Naavi.org

One of the concerns of the industry on DPDPA Rules which has not yet been addressed in the draft of the draft rules is about when does the Penalties under DPDPA will start being applied. For penalties to be applied, the DPB has to be first formed and afterwards a mechanism has to be built for reporting of data breaches. Data breaches may be reported directly by the Data Fiduciaries or by the complaints received from data principals. DPB may also recognize a data breach suo-moto from news paper reports and alerts from security research organizations.

It is possible for the MeitY to provide some extra time for applying penalties after fixing the compliance date. For example, once the DPB comes into existence and an operating website is set up to take care of data breach reporting, the date for compliance can be notified . The date for penalties to be considered can be the same date or another 3-6 months later. In between the DPB may consider application of the “Voluntary Undertaking” under section 32.

Apart from setting these dates, DPDPA Rules could have clarified how the “Voluntary Undertaking would function”.

The Section 32 states, “The Board may accept a voluntary undertaking in respect of any matter related to observance of the provisions of this Act from any person at any stage of a proceeding under section 28.(Ed: Inquiry)”. The voluntary undertaking may include an undertaking to take such action within such time as may be determined by the Board, or refrain from taking such action, and or publicising such undertaking.

If an order for Voluntary undertaking is given and accepted by the erring data fiduciary, further proceedings on penalties are barred except that if the data fiduciary fails to adhere to the terms of voluntary undertaking, then the penalties will become applicable.

DPB should therefore set in motion a procedure for application of Voluntary undertaking as a measure for addressing low harm breaches or as a general measure of cautioning before severe action.

In particular it could have been provided in the DPDPA Rules that for SMEs and MSMEs, Voluntary Undertaking could be made applicable as a routine exercise. In fact DGPSI takes this into account and expects organizations to consider responding to DPB notices with a specific Voluntary Undertaking proposals.

In this context we can look at one instance where the Singapore authority used this provision recently.

In a data breach incident of Keppel Telecommunications & Transport Ltd (KTT) and Geodis Logistics Singapore Pete Ltd (GLS, using a ransomware, the attacker had exfiltrated 6287 images of proof of delivery of parcel recipients along with some employee data including passport numbers and Bank details. The access was with the use of the Vendor’s (GLS) user name and password.

Investigations could not find out how the malicious attacker had been able to secure the access credentials. There were also no malicious files or programmes present on the vendor’s computers, and no indication of compromise, data exfiltration, or unauthorised access on its systems.

After the incident, the organization initiated remedial plans which were accepted by the regulator for the Vendor (GLS). However KTT was fined $120000 for failure to protect the employee data.

If a similar incident had occurred in India, KTT as the Principal Data Fiduciary would be responsible for the incident for loss of employee data and GLS would be either a Joint Data Fiduciary or a Data Processor. If it is considered a Joint Data Fiduciary, it would face action under DPDPA 2023.

If GLS is considered as a Data Processor, KTT can initiate action against GLS for loss if its employee data as a contractual failure.

However,, the nature of the parcel delivery data could be open for debate. Should it be considered as belonging to GLS and as “Transaction Data”?. Is it the business data of GLS? or of KTT? Is it the personal data of the parcel recipients? Should we apply Section 72A of ITA 2000? or data breach provisions under ITA 2000? .. are interesting questions.

Open for debate.

Naavi

Educational institutions both Graduate education institutions and undergraduate institutions where the students are minors have a challenge of DPDPA before them. These institutions collect parent’s information, financial information of students and parents for educational loan and fees collection, health information etc. Some personal information related to the education is also generated by the institution itself including the mark sheets etc . All these are retained almost indefinitely.

In India there are many integrated institutions where students join as minors and graduate out as adults or their information stays in the system for years beyond they become adults and turn alumni.

Existing institutions also have “Legacy Data” of huge volume. The data can be considered as “Sensitive” as we have often found that students who turn celebrities later in their life are questioned about their qualifications, age etc from the educational records and could lose their positions and even land up in jail if the data is wrong.

