FDPPI Dedicates Privacy Advocate Award in memory of Justice K S Puttaswamy.

At its annual flagship event, the Indian Data Protection Summit 2024 (IDPS 2024), to be held on November 30 and December 1, 2024 at Bengaluru, FDPPI recognizes those who have contributed to Privacy and Data Protection in India.

Yesterday we lost Justice K. S. Puttaswamy, who contributed to the rise of Privacy consciousness in India that led to the passing of DPDPA 2023. FDPPI had the satisfaction of recognizing him with the title of “Privacy Pitamaha” during our 2023 AGM. Continuing our appreciation of his contribution to the Privacy ecosystem in India, FDPPI has decided that this year the “Privacy Advocate of the Year Award” will be “Dedicated to the memory of the Privacy Pitamaha, Late Justice Sri K. S. Puttaswamy”.

Nominations will be open up to 10th November 2024 and the nomination form is available at https://fdppi.iletsolutions.com/idps-2024-award-nominations.

There will also be 4 other categories of awards, namely “Privacy Knight”, “Privacy Squad”, “Privacy Champion (Organization)” and “Privacy Innovator”. Of these, the Privacy Champion Award would be “Dedicated to the memory of Padma Vibhushan, Late Sri Ratan Tata”.

We hope that these leaders who have left this world will continue to inspire our professionals through these awards.

Posted in Cyber Law | Leave a comment

Data Fiduciary and an Intermediary

A query was received from a student recently: “Whether a Data Fiduciary can also be an Intermediary” under ITA 2000.

I have tried to present the response in a video at Naavi Academy and also provide a brief summary here. The video is available here.

Naavi has been advocating Jurisprudence on DPDPA through the DGPSI framework and has indicated that DPDPA compliance is better implemented by recognizing that an organization has multiple processes in which it processes personal data, and that compliance has to be worked out at the process level instead of the enterprise level. Enterprise-level compliance will then emerge as an aggregation of process-level compliance.

As a result, an organization will have several processes; in some of them the organization determines the Purpose and Means of processing and in others it does not. Hence an organization could be a data fiduciary in one process and a data processor in another. In some contexts it may share the responsibility of a data fiduciary with another organization. Thus, when we look at the organization as an entity, it has one face as a Data Fiduciary, another face as a Data Processor and yet another face where it is a Joint Data Fiduciary.

This possibility has not been explored by observers of GDPR or the DPDPA till now, and this is the first time it has emerged as a thought. It goes well with the “Process Based Compliance Approach” adopted by DGPSI.

At the same time, when we look at ITA 2000 we have a category of data handlers who are recognized as “Intermediaries” and others whom we can call “Data Users”. The nature of an intermediary is that data is received from one source and passed on to another destination, but the intermediary does not

(i) initiate the transmission,

(ii) select the receiver of the transmission, and

(iii) select or modify the information contained in the transmission.

It is noted that the definition of an Intermediary under Section 2(w) of ITA 2000 clearly restricts it to a message. It defines an “Intermediary” as:

“Intermediary, with respect to any particular electronic records, means any person…”

From the above definition it can be seen that an Intermediary is defined with reference to a message or a context, and not with reference to an entire entity across all types of activities. It is therefore possible for an organization to be an Intermediary in one service and not an intermediary in another service context.

This is similar to the approach of DGPSI which recognizes that in one process an organization may be a Data Fiduciary and not be so in another.

A “Data Fiduciary process” cannot be an “Intermediary process” but a “Data Processor Process” can be an “Intermediary Process”.

Hence we need to shed the concept of “This organization is a Data Fiduciary and another is a Data Processor” or “This organization is an Intermediary and another is not”. We should always make such assertions specific to the context.

This article and video underscore the reason why we say “DGPSI is the Jurisprudence for DPDPA”.

Naavi


Naavi Academy releases the first set of Educational Videos

We announced the formation of Naavi Academy a few days back as a channel of educative content through video blogging, as a supplement to Naavi.org. While the system of publication of the blog is being finalized, we present the first set of videos here.

  1. Introduction
  2. Comment on PIL on Canara Bank in Karnataka High Court
  3. Comment on Supreme Court judgement on Aadhaar as a Date of Birth reference

Supreme Court on use of Aadhaar for Age determination

In the DPDPA implementation, we have been discussing the requirement of determining the “Age” of a data principal to identify whether he is a minor or not. Without identification of the age, the obligations of DPDPA towards a “Minor” cannot be fulfilled.

At the same time, there is a need to develop a mechanism by which one can identify the class of data principals to which Section 9 of DPDPA is applicable (Minors and Disabled Persons). In the case of a minor, the consent has to be provided by the guardian, who may be either a natural guardian or a legal guardian. In the case of disabled persons, it is the legal guardian who has to provide the consent.

