Be a proud sponsor of IDPS 2022

IDPS 2022 is the flagship program of FDPPI and will focus on Privacy and Data Protection in India. This is the third year of the program, and it will be conducted as a virtual conference on November 11, 12 and 13, 2022.

Details of the program will be available exclusively on www.idps2022.in

There are many sponsorship opportunities available during the conference for interested persons.

Those who are interested may look through this flyer.

For more information, contact Naavi.


Mark your career with FDPPI Privacy and Data Protection Awards

One of the features of this year's IDPS will be the awards given to different categories of persons, recognizing their contribution to the Privacy and Data Protection ecosystem in India.

(Download the flyer with all information on the awards)

Naavi


Shape of Things to Come… 18: Cross Border Restrictions on Transfer

(Continued from the previous article)

P.S: This series of articles is an attempt to place some issues before the Government of India which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect.


Restrictions on cross-border transfer of data are one of the most controversial aspects of data protection laws. Though PDPB 2019 was criticized for its "Data Localization" aspects, it must be stated that PDPB 2019 was a gross dilution of the provisions of PDPB 2018 in respect of data localization, and it even ignored the sectoral law of RBI. The media reports were motivated and were part of the conspiracy to dilute the restrictions.

For the record, under PDPB 2019 non-sensitive personal data could be freely transferred; sensitive personal data could be transferred subject to a copy being held in India and explicit consent; and critical personal data alone was in the restricted category.

On the other hand, GDPR imposes impossible conditions for the transfer of personal data outside the EU and is a draconian piece of legislation in this respect, forcing international data importers to contractually oppose the sovereign rights of their respective Governments. GDPR data transfer requirements for a non-adequate country cannot be complied with except with an effective pseudonymization/de-identification plan.

However, the vested interests have painted PDPB 2019 as if it were restrictive, and this cannot be accepted.

As long as data is considered an "Asset" and its value recognized, the Government has a duty to protect it from plundering, like what happened in the infamous CIBIL-TRANSUNION case.

Hence it is suggested that the New Data Protection Act of India revert to the PDPB 2018 version and impose the conditions that:

a) No personal or non-personal data is transferred out of India except with the consent of the data principal or data owner;

b) A copy is held in data servers located within the geographical boundaries of India; and

c) Processing of critical data shall be undertaken and retained only within India.

This does not adversely affect any ongoing data processing activity, except that there could be additional storage cost.

Though this is an unpopular position that would be opposed by tech companies and the US Government, was one reason for the withdrawal of the legislation, and continues to be the Achilles' heel for MeitY as regards data protection legislation, it is our sincere belief that India needs to put its foot down as a sovereign country and protect its interests.

P.S: These discussions are presently for debate and are a work in progress awaiting more inputs for further refinement. It is understood that the Government may already have a draft and may completely ignore all these recommendations. However, it is considered that these suggestions will assist in the development of "Jurisprudence" in the field of Data Governance in India, and hence these discussions will continue until the Government releases its own version for further debate. Other professionals who are interested in participating in this exercise, and particularly Research and Academic organizations, are invited to participate. Since this exercise is too complex to institutionalize, it is being presented at this stage as only the thoughts of Naavi. Views expressed here may be considered the personal views of Naavi and not those of FDPPI or any other organization that Naavi may be associated with.

Earlier articles in this series:

1. Introduction
2. Preamble
3. Regulators
4. Chapterization
5. Privacy Definition
6. Clarifications-Binary
7. Clarifications-Privacy
8. Definitions-Data
9. Definitions-Roles
10. Exemptions-Privacy
11. Advertising
12. Dropping of Central Regulatory Authority
13. Regulation of Monetization of Data
14. Automated means ...
15. Prevention of Data Laundering-Policybazaar data breach
16. Neuro Rights
17. Types of Consents

Shape of Things to Come... 17: Types of Consents

(Continued from the previous article)



"Consent" is an important aspect of establishing the "Lawful basis" in Data Protection Laws. PDPB 2019 suggested that "Consent" is "Mandatory" and should meet the requirements of Section 14 of the Indian Contract Act.

Section 14 of the Indian Contract Act requires consent to be “Free” which means that there should be no “Coercion”, “Undue Influence”, “Fraud”, “Misrepresentation” or “Mistake”.

