Naavi.org

(This is a continuation of the previous article)

As per the ITA 2000, every website of an Indian Company must have information about a compliance officer and a grievance redressal officer. If the Company is collecting personal information, they also need o appoint a Data Protection Officer.

CERT In is responsible for monitoring this compliance.

I would like to bring to the notice of CERT In that L G Electronics which owns the Smart TV service in India has suddenly caused Denial of Service by demanding a mandatory acceptance of terms of service which have no relation to the purpose for which the TV service is offered. Also the Company as a hardware manufacturer does not justify the need for acceptance of certain terms such as Advertising over content that belongs to OTT players.

The Company at present does not provide copies of policies in easily comprehensible language and is therefore in violation of normal principles of Personal Data Collection.

I request the Director CERT In to conduct a suitable enquiry and prevent this strange practice of a hardware manufacturer forcing the users to accept terms which were not part of the sale agreement.

I also request appropriate persons in the Company to clarify on the matter through e-mail.

Since the contact information of relevant persons are not available on the website, I am forced to send this notice through this channel.

Naavi

From Today, L G Electronics has introduced a new provision for access to the Smart TV feature requiring acceptance of 5 different agreements including the Terms of Service, Privacy Policy, Viewing Information Agreement, Voice Information and Interest based advertisement agreement.

Without accepting the agreement the part of the service related to access to apps are not available. hence it is causing denial of access to part of the service and this agreement is being imposed now though the TV was sold without this agreement.

Further the agreements are only available in Hindi and English after scrolling down. It is not convenient to read and accept the agreement as presented. Also there is no option to seek the information in  other languages as provided in the latest draft bill on Digital Personal Data Protection Bill 2022.

I am flagging this issue here so that at the appropriate time this can be addressed by the Data Protection Board.

A request has been sent to serviceindia@lge.com  to send me copies of  the agreement so that it can be studied further and whether the provision of advertisements in the content can be imposed by the hardware supplier.

This appears to be some thing like Microsoft displaying its advertisements when  you are using a Windows Computer. Some of the provisions included in the policies are not necessary for the provision of the services and are extraneous. There is also no option to opt out.

This needs further study by Privacy experts and the Ministry of Information and Broadcasting and Ministry of Information Technology.

Naavi

Reference

Washington post article

Digital Personal Data Protection Bill 2022 (DPDPB 2022) provides the following rights to the data principals namely

1.Right to Access

2.Right to Correction and erasure

3.Right to Grievance Redressal

4.Right to Nominate

There is no specific mention about the “Right to Compensation” as was available under section 62 of the earlier Bill.

Does this mean that the Data principal has no right to seek compensation?

It is possible that at the next stage Government may add “Right to Seek Compensation” as another right associated with the “Grievance Redressal” since the  harm as defined under the Act do recognize the financial gain or loss.

It is also possible to achieve a similar effect by adding a definition of “Grievance”  as any perceived harm caused to the data principal in the course of the processing of the personal data of the individual.

Since “Causation of significant loss” loss is one of the harms recognized despite the use of the word “Significant” causing its own problems, the data principle aggrieved by the breach of DPDP provisions can raise a grievance for being compensated.

However one may also take a view that the  passage of DPDPB 2022 into an act only takes down Section 43A of ITA 2000. However, the provisions of Section 43 of ITA 2000 still remains. Under Section 43, compensation can be claimed for any contravention of ITA 2000 and harm caused in a Data Breach situation can also be considered as a contravention of ITA 2000 under one of the provisions of Section 43. With this there may be a possibility of invoking ITA 2000 for compensation of the data principal as an additional remedy.

Naavi

Naavi had introduced the framework of PDPSI as Personal Data Protection Standard of India to provide a framework of compliance for compliance of PDPB 2019, the earlier draft Bill for data protection in India.

However, when JPC 2 modified the draft Bill of PDPB 2019 as DPA 2021, the Bill was renamed as “Data Protection Bill” and some aspects of regulation of nonpersonal data was brought into the Bill with the possibility of the regulator under the Act having overlapping powers with the Director CERT-In who was responsible under ITA 2000 to regulate non personal data security.

We were therefore forced to rename the PDPSI framework as DPCSI frame work meaning Data Protection Compliance Standard of India. Now that the Government has decided to keep Personal Data Protection only to this act and leave non personal data protection to ITA 2000, it is time to revert to PDPSI as the name of the framework.

The 12 standard, 50 implementation specification format will remain and the DTS calculation based on the 50 Model Implementation specifications will also remain in tact though the new Act is silent on DTS for the time being.

Naavi

One of the first things Companies look for in the Data Protection Bill is what is the cost of non compliance. It appears that the Government has been a little generous to the industry in this respect.

