Declare DPB as a Protected System under ITA 2000

The Data Protection Board under DPDPA is likely to be a very important Government office and symbolically represents “Data Security” in India.

As a result, it is likely to be a target of attack by hackers with an anti-India agenda.

It is therefore necessary to ensure that the DPB website is well protected and, at the same time, declared a protected system under ITA 2000.

DPB should also not use any data storage outside India, even in the cloud of Amazon or Microsoft.

With such a declaration, any unauthorised attempt to enter the site becomes a crime punishable with 10 years' imprisonment, and CERT IN becomes responsible for its security.

A similar declaration should also be made in respect of “Consent Managers” if they are given “visibility” of the data exchanged.

Naavi

Posted in Cyber Law

Timeline for DPDPA Implementation

The draft rules on DPDPA suggest that the rules related to setting up the Search Committee for selecting the Chairman and members of the DPB, and the rules related to the terms of appointment of the DPB Chairman, Members and employees, will become effective immediately. However, the draft rules are silent on when the other provisions of the Act will become effective.

In our interactions with the industry it has been noticed that the industry is still complacent and expects unlimited time to be available for compliance. This perception needs to change, with the Government setting a target timeline for itself through the rules.

We therefore recommend that Rule 1 be expanded to include the following:

a) The DPB shall be formed within 3 months of this notification and commence its operational website within 4 months of the notification.

b) Provisions related to Registration of Consent Manager shall commence as soon as the DPB becomes operational.

c) Compliance requirements such as Consent, Data Breach Notification and Restrictions on transfer of data outside India (where applicable) shall be required within 9 months of the notification.

d) Penalties under Section 33 shall be effective after one year from notification. (DPB may use its discretion to use the provision of voluntary undertaking to grant time where it is considered necessary).

e) Section 44 of DPDPA 2023 shall be effective along with Section 33 (so that Section 43A of ITA 2000 (Information Technology Act, 2000) is replaced only after the penalty clauses under DPDPA 2023 become effective).

f) Provisions of Section 10(2)(a) [DPO] may be made effective within 9 months from the date of notification.

g) All other residual requirements under the Act shall be deemed applicable at the end of one year from notification.

h) Non-corporate Data Fiduciaries and those falling under the category of SME/MSME shall be provided an additional 6 months over and above the time given to other entities for each of the different provisions.

Your comments are welcome.

Naavi


Data Protection Board (DPB)… DPDPA Rules

Under the proposed draft rules, the DPB consists of a Chairman and several Members, to be appointed by two Search Committees which will be set up after notification of the Draft Rules. One Committee will select the Chairman and the other the Members.

We do not know at this point how many members the DPB will have. We also do not know whether the search committees will complete their task quickly so that the DPB becomes operational soon.

In order to spur the next level of compliance, the DPB needs to come into action.

In this context, the following recommendations are placed before the MeitY.

a) The minimum number of members (excluding the Chairman) shall be six and the maximum twenty.

b) DPB shall commence its operation with the minimum number of members and MeitY shall review the requirement of the DPB once in a year and increase the number of members as required.

c) The Search Committee may function for one year at a time and shall review the functioning of the DPB annually and submit a report to the MeitY before a new Search Committee is set up for the following year.

d) The respective Search Committee shall be responsible for evaluating any complaints received against the Chairman/Members, or observations recorded during monitoring of the activities of the DPB, and recommend disqualification if required.

e) The Search Committee shall meet each quarter or as often as otherwise required to review the activities of the DPB and recommend corrective action if necessary.

f) The external members of the search committee may be paid remuneration as may be determined by the Ministry for the services rendered including sitting fees for meetings.

g) The external members of the Search Committee shall retire each year and shall not be eligible for re-appointment for a continuous second term.

We also hope that the DPB will be operative within the next 3 months.

Naavi


National Personal Data Archive… Is it impossible to secure?

While deliberating on the DPDPA rules, I have been suggesting that the Government needs to set up a “National Personal Data Archive”, so that “unclaimed personal data” and “personal data under dispute” may be shifted out of the custody of the Data Fiduciary and retrieved later if required, subject to an appropriate legal process.

One of the prime benefits of this system is the following. When a data fiduciary has completed the processing for which the data was collected, but the consent cannot be renewed after DPDPA 2023 becomes effective (because contact cannot be established with the data principal, the data principal cannot be properly identified, or the transfer back is legally disputed for some reason), the data fiduciary can give up custody of the data instead of carrying a dead burden which it can neither use nor delete.

When I discuss this proposition with experts, many have expressed distrust of Government machinery having control of such data, because it can be misused for surveillance. Though the Government will have the power to call for any information for National Security purposes, which includes a certain basic level of surveillance, the fear that the data may be misused by a corrupt system cannot be ruled out.

We may however discuss separately whether it is safer to leave the data with the private sector data fiduciary, even after it no longer requires the data for processing but would like to hold on to it under some excuse, than to transfer it to the sovereign state, which is in any case the owner of all unclaimed property.

For the time being, we may however discuss and elicit the views of experts on whether there is really no way that a database of Personal Data of Citizens can be kept secure against misuse.

In the past, we have discussed a concept of “Regulated Anonymity”. With the advent of DPDPA 2023, every personal data store manager is also a data fiduciary with his own responsibilities, and this also applies to a Government-managed national archive of personal data. The central idea of the suggestion was “Distributed Ownership of Custody” of a database.

This concept has been well developed in the ICANN system, both in Internet Governance and in Domain Name Root Server administration.