The term "Informed Consent" should be interpreted as equivalent to "Free" consent, and it has to be achieved through a properly designed "Notice". The reason we say that the "Notice" has to be "Clear" and "Precise", and rendered in such a manner that the data subject "Understands" it, is that it has to stand the test of "Free Consent".

For the "Consent" to be legally admissible, it has to meet the requirements of the law that applies to "Authentication" of electronic documents. In India, the law applicable to authentication of electronic documents is Sections 3 and 3A of ITA 2000 and Section 65B of the Indian Evidence Act.

While Sections 3 and 3A speak of digital and electronic signatures that can be used by the Data Subject/Principal to authenticate the electronic notice, Section 65B renders a document admissible in a Court of Law if it is properly certified, and hence serves the purpose of authentication through third-party witnessing.

Where it is not feasible to obtain the electronic or digital signature of the executant, the document can only be a "Deemed Consent". "Deemed Consent" is supported by some electronic evidence, which will be admissible provided it is Section 65B (IEA) certified.

Hence a valid consent in electronic form under Indian law requires either an online electronic signature in the form of e-sign, or the collection of metadata about the transaction that can be Section 65B certified by an independent witness. The Supreme Court, in its enthusiasm to uphold Privacy, has stated that Aadhaar cannot be used for authentication by the private sector, though there is a system of "Pseudonymised Aadhaar" (Virtual Aadhaar) that could be used for authentication without adversely affecting the privacy of individuals. Unfortunately, despite the authorization to use the "Virtual Aadhaar ID" for KYC purposes in the Aadhaar Amendment Act, its use has not been universal.

Alternatively, authentication can be obtained through collection of the metadata of the consent transaction and archiving it with Section 65B certification as may be necessary.

At present, "Online Consents" are obtained as "Click Wrap Contracts", where the data subject clicks on a button to "Agree" to a document which is more a "Standard form of contract". This form of contract does not have validity in India as a "Documentary Contract", and the industry is being misled into considering that such online acceptance is legally valid.

At the same time, the industry has not been using "Section 65B certified Archiving" to supplement its documentation of consent, which is the responsibility of the Data Fiduciary/Controller.

In this context, it is necessary for the New Data Protection Act of India to provide appropriate clarity on whether online click wrap contracts are acceptable and if so under what conditions.

Additionally, “Consent” even if authenticated can only apply to the information that the data subject provides during the collection process.

"Consent" for some information which a person is not aware of fails the test of "Meeting of Minds", which is essential for a valid contract, since what the data subject thinks he is agreeing to and what the data controller thinks he is getting consent for may be different. A Data Analytics company may be using the collected personal data and may be able to create useful "Profiles", which are "Discovered Uses" of supplied data. While we may prescribe that consent should be obtained after discovery and before the first use of the discovered personal data, the "Discovery Process" itself may be construed as "Processing for a purpose not authorized in the initial consent".

Hence we need to recognize that "Consent" for personal data of which the data subject is aware and which he provides for a stated purpose (Shared Data Consent) is different from "Consent for Discovery of Personal Data". This situation is analogous to the sale/lease of land with a consent for mining and discovery of minerals of which neither party is aware at the time of the sale/lease.

We therefore suggest that "Discovery Consent" has to be defined in the new law.

We have already discussed the need of “Witnessed Consent” while discussing the coverage of “Neuro Rights” and this will be another form of consent to be defined in the law.

We have also discussed the need to consider different kinds of profiles such as “Health Profile”, “Financial Profile” or “Advertising Profile” as “Sensitive personal data” and correspondingly the need to get “Explicit/Special consent” in such cases.

We have also discussed “Monetization” as a concept in law for which also a special “Monetization Consent” can be defined.

Hence we suggest that the NDPAI (New Data Protection Act of India) can define the following different types of consent, as explanations under Section 11 of PDPB 2019 or elsewhere in the definitions section.

Additionally, in view of the concept of "Consent Managers" as envisaged in PDPB 2019, there will be a need to define "Consent for giving Consent", or "Authorizing another person to provide consent on behalf of the data principal". This will also be relevant when the data principal is in a state where his contractual capacity is suspended, as in the case of minors, insolvent persons, mentally incapacitated persons, persons in an inebriated condition, or even those who are physically challenged.