Hence Educational Institutions are eminently qualified to be considered as “Significant Data Fiduciaries” under DPDPA 2023.

Currently we are not aware of DPDPA 2023 and its rules provide any sectoral concessions for Educational Institutions.

We must appreciate that even the names of individuals are getting standardized only in the current generation. For people of our generation all our records had no “Second” name. We simply had “Initials” which was the first name of the father and some times of the place of birth. If therefore one looks at our SSLC marks card there will be discrepancy in the name itself. The date of birth also was accepted as per the SSLC records and prior to that in the schools, whatever date was mentioned by the parent at the time of admission, it was accepted. Also the contacts were mostly through addresses which may not even be existent today.

If therefore we are talking of “Consent” for legacy data, there is no way an educational institution which is 50 years or older issue notices and obtain consents.

At the same time, it is not appropriate for the institutions to remove the data for lack of consent after releasing a public notice and not getting response for say 1 year.

The DPDPA rules did remember educational institutions while creating Schedule IV which states conditions where the tracking and behavioural monitoring of children are exempted and it includes the educational sector. Strangely, it covers transport operators ferrying children or creches. As for as Educational institutions themselves are concerned, the exemption is restricted to supporting implementation of any healthcare treatment and referral plan recommended by a healthcare professional for a child, to the extent necessary for the protection of her health.

It is urgently required that Educational Institutions must be exempted from “Sending Notice and Obtaining Consent” for legacy information. Alternatively they can be asked to publish a note on their websites calling for all students and parents who have earlier provided their personal information to inform of any changes and inaccuracy. If anybody suggests change of name in their marks cards, it cannot however be implemented automatically. In such cases the old data and suggested corrected data must both be retained.

Even with such a simple procedure, if every student starts exercising their “Right to Access” that itself will require an unreasonably large resource for a school or a college.

A debate is required by MeitY with the educational sector to provide some reasonable exemptions to protect unintended violations of the law.

In this context we may recall that recently, in Singapore, one medical institution namely Academy of Medicine Singapore providing professional education was fined for a ransomware attack resulting in the exfiltration of personal data of 6574 persons. The leaked data included Passport number, NRC number and Data of birth besides other information such as name, photo etc. The fine was nominal about $9000. However the fact to be noted was that it was an educational institution and the loss of data was due to an external attack and involved only a small number of data sets.

In this context if one lakh data sets are compromised in an Indian educational institution with biometric and Aadhaar data, it would be interesting to see how much of fine would be reasonable. Such risks are possible and needs to be factored in.

Most of the educational Institutions run under a single Trust and whether they need one DPO for each Institution or one DPO for the entire group is another area of doubt. There are many more such issues that may come up in the administration of the educational institutions not all of whom may have the resources to manage compliance like a commercial entity.

FDPPI has after their last industry interaction suggested that a special interest group (SIG) will be formed by FDPPI to study the impact of the DPDPA on educational institutions on a continuing basis and is in the process of identifying the right members for this SIG-Education

Interested persons should contact FDPPI and volunteer.

Naavi

Further to the event held on July 27 in which views of the industry professionals were collected on the draft rules in circulation, FDPPI has compiled a recommendation and submitted to the MeitY.

A Copy of the note submitted is available on www.fdppi.in here.

We trust that MeitY intends to publish another version of the rules officially for public comments modifying the version available earlier (Check here) However in the spirit of “Shaping the Future”, FDPPI has proactively worked on this current draft and elicited the views of the industry.

Naavi.org has expressed its views that sharing such drafts with MNCs who are actually going to Courts challenging the legislations of the Government and not with the general public who are affected by the law/rules is in-appropriate.

Hence we have tried to organize the public discussion on the draft of the draft rules and brought them into discussion.

We trust that at least in future MeitY would keep the stakeholders outside the MNC group into consideration while taking decisions that affect the society.

