Be the King of Data Protection Law


When the earlier draft of the Data Protection Law in India was proposed by the Indian Government in the form of DPA 2021, it combined certain aspects of Non Personal Data Protection into DPA 2021, making it a combo act. Hence the reporting of data breach to CERT-In was within the provisions of the Personal Data Protection law. Now in DPDPB 2022, the separation between compliance related to non personal data and personal data has been maintained under two laws, namely the Information Technology Act 2000 and DPDPB 2022.

However, in the current ITA 2000 only Section 43A is being deleted, and the other sections which may be applied to Personal Data collection, storage and management remain. When the Government comes up with the Digital India Act, the overlapping provisions may be rationalized. But the nature of data is such that the lifecycle of personal data and non personal data may merge. Just as new identification parameters of an individual flowing into an organization may convert the hitherto non personal data to personal data, the anonymization process may convert the non personal data to personal data. Hence the two laws are not capable of being completely separated.

Recognizing this, the undersigned has been promoting courses on both Non Personal Data Protection and Personal Data Protection though they are referred to as Course on Cyber Law and Course on Data Protection separately.

As a coincidence, Naavi is now launching a new course on each of these programs simultaneously. On June 17, the course on Data Protection will be commencing as an online course. The Cyber Law Course in an updated form has also been just launched with nearly 15 hours of recorded content. In June the Government has planned to provide an updated version of Digital India Act to replace Information Technology Act and hence the current Cyber Law course will be continued with a course on DIA as available by the end of June.

It is expected that knowledge of both the programs would be a powerful combination which has not been offered as a combo by any organization. Hence this will be unique and will make the participant a “King of Data Protection Law” at least from the awareness aspect.

For both programs certain early bird discounts have been announced and they end today.

The time to act is therefore now. Last day of Early Bird Discount…

Naavi has always believed in providing value for the community and hence whenever such programs are conducted, some form of concession is provided for the participants. Often this is presented as “Early Bird Discount” or “Membership benefits”.

Now the FDPPI-DNV program which costs Rs 40000/- with examination fee will be available at Rs 35000/- till end of today. The Cyber Law program which costs Rs 8000/- with examination fee will be available at Rs 6000/- till end of today. (All prices are inclusive of GST)

Since the target audience for both are different, the two programs are offered as separate programs.

At the special request of a few who suggested that the Cyber Law course is also relevant for DPOs, for today only a third offer is being made whereby those who take both the programs till the end of the day will get a cash back voucher of Rs 1000/- and a set of free e-books on Cyber Law worth Rs 900/-.

Such students will pay Rs 41000/- and will receive a PayTm voucher of Rs 1000/- as cash back incentive along with the set of E Books and eligibility to sit for both exams, as well as the ability to be registered in the coveted hall of fame register, the “Indian National Register of Data Protection Professionals”.

This offer is applicable only till the end of today.

The links for registration are available below with more information:

Link for Data Protection Course:

Link for Cyber Law Course:

If you believe that Knowledge is Power, this is the time to act.

All the professionals will also get an entry eligibility to the Indian National Register of Data Protection Professionals.

The future of Data Protection would include both personal and non personal data protection and hence completing both courses would be making the professional the “King of Data Protection Knowledge”.

One wise man said...

“Opportunities fly past all of us.. but it is only the wise persons who are alert to recognize and catch..They succeed and the rest are left behind”

Let us remember and be the wise and successful person…

Naavi

Posted in Cyber Law | Leave a comment

Need for Secure Communication Software

Recently a senior Privacy Pro from Bangalore posted this message in a professional group…

“Is Byjus reading our WhatsApp messages?

I enquired about tuitions to my 7th standard son in a WhatsApp group and within 5 mins I got a call from Byjus!!!”

I also observed that after I listened to my own video on YouTube on Section 65B, immediately thereafter the next video suggestion by YouTube was a video on Advaita by a Swami Tatvananda of Ramakrishna Mission … perhaps because the video had alluded to “Body” and “Soul” and likening the data in a hard disk to soul in a body.

Both the above incidents indicate that the content in WhatsApp or the YouTube video used by the user was observed by WhatsApp and Google respectively and used for further promotion. My video was also played on a mobile and hence it could be Google reading the content through Android.

If private conversation in a WhatsApp group becomes known to Byjus, a commercial entity, then it is clear that there is no privacy in the use of WhatsApp which claims to use “End to End Encryption”. It is clear that WhatsApp reads every message and an AI algorithm flags any marketing opportunity and reports it to the back end system which perhaps provides a subscription based advertising service either through Google Ads or Facebook Ads and informs the ad information subscribers to push their marketing efforts.

We can therefore conclude that use of “WhatsApp Messaging” for business transactions is a risk to the business information. If a company is using WhatsApp for communicating with its sales force and a sales person reports, “I just met a prospective client who is interested in our product. We can pursue this lead….”, the next moment a competitor may be at the doors of your prospective client to deliver a similar product and steal your lead.