The first observation that we can make is that there is no “Criminal Punishment” specified in this Act. Earlier there was one section on “De-Anonymization” of anonymized information which had a criminal penalty. But any criminal penalty for contravention of DPDPA is well covered under ITA 2000 and hence there was no need to indicate the criminal punishment in this Act.

The purpose of this Act was to replace Section 43A and define “Reasonable Security Practices” more elaborately for the purpose of improving the compliance to nudge the industry to take pro-active measures to protect Personal Data. Even Protection of Non Personal Data under this Act was redundant as it stepped on the ITA 2000 provisions.

Hence it was a good move to restrict the penalties to the Civil liabilities and tag it only to contraventions of this Act  related to personal data.

The schedule of penalties are as given below:

It may be observed that the schedule avoids the “Percentage of Turnover” method which when applied would have been one additional ground for dispute.

Also penalty has been separately prescribed for not following the Reasonable Security Practice which causes a data breach from not notifying the data breach to the regulator and affected data principals or additional obligations of a Significant data fiduciary such as not appointing a DPO, Not Appointing a Data Auditor, Not conducting Data Protection Impact assessment.

The non compliance not leading to a data breach may be fined upto Rs 250 crores while a data breach may add another Rs 200 crores to the fine taking it to Rs 450 crores (maximum). In case of Significant Data Fiduciaries failing to implement additional measures, an additional Rs 150 crores may be imposed as penalty.

All Data Fiduciaries or Data Processors not fulfilling the additional obligations regarding minors may also face an additional Rs 200 crores as penalty.

Thus the maximum cumulative penalty per instance of an investigation of a data breach/non compliance  could have  added upto Rs 800 crores.  But section 25 puts a cap of Rs 500 crores.

The penalty for Data Fiduciary and Data Processor for non compliance are both similar and there is no concession to the Data Processor.

In comparison, if we look at the top 5 GDPR fines upto date they range from a maximum of Rs 6375 crores down to Rs 233 crores.  By capping the penalty at Rs 500 crores, the Government has been extremely fair and considerate and perhaps generous to the Tech industry.

The Data Protection Board will however have the discretion to apply other yardsticks to reduce the penalty. It is expected that initially the penalties may be lower and may be increased gradually as the compliance becomes more mature.

In extreme cases, the Data Protection Board may  apply the Maximum penalty limit of Rs 500 crores “per instance” by recognizing multiple instances of failure which may be in time or type of failures etc.

One way by which “Instances” can be segregated  and considered as “Multiple instances” could be when there was an opportunity for the organization to correct a breach incident and by lethargy or otherwise the organization procrastinated and a repetitive breach occurred. The immediate remedial action can assist the organization in containing the breach to a single instance.

It is time for CFOs to make provision of upto Rs 500 crores or cover it by Cyber Insurance so that at least the next breach risk is covered.

Naavi

Refer:

Views of the IT Minister

The drafting of  DPDA 2022 signifies an approach completely different from the drafting principles adopted earlier. It appears that an entirely different team worked on the Bill. It is not clear if the Ministry of Law would be comfortable with this draft since it appears to be “Over simplified” for the purpose of getting it through the Parliament. In the process a far too much has been set aside to be attended through the subordinated legislation of “Rules”.

All controversial aspects regarding the “Protection of the Right to Privacy by Law”, “Constitution of the Data Protection Board”, “Contours of Cross Border Data Transfer” or “Powers of the Government” have all been brushed under the carpet. But each on of them has to ultimately surface in the form of rules and I would not be surprised if each is contested repeatedly in the Supreme Court.

It is like a boxing match when a player ducks and sways to bide for his time and probably exhaust the opponent and strike back in later rounds. The approach appears to be, let us get the Bill passed for now and worry about the details later. But if the Boxing match has to go to 15 rounds, the ducking and swaying cannot be a winning strategy but only the punches that land on the opponent could be relevant.

In this draft of the Bill it appears that the Government thinks that it can get through  a proper legislation through the rules and it would be flexible. Partially this is true but it makes the task of DPB too onerous because it has to take the responsibility for subordinate legislation and push it through the Supreme Court.

There is a possibility that this could lead to a Judicial person being the head of DPB which  will seriously erode the functioning of the  Board. If a Judge is heading the Data Protection Board it may be judicially strong but operationally rigid.

Puritan Legal practitioners would definitely be unhappy with this over simplified version of the law. They would however be happy with the Judicial person heading the DPB. But this may be counter productive in the long run and lead to stagnation, procrastination, inefficiency and ultimately corruption.

The approach is consistent with the lack of conviction and inability to take the bull by its horn but is disappointing from the overall perspective.

We shall reserve our detailed comments for direct submission to the MeitY, but the red flags need to be raised to warn the Government that  this may not be a successful strategy but one that will haunt the Government in future with repeated legal challenges in the High Courts and Supreme Court.

Naavi

Previous Article:

DPDPB 2022-Simple,…Need to know basis…less scope for objections