The discussions will continue…

Naavi

FDPPI conducted an event in Bengaluru on July 27 to discuss the proposed draft of the DPDPA Rules which were earlier shared with select parties for comments. MeitY is now in the process of releasing another version for the public for comments. In the meantime FDPPI held the event so that some comments can be sent to MeitY for incorporation in the immediate next version. The event was attended by over 100 professionals most of them physically and contributed to the discussions. Invitations had been sent to MeitY also and we believe that there were observers from MeitY in the virtual meeting.

The participants were presented with 5 panel discussions and three key notes and were also asked to share their views through a google form. Though not all of them have yet filled up the google form, the responses received indicate the trend which we are sharing here.

We are now sharing the same form publicly so that any body including those who did not attend the event can contribute their views. To submit your views you may need to refer to the draft rules at www.dpdpa.in/dpdpa_rules/ . The Act itself is easily available at www.dpdpa.in

There are some professionals who would not like to comment since the draft rules discussed are not branded as “Official”. It is their choice to wait for the next version or raise their voice now itself with the rest of the industry so that the next version itself can incorporate some of these views.

Some of the interesting observations so far received are as below.

Out of the 40 questions shared, the following questions got 100% yes response.

Q2: Was it necessary to notify the definition of Significant Data Fiduciary?

Q31.  Should Courts introduce a system of listing legal guardianship certificates issued for mentally disabled persons?

Q32.  Should UIDAI introduce an age gating service?…clearing a person is not a minor?

Q33.  Should UIDAI provide a certificate that the person providing consent for the minor is  the legal guardian 

Q39.  Can Aadhar Based “Age Pass” be a solution for Age gating?

It was interesting to note one question which received a 100% “No” response . It was ..

Q38.  Is SEBI mediation platform for dispute resolution the acceptable  choice?

Following questions received 80% Yes Response namely..

Q3.  Is it necessary to specifically call out a category of “Joint Data Fiduciary” as a class of processors?

Q5.  Is it necessary to indicate whether “Subsidiaries” need a separate DPO? or a “Group DPO” would be acceptable? 

Q8.  Should purpose oriented consent be “Process Based”?

Q10.  Can Aadhaar data collection to be restricted by rule to Virtual Aadhaar only even for voluntary submission of data

Q14.   Is Legitimate use  meant to  be used only under very special circumstances?

Q16. Should the Consent Manager be a trusted representative of the Data Principal who based on certain pre-approved rules release the consent in his representative capacity?

Q19.  Should Consent Managers be allowed to sub contract any of their services ?

Q20. Should there be a minimum period before which the Consent Manager cannot close down his business?

Q24.  Should there be simultaneous reporting  of a personal data breach to Data Principal?

Q25.  Should there be simultaneous reporting of a personal data breach to CERT IN

Q26.  Is 72 hours for detailed data breach sufficient?

There was one question which elicited a 80% “No” response, namely..

Q40.  Should Journalists be excluded from Consent and Obligation for protecting the Rights of data principals?

Those of you who want to participate in this Global Survey may access the form and send their views right now in the following link.

https://docs.google.com/forms/d/1IOEgE0bywmrEBENsGI1FFNmwAX8Q7XaDkZvlGRqGqo4/edit?ts=66a362c4

In case responses are received today, they will be added in the collation and sent to MeitY as the “Voice of the Data Protection Professionals”. We will also try to discuss this further for different sectors in the SIGs and keep a continuous watch.

Naavi

In continuation of our post of yesterday on Consent Manager, we would like to point out that the “Personal Data Breach Notification Rule” as contained in the draft rules also requires a re-look before the next version of draft rules are released. Some of our observations are as follows.

We refer to Rule 7 of the draft rule copy of which is available at www.dpdpa.in/dpdpa_rules for this purpose. This rule refers to intimation of personal data breach. The Rule prescribes a two stage reporting one to be made immediately on being aware of the personal data breach and the other within 72 hours with more details. It is noted that the rules donot make any mention of the Data Breach rules notified under ITA 2000 by the CERT IN. (Refer: https://cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf).

It is necessary to recognize that every personal data breach involving loss or damage to data is also a data breach under ITA 2000 and is reportable under CERT IN guidelines even after the repealing of Section 43A. Consequences of non reporting could be initiation of criminal proceedings for imprisonment upto 1 year and fine of Rs 1 crore.