Similarly in a hospital communication, if one doctor is sharing some diagnostic discussion with another doctor on a patient’s condition, it is possible that an insurance company may be lifting the information to alter the insurance terms or deny a claim.

While Privacy activists may try to tackle this data breach in a different way, one technology company in Bangalore has been working on a secure messaging system for organizations where data is secured through encryption “From creation to Consumption” instead of only from “device exit to device entrance”.

In a discussion with Mr Vinaykrishna, the owner of this Dubai based company with a development center in Bangalore, he indicated that this product is specially meant to replace the use of WhatsApp for business applications where sensitive personal data is transmitted. He indicated that no data is safe with WhatsApp type of messaging services where the data is permitted to be used for commercial purpose and that “End to End Encryption” is only a myth. His contention is that his solution permits the server to be in house and the encryption control to be entirely within the admin of the enterprise.

It would be interesting to explore such solutions which appear to come from niche companies but take on established global brands like Meta.

A full video interview of Mr Vinay Krishna would be made available shortly on this website.

Naavi


Jurisprudence on Section 65B by Naavi..CySi event in Chennai

On 20th May 2023, Naavi addressed a group of professionals at the Anna Centenary Library auditorium in Chennai and explained Section 65B of the Indian Evidence Act, which is troubling a lot of people. This 23 year old provision is now gaining traction because judges in trial courts are now asking lawyers producing electronic evidence to produce a Section 65B Certificate for every electronic evidence presented. Some of the lawyers are so frustrated that they want this section to be removed.

It is therefore essential for the community to listen to the views presented here which represent “Jurisprudence”. Some people believe that “Jurisprudence” is what a Judgement presents and hence has to come from the Courts only. But I believe that “Jurisprudence” can come from “Experts” and in the case of technology related issues, it is more appropriate if interpretations come from techno legal experts. Courts will add these views in their judgements when the counsels include it in their arguments and the Judge takes them into consideration.

Naavi has been speaking about Section 65B since 17th October 2000 when ITA 2000 became a law. Naavi produced the first evidence with a Section 65B certificate in the Suhas Katti case in 2004. Ever since that date Courts have been struggling to come to terms with the section and it was in 2014 with the P V Anvar Vs P K Basheer case that the Supreme Court finally presented an acceptable view on the use of the section. Whoever explained the section to the Bench at that time must be congratulated for their work and the Judges complimented for bringing out the correct perspective.

However the community of advocates and judiciary continue to question Section 65B particularly the mandatory nature of the section and in this context, the following speech of Naavi given at the Cysi seminar tries to provide clarification.

Any questions based on this may be sent to Naavi and I would be glad to explain it further.

Naavi’s presentation on Section 65B at Chennai on 20th May 2023

Naavi


Course on the emerging Digital India Act

Honourable Minister of State for IT, Sri Rajeev Chandrashekar has announced that the first draft of Digital India Act would be available for public debate by June 7.

Already, the Minister has conducted several public consultations on the general framework to be adopted by DIA. Naavi.org has also discussed the contours of the emerging Act in the following articles:

  1. The New Digital India Act in the making-1 : Cyber Crimes under IPC?
  2. New Digital India Act in the making-2: Integrity of ChatGPT like models
  3. New Digital India Act-3 : Should the negative list be continued?
  4. Digital India Act-4 :Is there only one type of Intermediary in ITA 2000?
  5. Digital India Act-5: Adjudication
  6. Digital India Act-6: Fighting the Information Warfare
  7. Digital India Act-7: Data Monetization
  8. Digital India Act 8: Regulatory Oversight on PlayStore/AppleStore
  9. Digital India Act-9 : Digital Media Disclaimer

As we all are aware, the Digital India Act (DIA) is meant to replace the current comprehensive law, namely the “Information Technology Act 2000”, which was amended substantially in 2008. The new DPDPB 2022 is an offshoot of Section 43A introduced in the 2008 amendment. There have been several CERT-In guidelines and Intermediary guidelines that have also been released from time to time. A reasonable number of Cyber Crime cases have been investigated by the Police and several court decisions have also developed Cyber Crime jurisprudence.

If the new law in the form of DIA is introduced, there will be a substantial disruption to the understanding of Cyber Laws in India. We the professionals need to unlearn and re-learn several concepts.

In order to prepare the Cyber Law Professionals for the upcoming law, Cyber Law College of Naavi is starting a new Course on “Certificate in Cyber Laws”. This course will have two parts. The first part will cover the current laws. The second part will cover the proposed DIA in whatever form will be available in the month of June. If the Government provides a copy of a draft Bill, the Course will cover a discussion of the Bill section by section so that professionals will be able to participate in further discussions and understand the emergence of the law with a close observation of the debates that would take place later.

If the new Bill is not introduced, we will discuss the draft as it is present now and covered over the several articles indicated earlier.

The motto of Naavi/Cyber Law College is to enable Cyber Law Professionals to be Ready before others so that you can keep up the Knowledge leadership.

