DPDPA Rules: Which provisions will become effective now

While the DPDPA 2023 was gazetted on 11th August 2023, the notification of the date on which it comes into force is still awaited. Presently the draft rules are ready for public comment, and the industry is eager to know which provisions of the Act will become effective immediately and which will take time.

The current thinking in MeitY appears to be a two-stage implementation, with about 6 rules notified for immediate effect and the remaining 14-plus rules taking effect at some later point.

The six rules that may be notified for immediate effect are likely to be:

Short Title and Commencement
Definitions
Appointment of Chairperson and other Members
Salary, allowances and other terms and conditions of service of Chairperson and other members
Proceedings of Board and authentication of its orders, directions and instruments
Terms and conditions of appointment and service of officers and employees of Board

The other rules to be notified on a later date are as follows:

Notice to seek consent of data principal
Notice to inform of processing done where data principal has given consent before commencement of Act
Registration, accountability and obligations of a Consent Manager
Processing of Personal data for provision of subsidy, benefit, service, certificate, license or permit
Intimation of personal data breach
Time period for specified purpose to be deemed as no longer being served
Publishing of contact information of person who is able to answer questions about processing
Verifiable Consent for processing personal data of child or person with disability who has lawful guardian
Exemptions from processing of personal data of child
Measures to be undertaken by Significant Data Fiduciary
Rights of Data Principal
Exemption from Act for Research, Archiving and Statistical purposes
Techno Legal measures to be adopted by Board
Appeal

It is expected that the setting up of the DPB may take about 3 months and the remaining rules may come into effect subsequently.

There are a few more rules that are yet to be finalized and perhaps they may come up in the third set.

The exact time schedule for implementation is yet unclear and we may have to wait for the Government to complete the constitution of the DPB before a more specific time schedule can be expected.

Naavi

Posted in Cyber Law | Leave a comment

DPDPA-Rules: Publishing the Business Contact Information of DPO

It is amusing to observe that, while drafting the rules under the DPDPA, MeitY has gone overboard in using the feminine gender, which was considered a unique aspect of the drafting of the law.

In the law, the data principal who is an individual was referred to as “She” or “her” instead of the normal use of the term “he” or “him” used in other laws.

Now those who drafted the rules have gone a step further and depicted even organizations in the feminine gender.

For example, on the publishing of the business contact information of a Data Protection Officer, the draft rules circulated for discussion state:

(1) A Data Fiduciary shall-

(a) publish on her website or app or both as the case may be and

(b) intimate the data principal through in-app notification and every piece of correspondence with her, the business contact information of a person who is able to answer on behalf of the Data Fiduciary, the questions, if any raised by the Data Principal about the processing of her personal data.

(2) If the Data Fiduciary is a Significant Data Fiduciary, the business contact information published under sub-rule (1) shall be that of its Data Protection Officer.

(3) The business contact information to be published under sub-rule (1) shall be published in like manner as is provided in sub-rule (2) of rule 5 (Ed: on the home page).

In the majority of cases the Data Fiduciary is an organization, and the appropriate pronoun would have been “it”, or simply “the Data Fiduciary”.

There is one benefit, however, that has arisen from this unnatural use of the pronoun “her” for a “Data Fiduciary”. It has focused attention on the fact that even an individual can be a “Data Fiduciary” when processing personal data for non-domestic use. Hence a Data Fiduciary can, in theory, also be an individual, and the use of the pronoun “her/she” can be justified on that basis.

Leaving aside this minor observation, this rule is important as an indirect admission that “Business Contact Information” is actually “Personal Information” which the data principal, by his own choice, decides to use for business purposes.

There are many who consider Naavi9 @gmail.com to be personal information and refuse to accept it in some forms. On the other hand, naavi @naavi.org is considered an acceptable business address. This is in my view incorrect, since it is the prerogative of Naavi to hold out naavi @naavi.org as a business address or a personal address, and naavi9 @gmail.com as a personal e-mail address or a business e-mail address.

Under the DGPSI framework we have always recommended that the choice of declaring whether an e-mail address or mobile number is personal information or business information be left to the individual, and many companies have started accepting this argument and incorporating it in their personal information gathering exercise.

I hope that the use of “her/she” for a Data Fiduciary, and of “her” for the business contact information of a DPO, confirms that “Business Contact Information” can contain a personal name as part of the e-mail address.

More discussions will follow.

Naavi

Posted in Cyber Law

DPDPA Rules-Data Breach Notification

Data breach notification is an important aspect of compliance with any data protection law. DPDPA 2023 also requires notification both to the DPBI and to the Data Principal in the event of a data breach.

The DPDPA 2023 Act had simply stated that in the event of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal intimation of such breach in such form and manner as may be prescribed. The DPDPA rules now expand on this requirement.

The rules prescribe that as soon as the Data Fiduciary becomes aware of a data breach, an intimation has to be sent immediately to the DPBI with preliminary information including:

(a) a description of the breach, including its nature
(b) the date and time when the Data Fiduciary became aware of the breach
(c) the timing or duration of occurrence of the breach
(d) the location where the breach occurred
(e) the extent of the breach, in terms of the nature and quantum of data involved; and
(f) the potential impact of the breach

Within the next 72 hours the Data Fiduciary needs to file a second report with details of the breach; the DPBI is expected to provide suitable submission forms on its website for the purpose. In this second report the broad facts relating to the events, circumstances and reasons leading to the breach need to be revealed, along with the remedial measures taken.

Additionally, information has to be given to the data principal, which should describe the breach as it affects that specific data principal. The rule appears to avoid specifying the time period within which this intimation has to be provided to the data principal.

Perhaps MeitY should either indicate that the 72-hour time limit specified for intimation to the DPBI also applies to the intimation to the data principal, or specify a longer duration.

If more time is needed to report the breach because a detailed investigation is required, the data fiduciary may seek additional time from the DPBI after the second report.
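The two-stage reporting timeline described above can be tracked as a small incident-response aid. The following Go program is an added example and is not part of this post, of the draft rules, or of the DGPSI framework; the struct and function names, the status wording, the sample incident and the per-principal notice format are all this example's own assumptions (the draft rules prescribe the six items and the 72-hour window, but no form). It reports which of the prescribed items (a) to (f) are still missing from the immediate intimation, computes the 72-hour deadline for the second report, and drafts the intimation to an affected data principal from the same record.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// PreliminaryIntimation holds the six items (a) to (f) that the draft rules list
// for the immediate first report to the DPBI. Field names are this example's own.
type PreliminaryIntimation struct {
	Description string    // (a) description of the breach, including its nature
	AwareAt     time.Time // (b) when the Data Fiduciary became aware of it
	Occurrence  string    // (c) timing or duration of the breach
	Location    string    // (d) where the breach occurred
	Extent      string    // (e) nature and quantum of data involved
	Impact      string    // (f) potential impact
}

// MissingItems lists the prescribed items still absent, in rule order, so the
// incident lead can see what is holding up the immediate intimation.
func (p PreliminaryIntimation) MissingItems() []string {
	var missing []string
	check := func(label, value string) {
		if strings.TrimSpace(value) == "" {
			missing = append(missing, label)
		}
	}
	check("(a) description", p.Description)
	if p.AwareAt.IsZero() {
		missing = append(missing, "(b) time of awareness")
	}
	check("(c) timing/duration", p.Occurrence)
	check("(d) location", p.Location)
	check("(e) extent", p.Extent)
	check("(f) potential impact", p.Impact)
	return missing
}

// SecondReportDue is the deadline for the detailed report: 72 hours from awareness.
func SecondReportDue(awareAt time.Time) time.Time {
	return awareAt.Add(72 * time.Hour)
}

// ReportingStatus tells where the 72-hour clock stands at the given moment.
func ReportingStatus(awareAt, now time.Time, secondFiled, extensionGranted bool) string {
	due := SecondReportDue(awareAt)
	switch {
	case secondFiled:
		return "second report filed"
	case !now.After(due):
		return fmt.Sprintf("second report due in %s", due.Sub(now).Round(time.Minute))
	case extensionGranted:
		return "72h window passed; operating under additional time granted by the DPBI"
	default:
		return "OVERDUE: seek additional time from the DPBI"
	}
}

// AffectedPrincipal is one data principal and the categories of their data involved.
type AffectedPrincipal struct {
	ID        string
	DataItems []string
}

// PrincipalNotice drafts the intimation to one data principal from the breach
// record, keeping only what concerns that principal. The wording is constructed
// here; the draft rules prescribe no format.
func PrincipalNotice(p PreliminaryIntimation, a AffectedPrincipal) string {
	return fmt.Sprintf("To %s: a breach (%s) occurring %s affected your %s. Potential impact: %s.",
		a.ID, p.Description, p.Occurrence, strings.Join(a.DataItems, ", "), p.Impact)
}

func main() {
	// Constructed sample incident, not a real event.
	aware := time.Date(2024, 10, 7, 9, 30, 0, 0, time.UTC)
	rec := PreliminaryIntimation{
		Description: "credential-stuffing access to the customer portal",
		AwareAt:     aware,
		Occurrence:  "between 02:00 and 04:15 on 7 Oct 2024",
		Location:    "customer portal database",
		Extent:      "names and mobile numbers of about 1,200 customers",
	}
	fmt.Println("still missing from first intimation:", rec.MissingItems())
	fmt.Println("second report due:", SecondReportDue(aware))
	fmt.Println(ReportingStatus(aware, aware.Add(50*time.Hour), false, false))
	rec.Impact = "phishing and SIM-swap risk for affected customers"
	fmt.Println(PrincipalNotice(rec, AffectedPrincipal{"DP-0042", []string{"name", "mobile number"}}))
}
```

Because the rules leave the time limit for the data principal unspecified, the example ties nothing to it; a fiduciary that adopts the 72-hour limit for that notice as well, as suggested above, would apply SecondReportDue to it unchanged.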

As of now, every data breach under the DPDPA is also a data breach under ITA 2000, and hence reporting to CERT-In as per the CERT-In guidelines will also be required.

Naavi

Posted in Cyber Law

DPDPA Rules: How will legacy data consent be handled?

According to DPDPA 2023, consent is to be obtained even for applicable personal data collected by a Data Fiduciary before the commencement of the Act as notified. Hence identifying such data and issuing notices to the data principals concerned is one of the key activities of data fiduciaries.

The proposed rules are expected to provide for this purpose:

Notice to inform of Processing done where the Data Principal has given consent before commencement of Act:

(1) Where a Data Principal has given her consent for the processing of her personal data before the commencement of the Act, the data fiduciary shall as soon as it is reasonably practicable, give to the Data Principal a notice, in the following manner, namely:-

(a) The notice shall be made in like manner as is provided for a notice to seek consent and shall be understandable independently of any other information that has been made available by such data fiduciary; and

(b) The notice shall inform, in clear and plain language, the details necessary to enable her to exercise the Rights of the Data Principal, including-

(i) Such minimum details as are required in respect of a Notice to seek consent; and

(ii) a description of the goods or services (including the offering of any service) that were provided, or the uses that were enabled, as a result of such processing.

(2) A Data Fiduciary may use a Consent Artifact for the purpose of giving the notice to inform of processing done.

The rule is silent on how the Data Fiduciary is to handle situations where the notice cannot be given for lack of contact information, where the notice is returned undelivered, or where the recipient is silent on whether the processing may continue.

Under DGPSI, we prescribe that appropriate measures to meet these contingencies be built into the Consent Artifact itself.

It would be interesting to see how other frameworks (if any) address this issue.

Naavi

Posted in Cyber Law

Will a Copy of draft Notice be part of the rules?

In one of the versions of the draft DPDPA rules under circulation, the Government is expected to provide a template notice for consent.

Accordingly a model notice as follows is expected to be part of the notification.

It is suggested that the above model notice could form part of a “Consent Artifact” under rule 3(4), and hence it is likely to be adopted mutatis mutandis by data fiduciaries and used to automate consent. This could lead to inadequate consent and should be subject to some human oversight. It may also be necessary for users to fine-tune the format given as a “model”.

One observation is that this model does not follow the principle of “Purpose Segregation”: it suggests one notice and one consent for multiple purposes such as “Registration”, “receiving of payments” etc. It does not take into account the needs of a data principal who only wants to register today but is not ordering anything or making any payments.

The notice does, however, suggest the segregation of data elements with different retention requirements, as DGPSI has suggested. This needs to be factored into the consent management system.

The model notice suggests a hyperlinked form for withdrawal of consent and for filing a grievance with the Data Fiduciary as well as the DPBI and for saving a copy of the notice.

The model suggests notifying the right to “Nominate”, ignoring the provision of ITA 2000 [Section 1(4)].

The model form presents “Erasure” as a right without clarifying that it is “subject to other legal requirements to preserve the data”, which is mentioned in the rule.

The lack of integration of the rule in this regard with ITA 2000 as it exists now is apparent here.

Under the DGPSI framework we also recommend adding one line reminding the data principal of their “Duties”; this is missing in the model notice.

It is apparent that the model notice is designed as a web form and has to end with a “Click” which should say “I accept”, converting the notice into a consent contract. The need for proper authentication of the consent needs to be addressed by the Data Fiduciary; there is no mention in rule 3 of how the notice needs to be authenticated.

Regarding the rule on erasure, rule 3(5) is ambiguous as it states:

“The Data Fiduciary shall maintain every notice relating to processing of personal data on the basis of consent given by the Data Principal till the expiry of such period, beyond the date of erasure of such personal data, as may be applicable by law to limitation on the institution of any suit, filing of any appeal or making of any application in relation to such personal data”.

It should be noted that the consent, along with the data collected for consent, needs to be retained both for the legal rights of the data fiduciary and for legal obligations under laws like ITA 2000, where some information has to be kept for 6 months or 5 years. It would not suffice to preserve only the notice; the data also has to be preserved. The rules as available miss this point.

Under rule 3(1), it is stated as follows:

3. Notice to seek consent of Data Principal: (1) Every request for consent made to the data principal shall be accompanied or preceded by a notice given by the Data Fiduciary to such Data Principal, in the following manner, namely:-

(a) The notice shall be so made that it is –

(i) an electronic record or document presented independently of any other information that is or may be made available by such data fiduciary;

(ii) understandable independently of any other information that is or may be made available by such data fiduciary

(iii) storable by the data fiduciary independently of the personal data to which such notice pertains; and

(iv) easily storable or preservable by the data principal for future reference and

(b) The notice shall inform, in clear and plain language, the details necessary to enable her to give specific and informed consent for the processing of her personal data, which shall include, at the minimum,

(i) an itemised description of such personal data

(ii) the specific purpose of such processing

(iii) a declaration that only such personal data is proposed to be processed as is necessary for the purpose

(iv) a description of the goods or services (including the offering of any service) to be provided, or the uses to be enabled, as a result of such processing;

(v) the specific duration or point in time till which such personal data shall be processed

(vi) a list of the Rights of the Data Principal

(vii) the particular communication link for accessing the website or app, or both, of such data fiduciary using which such data principal may withdraw her consent, exercise the rights of the data principal or make a complaint to the Board, and a description of other means, if any, using which she may so withdraw, exercise such rights or make a complaint.

It is clear from the above that the notice and consent are expected to be obtained in electronic form. The possible legal conflict with ITA 2000 regarding the validity of digitally signed electronic contracts, or the cancellation of the mandate on the death of an individual in the case of nomination, has been ignored, as was expected.

Though a Data Fiduciary which is the State has the right to use the “Legitimate use” basis for processing personal data in situations like the provision of subsidy, benefit or service, rule 3(2) mentions the need for notice and consent. This could introduce a needless conflict between “Consent” and “Legitimate use” as two different ways of establishing the legal basis.

In summary, the rule regarding “Notice and Consent” will continue to pose some implementation challenges which need to be addressed by Data Fiduciaries. Notably, these have already been anticipated and factored into the DGPSI framework in its detailed implementation manual.
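The points raised in this post on purpose segregation, per-element retention, a notice that is storable independently of the data, withdrawal per purpose, and the rule 3(5) retention of the notice beyond erasure can be expressed as a data model. The following Go program is an added example and is not code from this post, from the draft rules, or from the DGPSI framework; its types, function names, the sample principal and the withdrawal URL are this example's own assumptions. It records consent separately for each purpose, so that a visitor who registers today but declines the payments purpose is handled, checks every processing request against the purpose, the data item, withdrawal and retention, and computes how long the notice must outlive the erased data.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Purpose is one specific purpose with its own data items, retention period and
// consent flag, so a principal can agree to one purpose and decline another.
type Purpose struct {
	Name      string
	DataItems []string
	Retention time.Duration // how long data for this purpose is kept after consent
	Consented bool
	Withdrawn time.Time // zero value while the consent stands
}

// ConsentArtifact is kept apart from the personal data it covers and carries
// the notice text the principal actually saw, plus the withdrawal link.
type ConsentArtifact struct {
	PrincipalID  string
	NoticeText   string
	WithdrawLink string
	GivenAt      time.Time
	Purposes     []Purpose
}

// Validate rejects artifacts that cannot satisfy the notice requirements.
func (c ConsentArtifact) Validate() error {
	switch {
	case c.NoticeText == "":
		return errors.New("notice text must be stored with the artifact")
	case c.WithdrawLink == "":
		return errors.New("withdrawal link missing")
	case len(c.Purposes) == 0:
		return errors.New("no purpose recorded")
	}
	for _, p := range c.Purposes {
		if len(p.DataItems) == 0 || p.Retention <= 0 {
			return fmt.Errorf("purpose %q lacks data items or a retention period", p.Name)
		}
	}
	return nil
}

// purpose looks up one purpose by name, or returns nil.
func (c *ConsentArtifact) purpose(name string) *Purpose {
	for i := range c.Purposes {
		if c.Purposes[i].Name == name {
			return &c.Purposes[i]
		}
	}
	return nil
}

// MayProcess is the check a processing system runs before touching an item: the
// purpose must be consented, not withdrawn, cover the item, and be within retention.
func (c *ConsentArtifact) MayProcess(purposeName, item string, now time.Time) bool {
	p := c.purpose(purposeName)
	if p == nil || !p.Consented || !p.Withdrawn.IsZero() || now.After(c.GivenAt.Add(p.Retention)) {
		return false
	}
	for _, d := range p.DataItems {
		if d == item {
			return true
		}
	}
	return false
}

// Withdraw records withdrawal for one purpose only; other purposes keep running.
func (c *ConsentArtifact) Withdraw(purposeName string, at time.Time) error {
	p := c.purpose(purposeName)
	if p == nil || !p.Consented {
		return fmt.Errorf("no consent on record for %q", purposeName)
	}
	p.Withdrawn = at
	return nil
}

// NoticeRetainUntil: under rule 3(5) the notice outlives the data, until the
// limitation period for suits, appeals or applications has run from erasure.
func NoticeRetainUntil(erasedAt time.Time, limitation time.Duration) time.Time {
	return erasedAt.Add(limitation)
}

// NewSampleArtifact builds a constructed artifact for a visitor who registered
// but declined the payments purpose (the registration-only case discussed above).
func NewSampleArtifact(givenAt time.Time) *ConsentArtifact {
	return &ConsentArtifact{
		PrincipalID:  "DP-0042", // constructed identifier
		NoticeText:   "We collect your name and e-mail address to create your account.",
		WithdrawLink: "https://example.invalid/consent/withdraw", // placeholder URL
		GivenAt:      givenAt,
		Purposes: []Purpose{
			{Name: "registration", DataItems: []string{"name", "email"}, Retention: 365 * 24 * time.Hour, Consented: true},
			{Name: "payments", DataItems: []string{"card-last4", "billing-address"}, Retention: 180 * 24 * time.Hour},
		},
	}
}
```

The artifact stores nothing but the notice text and the consent decisions, so it can be preserved after the personal data itself is erased; the processing check consults the artifact rather than the data store, which is what makes per-purpose withdrawal enforceable.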

More discussions will follow.

Naavi

Posted in Cyber Law

Consent Manager and Account Aggregator

When the rules under the DPDPA are released, apart from the definition of Significant Data Fiduciary, industry will be keenly looking at the rules relating to the “Consent Manager”.

This is one area where Naavi may have divergent views from one section of professionals who think that the current Account Aggregator (AA) scheme under DEPA, as used by RBI, is good enough to be adapted to the DPDPA. Obviously the 14 licensed Account Aggregators would be happy to be presented with an additional opportunity to expand their current business.

The system of AAs is currently built as an “Intermediary” under ITA 2000, subject to the provisions of Section 79 of ITA 2000. These AAs hold the consent of individuals to “fetch and share” their personal information from a set of approved “Data Providing Agencies” or “Financial Information Providers (FIP)” to a set of “Data Requesting Agencies” or “Financial Information Users (FIU)”, through a technical exchange process that can be triggered by the requester. The system operates through an AA platform. The platform is a data routing platform and should not give the AA any access to the data. Data should flow directly from the FIP to the FIU, and the role of the AA is only to open the gate when a request is made, after ensuring that it has the permission of the individual subscriber to its service.

Under the DPDPA, the Consent Manager is a Data Fiduciary licensed under the DPDPA. Hence current AAs who want to act as Consent Managers need to obtain an additional licence under the DPDPA. The procedure for AA licensing There are many agencies trying to assist organizations through this process of registration.

If any of the licensed AAs register themselves as a “Consent Manager - Data Fiduciary”, it would amount to a diversification of their current business and therefore may in principle violate the terms of their licence. Whether this is permitted under RBI’s current AA registration is not clear.

Since AAs will now also come under the DPDPA, unless they declare and obtain a “Conformity Assessment Certificate” to the effect that they have no access to identifiable personal information, they will be subject to all the compliance requirements of a Significant Data Fiduciary.

They will therefore be subject to “Continuing Consent” for existing data principals as per DPDPA unless they are exempted.

If, however, the AAs have established their systems as envisaged under the AA scheme without any deviation, they may claim exemption from the DPDPA provisions since they may not process identifiable personal data.

This could, however, become a point of contention at some point in future if a data breach exposes the stream of data flowing through the system to a hacker attack. If the FIP and FIU use their own encrypted channel as they are supposed to, using an approved digital signature system, then the responsibilities of the AA remain those of an intermediary and do not extend to those of a data fiduciary.
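The data flow described above, with the AA as a gatekeeper that opens the gate on the strength of recorded consent but never sees the data, can be demonstrated end to end. The following Go program is an added example and is not the code or protocol of any Account Aggregator, of DEPA, or of RBI; the message layout, the key-derivation step and the party and consent identifiers are this example's own assumptions. The FIP encrypts a record to the FIU's key and signs the envelope, the AA checks its consent register and forwards the opaque envelope, and the FIU verifies the FIP's signature before decrypting; a byte altered in transit or an expired consent stops the flow.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"time"
)

// Envelope is all the AA platform ever sees: ciphertext plus public values.
type Envelope struct {
	ConsentID    string
	EphemeralPub []byte // FIP's one-time ECDH public key
	Nonce        []byte
	Ciphertext   []byte // AES-GCM output, auth tag included
	Signature    []byte // FIP's ECDSA signature over the fields above
}

// Consent is the AA's only record: who permitted which flow, never the data itself.
type Consent struct{ Principal, FIP, FIU string; Expiry time.Time }

type FIP struct{ signKey *ecdsa.PrivateKey } // long-term signing key
type FIU struct{ dhKey *ecdh.PrivateKey }    // long-term key-agreement key
type AA struct{ consents map[string]Consent } // holds consents, never keys or data

// digest is the value the FIP signs and the FIU verifies.
func digest(e *Envelope) []byte {
	h := sha256.New()
	for _, part := range [][]byte{[]byte(e.ConsentID), e.EphemeralPub, e.Nonce, e.Ciphertext} {
		h.Write(part)
	}
	return h.Sum(nil)
}

// aead derives the record key from the ECDH shared secret.
func aead(shared []byte) cipher.AEAD {
	key := sha256.Sum256(shared) // simplified KDF; production code would use HKDF with context
	block, _ := aes.NewCipher(key[:])
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Seal: the FIP encrypts a record to the FIU's key and signs the envelope.
func (f *FIP) Seal(consentID string, fiuPub *ecdh.PublicKey, record []byte) (*Envelope, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	shared, err := eph.ECDH(fiuPub)
	if err != nil { return nil, err }
	gcm := aead(shared)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	e := &Envelope{ConsentID: consentID, EphemeralPub: eph.PublicKey().Bytes(), Nonce: nonce}
	e.Ciphertext = gcm.Seal(nil, nonce, record, []byte(consentID)) // consent id bound as AAD
	e.Signature, err = ecdsa.SignASN1(rand.Reader, f.signKey, digest(e))
	return e, err
}

// Route: the AA checks consent and forwards the opaque envelope; it cannot decrypt it.
func (a *AA) Route(e *Envelope, fip, fiu string, now time.Time) error {
	c, ok := a.consents[e.ConsentID]
	if !ok || c.FIP != fip || c.FIU != fiu { return errors.New("no matching consent on record") }
	if now.After(c.Expiry) { return errors.New("consent expired") }
	return nil
}

// Open: the FIU verifies the FIP's signature, derives the shared key and decrypts.
func (u *FIU) Open(e *Envelope, fipPub *ecdsa.PublicKey) ([]byte, error) {
	if !ecdsa.VerifyASN1(fipPub, digest(e), e.Signature) {
		return nil, errors.New("signature check failed: not from the FIP or altered in transit")
	}
	ephPub, err := ecdh.P256().NewPublicKey(e.EphemeralPub)
	if err != nil { return nil, err }
	shared, err := u.dhKey.ECDH(ephPub)
	if err != nil { return nil, err }
	return aead(shared).Open(nil, e.Nonce, e.Ciphertext, []byte(e.ConsentID))
}

// RunFlow wires the three parties on constructed sample data; tamper flips one
// ciphertext byte in transit to show the FIU rejecting the envelope.
func RunFlow(tamper bool, now time.Time) (string, error) {
	fipKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	fiuKey, _ := ecdh.P256().GenerateKey(rand.Reader)
	fip, fiu := &FIP{fipKey}, &FIU{fiuKey}
	aa := &AA{map[string]Consent{"c-001": {"principal-x", "bank-a", "lender-b", time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)}}}
	env, err := fip.Seal("c-001", fiuKey.PublicKey(), []byte("acct 1234: balance INR 50,000")) // constructed record
	if err != nil { return "", err }
	if err := aa.Route(env, "bank-a", "lender-b", now); err != nil { return "", err }
	if tamper { env.Ciphertext[0] ^= 0x01 }
	pt, err := fiu.Open(env, &fipKey.PublicKey)
	return string(pt), err
}
```

The AA holds only the consent register and no keys, which is the property the post says should hold for it to remain an intermediary; the signature check at the FIU is what makes alteration in transit detectable, and a real deployment would replace the bare SHA-256 key derivation with HKDF and bind the FIP's signing key to its identity through a certificate.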

I am not fully aware of how the different AAs have structured their IT architecture, and hence I request those of you having the information to share the data security features in the AA system. In particular, any of you may confirm whether there is a digital signature based data encryption system between FIP and FIU.

I look forward to clarification from any of you who is aware.

Naavi

Posted in Cyber Law