Hence clarity should be brought in about  need to copy the data breach report to CERT IN. There should be a process where the DPB and CERT IN work in harmony dealing with the breach report.

In case DPB would like to exercise its right of investigation into the causes of a data breach, it would require additional technical investigation capabilities to be built up. On the other hand, CERT In already has the necessary expertise with a team of scientists and can also have access the CERT IN auditors.

There is a need to recognize that DPB would be more interested in identifying non compliance of law which may affect the rights of the data principal and hence would like to track even such personal data breaches which donot result in exfiltration of data that causes irreversible damage to the data principal. On the other hand CERT IN is more interested in prevention of Cyber Crimes and hence focussed on data breaches involving exfiltration/loss/damage of personal data.

Hence there is a need for a re-look at this rule and a simultaneous change in the CERT IN rules related to data breach.

Further, it is necessary to recognize that organizations monitoring security incidents diligently do observe several instances of whistle blowing reports which if confirmed may become breaches but could also turn out to be false.

The draft rule under DPDPA currently requires the report to be submitted “Forthwith”. This will force the organizations to either report all intrusion alerts captured by their systems as data breaches or ignore the provision. While companies may classify such intrusion alerts as not amounting to data breach, there is still a requirement to give some time to organizations to determine if an internal data breach alert is really a data breach or a false alarm. Hence such observations should be termed as “Provisional” at the time of reporting. The confirmed report filed within 72 hours may be called “Personal Data Breach Report”.

Hence there is a need to recognize three categories of personal data breaches namely

1. Provisional Data Breach
2. Data Breach not resulting in loss of data
3. Data Breaches resulting in loss/damage of data

The rules should treat these differently in terms of reporting, mitigation and penalisation.

Since CERT IN has an infrastructure to provide technical guidance of remediation, there is no need to duplicate the efforts at DPB. Regulatory investigation of technical nature if required should be left to CERT IN and adopted by DPB before going in for determination of penalties.

CERT In has its own powers of quasi judicial nature which is more powerful than the powers of DPB. Hence co-ordination of the two entities is essential to prevent confusion in the industry. For  this purpose, a “DPB-CERT IN Data Breach notification and investigation policy” should be announced which may specify a time bound completion of investigation and a non overlapping ruling on penalties. (Similar arrangements can also be worked out with RBI/IDDAI/SEBI)

Alternatively, changes should be notified under ITA 2000 stating CERT IN would refrain from investigating such cases which are taken up for investigation by the DPB under DPDPA 2023.

Wishing away the powers of CERT In may require amendment of ITA 2000 and is not feasible in the short run.

Hence CERT-IN and DPB need to build a method of working together without conflict and this should be done concurrently with the passage of DPDPA Rules.

We also suggest that the “Provisional Data Breach Notification” need not be sent to data principals and the complete notification is posted prominently on the website. The data principals may be sent an email notification but the possibility of many not being reached is high. Hence the website notification should be considered as sufficient notification unless DPB or CERT In specifically instructs individual notifications.

Comments welcome.

Naavi

One of the key provisions of DPDPA is the introduction of the concept of a “Consent Manager” who could represent the data principal for a better protection of his privacy.

According to Section 6 of DPDPA 2023,

The Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager, shall be accountable to the Data Principal and shall act on her behalf in such manner and subject to such obligations as may be prescribed and every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed.

Accordingly, the DPDPA Rules address the requirements of how a Consent Manager may be registered under DPDPA 2023 and what are his functional requirements. Since there is already a term “Consent Manager” under the DEPA architecture proposed by MeitY in another context and used in the Account Aggregator scheme of RBI, we need to distinguish that Consent Manager as “CM-DEPA” and refer to the Consent Manager under DPPDA 2023 as “CM-DPDPA” or simply the “CM”.