The “Legal Guardian” is always a product of a decision of the Court, and unless the Courts create a system of publishing a database of “Legal Guardians” approved by different Courts, there is no way for a Data Fiduciary to know whether a person is disabled or not. A request for this has been sent by FDPPI to the CJI, and some time in the future it may see the light of day.

As regards the Natural Guardian, the law has its own uncertainty, since there may be many single parents and divorced parents where the natural guardian cannot be determined by just identifying the father or mother.

It is the duty of the Government and the Judiciary to find a proper mechanism to identify the age of a data principal if they are serious about protecting the privacy of minors. At present Data Fiduciaries simply accept a “Self Declaration” from the data principal that he/she is not a minor and proceed to provide services meant for adults. Without verification of the declaration, this is not an effective system for protecting the privacy of minors. We therefore need a mechanism for such verification.

At DGPSI, we need to identify a suitable mechanism for organizations to identify the age of a data principal. We have in the past discussed this in these columns and recommended the use of Aadhaar as an instrument not only for creating an “Age Pass” but also for verifying the “Guardian of a minor”. (Refer to the article titled “Is there no solution for Age Gating?”)

In this context we need to discuss the recent Supreme Court judgement in the case Saroj & Ors vs IFFCO-TOKIO General Insurance Co & Ors.

An article titled “Aadhaar Card Not Suitable as proof of date of Birth: Supreme Court” was published in Live Law yesterday explaining this judgement.

We would however like to point out that the article with the above headline may not reflect the issue in the right context of “Age-Gating” for Privacy regulation, and it needs to be read in that context.

The context in which the Supreme Court decided this appeal was that the insurance company had sought a reduction of compensation based on the age of the deceased as per the Aadhaar Card versus the age of the deceased as per a school leaving certificate. There were two age documents available and they were in conflict. The choice of the reference document would have materially altered the compensation payable to the victim of an accident that had taken the life of the breadwinner of the family.

We trust that the decision of the Court has to be viewed in this context.

It is also true that, as observed by the Court, the purpose of Aadhaar is to establish the identity of the individual, and the noting of the Date of Birth is only incidental.

However, it is to be noted that Aadhaar is still the best Government document that can establish the identity of a person. The Aadhaar card issued to a minor also records the name of the guardian. Short of a Court order, it is therefore the best document of proof of the age of a minor and of the name of the guardian.

The documents which are collected for Aadhaar enrolment are listed here and indicate the documents which are used for age verification.

The enrolment documents include the Birth Certificate, Passport, Certificate issued by an Orphanage, School Leaving Certificate, Service Identity Card, Pensioner’s Card, Transgender certificate.

The Aadhaar document therefore is not an ad hoc self-declaration of date of birth but is based on documentation. The subject Supreme Court judgement was a case where there were conflicting dates in different authentic documents and the Court had to prioritize one over the other. In that context the Court chose the school leaving certificate ahead of the Aadhaar.

DGPSI, which is defining the Jurisprudence related to the DPDPA, therefore does not suggest dropping the Aadhaar-based age determination process for determining whether a data principal is a minor for the purpose of obtaining consent from the parent.

We remember that when the Supreme Court in the Afzal Guru case had held that a Section 65B certificate for digital evidence was “Not Mandatory”, Naavi had disagreed with the Court and held to his view that a Section 65B Certificate for admissibility of digital evidence was mandatory. It took several more years and the judgement in P V Anvar vs P K Basheer to correct the decision. Even subsequently, when the Shafhi Mohammad judgement appeared to disagree with our view, we held onto the view until it was validated in the Arjun Pandit Rao case. Now the IEA has been replaced with the Bharatiya Nyaaya Samhita, and the jurisprudence that “a Section 63 Certificate is mandatory for admissibility of digital evidence” holds, though the form of certification has changed a little.

Similarly, we hold onto our view on Age Verification for DPDPA purposes that an Aadhaar-based system is acceptable as a “Reasonable Measure” for the Data Fiduciary to verify age. It is not feasible for a Data Fiduciary to act as a Court in every case, asking for multiple age-proof documents and verifying them. Probably a Consent Manager can do it, and a case is made out for a specialized consent manager for minors.

At FDPPI, we can state that the data principal can provide any one of the following documents as proof of age, namely

  1. Birth Certificate
  2. Passport
  3. School Leaving Certificate
  4. Service Identity Card
  5. Pensioner’s Card

We would also like to add the PAN Card and Driving License to the above list. Obviously a court order would also have to be accommodated in this list of accepted documents. However, these documents may not be as easily verifiable as the Aadhaar data, and hence Aadhaar remains the preferred reference tool.

