FDPPI and Manipal Law School Round Table on DPDPB 2023

Yesterday (3rd August 2023), the Government introduced the Digital Personal Data Protection Bill 2023 (DPDPB 2023) in the Parliament.

As expected, there were technical objections to the introduction from opposition members, some of whom wanted it referred to a standing committee and objected to its presentation as a Finance Bill. Objections were also recorded on there being no provision for compensation for the data principal and on the amendment to the Right to Information Act. The minister clarified that the Bill was being presented as a general bill.

Subsequently the Speaker put the objections to the tabling of the Bill to vote, and the House, by voice vote, overruled the objections. The Bill was therefore tabled and will be taken up for discussion some time later in the session.

The official copy of the Bill is now available at the PRS India website. The Bill has also been presented at www.dpdpa.in for easy viewing on a chapter by chapter basis.

In the meantime, while we removed the redlined version of DPDPB 2022 vs the draft from the website www.dpdpa.in, others have released similar red-lined versions which capture the changes between the DPDPB 2022 version and the DPDPB 2023 version.

It is interesting to note that, unlike the earlier days when the IT Bill 1999 was introduced or the ITA 2008 was passed in 2008, awareness about the Data Protection Bill is very high in professional circles. The Bill has been quickly analysed and several views have been published.

One detailed critical view has been provided in this video about the changes to the RTI act.

While we understand the need for politicians to oppose any activity in the Parliament and push everything to the future, professionals should focus on constructive criticism without stopping the law from being passed.

To debate the Bill in a more constructive way, FDPPI, along with Manipal Law School as its academic partner, is organizing a virtual round table today, the 4th August 2023, on Zoom at 7.00 pm. The discussion should take approximately an hour.

The discussion will be live webcast on YouTube and should be available at this link.

The main issues to be discussed are:

a) Is the Bill considered as a Finance Bill obviating the need for passage by the Rajya Sabha?

b) Does the Bill cover the basic requirements of a data protection law such as Rights of data principals and Obligations of data fiduciaries?

c) Do the “Legitimate use” and “Exemptions” provisions give reasonable freedom to business?

d) Is the concept of “Duty” of the Data Principal and a penalty for violation of the duty welcome?

e) Is the grievance redressal system, from the Company to the DPB to TDSAT to ADR and the High Court, effective?

f) What are the remedies to a Data Principal? Does he/she not have rights to claim compensation? If so why?

g) What is the change made to RTI act? Is it as bad as it is made out to be?

h) How is the Data Protection Board being constituted? Is it properly represented?

i) Any other point of discussion that arises.

We look forward to a useful discussion.

Naavi

Also Refer

NDTV: Penalty can be “Per Breach”…Rajeev Chandrashekar

Miscellaneous articles


44 Section version of DPDPB 2023 now surfaces

In what appears to be the latest version of the Bill to be tabled tomorrow, the draft DPDPB 2023 with 44 sections is now available.

Click here for a Copy


DPDPB 2023: Concerns of Brittas addressed?

Mr John Brittas, one of the members of the IT Standing Committee which reviewed and commented on the draft DPDPB 2022, has submitted a dissent note which has been promptly circulated by a section of the media to criticise the proposed Bill. (Refer here)

Justice B N Srikrishna, in his interview to The Hindu some time back, had also criticised the DPDPB 2022.

However, most of the concerns expressed by John Brittas and Justice B N Srikrishna seem to have been addressed in the version which may be presented in the Parliament.

We are still not clear about the official version which will be presented, but the above version with 33 sections appears to be one created after the IT Committee report and has addressed many of the issues. It still has one or two minor modifications that may be required, like the definition of harm and the handling of publicly available data. But these can be incorporated during the discussion.

Mr Srikrishna’s objection on the constitution of the Data Protection Board has been addressed by reverting to the earlier PDPB version of a Board with a Chairman and six members, though the tenure has been reduced from 5 years to 2 years.

Brittas’s objections, like the objection to the amendment to the RTI Act, have been discussed in the past and do not hold substance. The concerns on “Deemed Consent” have been addressed through the Legitimate Interest provisions, and there are provisions for addressing deliberate violations.

The power of claiming compensation by data principals is available under ITA 2000 (Section 43) and can be invoked along with the adjudication under the DPB. It would however be better if the DPB is also given the power to award compensation, so that the issue is settled in one hearing.

Brittas seems to support data localization, and the Government should be happy to introduce it through notifications.

Mr Brittas objects to the Right to Data Portability and the Right to Forget not being included. These are not sacrosanct. A Data Principal can get the information back and re-submit it if he wants. Transfer of data from one business competitor to another under “Portability” is a matter of convenience but not critical. The Right to Forget is not possible in India as it can be grossly misused.

It is recognized that a Data Protection Law will have conflicting interests, like startups needing exemption, and the Government has accommodated an enabling clause for such purposes, to which Mr Brittas has an objection.

Exemption to the Government has been an eternal objection, but this is an issue which cannot be resolved to the satisfaction of privacy activists, since there is a security requirement to consider.

The dissent note of John Brittas is well constructed and needs to be taken note of when the rules and regulations are formulated by the DPB. For the time being, the Bill is good to be passed with some minor corrections.

We hope that the Parliament will allow the Bill to be passed or, more appropriately, that the Government will pass it whether there is consensus or not.

Naavi


ISO-9: Annexe A Controls-1

We have so far discussed ISO 27001:2022 in several articles (ISO-1 to 7) and summarised ISO 27701 in article ISO-8. Let us now continue our discussion to cover the 93 controls which are part of Annexe A of ISO 27001:2022 and also of ISO 27002:2019.

The Annexe contains:

a) 37 controls as “Organizational Controls” from A.5.1 to A.5.37

b) 8 controls as “People Controls” from A.6.1 to A.6.8

c) 14 controls as “Physical Controls” from A.7.1 to A.7.14

d) 34 controls as “Technology Controls” from A.8.1 to A.8.34

All these controls are effectively covered under the 50 Model Implementation Specifications of PDPSI, which adds a few more controls of its own to make it more precise than ISO 27001:2022 even if ISO 27701 is added as a combo.

Let us in this article try to get a bird’s eye view of the “Organizational Controls”.

The first control in this set is the need for development of information security policies, which have to be defined, approved, published, communicated and acknowledged by the relevant stakeholders. They also have to be reviewed periodically. The objective of the policies is to effectively mitigate the risks in different aspects of the business, with a focus on the CIA principle (confidentiality, integrity and availability).

As a part of the policy, or as a supplementary policy, there is a need to define the roles and responsibilities of different employees with proper segregation of duties and an enforceable mandate that the policies will be adhered to by all.

The organization shall maintain contact with regulatory authorities such as CERT-In and with relevant industry groups to stay in close touch with industry developments.

For proper risk assessment, a system for gathering threat intelligence and for integrating information security (IS) into each of the projects is to be ensured.

In order to implement the policies, there has to be an inventory of information assets with proper labeling and ownership assignment. This will be associated with an acceptable use policy until the ownership of the assets is suitably transferred to another authorized person. Such transfer procedures are also to be suitably documented, along with proper labeling of the information.

It is also necessary to have a proper classification of information, which determines the access policies. IS related classification is normally associated with the CIA triad and limited to classifications such as “Public”, “Restricted”, “Confidential” etc. If ISO 27701 or privacy related compliance such as PDPSI is required, then the classification has to take into account “Personal and Non Personal”, “Sensitive and Non Sensitive” etc. PDPSI therefore follows a more elaborate classification system than ISO 27001/27701 and extends it to “Minor and Non Minor”, “Employee and Non Employee”, “Personal Sensitive”, “Personal Critical” etc.

This classification is associated with access control management, including management of the full life cycle of the identities used for access. The access control mechanism needs to take care of proper authentication of identities. The entire access rights management system needs to be periodically reviewed.
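As an added illustration (not code from PDPSI, ISO or this article), the following Python models an inventory entry carrying both the ISO-style CIA class and the extra PDPSI-style dimensions listed above, records ownership transfers, derives an access decision from the classification, and flags entries whose periodic review is overdue. The role names "privacy_cleared" and "sensitive_handler", the tier ordering and the review period are assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import IntEnum

class CiaClass(IntEnum):
    # ISO 27001-style confidentiality classes, ordered least to most restricted
    PUBLIC = 0
    RESTRICTED = 1
    CONFIDENTIAL = 2

@dataclass
class Label:
    # CIA class plus the extra PDPSI-style dimensions the article lists
    cia: CiaClass
    personal: bool = False   # "Personal" vs "Non Personal"
    sensitive: bool = False  # "Sensitive" vs "Non Sensitive"
    critical: bool = False   # "Personal Critical"
    minor: bool = False      # data of a "Minor"

    def handling_tier(self) -> str:
        # Most restrictive applicable tier wins (ordering assumed here, not taken from PDPSI)
        if not self.personal:
            return self.cia.name.title()
        if self.critical:
            return "Personal Critical"
        if self.sensitive or self.minor:
            return "Personal Sensitive"
        return "Personal"

@dataclass
class Asset:
    name: str
    owner: str
    label: Label
    last_review: date
    transfers: list = field(default_factory=list)

    def transfer_ownership(self, new_owner: str, on: date) -> None:
        # Record the transfer so the inventory keeps an audit trail of ownership
        self.transfers.append((self.owner, new_owner, on))
        self.owner = new_owner

def access_allowed(clearance: CiaClass, roles: frozenset, asset: Asset) -> bool:
    # CIA clearance is checked first, then privacy-specific roles (role names assumed here)
    lbl = asset.label
    if clearance < lbl.cia:
        return False
    if lbl.personal and "privacy_cleared" not in roles:
        return False
    if lbl.handling_tier() in ("Personal Sensitive", "Personal Critical"):
        return "sensitive_handler" in roles
    return True

def review_overdue(asset: Asset, today: date, period_days: int = 365) -> bool:
    # Periodic review of inventory entries and access rights, as the control requires
    return today - asset.last_review > timedelta(days=period_days)

# Constructed sample inventory entry: confidential, personal and sensitive data
SAMPLE = Asset("customer_health_records", "alice",
               Label(CiaClass.CONFIDENTIAL, personal=True, sensitive=True), date(2022, 6, 1))
```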

It is also necessary to ensure that information security in supplier relationships, including cloud services, is properly kept in check through the agreements. The IS needs have to be effectively communicated through the supply chain and monitored regularly for review and change.

There shall be a proper incident management policy to define incidents and handle them effectively when identified, with proper assessment, reporting and learning from the incidents.

Where required, evidence management during incidents and the management of possible business disruption with a business continuity objective shall be ensured.

It is not possible to disassociate the IS requirements from legal obligations under applicable law, and this has to be adequately addressed. This may include not only IPR related issues but also regulations related to contracts, data storage, security incident reporting etc.

Control A.5.34 specifically mentions that the organization shall identify and meet requirements regarding the preservation of privacy and protection of PII (Personally Identifiable Information) according to applicable laws and regulations and contractual requirements. This clause extends ISO 27001:2022 to the privacy requirements even without ISO 27701.

The organization shall independently review the IS controls periodically and document compliance with the adopted policies and procedures.

All these requirements covered under A.5.1 to A.5.37 are covered under PDPCSI for establishing PDPCMS, or Personal Data Compliance Management System. PDPCMS focusses on Privacy and hence limits itself to the application of CIA principles to Personal Data only, and otherwise looks at privacy controls similar to ISO 27701. However, the larger version of PDPCSI, which is called DPCMSI, may cover non-personal data protection compliance separately, for which compliance is checked against the provisions of ITA 2000 and not the DPDPB 2023. DPCMSI combines ITA 2000 and DPDPB 2023 and hence covers ISO 27001:2022 even with an expanded coverage of Privacy.

If an auditor is aware of the intent of these frameworks and sincerely applies them to the audit, whether he uses ISO 27001:2022 with ISO 27701 or DPCMS does not matter, except for the certification and costs.

…continued

Naavi


DPDPB 2023 version to be Tabled in Parliament

The Government has now disclosed the report of the Standing Committee on IT on DPDPB 2022.

With this it appears that the bill may finally be tabled in the Parliament probably tomorrow or soon after.

The version of the Bill which was released here a few days back, however, appears to be a version cleared by the Cabinet Committee after the Standing Committee report. It is a 33 section version as against the 30 section version attached to the IT Standing Committee report.

We shall therefore wait for the actual Bill to be tabled in the Parliament. The difference would be marginal but still relevant.

Standing Committee Version of the Bill (30 Sections)

Earlier Version of the Bill (33 Sections)

Complete Report of the IT Standing Committee

Naavi


CJI Mr Chandrachud should respond to Badri Seshadri Arrest

A few days back the honourable Chief Justice of India made a statement addressing the Government of India: “Take appropriate action… or else we will have to take action…”.

The concern was well appreciated since the incident was disgusting. Similar incidents happened earlier in West Bengal and Rajasthan, but they were Congress/TMC ruled states and hence everybody was confident that the state was in safe hands, whereas the Manipur state Government is with the BJP and hence it needed to be criticised. We accept this as the norm of India.

But it cannot be said that the comment of the CJI was appropriate and that the Supreme Court could threaten the Government. Did the threat imply that the Supreme Court would dismiss the Central Government? Could it impose its own Court monitored rule on Manipur? Could it order the arrest of the Manipur CM for dereliction of duty? Could it censure Mr Amit Shah, the Home Minister?

Obviously in India, it is not possible for the Courts to impose emergency. The Supreme Court can only validate the emergency imposed by persons like Indira Gandhi and as long as history recognizes that Indira Gandhi imposed emergency, we also need to recognize that the Supreme Court validated the declared emergency.

Despite the ability to assume powers to re-write constitution even by a split verdict, Supreme Court should consider itself to be answerable to the people of India and has to respect the Parliament as the voice of the people. Supreme Court can also allow a system of national referendum over such issues where the Supreme Court differs with the Parliament so that people can express their views.

Following this development, Mr Badri Seshadri, a senior citizen in Chennai (if I remember right, he founded Cricinfo.com, which was later taken over by ESPN), was interviewed by a YouTube channel in which he commented:

“The SC has said that if you cannot do anything, we will. Let’s give a gun to Chandrachud and send him there. Let’s see if he can restore peace.”

Based on a complaint made by a lawyer, Kaviyarasu of Kadur Village, Badri Seshadri was promptly arrested and the Magistrate remanded him to 11 days of judicial custody.

I am not sure if Badri Seshadri can be called a serious political commentator as has been described by the media, nor whether the comment made by him was worthy of being considered an offence under Sections 153 (wantonly giving provocation with the intention to create riot), 153A (promoting enmity between different groups on grounds of religion, race, place of birth, residence, language etc. and doing acts prejudicial to maintenance of harmony) and 505(1)(b) (with intent to cause, or which is likely to cause, fear or alarm to the public) of the Indian Penal Code.

One will need extraordinary genius to interpret these sections and fit them to the statement made by Mr Badri.

It is obvious that the Police wanted to place Mr Badri in jail for some reason and used this excuse. This is a gross violation of the power of the Police to cause arrest. If the comment is considered “defamatory” to the CJI, the CJI should have instituted “Contempt of Court” proceedings and not allowed cases to be booked under Sections 153, 153A etc. Where is the intention to create riot or promote enmity between different groups? Only God, the Tamil Nadu Police and the Magistrate know.

I am reminded of the Palghar incident some time back where two Muslim girls were arrested by the Shiv Sena led Government for “clicking the Like button” on Facebook on a post about the deceased Bal Thackeray. At that time the whole country was up in arms against the arrest and ultimately the Supreme Court changed the law itself to express its displeasure at the arrest.

Now we have a similar situation here, and the matter is closer to the Supreme Court since the defamation of the CJI is the cause of the arrest.

As long as Justice Chandrachud remains silent on the arrest, it means that he endorses the arrest. When he can take suo motu cognizance of violence in Manipur, summon Tushar Mehta, demand action from the Government and threaten dissolution-like action, can he not at least make a statement on whether the arrest of Badri is a violation of the “Freedom of Speech” or not? This case should be considered a personal case in which the CJI is interested, and hence his action or inaction will be deemed to communicate his views.

This is not just an issue which the BJP in Tamil Nadu should fight. This is an issue where the Police are interpreting the law to their own convenience and the Judiciary, by its selective silence, is encouraging such action. People like Prashant Bhushan and Kapil Sibal may not come in to defend when an ordinary citizen is wronged, though they may happily walk in for other cases. It is a national issue to be fought by all who respect, or claim to respect, Freedom of Speech.

I therefore request the honourable Chief Justice of India, Mr D Y Chandrachud, to react to the arrest and either lodge his own contempt complaint or demand that the FIR be withdrawn.

In the meantime, the Madras High Court should take suo motu cognizance of the illegal arrest and provide relief. Even the DGP of Tamil Nadu can perhaps intervene and set things right if he wants.

While the investigation may continue even under the sections the Police have filed, at least the Court can order the immediate release of Mr Badri on bail, since we know that Courts give bail in many terror cases also without batting an eyelid. There is no investigation to be done by keeping the accused under arrest when the YouTube video is available to the public.

If democracy in India is under threat, it is these incidents that have to be noted as the incidents of the murder of democracy. I wish there were a national referendum on issues like this so that people’s views could be taken before Police excesses are committed against citizens of the country.

I wish the New York Times, the terrorist-friendly journalists of The Wire and other similar journals (some of them in the heart of Chennai) would respond fairly to this incident, or accept the criticism that they are all George Soros funded members of the Tukde Tukde India gang.

Naavi
