Was the Odisha Train Accident Cyber Terrorism?

There is a distinct reason to believe that the Odisha Balasore train tragedy was caused either by an error in the signalling system or by an error in the points-shifting system. The net result was that the Coromandel Express changed tracks when it was not supposed to and rammed into a stationary goods train. Some of the derailed bogies fell on the neighbouring track and caused the Bangalore-Howrah Express to derail.

The signalling system as well as the points-change mechanism are driven by electronic signals, though the points can also be disturbed manually.

With the points engineer absconding and the CBI enquiry under way, it appears that malicious manipulation of the system resulting in the crash is a distinct possibility.

It is therefore considered that the case should also be registered under Section 66F of ITA 2000 and tried.

Naavi

Posted in Cyber Law

CRITEO penalty EUR 40m: CNIL needs to introspect

On June 15, CNIL, the French supervisory authority under GDPR, imposed a penalty of EUR 40 million on CRITEO for failing to verify that the persons whose data it processed had given their consent. This is yet another GDPR case in which a substantial fine has been imposed for an incident which is not a “Data breach”.

The moot point for professionals and the industry to consider is whether this incident represents any harm to the individual. It appears that the only harm that has been caused is through the display of personalized advertising when a user is browsing the Internet. Even this harm is speculative on the part of CNIL, since the penalty is not based on a complaint from any end user but from habitual protesters like None of Your Business (NOYB).

CRITEO is an organization which is engaged in “Behavioural Profiling” of individuals to identify their buying habits so that personalized targeted advertising can be provided to them. For this purpose it places cookies on e-commerce sites and gathers information which is later used for delivering advertising. Their activity is well explained by the following diagram published by CNIL.

The action of CNIL in penalizing this activity is a clear assault on the advertising industry which is unfair and disproportionate.

The decision to impose the penalty has been based on two aspects namely “Lack of evidence of the consent of the individuals to the processing of their data” and “Transparency”.

The activity of CRITEO results in the display of the most relevant advertising to the browser when a data subject is visiting a website of his choice (if that website owner has contracted with CRITEO for delivery of advertising). This enables the website to monetize the content and deliver it free or at a subsidized rate to the user. If the website does not use such a service, it will be displaying random advertisements which have no relevance to the user, or charging a hefty fee for the content. That would be an irritation to the user and a waste of resources.

However, targeted advertising enhances the value of the content since it provides additional information, though it is piggybacking on the content space. CNIL acknowledges that the business model of the company “relies exclusively on its ability to display to Internet users the most relevant advertisements”. If so, it is difficult to understand why CNIL should have an objection.

Unless CNIL can prove that CRITEO’s behavioural profiling is completely ineffective and causes annoyance to the user while he is engaged in some productive content consumption, CNIL cannot consider that any harm was caused to the individual. In fact, by avoiding the serving of unrelated advertisements, the service has made the journey of the browser through the content more pleasant and useful.

The fundamental premise that any behavioural monitoring and any advertising is harmful is wrong, and CNIL has to re-think its attitude to advertising.

The detailed report, as found here, also indicates that in many cases where profiling was done through cookies, the company did not have the “Name of the individual user”. But CNIL considered that the data was sufficiently accurate to re-identify individuals in some cases.

This betrays the fact that the argument of CNIL was hollow and that the information collected by CRITEO may not constitute “Information that may be identifiable to an individual”. If some information is identifiable to an IP address or an unknown Netizen, it is improper to classify it as “Individually identifiable information”.

It is clear that CNIL has simply considered that the business of CRITEO is related to “Advertising” and any information collected for “Advertising” is an infringement of Privacy.

CNIL needs to introspect on its understanding of the concept of advertising. It may also be necessary for the advertising industry to undertake a global campaign to promote the view that advertising is not to be considered an enemy of GDPR.

The decision on CRITEO was supported, by reference, by all 29 EU supervisory authorities, and hence this is considered a collective view of all GDPR authorities; the fallacy of the argument needs to be exposed.

One of the allegations is an infringement of Article 7.1 of GDPR, because the CRITEO tracker cannot be placed on the user’s terminal without their consent. The cookie was placed when the user visited some of the partner sites. These partner sites normally have a consent for visiting the website which includes a clause to the effect …

“The content you may visit on this website may contain third party advertisements who may have their own privacy policies”.

This declaration makes the advertisers authorized associates of the content website, and the fact that there is a commercial exchange of consideration between the website and the advertiser further validates that they are together in the display of advertisements, along with its pros and cons.

Further, the cookie policies of the content website take consent for “Essential Cookies” and “Non-Essential Cookies”. Advertising cookies come under the category of “Non-Essential Cookies”.

Perhaps what the CNIL decision suggests is that content owners need to have a new sub-classification of “Advertising Cookies” and provide an option for the user to reject it, in which case the website should disable the display of the advertisements.

This is technically possible, but it is a disproportionate security measure suggested for a non-existent harm.

CNIL observes that the contracts concluded by CRITEO with its partners did not contain any clause obliging them to provide proof of Internet users’ consent to CRITEO. In addition, the company had not undertaken any audit campaign of its partners prior to the initiation of the procedure by CNIL. These are compliance shortfalls which could have been addressed through a corrective measure for the future rather than by imposing a disproportionate fine.

For the record, CNIL also alleged that there were deficiencies in the privacy policy, which did not disclose all the intended uses of the information collected; that the information provided when data subjects exercised their right of access should have been more elaborate; and that the right to withdraw consent was given effect only in the form of stopping the advertisement and not deletion of the data collected. These appear to be peripheral deficiencies added for additional effect.

CNIL also commented that when a data erasure request was received, the company would determine on a case-by-case basis whether there was a legal basis for continued processing, as if this were a wrong process. In this context, CNIL appears to be opposing the right of CRITEO to exercise its legitimate interest and legal obligations, if any, before erasing the information. Once the advertisement is stopped, the erasure is a procedural aspect that needs to take into account certain other requirements of the organization, including its billing requirements, settlement of disputes regarding billing, etc., and it is unfair to expect an automated deletion.
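The three mechanisms discussed above (an “Advertising Cookies” sub-category that the user can reject, proof of consent that a partner site can pass to its advertising vendor, and withdrawal that stops the advertising and erases the collected data) can be put together in a few lines. This is an added illustration, not code from CRITEO, CNIL or any partner site; the category names, the record fields and the 13-month maximum age of a consent record are assumptions.

```javascript
// Added example: a minimal consent model in which "advertising" is a sub-category of
// non-essential cookies, the tracker cookie and personalized ad tag are used only with
// proof of opt-in, and withdrawal both stops the advertising and erases the profile.
// Category names and the 13-month retention window are assumptions for illustration.

const NON_ESSENTIAL = ["analytics", "advertising"];
const MAX_CONSENT_AGE_MS = 13 * 30 * 24 * 3600 * 1000; // assumed validity of a consent record

// Partner-site side: record what the user chose. Opt-in only: a category that is not
// explicitly set to true is treated as refused; essential cookies need no consent.
function buildConsentRecord(choices, policyVersion, now = Date.now()) {
  const granted = { essential: true };
  for (const cat of NON_ESSENTIAL) granted[cat] = choices[cat] === true;
  return { granted, policyVersion, timestamp: now, withdrawnAt: null };
}

// Vendor side: the record proves advertising consent only if advertising was opted in,
// the consent has not been withdrawn, and the record is not stale.
function advertisingConsentProven(record, now = Date.now()) {
  if (!record || record.withdrawnAt != null) return false;
  if (record.granted.advertising !== true) return false;
  return now - record.timestamp <= MAX_CONSENT_AGE_MS;
}

// Without proven consent, the tracker cookie is not set and the personalized ad tag is
// not loaded; the slot can still be filled with contextual (non-profiled) advertising.
function adDeliveryPlan(record, now = Date.now()) {
  return advertisingConsentProven(record, now)
    ? { setTrackerCookie: true, loadAdTag: true, mode: "personalized" }
    : { setTrackerCookie: false, loadAdTag: false, mode: "contextual" };
}

// Withdrawal: mark the record withdrawn and erase the stored profile, rather than
// merely stopping ad display. profileStore is any Map-like store keyed by tracker id.
function withdrawAdvertisingConsent(record, profileStore, trackerId, now = Date.now()) {
  const updated = {
    ...record,
    granted: { ...record.granted, advertising: false },
    withdrawnAt: now,
  };
  const erased = profileStore.delete(trackerId);
  return { record: updated, erased };
}

// Constructed sample run (not real data).
const store = new Map([["trk-123", { interests: ["shoes"] }]]);
const rec = buildConsentRecord({ advertising: true }, "policy-v3", 1000000);
console.log(adDeliveryPlan(rec, 1060000).mode); // personalized
console.log(withdrawAdvertisingConsent(rec, store, "trk-123").erased); // true
```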

CNIL has forgotten the fundamental reason for the existence of GDPR, which is to prevent harm to an individual; if no such harm is caused, there should be reasonable tolerance of the procedures used for compliance.

It is necessary for CNIL to consider itself as an organization that works for the improvement of the Privacy eco-system rather than an organization that wields a stick to collect revenue.

CNIL has also pointed out that the contract between CRITEO and some of its partners could be found defective since it did not recognize “Joint Data Controller Status”. This is a valid observation and indicates the ignorance of many data controllers. However, this is part of the educative process and needs to be given some time for implementation.

In every such case, it is the duty of CNIL to provide for implementation of corrective measures rather than take pride in imposing large penalties.

We urge the EU supervisory authorities in general and CNIL in particular to consider whether, through such decisions, they are hurting innovation in data science and the productive use of data for advertising, which is not an enemy of the Internet.

By taking such an unreasonably tough stance, the cost of the Internet will increase and the burden will have to be borne by the public. Hence such decisions are unproductive for the community.

In the era of AI and Data Science, the attitude of CNIL appears regressive.

I invite a debate on this aspect of “Relevance of Advertising based on Behavioural Profiling”.

Naavi

Also Refer: EDPB Decision on noyb complaint against Meta is ultra-vires its authority and unfair | Naavi.org

Posted in Cyber Law

FDPPI-DNV Course on Data Protection gets underway

FDPPI, in association with DNV, launched the second Joint Certification Course on Data Protection yesterday, June 17, 2023.

Naavi, during the day’s proceedings, not only highlighted how the concept of Privacy has been evolving in India through Supreme Court judgements, but also pointed out how the 23-year-old ITA 2000 itself is the current data protection law in India.

The concept of adapting ITA 2000 to the current data protection law requirement marks the uniqueness of Naavi’s jurisprudence on ITA 2000. The net impact is that, whatever time the Government takes in passing the DPDPB 2022, the law is already recognized under ITA 2000 and the Adjudicators can very well take on the responsibility of a regulator of personal data protection in India.

The program will continue today with a discussion on DPDPB 2022 and will be followed next weekend by discussions of other global laws before getting into the discussion on the PDPCSI Audit framework.

The motto of the program is to take professionals towards becoming Data Auditors in India.

Naavi

Posted in Cyber Law

One More Day - Be a Super Specialist in Data Protection

You have heard about CIPP, DCPLA or CDPSE. Each certification has a value. Each has the objective of making you conversant with some aspect of Data Protection. But FDPPI-DNV’s CDPP program is different. If it is supplemented with FDPPI-CLC’s CCLP, it is even better.

The CDPP-CCLP program of FDPPI is a one-of-a-kind program that imparts expertise in Indian Data Protection laws, past, present and future; key global Data Protection laws of the present; and Indian Cyber Laws, past, present and future.

The program is conducted through virtual interaction as well as through recorded sessions.

An option is provided to take a participation certificate without taking the examination. If the online examination is successfully completed, participants can get the fully empowered certificate. The examination will be online and proctored.

The faculty will be Naavi, one of the veteran teachers of Cyber Law and Data Protection in India.

The curricula for the two courses are given below.

FDPPI-DNV Data Protection Program
FDPPI-CLC Cyber Law Program

The schedule for the programs is as follows:

FDPPI-DNV Data Protection Program:
10.30 am to 1.30 am on June 17, 18; June 24, 25; July 1, 2; July 8, 9.
Recorded sessions would be made available, including some from outside the sessions on these days. Total video content would be more than 30 hours.

FDPPI-CLC Cyber Law Program:
Recorded videos for 14 hours, plus interactive sessions between 3.30 pm and 5.00 pm on June 17, 24; July 1, 2.

The fees for the programs are as follows:

Type                                                                   | FDPPI-DNV Data Protection Program | FDPPI-CLC Cyber Law Program      | Both Programs together
Participation only                                                     | 35000                             | 6000                             | 40000
Examination                                                            | 6000                              | 2000                             | 7000
Participation with Examination                                         | 40000                             | 7000                             | 45000
Basic Membership of FDPPI worth Rs 6000                                | Complimentary                     | Rs 5000 (valid for next 1 month) | Complimentary
Entry in the Indian National Register of Data Protection Professionals | Complimentary                     | Rs 3000/-                        | Complimentary

All prices are inclusive of GST.

Link for payment: (Choose the appropriate amount)

Kindly complete the form with the required information:


Posted in Cyber Law

Roundtable on Impact of DPDPB 2022 on Health Sector

Foundation of Data Protection Professionals, the premier Data Protection organization in India, of the professionals and by the professionals for the Data Protection eco-system, is organizing a Roundtable discussion on DPDPB 2022 and its impact on the Healthcare sector in Bangalore on 10th June.

The event is a physical event and participation is by invitation.

However, the event will be broadcast live for the benefit of people outside Bangalore in the Live section of the YouTube channel at https://www.youtube.com/naavi9 (kindly click on the Live link).

Several senior persons from the industry are expected to participate in the event and share their thoughts.

Currently, the Indian Healthcare sector, including hospitals, is required to be compliant with ITA 2000, and Section 43A requirements more specifically, since health data generated by these organizations is considered “Sensitive Personal Data”. DPDPB 2022 is likely to bring in some modifications to these regulations, which should be in place in the next few months.

The event will debate the concerns of the industry and also set up an SIG on the sectoral implications of DPDPB 2022 for the Healthcare sector to take the discussion forward.

Naavi

Posted in Cyber Law

Dual Specialization CDPP Plus CCLP

FDPPI (Foundation of Data Protection Professionals in India) has launched a unique dual-specialization certification program for creating super specialization in Data Protection. The FDPPI-DNV program will lead to the CDPP (Certified Data Protection Professional) certificate and the FDPPI-CLC program will lead to the CCLP (Certified Cyber Law Professional) certificate.

See all the details here:

Posted in Cyber Law