Naavi.org has been, since the days when PDPB 2019 introduced the term “Consent Manager” and has been consistently projecting it as a very innovative thought. The introduction of a specialist as a Consent Manager who could act as an expert to decipher the request for permissions and assisting the data principal was a master stroke which could enable overcoming of the multiple issues such as “Consent Fatigue”. “Lack of Privacy Appreciation in the society”, “Language barriers”, as well as the difficulty in deciphering the permissions to overcome dark pattern or misleading notices.

We donot know if this was just a follow up of the DEPA Framework or a deliberately introduced feature that could make the Indian law stand out in the world as an innovative legislation. It could have been an accident but a beneficial accident that the concept was introduced in Section 21 of PDPB 2019 stating

“The data principal, for exercising any right under this Chapter, except the right under section 20,(ed: Right to be forgotten) shall make a request in writing to the data fiduciary either directly or through a consent manager with the necessary information as regard to his identity, and the data fiduciary shall acknowledge the receipt of such request within such period as may be specified by regulations”.

“The data principal may give or withdraw his consent to the data fiduciary through a consent manager.” and , a “consent manager” is a data fiduciary which enables a data principal to gain, withdraw, review and manage his consent through an accessible, transparent and interoperable platform. (Section 23 of PDPB 2019).”

The same provisions prevailed in the Data Protection Bill 2021 and are now reflected in DPDPA 2023.

The interpretation provided by Naavi.org that CM-DPDPA is different from CM-DEPA and is having better utility than merely being a software platform was therefore a tribute to the innovative thought of some body in MeitY who drafted the PDPB 2019 whether they had similar intentions or otherwise.

The Rules now under discussion seems to have however ignored the potential of “Consent Manager” as a special kind of data fiduciary who could act as a “Power of Attorney Holder” of a Data Principal or a Trustee of his/her personal data. The rules have relegated the role of CM as a “Software Platform”. This is a classic case of a diamond in the hand being thrown away as just another piece of black charcoal.

The Rule 5 of the draft rule that we now have for discussion that indicates the present thinking of Meity (Check https://www.dpdpa.in/dpdpa_rules/) suggests inter-alia the following provisions which we feel requires a re-look

1. Not specifying that the definition of a foreign company should go beyond mere “Constitution outside India”

2. Stating that every consent manager shall establish …a platform that enables a data principal to give, manage, review and withdraw her consent to herself obtain her personal data from a data fiduciary or to ensure that such personal details shared with another data fiduciary of her choice, without the consent manager being in a position to access that personal data

3. Specifying that the Consent Manager shall  not sub-contract or assign the performance of any of its obligations as a consent manager

4. Specifying that the Board may suspend or cancel the registration without specifying how the interests of the data principals are protected.

5. Not specifying prohibition of data transfer outside India.

For the reasons specified below we request the MeitY to reconsider these provisions.

Consent Manager under DPDPA and DEPA

It is recommended that the definition of Consent Manager under DPPDA 2023 should be distinguished from the definition of Consent Manager under the Account aggregator scheme.

At present MeitY seems to be constrained by its own DEPA architecture where Consent Manager (CM-DEPA) was a technology platform and meant for the limited purpose of data users like portfolio managers etc requesting for consent for financial management purpose and such requests were forwarded to data givers like Banks who could provide the information. This served the purpose of relieving the service user from filling up long forms including assets and liabilities, KYC information etc besides demographic information. RBI applied this system in the account aggregator scheme. These use cases are a single purpose usage and not meant for repeated use.

The Consents under DPDPA 2023 are for multiple purposes, required repeatedly for different sets of data elements by different types of data fiduciaries. It includes the financial service providers such as account aggregators as well as Amazon or Zomato type of data fiduciaries who may require one set of data for clearance of payments and another limited set for logistics management etc.

The CM-DEPA system envisages that every consent request is received from a data fiduciary to the data principal during the subscription of a service is referred to the consent manager who again refers it to the data principal, receives the consent and then communicate the  information to the data fiduciary. What data has to be shared remains the decision of the data principal and he is required to look through the permission request understand the permission requirement and then approve. For every purchase from Amazon and for every order of food from Zomato, separate notice and consent is required and this process of referring to the CM-DEPA needs to be followed.