Refer: https://www.cloudflare.com/en-gb/learning/dns/dnssec/how-dnssec-works/

A similar system can be used to secure this National Archive of Personal Data. This system requires:

a) Strong encryption of data at rest

b) Distributed key control with an administration team

c) An administration team consisting of non-Government persons

d) Some of the members of the administrative team to be elected by digitally identified Netizens through a democratic process.

I want experts to debate the creation of such a secure database and put pressure on the Government to introduce the National Personal Data Archive.

Naavi


DPDPA Rules… Data Breach Notification

Rule 7 of the draft DPDPA Rules prescribes that on “becoming aware of any Personal Data Breach”, the Data Fiduciary shall, to the best of its knowledge, intimate to each affected Data Principal the information of the breach. Similarly, the DPB shall be informed without delay, and more details of the breach shall be provided within 72 hours.

It is necessary to recognize that there are cases of false alarms, and incidents such as whistle-blower reports which, if confirmed, may become breaches but could also turn out to be false.

Hence the report submitted immediately should be termed “Provisional”. The confirmed report filed within 72 hours may be called the “Personal Data Breach Report”.

Further, some “Personal Data Breaches” recognized as such under the DPDPA 2023 definition may involve infringement of Data Principal Rights and not exfiltration or “loss” of personal data from the custody of the data fiduciary (e.g. when data access is compromised within the organization, from one employee to another).

These are not as harmful as data breaches involving exfiltration or modification of data.

This has to be factored into the definition of “Personal Data Breach”.

Hence there is a need to recognize three categories of personal data breaches, namely:

1. Provisional Data Breach
2. Personal Data Breach not resulting in exfiltration or modification of data
3. Personal Data Breach resulting in exfiltration or modification of data

The rules should treat these differently.

It is necessary to recognize that every personal data breach involving loss of or damage to data creates a liability under Section 43 of ITA 2000 and is also a data breach reportable under CERT IN guidelines, even after the repeal of Section 43A.

There should be a process where the DPB and CERT IN act in harmony in dealing with the Personal Data Breach report. Since CERT IN has the infrastructure to provide technical guidance on remediation, there is no need to duplicate the effort at DPB. Regulatory investigation of a technical nature, if required, should be left to CERT IN and its findings adopted by DPB. For this purpose, a “DPB-CERT IN Data Breach Investigation Policy” should be created by MeitY, which may specify that the ITA 2000 Compliance Manager and DPDPA Compliance Manager designated by MeitY shall jointly resolve any Personal Data Breach related conflicts between CERT IN and DPB.

Alternatively, changes should be notified under ITA 2000 stating that CERT IN would refrain from investigating cases which are taken up for investigation by the DPB under DPDPA 2023. This would, however, require additional technical investigation capabilities to be built up by DPB.

There is a need to recognize that DPB would be more interested in identifying non-compliance with the law that may affect the rights of the data principal, and hence would like to track even those personal data breaches which do not result in exfiltration of data causing irreversible damage to the data principal. On the other hand, CERT IN is more interested in prevention of Cyber Crimes and hence focussed on data breaches involving exfiltration of personal data.

Hence there is a need for a simultaneous change in the CERT IN rules related to data breach while these rules are being notified.

Additionally, there is a need to build a knowledge base of Data Breaches occurring in India so that DPB is aware of how the industry is addressing the issue. Hence, under the powers of Section 36, MeitY may gather information on data breaches that have already occurred, though no penalties may be imposed on them.

In view of the above, the following suggestions are made:

1. A Provisional Personal Data Breach shall be reported only to DPB, immediately on becoming aware. A confirmed data breach involving exfiltration or modification of personal data shall be reported to the data principal as soon as the data fiduciary becomes aware of the “Confirmed Data Breach”.
2. All Data Breaches recorded since 11th August 2023 may be reported to DPB under the powers of Section 36 of DPDPA 2023.
3. A Detailed Report within 72 hours, or as extended, shall be submitted to the DPB as proposed.
4. A notification on the website of the Data Fiduciary of the report sent to DPB should be mandatory.

A link to the detailed report should be sent to the Data Principals through e-mail or SMS where available.


Privacy Mitra Objectives

The Privacy Mitra Yojana of FDPPI intends to work on both dimensions of creating a Privacy Culture amongst Indian Citizens and a Compliance Culture amongst Data Fiduciaries.

In India, Privacy is a new concept. At present only the elite speak of Privacy; for others, the “Right to Privacy” is still not a priority. While people understand the adverse effect of a Cyber Crime, they do not fully comprehend the adverse impact of a Privacy infringement.

There is therefore a need to build a Privacy Culture in society for the intentions of DPDPA to succeed.

At the same time, Corporates are also complacent, because compliance has a cost and everybody is short of resources for compliance. Most companies therefore think that they can wait till somebody else gets fined to understand how DPB is likely to function.

In the midst of the reluctance of companies to take Compliance seriously, and the inability of data principals to fight for their rights, the DPDPA as a law is in danger of becoming a paper tiger.

FDPPI therefore considers that it is its responsibility, as a full service agency, to create awareness of Privacy in the community and build a compliance culture in companies, before it can deliver its training programs, Certifications, implementation consultancy, audit and assessment.

Towards this goal, FDPPI is now trying to build an all-India cadre of committed Privacy enthusiasts to work on both the public front and the corporate front.

In particular, FDPPI invites academic institutions to come forward and get their student community to take up social projects involving creation of awareness of what Privacy is, why it is important, and how data principals need to be vigilant to protect the Privacy Rights granted to them by DPDPA as a law.

We invite volunteers to join the movement in large numbers to develop the Privacy Compliance Market in India, which is good for society and also creates new opportunities for employment and business.

Be in touch with FDPPI and contribute your thoughts in this regard.

Naavi
