DPDPB 2023- Some issues

Following the presentation of the DPDPB 2023, several comments have been published in different publications.

Penalty

NDTV carried the following interview in which the upper limit on the penalty came up for discussion. The interview clarifies a number of doubts that the opposition raised yesterday and which have been carried through by the Soros group of media.

One of the issues Mr Rajeev Chandrashekar has stated is about the total penalty. Even earlier he had made a statement that the penalty may be imposed for “Each Instance”.

Currently the Bill speaks of 7 types of penalty. Each of these is a different type of breach. Earlier there was a Rs 500 crore upper limit, which seems to have been removed. Hence the 7 different parts of the penalty table could be aggregated and the total penalty may exceed Rs 500 crores.

Now he has even mentioned that breach of each set of personal data may be considered as a separate breach. This sort of interpretation was being used under HIPAA earlier. Now we may see that there could be a discretion for the Board to consider 7 different types of breach as well as the number of data sets breached. This could mean that we may not be far behind the GDPR which has imposed a fine of US $1.2 billion.

However, our law is also considerate enough to state that the penalty will be proportionate and will take into account the likely impact of the imposition of the monetary penalty on the person. Hence it is unlikely that the Board will impose fines which would not be sustainable at the appeal stage.

RTI

The second most important objection is on the “Dilution of RTI”. Mr Chandrashekar has also rightly answered it in his interview. RTI is not to be misused to harvest personal data. Any data released under RTI also becomes “Public Data” and therefore there is a clear danger of RTI being misused. In my view the power to refuse personal data was already available under RTI and hence the new provision is not significant.

Government Powers

The next objection is that the Bill will give too much power to the Government and create two kinds of data fiduciaries, namely the Government and the others. This also appears to be unfounded and is a speculation that can be made about any legislation. By the same yardstick, any law including the IPC can be considered as adversely affecting fundamental rights.

However the right to privacy itself is not considered “Absolute” and reasonable restrictions are in order.

DPDPB 2022 under Section 2(i) defines a Data Fiduciary without distinguishing the Government or non Government. Hence the Act applies to the Government subject to the exemptions and legitimate uses.

Exemptions are provided under Section 17 and legitimate uses are indicated in Section 7. Legitimate use provides that a data fiduciary may process personal data for the following uses:

(a) for the specified purpose for which the Data Principal has voluntarily provided her personal data to the Data Fiduciary, and in respect of which she has not indicated to the Data Fiduciary that she does not consent to the use of her personal data.

(b) for the State and any of its instrumentalities to provide or issue to the Data Principal such subsidy, benefit, service, certificate, licence or permit as may be prescribed, where––

(i) she has previously consented to the processing of her personal data by the State or any of its instrumentalities for any subsidy, benefit, service, certificate, licence or permit; or

(ii) such personal data is available in digital form in, or in non-digital form and digitised subsequently from, any database, register, book or other document which is maintained by the State or any of its instrumentalities and is notified by the Central Government, subject to standards followed for processing being in accordance with the policy issued by the Central Government or any law for the time being in force for governance of personal data.

(c) for the performance by the State or any of its instrumentalities of any function under any law for the time being in force in India or in the interest of sovereignty and integrity of India or security of the State;

(d) for fulfilling any obligation under any law for the time being in force in India on any person to disclose any information to the State or any of its instrumentalities, subject to such processing being in accordance with the provisions regarding disclosure of such information in any other law for the time being in force;

(e) for compliance with any judgment or decree or order issued under any law for the time being in force in India, or any judgment or order relating to claims of a contractual or civil nature under any law for the time being in force outside India;

(f) for responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual;

(g) for taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health;

(h) for taking measures to ensure safety of, or provide assistance or services to, any individual during any disaster, or any breakdown of public order.

These legitimate reasons (a), (d), (e), (f), (g) and (h) are all generally available to all Data Fiduciaries.

(b) and (c) are exclusive to the Government and relate to Government functions. Hence no objection can be raised on the same.


Exemptions under Section 17 apply to instances, including the above cases, where “Consent” may not be required.

Exemptions under Section 17 apply except to two sub sections of Section 8, the chapter on Rights and the transfer of data outside India.

Section 8 has 11 sub sections, out of which the following do not come under the exemption:

A Data Fiduciary shall, irrespective of any agreement to the contrary or failure of a Data Principal to carry out the duties provided under this Act, be responsible for complying with the provisions of this Act and the rules made thereunder in respect of any processing undertaken by it or on its behalf by a Data Processor.

A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach.

Rights and Duties of Data Principal

Out of the six sub sections of Section 17(1), (a) relates to a legal right or claim and is applicable to all, (b) is applicable to judicial bodies, (c) is applicable to law enforcement, (d) relates to BPOs, (e) relates to mergers etc. and (f) relates to credit recovery. None of these makes any exclusive provision in favour of the Government.

Subsection 17(2) applies to the Government and we may look at it in detail.

17(2)(b) relates to research and archiving, which mostly involves anonymised information. Section 17(2)(a) relates to “Sovereignty and integrity of India, Security of State, friendly relations with foreign states, maintenance of public order or preventing incitement to any cognizable offence”, all of which fall under the reasonable exceptions of Article 19(2). The procedural requirements for claiming this exemption are the creation of an “Instrumentality”, and it cannot be arbitrarily exercised by any official. The “Instrumentality” may be subject to judicial review.

Under 17(3) the Government may exempt Start Ups and other private data fiduciaries from certain provisions like notice, data retention and accuracy of data.

The exemption to the Government is limited to data retention and erasure.

In view of the above, the objection that the Government has been exempted is incorrect.

Composition of DPB

One more objection is that the DPB will be a Government body. This is an empty charge since any such body has to be appointed by the Government, and whether it is SEBI or TRAI or IRDAI or RBI, all appointments cannot be made by involving the CJI and the LOP. Already the SC has become an extended executive and it is unfair to expect that the LOP will now be allowed to take all decisions on appointments. We know in the case of the CBI or other appointments that the LOP never agrees with the PM, and hence such involvement of an opposition which is fundamentally interested in not allowing the Government to work is not required.

Money Bill

There is also a comment on why the Bill is considered a Money Bill. We do not know what the view of the Speaker will be in this regard, but it is clear that the Bill envisages a debit to the Consolidated Fund of India for setting up the DPB and a credit of penalties into the Consolidated Fund of India. For this purpose, and since this expenditure and revenue is not included in the annual budget, it is correct to consider this as a “Money Bill” only.

Though Mr Ashwin Vaishnaw and Rajeev Chandrashekar have both confirmed that the Bill has been introduced as a general bill, it would be appropriate to consider it as a money bill only.

If the Bill can be classified as a Money Bill and passed quickly, it should be welcomed.

Naavi

Posted in Cyber Law | Leave a comment

FDPPI and Manipal Law School Round Table on DPDPB 2023

Yesterday (3rd August 2023), Government introduced the Digital Personal Data Protection Bill 2023 (DPDPB2023) in the Parliament.

As expected, there were technical objections to the introduction from the opposition members, some of whom wanted it to be referred to a standing committee and objected to presenting it as a Finance Bill. Objections were recorded on there being no provision for compensation for the data principal and on the amendment to the Right to Information Act. The minister clarified that the bill was being presented as a general bill.

Subsequently the Speaker put the objections to the tabling of the bill to vote and the house, by voice vote, overruled the objections. The Bill was therefore tabled and will be taken up for discussion some time later in the session.

The official copy of the Bill is now available at the prsindia website. The bill has been presented at www.dpdpa.in for easy viewing on a chapter to chapter basis.

In the meantime, as we removed the redlined version of DPDPB 2022 vs the draft from the website www.dpdpa.in, others have released similar red-lined versions which capture the changes between the recent DPDPB 2022 version and the DPDPB 2023 version.

It is interesting to note that, unlike the earlier days when the IT Bill 1999 was introduced or the ITA 2008 was passed in 2008, awareness about the Data Protection Bill is very high in professional circles. The Bill has been quickly analysed and several views have been published.

One detailed critical view has been provided in this video about the changes to the RTI act.

While we understand the need for politicians to oppose any activity in the Parliament and push everything to the future, professionals should focus on the need for constructive criticism without stopping the law from being passed.

To debate the Bill in a more constructive way, FDPPI along with Manipal Law School as its academic partner is organizing a virtual round table today the 4th August 2023 on Zoom, at 7.00 pm. The discussion should approximately take about an hour.

The discussion will be live webcast on YouTube and should be available at this link.

The main issues to be discussed are:

a) Is the Bill considered as a Finance Bill obviating the need for passage by the Rajya Sabha?

b) Does the Bill cover the basic requirements of a data protection law such as Rights of data principals and Obligations of data fiduciaries?

c) Do the “Legitimate use” and “Exemptions” provide a reasonable freedom to business?

d) Is the concept of “Duty” of the Data Principal and a penalty for violation of the duty welcome?

e) Is the Grievance redressal system from Company to DPB to TDSAT to ADR and High Court effective?

f) What are the remedies to a Data Principal? Does he/she not have rights to claim compensation? If so why?

g) What is the change made to RTI act? Is it as bad as it is made out to be?

h) How is the Data Protection Board being constituted? Is it properly represented?

i) Any other point of discussion that arises.

We look forward to a useful discussion.

Naavi

Also Refer

NDTV: Penalty can be “Per Breach”…Rajeev Chandrashekar

Miscellaneous articles


44 Section version of DPDPB 2023 now surfaces

In what appears to be the latest version of the Bill to be tabled tomorrow, the draft DPDPB 2023 with 44 sections is now available.

Click here for a Copy


DPDPB 2023: Concerns of Brittas addressed?

Mr John Brittas, one of the members of the IT Standing Committee which reviewed and commented on the draft DPDPB 2022, has submitted a dissent note which has been promptly circulated by a section of the media to criticise the proposed Bill. (Refer here)

Also, Justice B N Srikrishna in his interview to The Hindu some time back had criticised the DPDPB 2022.

However, most of the concerns expressed by John Brittas and Justice B N Srikrishna seem to have been addressed in the version which may be presented in the Parliament.

We are still not clear about the official version which will be presented, but the above version with 33 sections appears to be one created after the IT Committee report and has addressed many of the issues. It still has one or two minor modifications that may be required, like the definition of harm and the handling of publicly available data. But these can be incorporated during the discussion.

Mr Srikrishna’s objection on the constitution of the Data Protection Board has been addressed by reverting to the earlier PDPB version of a Board with a Chairman and Six members though the tenure has been reduced from 5 years to 2 years.

Brittas’s objections, like the objection to the amendment to RTI, have been discussed in the past and do not hold substance. The concerns on “Deemed Consent” have been addressed through Legitimate Interest, and there are provisions for addressing deliberate violations.

The power of claiming compensation by data principals is available under ITA 2000 (Section 43) and can be invoked along with the adjudication under DPB. It would however be better if the DPB is provided the power to provide compensation also so that the issue would be settled in one hearing.

Brittas seems to support data localization, and the Government should be happy to introduce it through notifications.

Mr Brittas objects to the Right to Data Portability and the Right to be Forgotten not being included. These are not sacrosanct. A Data Principal can get the information back and re-submit it if he wants. Transfer of data from one business competitor to another under “Portability” is a matter of convenience but not critical. The Right to be Forgotten is not possible in India as it can be grossly misused.

It is recognized that a Data Protection Law will involve conflicting interests, like Startups needing exemption, and the Government has accommodated an enabling clause for such purposes, to which Mr Brittas objects.

Exemption to Government has been an eternal objection but this is an issue which cannot be resolved to the satisfaction of Privacy Activists since there is a security requirement to consider.

The dissent note of John Brittas is well constructed and needs to be taken note of when the rules and regulations are formulated by the DPB. For the time being, the Bill is good to be passed with some minor corrections.

We hope that the Parliament will allow the Bill to be passed or more appropriately the Government will pass it whether there is consensus or not.

Naavi


ISO-9: Annexe A Controls-1

We have so far discussed ISO 27001:2022 in several articles, ISO-1 to 7, and summarised ISO 27701 in article ISO-8. Let us now continue our discussions to cover the 93 controls which are part of Annexe A of ISO 27001:2022 and also ISO 27002:2019.

The Annexe contains

a) 37 Controls as “Organizational Controls” from A.5.1 to A.5.37

b) 8 controls as “People’s Controls” from A.6.1 to A.6.8

c) 14 controls as “Physical Controls” from A.7.1 to A.7.14

d) 34 controls as “Technology Controls” from A.8.1 to A.8.34

All these controls are effectively covered under the 50 Model Implementation Specifications of PDPSI, which adds a few more controls of its own to make it more precise than ISO 27001:2022 even when ISO 27701 is added as a combo.

Let us in this article try to get a bird’s eye view of the “Organizational Controls”.

The first control in this set is the need for the development of policies for information security, which have to be defined, approved, published, communicated and acknowledged by the relevant stakeholders. They also have to be reviewed periodically. The objective of the policies is to effectively mitigate the risks in different aspects of the business with a focus on the CIA principle.

As a part of the policy, or as a supplementary policy, there is a need to define the roles and responsibilities of different employees with proper segregation of duties and an enforceable mandate that the policies will be adhered to by all.

The organization shall maintain contact with regulatory authorities such as CERT-In and with relevant industry groups to stay in close touch with industry developments.

For proper risk assessment, a system for gathering threat intelligence and integrating IS into each of the projects is to be ensured.

In order to implement the policies, there has to be an inventory of information assets with proper labeling and ownership assignment. This will be associated with an acceptable use policy until the ownership of the assets is suitably transferred to another authorized person. Such transfer procedures are also to be suitably documented, along with proper labeling of information.

It is also necessary to have a proper classification of information which determines the access policies. IS related classification is normally associated with the CIA triad and limited to classifications such as “Public”, “Restricted”, “Confidential” etc. If ISO 27701 or privacy related compliance is required like PDPSI, then the classification has to take into account “Personal and Non Personal” , “Sensitive and Non Sensitive” etc. PDPSI therefore follows a more elaborate classification system than ISO 27001/27701 and extends it to “Minor and Non Minor”, “Employee and Non Employee”, “Personal Sensitive”, “Personal Critical” etc.

This classification is associated with Access Control management, covering the full life cycle of identities used for access. The access control mechanism needs to take care of proper authentication of identities. The entire access rights management system needs to be periodically reviewed.

It is also necessary to ensure that information security in supplier relationships, including cloud services, is properly kept in check through the agreements. The IS requirements need to be effectively communicated through the supply chain and monitored regularly for review and change.
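The three controls just described (asset inventory with ownership transfer, classification that drives access, and periodic review of access rights) fit together naturally in code. The example below is an added illustration written for this article; it is not code from ISO 27001, PDPSI or the author, and the labels, roles, the 90-day review period and the sample assets are all constructed assumptions. It goes slightly beyond the text by showing how the extended PDPSI-style privacy labels (personal, sensitive, minor, employee) can be layered on top of the plain CIA-style confidentiality levels so that a single access decision checks both.

```python
"""Classification-driven access control over an information-asset inventory.

Constructed illustration (not from ISO 27001, PDPSI or the article). Every asset
carries an owner, a confidentiality level and a set of privacy labels; an access
request is granted only when the identity is authenticated, its rights have been
reviewed recently, its clearance reaches the asset's level and its role is allowed
for every privacy label on the asset. Ownership transfers are logged.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from enum import IntEnum
from typing import Dict, FrozenSet, List, Tuple


class Level(IntEnum):
    """Ordered confidentiality levels: a higher clearance covers lower levels."""
    PUBLIC = 0
    RESTRICTED = 1
    CONFIDENTIAL = 2


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    level: Level
    privacy: FrozenSet[str] = frozenset()  # e.g. {"personal", "sensitive"}


@dataclass
class Identity:
    user: str
    role: str
    clearance: Level
    authenticated: bool
    rights_reviewed_on: date  # last access-rights review for this identity


# Assumed policy: which roles may handle data carrying each privacy label.
PRIVACY_ROLE_POLICY: Dict[str, set] = {
    "personal": {"dpo", "hr", "support"},
    "sensitive": {"dpo", "hr"},
    "minor": {"dpo"},
    "employee": {"dpo", "hr"},
}

REVIEW_PERIOD = timedelta(days=90)  # assumed periodic review interval


class Inventory:
    """Asset register with documented ownership transfers."""

    def __init__(self) -> None:
        self._assets: Dict[str, Asset] = {}
        self.transfer_log: List[Tuple[str, str, str, str, date]] = []

    def register(self, asset: Asset) -> None:
        if asset.name in self._assets:
            raise ValueError(f"asset {asset.name} already registered")
        self._assets[asset.name] = asset

    def get(self, name: str) -> Asset:
        return self._assets[name]

    def transfer(self, name: str, new_owner: str, approved_by: str, on: date) -> Asset:
        """Only the current owner may hand an asset over; the transfer is recorded."""
        current = self._assets[name]
        if approved_by != current.owner:
            raise PermissionError(f"{approved_by} is not the owner of {name}")
        updated = replace(current, owner=new_owner)
        self._assets[name] = updated
        self.transfer_log.append((name, current.owner, new_owner, approved_by, on))
        return updated


def decide(asset: Asset, identity: Identity, today: date) -> Tuple[bool, str]:
    """Return (granted, reason); the first failing check explains the denial."""
    if not identity.authenticated:
        return False, "identity not authenticated"
    if today - identity.rights_reviewed_on > REVIEW_PERIOD:
        return False, "access rights overdue for review"
    if identity.clearance < asset.level:
        return False, f"clearance {identity.clearance.name} below {asset.level.name}"
    for label in sorted(asset.privacy):  # sorted so the reason is deterministic
        if identity.role not in PRIVACY_ROLE_POLICY.get(label, set()):
            return False, f"role {identity.role} not permitted for {label} data"
    return True, "granted"


def overdue_reviews(identities: List[Identity], today: date) -> List[str]:
    """Users whose access rights have not been reviewed within REVIEW_PERIOD."""
    return [i.user for i in identities if today - i.rights_reviewed_on > REVIEW_PERIOD]


if __name__ == "__main__":
    inv = Inventory()
    inv.register(Asset("hr-payroll", "alice", Level.CONFIDENTIAL,
                       frozenset({"personal", "sensitive", "employee"})))
    inv.register(Asset("press-kit", "bob", Level.PUBLIC))
    today = date(2023, 8, 4)
    hr = Identity("carol", "hr", Level.CONFIDENTIAL, True, date(2023, 7, 1))
    support = Identity("dan", "support", Level.CONFIDENTIAL, True, date(2023, 7, 1))
    for who in (hr, support):
        print(who.user, decide(inv.get("hr-payroll"), who, today))
```

The order of checks matters: authentication and review currency are tested before any classification logic, so a stale or unauthenticated identity is refused even for public data, which mirrors the article's point that the identity life cycle and periodic review sit underneath the classification scheme rather than beside it.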

There shall be a proper Incident Management policy to define incidents and handle them effectively when identified, with proper assessment, reporting and learning from the incidents.

Where required, evidence management during incidents and the management of possible business disruption with a business continuity objective shall be ensured.

It is not possible to disassociate the IS requirements from the legal obligations in applicable law, and this has to be adequately addressed. This may include not only IPR related issues but also regulations related to contracts, data storage, security incident reporting etc.

Control A.5.34 specifically mentions that the organization shall identify and meet requirements regarding the preservation of Privacy and Protection of PII (Personally identifiable Information) according to applicable laws and regulations and contractual requirements. This clause extends ISO 27001:2022 to the privacy requirements without ISO 27701.

The organization shall independently review the IS controls periodically and document compliance with the adopted policies and procedures.

All these requirements covered under A.5.1 to A.5.37 are covered under PDPCSI for establishing a PDPCMS or Personal Data Compliance Management System. PDPCMS focuses on Privacy and hence limits the application of CIA principles to Personal Data only, and otherwise looks at Privacy controls similar to ISO 27701. However, the larger version of PDPCSI, which is called DPCMSI, may cover non personal data protection compliance separately, for which compliance is checked against the provisions of ITA 2000 and not the DPDPB 2023. DPCMSI combines ITA 2000 and DPDPB 2023 and hence covers ISO 27001:2022 even with an expanded coverage of Privacy.

If an auditor is aware of the intent of these frameworks and sincerely applies them to the audit, whether he uses ISO 27001:2022 with ISO 27701 or DPCMS does not matter, except for the certification and costs.

…continued

Naavi


DPDPB 2023 version to be Tabled in Parliament

The Government has now disclosed the report of the Standing Committee on IT on DPDPB 2022.

With this it appears that the bill may finally be tabled in the Parliament probably tomorrow or soon after.

The version of the Bill which was released here a few days back, however, appears to be a version cleared by the Cabinet Committee after the standing committee report. It is a 33 section version as against the 30 section version attached to the IT Standing Committee report.

We shall therefore wait for the actual bill to be tabled in the Parliament. The difference would be marginal but still relevant.

Standing Committee Version of the Bill (30 Sections)

Earlier Version of the Bill (33 Sections)

Complete Report of the IT Standing Committee

Naavi