  1. Authorization Consent (Consent to appoint an agent for disclosure of personal data which may apply to Consent Managers and Heads of families)
  2. Shared Data Consent (Similar to current practice of Free/Informed Consent applicable for data about the data subject collected directly or through an authorized third party)
  3. Profiling Consent (New thought)
  4. Monetization Consent (New thought)
  5. Witnessed Consent (New thought)
  6. Discovery Consent (New thought)

An attempt is made in the following paragraphs to define these types of consent. It may be refined suitably through further discussions.

Authorization Consent

Authorization Consent means consent provided by a data principal to an authorized agent to disclose, share, and consent to further processing of the personal data of the data principal.

Shared Data Consent

Shared Data Consent means consent provided by a data principal or his authorized agent to a Data Manager for personal data of which the data provider is aware, for a legitimate purpose of processing and for disclosed uses of the data that he has been made aware of by the Data Manager and has agreed to.

Profiling Consent

Profiling Consent means consent provided by the data principal or his authorized agent to the Data Manager for use of the data about the data principal, whether collected directly or otherwise, for profiling of the data principal, together with the conditions, if any, on the use, disposal and portability of such profiles.

Monetization Consent

Monetization Consent means consent provided by the data principal or his authorized agent to the Data Manager for use of personal data, or of a profile created out of the personal data of the data principal, for generating revenue, with or without consideration being paid to the data principal.

Witnessed Consent

Witnessed Consent means consent provided by a data principal which is witnessed by independent third parties who do not have a conflicting interest in the processing of the personal data, under circumstances in which the data principal may not reasonably be expected to provide a free consent; it includes sharing of neuro data or sharing of personal data when the data principal is not in a medical condition to provide informed consent.

Discovery Consent

Discovery Consent means consent provided by the data principal or his authorized agent for a purpose of processing which is speculative in nature and could discover personally identifiable data or new uses not otherwise envisaged in the consent.



PS: I have received a comment from a reader stating that the consent is individualistic and hence cannot be transferred.
My response is here.

Consent in PDPB was envisaged as a contract. PDPB also envisaged a role of a Consent Manager who could provide consent and exercise rights on behalf of a data principal.

Whether we call it an assignment or a contract, Consent transfers certain rights from the data subject to the data controller.

There does not seem to be any prohibition that the Right to give a consent cannot be delegated.

GDPR also accepts consent directly or indirectly in the form of a contract.

I understand why there could be a doubt.

We say the right of privacy is a right of choice. If so, the doubt is whether somebody else can exercise a choice for me.

Remember, it happens now in medical instances when relatives exercise rights for a patient who may be unconscious or for a person who is insane.

Hence the possibility that X can exercise the choice for Y is not unheard of.

This is compatible with the fact that what we protect in GDPR or PDPB is not “Privacy” per-se but “Information Privacy”.

Information privacy consists of a set of personal data that is disclosed by the data subject to the data controller under a contractual document and the receiver acting as per the contract.

Hence, either with a power of attorney or a similar deemed contract, the consent-giving right can be transferred. This is my view.

There are other issues, such as that ITA 2000 does not permit a power of attorney document in electronic form, and that the data fiduciary has to act beyond the contractual obligations because of the trusteeship obligations.

I am therefore suggesting the use of the term "data manager" instead of either "data fiduciary" or "data controller". Also, the Data Protection Act may itself be considered as providing legal recognition for the transfer of rights of consent through an agent.

A similar problem existed with the nomination aspect included in PDPB 2019.

Further, even the click wrap contract can be recognized under the Data Protection Act itself to override the current ITA 2000, or added as an exception in the new Digital India Act which may replace ITA 2000.


Shape of Things to Come... 16: Should Neuro Rights be recognized in India?

(Continued from the previous article)



Naavi has been discussing some aspects of Neuro Rights which are also presented through the website www.neurorights.in.

Neuro Rights are an extension of "Privacy Rights" as defined by the current generation of Privacy Activists. The Puttaswamy judgement referred to "Information Privacy" as an extension of the "Right of Privacy" to the information world. This translated into PDPB 2018/2019 etc. The core definition of the "Right to Privacy" is, however, the "Right to be left alone"; it is a mental state of an individual which is dynamic and inconsistent, but nevertheless is a Right. It can only be exercised by the individual by stating what his "Choice" is for the collection and processing of his personally identifiable data.