In the ordinary course, a data principal goes to a data fiduciary service site and receives the notice which he may click for acceptance. The data goes directly from the data principal to data fiduciary as part of the order.

In the CM-DEPA scheme, there is also a necessity for the CM-DEPA to check the identity of the Data Principal whose request is coming from a third party.

In this process the CM-DEPA does not have any visibility of the data and as long as the platform is suitably configured, data flows in and out like an ISP. It is therefore an “Intermediary” under ITA 2000.

The CM-DPDPA was not conceived to be the replica of this CM-DEPA since it was necessary to address problems such as the Consent Fatigue, the Language barrier and technology understanding barrier in providing consent.

The CM-DPDPA was therefore considered as a person who can represent the data principal with the data fiduciary for not only providing the consent on demand but also for withdrawal of consent or raising any grievance. Hence CM-DPDPA was conceived as a “Trustee of the Data Principal” and not as a simple ISP type intermediary.

CM-DPDPA could therefore have visibility to personal data, he could filter the data for delivery to a particular purpose and challenge the permissions with his superior technical and language capability to avoid dark patterns or misleading permission requests.  He could use anonymization and pseudonymisation if required and deliver only such data as is required for a purpose.

For example, amazon order placement team would get the financial information which is normally shared with the payment gateway but may not obtain the demographic or locational data (unless they justify the requirement for appropriate reasons). The amazon or Zomato delivery team would only get the information about the delivery address and not the other details which they can share it with any logistic company. This serves the purpose wise data minimization requirement.

In such a system, the data principal is relieved of the need to check the permissions and understand and be satisfied that a particular data element requested is reasonably required for the purpose or not.

If the concept of CM-DPDPA is merged with CM-DEPA, this  advantage would be given up.

The Consent Manager provision in DPDPA 2023 was innovative and like the “Copyright Society” in Copyright law could be considered as an instrument through which Privacy Culture can be built up in the Country and data principals could be helped in protecting their privacy against business which is driven by their profit motive.

We feel that this great opportunity should not be missed. Hence a review of Section 5 as suggested.  

Even this system requires the “Fit and Proper Criteria” and hence many of the current provisions are relevant.

However Rule 3(a) needs to be modified to remove the words “Without the consent manager being in a position to access the personal data”

In as much as every “Significant Data Fiduciary” is allowed to sub-contract their work with responsibility, the need to prevent “Consent Manager” from sub-contracting can be reviewed.

On the other hand, it may be specified that every  Data Processor of a Consent Manager would be deemed to be a Significant Data Fiduciary himself.

It shall be made mandatory that when a Consent Manager needs to exit or is suspended or services cancelled, the service shall be ported to another licensed Consent Manager so that the data principal is not inconvenienced. Alternatively a time of upto 1 year should be provided for the data principals to switchover to another consent manager of his choice.

The rules prescribe that CM-DPPDA shall be a company but not a “Foreign Company”.

P.S: As per Companies Act

(42) ―foreign company means any company or body corporate incorporated outside India which— (a) has a place of business in India whether by itself or through an agent, physically or through electronic mode; and (b) conducts any business activity in India in any other manner.

This definition is restricted to “Incorporation outside India” and is not sufficient to prevent data laundering. “Data” is a sovereign asset and it has to be protected from being stolen or surreptitiously laundered. Hence the definition of “Foreign  Company” should be expanded to include any foreign or non resident share holding that exceeds 10% or controlling interest that exceeds 33% of the members of the Board.

If the Consent Manager is only a platform and every consent has to be approved by the Data Principal, the very purpose of the consent manager to relieve the consent fatigue and difficulty in understanding the permission requirements is defeated. The CM should therefore be more like a “Power of attorney holder” who can take some decisions on his own without disturbing the data principal.

It is also suggested that the rules  should prescribe that Consent manager shall not store personal data abroad.

We request the MeitY to consider this suggestion before they release the final version of the draft.

We also request professionals to comment on the above.

Naavi