The full details of the Course for Part I are available below:

Part I of the program consists of 14 hours of online sessions available at present. This will be supplemented with the Bridging Session the duration of which will be decided based on the requirement.

The recorded programs can be completed in about 1 month. Once the new Bill is available, the schedule of live sessions for DIA would be announced. Since Naavi has also scheduled a course on “Certified Data Protection Professional” starting from June 17 as a week-end program, the DIA course will be scheduled during the week days at about one hour per day for which a schedule would be announced later. If the Government does not present the draft Bill, the Bridging session may be a short session.

Registration for this course is now open. The fee is a moderate Rs 6000/- (inclusive of GST). Participants can complete the course and obtain a participation certificate. They will also be provided an option to take an online proctored examination and if successful they would be provided with a Certificate as “Certified Cyber Law Professional (DIA)”.

Since this program is now under the umbrella of FDPPI certification, details are also available here. Kindly register only in one place.

Register here

Naavi


Need for “Compliance Surcharge” to be factored into Data Processing Contracts

The fine of $1.2 billion imposed on Meta, holding the Standard Contractual Clause agreement unacceptable, with the US-EU agreement in the form of Privacy Shield rejected by the EUCJ, and insisting that the US legal system has to be changed, is an attempt to use GDPR fines as an extortion tool against companies to teach a lesson to the US authorities.

Recently during the Ukraine war, the US confiscated the properties of Russian businessmen under its “Sanction” mechanism though the dispute was not between US and Russian citizens. The US thought that hitting the citizens of a country through economic sanctions is a way of “Proxy war”.

Now the EU is paying back the US in the same coin. It is extorting money from Meta, Amazon and Google periodically under GDPR fines. In some cases the supervisory authorities say that the legal basis of “Contract” is not acceptable even though GDPR says it is. In another case SCC is not acceptable though EDPB says it is. It has become difficult for businesses to develop a compliance plan with certainty. (Though the undersigned has suggested some means of overcoming these issues to a reasonable extent)

The Meta decision is also a reflection of the cartel of EU supervisory authorities forcing Irish authorities to keep the fine at the higher level to show their power. DPC left to itself might have imposed a lesser fine.

US companies like Meta need to decide if this GDPR fine should be accepted and gulped down as the EU tax to live with or to fight back on the unreasonable nature of the order.

Recently, EU imposed certain Export restrictions on India to punish India for its Russian policy. India hit back with counter sanctions by increasing the import duties on EU imports. Similarly, Meta, Google, Amazon and the other international non-EU entities should start charging a “GDPR surcharge” on their services and generate additional revenue to meet the future fines. This will be a sort of “Insurance” against “GDPR administrative fines”.

Pricing of all products and services to EU should be peppered to add “GDPR Risk Factor”. This could be around 10% of the revenue so that some funds are built up for administrative fines.

Indian companies also should start collecting such “Compliance Surcharge” for their services particularly to EU customers. In future “Compliance Surcharge” should be considered part of the pricing strategy for any data related business and the CFOs and DPOs need to work out what should be the surcharge for different data elements based on the country of origin.

Perhaps it is time for PDPCSI (Personal Data Protection Compliance Standard of India) to add this requirement in its Model Implementation Specifications.

It is suggested that Compliance surcharge rates have to be developed for different country’s data and the collection funded into a special reserve as if it is a “Self Insurance Fund”.

Comments are welcome.

Naavi


It is EU at war with US. Meta is collateral damage

The decision of DPC in the Meta issue imposing a fine of $1.2 billion is a reflection of a war between EU and US. EU wants US to change its laws to give up the rights of its law enforcement authorities to access the personal data transferred from EU to US for processing.

Without this immunity against the rights of the law enforcement agencies, the other instruments such as “Contract with the data subject” or “Standard Contractual Clauses” will not be considered “Adequate”.

It is not for Meta to change the US laws and hence options before it are clear.

  1. Transfer all processing of data into EU so that there is no cross border transfer. This would be a forced data localization.
  2. Persuade US Government to follow the Indian approach of allowing setting up of “Data Colonies” in US where there is immunity from US law enforcement’s powers.
  3. Don’t transfer the personal data from the data subject to its facilities in US but “Buy and own the data from the data subject” (Provided this is not challenged legally) before it is transferred as its own “Asset”.
  4. Stop activities in EU region completely and black out EU…also persuade other tech companies to black out EU in a “Global Sanction against colonization attempt of EU”

All Indian Companies also have to ensure that they do not take a “Data Controller Stance” in any activity in EU and if so, localize the processing in EU. If data is brought into India our laws will prevail.

For a brief period, there was a suggestion of providing “Diplomatic Type Immunity” to special data processing zones and if it is introduced, such zones will be “Data Colonies” of the EU data controllers.

It appears that Vasco Da Gama is back in India … with permission from the local kings … like what happened centuries ago in Calicut. Read this article to find out how the Portuguese started their occupation by defeating King Zamorin who was responsible for giving them the entry to India.

Naavi

Also see: Meta Fined $1.3 billion by the Ireland GDPR authority