Neuro technology, however, could change the "Free Will" or the "Choice of an individual" because it establishes direct contact with the electromagnetic emissions that emanate from the human brain as a result of the electrochemical changes induced in the neurons.

This therefore needs to be recognized as a threat to the Right to Privacy, by interfering with the exercise of the "Right to Choice" of an individual.

In the proposals so far discussed under this series, we have suggested inclusion of a definition of “Neuro Privacy” and “Neuro Data”. The suggested definitions are as follows.

  • "Neuro Privacy" means the choice of an individual to determine to what extent the individual may share his neuro space with others.
  • "Neuro Data" means the electromagnetic signals that are collected from or fed into the human brain by a Brain Computer Interface in binary form.

The principles of "Informed Consent" apply to Neuro Privacy also. However, Neuro Data could be considered "Super Sensitive Data", and consent may be made effective only on the confirmation of independent witnesses, like what a brain surgeon would do before undertaking brain surgery.

Consent for "Anaesthesia" (particularly total anaesthesia, as distinct from local anaesthesia), which interferes with nerve functions and is used in all major surgeries, should be considered an issue of neuro privacy and subjected to this form of special third-party witnessed consent.

This requires a modification of the definition of "Consent" to include three types of consent, namely:

"General Consent": For multiple usage scenarios, including deemed consent.

“Explicit Consent”: For specific usage and identifiable consent linked to the purpose.

“Witnessed Consent”: For special usage scenarios with a third party confirmation of consent.

All three forms of consent should be legally enforceable.

GDPR defines consent under article 4(11) as follows:

‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

The current definition of “Consent” under Section 11 (2) of PDPB 2019 is

The consent of the data principal shall not be valid, unless such consent is—

(a) free, having regard to whether it complies with the standard specified under section 14 of the Indian Contract Act, 1872 (9 of 1872);
(b) informed, having regard to whether the data principal has been provided with the information required under section 7;
(c) specific, having regard to whether the data principal can determine the scope of consent in respect of the purpose of processing;
(d) clear, having regard to whether it is indicated through an affirmative action that is meaningful in a given context; and
(e) capable of being withdrawn, having regard to whether the ease of such withdrawal is comparable to the ease with which consent may be given.

Explicit Consent is defined under PDPB 2019 as:

the consent of the data principal in respect of processing of any sensitive personal data shall be explicitly obtained

(a) after informing him the purpose of, or operation in, processing which is likely to cause significant harm to the data principal;
(b) in clear terms without recourse to inference to be drawn either from conduct or context; and
(c) after giving him the choice of separately consenting to the purposes of operations in the use of different categories of sensitive personal data relevant to processing.

Now it is necessary to add an additional sub-clause to define "Witnessed Consent", which could be on the following lines:

Consent shall be obtained in the presence of two independent witnesses who are considered responsible to the interests of the individual, where the purpose of consent includes a situation in which the withdrawal of consent is disabled by the nature of the processing.

IDPS 2022 is set to discuss this aspect. Be there to participate and contribute.

Naavi




IDPS 2022 will suggest what the New Data Protection Bill in India should be.

Laws are often created by law makers without adequate consultation with the industry. Professionals also have the habit of not interacting with the Government before the law is made, but criticising the law once it is made.

Naavi and FDPPI would like to be an exception to both of these.

We would provide suggestions before the law is made and try to support compliance once the law is made.

At present we have adopted the provisions of Section 43A and the Intermediary Guidelines as part of the personal data protection compliance requirements. The DPCSI (Data Protection Compliance Standard of India) therefore adopts ITA 2008 compliance as the current compliance standard of India, with PDPB 2019 as the "Due Diligence guideline (though withdrawn)".

Now that the Government is considering a new Bill, the time is ripe for placing suggestions for the Government to consider and incorporate in the Bill. Once the Government brings in a Bill, and until it is passed, we will focus on suggestions for modifications; once it is passed as an Act, we will start advocating compliance as per the Act.

The annual flagship event of FDPPI, namely the Indian Data Protection Summit 2022 (IDPS 2022), is the platform, with the theme "Shape of Things to Come", where we shall discuss the law as professionals would like it to be and document the suggestions at the end of the conference.

Mark the dates November 11th, 12th and 13th for this event, and participate both to enhance your knowledge and to contribute to the suggestions.

Naavi
