facebook (Meta), Amazon, Google etc., who are all globally renowned for their business. The passage of the law will definitely impact these organizations adversely and hence there is a vested interest for them to delay the implementation of the law and dilute it to the extent possible. These MNCs are also those who will go to the Court immediately to challenge the law and the notification. But the MeitY trusts them by sharing the draft rules with them in the hope that there will be a consensus.

Unfortunately, there is unlikely to be any consensus, and the “Non Privileged” part of the industry, the organizations who will really comply with the law, are waiting for the law endlessly with the fear of the “Rs 250 crores” penalty hanging over their heads.

In this context, a copy of “Business Mandate”, the magazine of MMA, to which I had the privilege of contributing a column a long time back, and a video of the panel discussion that captures DPDPA 2023 as an Act are available here.

On July 27, 2024, FDPPI conducted an event in Bangalore where the draft rules referred to above were discussed with industry leaders, and feedback from the industry was gathered and submitted to MeitY with the hope that some of these suggestions can be incorporated in the rules when they are notified next for public comments. The program was a paid event and the entire proceedings are available in video form in FDPPI’s Jnaana Bhandar, which is available on a subscription basis.

I invite professionals to subscribe to this Jnaana Bhandar and also join the community of FDPPI as a “Member” so that they can contribute to the developments in Data Protection in India. FDPPI is a participative movement in which every data protection professional should participate. Whether you are a designated DPO or not, whether you are just a Lawyer interested in Privacy, a Manager worried about Data Governance or a Technology person in the Information Security area, FDPPI is open to participation.

You can download the Membership brochure here. You can also visit www.fdppi.in for more information.

Now Naavi is recording a separate video of his views on the draft rules and it will be shortly available here. The objective is to keep the professionals ready to pass proper comments when the Government wants their views.

Naavi

Posted in Cyber Law

Invite Influencer Titans to be also Guardians of Privacy

Recently Mr Gaurav Batra, Founder & CEO of CyberFrat got together 100 professionals as “Influencer Titans” under the banner of CF 100.

This unique group consists of Lawyers, Police Officers, Information Security Professionals, etc.

It is the desire of FDPPI to invite this entire team to be also the “Guardians of Privacy” so that they can exercise their influence in the emerging field of Data Protection.

Towards this end, FDPPI would like to organize a Grand Round Table of all these professionals and discuss certain key differentiators for being “Guardians of Privacy”.

Watch out for more information on this.

Naavi

Posted in Cyber Law

DGPSI is the Indian Standard for Privacy and Data Protection by Design and Default

One of the notable mentions made by Prime Minister Mr Modi during the Independence Day Speech yesterday was a call for development of Indigenous standards.

This was heartening since FDPPI has been working on the indigenous standard DGPSI (Data Governance and Protection Standard of India) which is meant as a framework for organizations to be compliant with DPDPA 2023.

Currently, many organizations and professionals work around available but incompatible frameworks such as ISO 27001 and 27701 and claim that they are able to achieve compliance with DPDPA 2023.

This view arises both from the fact that the companies know these frameworks, have worked with them and are familiar with them, and from the fear of the unknown and “Resistance to Change”, which prevents them from even considering an alternative solution. Often they find an excuse in the fact that their customers ask them whether they are ISO 27001 compliant or GDPR compliant, and therefore they have no choice.

Choices can be considered only if there is a conviction that frameworks like ISO 27001 or 27701 were created for different contexts and, though they may be best suited for those contexts, they need not be so for the Indian context.

For example, we have repeatedly drawn a comparison to Cricket and pointed out that Gavaskar is a legend, but today for T20 matches he is not the right choice ahead of, say, Suryakumar Yadav. Mr Neeraj Chopra may be the best Javelin Thrower in India, but you cannot ask him to compete in discus throw or shot put.

Once companies shed their resistance to look at the new frameworks, they need to understand what the framework suggests and arrive at their own conclusions about whether a customized ISO 27701 is a solution for DPDPA 2023 compliance or DGPSI is a better solution.

We must also accept that “Frameworks” are only guidelines, and just because we follow a framework it does not mean that we are perfect in compliance. We all know how many companies in India are ISO 27001 compliant and whether they have the necessary security infrastructure. Implementation is therefore extremely important, and this comes only with an understanding of the law of DPDPA 2023.

FDPPI, in its one-day workshops on “Implementation Challenges in DPDPA 2023” of the type being conducted in Navi Mumbai on August 31 and in Mumbai on September 1, addresses these requirements.

We invite all professionals in Mumbai and Pune to take advantage of this program and attend the same.

P.S: Ujvala Consultants Pvt Ltd and Cyber Law College are sponsoring 5 deserving participants in each of the two locations in Mumbai who may be finding the participation fee a hurdle. Contact Naavi immediately if you wish to avail of this offer, since this will be on a first come, first served basis. These 10 persons will be designated DGPSI ambassadors in Mumbai.

Details of the program are available at: https://fdppi.in/wp/mumbai-on-31-8-and-1-9/

Naavi

Posted in Cyber Law