As we have discussed earlier, verification of age is not only a requirement for a person who has already declared himself a minor, since we do not want anonymous malicious adults in the minor community. For this purpose, we need to apply age verification to all data principals as a general rule of entry. Verification of who the guardian is remains a more complicated exercise, and at present Aadhaar is the only document (other than a court order) that has this data. The PAN card of a minor may also have this information, but there may not be as many minor PAN cards as there are minor Aadhaar cards.

To summarize, the Supreme Court judgement cited above is not a bar on the use of Aadhaar for age verification in DPDPA compliance, and Aadhaar can be one of the several ways by which a data fiduciary may satisfy himself about whether a data principal is a minor or not.

Naavi


Naavi Academy to start a Video Blog

Naavi.org has been in existence since 1998 (initially as Naavi.com) and has been providing knowledge inputs on Cyber Laws, ITA 2000 and now DPDPA. Over these 25 years, a lot of content has been accumulated on the website, though it might not have been organized properly.

Now it is intended that Naavi.org will be converted into a Video Blog, so that the content of Naavi.org will gradually be presented in short videos.

The videos will be accessible through a mobile app.

The objective of this exercise is to bring educative content on DPDPA, Data Protection and Cyber Laws in video form. So far, I have been more comfortable with written articles on naavi.org, though several videos are present in the YouTube channel youtube.com/naavi9. Naavi Academy will be a direct interaction of Naavi with students of Cyber Law and Data Protection.

Naavi Academy videos will be available through a mobile App for easy access.

This activity will mainly support the Cyber Law College and FDPPI activities of conducting Courses on Cyber Law and Data Protection.

If found feasible, some of these videos may also be grouped separately into a structured presentation for privileged access.

This is the beginning of a new phase of Naavi.org and its mission to spread knowledge. Watch out for more information…

Naavi


DGPSI Compliant Software and Incentivisation

DGPSI as a framework targets compliance with DPDPA. It can be used by Data Auditors to audit the compliance of an organization and certify it for adequate compliance. DGPSI can also be used to assess compliance maturity through the Data Trust Score (DTS), which can be used for monitoring compliance and building assurance for Data Principals.

At the same time, DGPSI also has another use for those who build Privacy Compliance technical tools such as those for “Data Discovery”, “Data Classification”, “Consent Management” etc.: it can guide the creation of “DPDPA Compliance Software Tools”.

Since DGPSI is a reflection of DPDPA, DPDPA Compliance in a technology situation is better addressed by DGPSI Compliance.

Hence Privacy Enhancement Tool (PET) developers can target DGPSI Compliance to be built into their tools and thereby achieve DPDPA Compliance. Such tools can also be audited by DGPSI auditors and certified as “DGPSI Compliant”. They can even be assigned DTS scores to indicate the level of assurance.

Naavi invites technologists to come forward and tweak their current tools to meet DPDPA compliance by achieving DGPSI Compliance through appropriate DGPSI Consultants, and to obtain a DTS Score for their tools.

The Data Auditors of FDPPI are being trained to make such assessments and provide assurance certificates for tools with a DTS score that fairly represents the ability of the tool user to meet DPDPA compliance while processing personal data using the tool.

This is a unique process and will take time to develop. The Data Auditors need to be specially trained for this purpose. But a beginning has been made and this should usher in a new era in PET development in India.

Need for Incentivisation

During the early days of HITECH Act implementation in the USA, there was an incentive scheme by the US Government to promote the use of HIPAA Compliant technology by the Health Care industry. This included a system for certification of “HIPAA Compliant Software”, the use of which would make a covered entity eligible for a subsidy. A total of $17.2 billion was distributed under this scheme over 5 years from 2009-2014, and it is believed to have contributed significantly to the adoption of technology by health care professionals. This was more relevant for individual doctors and small pharmacies, where lack of funds could have delayed the adoption of compliance technology.

It is time for India to consider a similar system to promote the use of DPDPA Compliant technology and to introduce some incentives for Data Fiduciaries, particularly in the MSME sector, to promote the use of “DPDPA Compliant Software systems” for processing personal data.

It is our desire that, before the Government introduces a system for this purpose, we have a system of evaluation of software to be certified for DPDPA Compliance. Once such a scheme is introduced, there will be many players who introduce their own DPDPA Compliance systems and promote them with aggressive marketing efforts. Naavi and FDPPI would however endeavour to make “DGPSI Compliance” the hallmark that has its own unique value.

In the upcoming training for Data Auditors in Mumbai scheduled for January 24, 25 and 26, this aspect will be discussed in greater detail. Before that training, it may also be discussed at IDPS 2024 on November 30 and December 1 at Bangalore. Watch out for details of both programs on the FDPPI website (www.fdppi.in).

Naavi
