What should be the focus of Indian Cyber Resilience Act?

(Continued)

The DPDPA 2023 is now on track and the Indian personal data ecosystem is preparing itself to adopt the obligations under the Act.

In the meantime, the issue of “Securing” the Cyber Space, which consists of non-personal data as well as the production and use of cyber devices and upcoming technologies such as AI, Quantum Computing, Crypto Currencies etc., remains on the To-Do list.

The Digital India Act, which was spoken of for some time, was intended to address this issue either as an amendment to ITA 2000 or as a new act.

With the India-EU trade deal opening up doors of opportunity for Indian software and hardware companies, the industry’s attention has been drawn to the EU Cyber Resilience Act 2024, which is gaining traction through implementation deadlines in 2026 and 2027 and may impact Indian manufacturers of software and hardware.

In this context, there is a need to take a fresh look at the possibility of our reacting to the EU-CRA with our own IN-CRA or Cyber Resilience Act of India.

We should start thinking about the broad contours of such an Act, its objectives, the scope, obligations, penal provisions, the regulatory authority etc.

“Cyber Resilience” is a layer above “Cyber Security”, and the IN-CRA needs to build a national capability to respond to cyber security threats.

The EU-CRA focuses on imposing obligations on manufacturers of cyber products and imposes a penalty of 2.5% of global turnover or Euro 15 million as a deterrent, and it covers manufacturers outside the EU who place their products in the EU. Hence compliance with the EU-CRA becomes mandatory for Indian suppliers of cyber products to the EU.

IN-CRA should prepare the Indian industry by first developing an Indian standard of Cyber Resilience, which can be upgraded to the EU standards in due course.

While we need to take the cue from the EU-CRA and adopt the security guidelines mentioned therein, we need to also use this as an opportunity to strengthen our Cyber Security ecosystem so that a perceptible difference is created in enhancing the Indian cyber security system as well.

One of the objectives of the IN-CRA should be to prevent product manufacturers from releasing defective products into the market and using the users as guinea pigs. This should increase Digital Trust for customers using products which are CRA compliant.

Another objective of IN-CRA should be to improve the operational efficiency of the existing institutional framework by creating a unified command structure.

Yet another objective is to ensure that emerging technologies like AI and Quantum Computing do not become tools of crime before they become tools of progress.

We need to explore this further. Your comments are welcome.

(To Be continued)

Naavi


EU Cyber Resilience Act could trigger another Compliance drive for Tech Exporters

India has just signed two important trade deals: one, the mother of all deals, with the EU, and now the father of all deals, with the USA. Additionally, the budget has also provided some push to exporters of tech products. Both may aid and assist the growth of exports of tech products.

These developments could incentivise new manufacturing investments in cyber products by companies that may look for prosperous export opportunities to harness EU markets, both directly and through the US.

Amidst these positive developments we need to also keep in mind that this year the EU passed a cyber security regulation, namely the EU Cyber Resilience Act 2024 (EU-CRA), which becomes partly operative during 2026 and fully operative from December 11, 2027. The act will impact exporters of cyber products to the EU market and require them to incorporate certain compliance measures. The penalty for non-compliance could reach up to Euro 15 million or 2.5% of global annual turnover.

EU-CRA applies to all economic operators placing digital products on the EU market, regardless of where the company is headquartered.

That means Indian manufacturers, software producers, and suppliers whose products are sold in the EU must comply with CRA requirements. They must embed robust cybersecurity practices into product lifecycles if they want continued access to the EU market.

The requirements of the CRA push manufacturers towards “Proactive Cyber Security Engineering” during software development.

The CRA may require mandatory third-party conformity assessment audits in respect of certain critical products such as smart cards, critical infrastructure components etc. In other cases, self-assessment and documentation may be essential.

The CRA’s compliance-by-design approach may require threat modelling at the design stage and the adoption of secure coding standards.

Secure coding standards try to prevent vulnerabilities like SQL injection, cross-site scripting, buffer overflow etc.

Under the DGPSI-AI framework for developers, we had indicated the following implementation specifications:

“The AI developer shall document a Risk Assessment of the model indicating its susceptibility to third party security compromise and the potential harm to the user or data principals whose personal data may be processed as well as the society at large.” (MIS-4 ; DGPSI-AI for AI developers)

“The AI model shall be audited by an independent third party auditor using an acceptable audit standard.” (MIS-11: DGPSI-AI for AI Developers)

Under these specifications, for any AI developer or any exporter who is embedding AI into his products, it would be considered necessary to add a CRA compliance assessment.

While this is a governance burden for exporters to manage, it can also be looked upon as an opportunity for professionals to develop services towards improving compliance with the Cyber Resilience Act.

It is time we explore opportunities in this direction.

We also request the MeitY to develop a note for “Digital Exporters” on EU-CRA Compliance.

FDPPI recently developed DGPSI-GDPR as an indigenously developed framework for GDPR compliance.

Now it is time to work on EU-CRA compliance also….

(To Be continued)

Naavi


Blockchain Technology in Healthcare

The healthcare industry in India is increasingly exploring the use of Blockchain technology for managing Electronic Health Records. Blockchain, Smart Contracts and AI are the new technologies that the industry is trying to adopt as it moves ahead.

At the same time, the DPDPA is hanging like a sword of Damocles over all health care companies such as hospitals, health research labs, diagnostic centers etc. Most of these health care organizations deal with sensitive and ultra-sensitive personal data including DNA records, genetic abnormalities, life-threatening disease information etc. By virtue of this sensitivity, even with a smaller volume of data being processed, most health care companies fall into the category of “Significant Data Fiduciaries”, who are required to follow stringent compliance requirements.

The exemption under DPDPA 2023 is limited to research institutions, which are exempted from the consent and rights clauses. But certain standards of security would still be applicable, and the exemption is restricted to instances where the data is not used for taking any decision on the data principal. In the case of a pure research laboratory, this condition may be applicable. But hospitals and research institutions which share their research with their associate hospitals or drug testing companies will not be able to take the benefit of these exemptions.

Legitimate use as an alternative to consent may be available in certain cases for hospitals handling medical emergencies and life-threatening situations, but not in all cases.

When organizations use Blockchain technology, they face a challenge in managing the Data Principal’s consent during the lifecycle of the data, including the handling of consent modification, withdrawal, the Right of Access etc.

Some Blockchain architectures like IPFS (InterPlanetary File System) or RBTS (Reference Based Tree Structure) try to overcome this problem of deleting data after it has gone into a blockchain by keeping the data in off-chain storage with only a hash value going into the blockchain, or by placing a reference pointer in the main block and keeping the data in a different sub-chain.
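As an added illustration for the consent-lifecycle and off-chain storage points above (example code written for this page, not from the original post, IPFS or RBTS; all class and field names are hypothetical), here is a toy Python model of the pattern: only a commitment goes on the chain, the record stays off-chain and is deleted on consent withdrawal. It uses a keyed hash with a per-record key rather than a plain hash, because a plain hash of low-entropy health data could be matched by guessing candidate values.

```python
import hashlib
import hmac
import json
import os


def block_hash(block: dict) -> str:
    """Hash of a block's canonical JSON form; the next block links to it."""
    return hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()


class OffChainLedger:
    """Toy ledger (hypothetical): on-chain blocks hold only a record id and a
    keyed hash (HMAC) of the record; the record and its key live off-chain."""

    def __init__(self):
        self.chain = [{"index": 0, "prev": "0" * 64, "record_id": None, "commit": None}]
        self.store = {}  # off-chain storage: record_id -> (key, record)

    def add_record(self, record_id: str, record: dict) -> dict:
        key = os.urandom(32)  # per-record key; deleting it shreds the link
        payload = json.dumps(record, sort_keys=True).encode()
        commit = hmac.new(key, payload, hashlib.sha256).hexdigest()
        self.store[record_id] = (key, record)
        block = {"index": len(self.chain), "prev": block_hash(self.chain[-1]),
                 "record_id": record_id, "commit": commit}
        self.chain.append(block)
        return block

    def read_record(self, record_id: str):
        """Return the off-chain record if it still matches the on-chain
        commitment; None after erasure or if the off-chain copy was altered."""
        if record_id not in self.store:
            return None
        key, record = self.store[record_id]
        payload = json.dumps(record, sort_keys=True).encode()
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        block = next(b for b in self.chain if b["record_id"] == record_id)
        return record if hmac.compare_digest(expected, block["commit"]) else None

    def withdraw_consent(self, record_id: str) -> None:
        """Erasure on consent withdrawal: drop record and key off-chain.
        The chain itself is untouched, so its integrity still verifies."""
        self.store.pop(record_id, None)

    def verify_chain(self) -> bool:
        """Check every block's back-link against the previous block's hash."""
        return all(self.chain[i]["prev"] == block_hash(self.chain[i - 1])
                   for i in range(1, len(self.chain)))
```

The on-chain commitment outlives the deletion, so whether a key-destroyed keyed hash still counts as personal data is a question the data fiduciary has to cover in its risk assessment.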

The problem of managing a blockchain where the chain continues with 50% or 67% consensus of the nodes instead of 100% is another risk that these systems may pose to data fiduciaries.

When Smart Contracts and AI are also used along with the blockchain, the combination may enlarge the risks rather than limit them.

It is therefore necessary for technology advisors to the health care industry to understand the law and adapt it to the new technologies used in the industry. While “Innovation” in technology is welcome, we must understand that the responsibility for compliance increases with technology instead of reducing. Hence there has to be a proper governance mechanism that goes with the use of frontier technologies.

We need to watch how organizations manage this conflict between innovation and responsibility.

Naavi


TCS as a Consent Manager? Why can’t it be an NGO like the Spastic Society of Karnataka?

There are two rumours/news-plants running in the media about the DPDPA Rules. They are:

a) The Government may accelerate the timeline for implementation from 18 months to 12 months in some respects.

b) TCS is likely to apply for a Consent Manager license.

Let us briefly review these two issues.

It would be welcome if the Government goes for a faster implementation timeline, particularly for the large companies who are already compliant with global laws and are capable of implementing the law within the next 6-9 months. Given the fact that the DPB is yet to be formed, a period of 1 year seems reasonable.

It is possible that for SMEs the implementation can be kept at the present level of 18 months, so that they will have the benefit of observing the implementation challenges as resolved by the large entities before the smaller entities jump in with fewer resources for software selection and implementation. This could even be part of the promise in the budget today.

The second aspect is TCS applying to be a Consent Manager. While it appears logical that a conglomerate like TCS would consider it attractive to have an in-house consent manager for its group entities, the “Conflict” situation could be very tough to handle.

Secondly, we are aware that TCS has a record of entering the business of Certifying Authorities and later exiting. This is not a good track record to boast of for a business like Consent Manager, and the group may have to disclose the reasons for surrendering the Certifying Authority license, since similar possibilities may also exist for TCS surrendering the Consent Manager license in the future.

Now that the Government is considering revision of some of the rules, I suggest some changes to the consent manager rules.

The current Consent Manager rules under Rule 4 suggest that data can be transferred from one data fiduciary to another at the instance of the consent manager. This amounts to “Data Portability”, which the parent law has omitted as a “Right of the Data Principal”. The rule is therefore “Ultra Vires” the law, at least in legislative intent.

Secondly, we have pointed out that if the Consent Manager does not have “Visibility” of the data, the rigorous conflict-related conditions appear to be an overkill. This can be modified if the Government comes out of its blinkered view that a Consent Manager is like an Aggregator in the DEPA framework.

Yesterday, I was discussing with the “Spastic Society of Karnataka” the possibility of such NGOs becoming specialist Consent Managers for “Disabled Data Principals”. These institutions know who is entitled to be in this category, what they need from the Internet and what the law of guardianship for such persons is, better than any other commercial organization. It therefore appears that such organizations should be allowed to be “Consent Managers” for some niche categories of data principals. However, such organizations may not be able to fulfil, say, the capital requirement, nor may they be “Companies incorporated in India”.

Hence we suggest that the Government should consider providing exemptions from some conditions of the Rules under Rule 4 to enable such genuine NGOs to be consent managers for their niche areas of operation.

We hope MeitY considers these suggestions when it thinks of making changes to the November 13 rules, for which it has had a closed-door meeting with the privileged Tech Giants.

Naavi


Cyber Safety for Children: Digital Divide is a requirement

When we started working on the Internet in the early 1990s we used to speak about the need to bridge the “Digital Divide”. In this pursuit of equality of the citizen and the netizen we created a new merged world of Cinezens. While citizens derived the benefit of e-commerce and e-governance due to this merger, cyber criminals exploited this situation by committing cyber crimes and getting away with them due to weaknesses in the law and the enforcement systems.

Now we are seeing an ugly face of this cyber crime where there is a complete dependence of citizens on the Internet, and this dependence is creating a field day for psychological manipulators cheating innocent citizens.

New technology developments such as AI and VR/AR have only increased the cyber crime risks for society. One offshoot of this development is the increasing addiction of our children to mobiles, which is a concern for the next generation.

It is time that we try to find a solution to this and make our children safe on the Internet. Merely asking them not to use mobiles will not work, since the usage will go “Underground”.

Hence we need to ensure that even if children continue to use the Internet and the devices, the harm is reduced substantially.

Some measures we need to consider in this direction are for schools to work towards creating an awareness that the “Cyber World is different from the Physical World” and that we need to learn “Not to trust any message online without fact checking”.

In other words, we need to build a psychological barrier for children to recognize that mixing the cyber experience with real experience is dangerous. Augmented reality and the games that mix cyber space existence with real life need to be closely monitored and regulated.

We understand that the Government is thinking of banning mobiles for children, like Australia has done. Probably this will help a little, but real success comes from children voluntarily distancing themselves from mobiles and the reels.

The SMART network is a guideline, but we need to design strategies to create a psychological digital divide so that children know that the two societies are different and should not be mixed.

Maybe we require the schools to work more on this aspect while they continue to promote the responsible use of the Internet through computers. Access through computers at our option and access through mobile whenever it “Trings” are two different things, and this has to be recognized.

All of us, including adults, need to remember the need for “Ulysses Contracts”, where use of the screen is at our choice and not at the device’s choice.

AI specialists should work on how to prevent addiction rather than create more and more of it. If not, regulators need to step in with a liberal interpretation of “Dark Patterns”, which are already recognized as crimes in our legislation such as the Consumer Act, ITA 2000 and DPDPA 2023.

We need to discuss these during the S P Acharya Endowment lecture today at Bangalore.

Naavi


Next C.DPO.DA. Program: Feb 2026

The next C.DPO.DA. program will be conducted by FDPPI as a Virtual Program on February 21 and 22, 2025.

The program will be conducted by Naavi and will cover the following topics.

Day 1:

Legal nuances of DPDPA and the DPDPA Rules
Classification of DPDPA protected Data (DPD)
ROPA as a strategic tool of Compliance
Technical challenges of Management of Legal Basis for processing and Rights of Data Principal
Digital Omnibus GDPR Amendments
DGPSI-GDPR introduction

Day 2:

Governance Structuring for meeting the obligations under DPDPA by a Data Fiduciary
The Roles of DPO and Data Auditor in the DPDPA era
Use of DGPSI as a Compliance Management framework
AI and its challenges in meeting the obligations with DGPSI AI
Comparison of DGPSI with ISO 27701

Fees: Rs 29500/- including all taxes. This includes the fee for the examination (one attempt). Subsequent attempts Rs 5000/- (subject to changes).

Interested persons may kindly join here:

PAY HERE FOR REGISTRATION

Also fill up the application form here

For any clarifications, contact Naavi

Naavi
