Public Comments on Data Anonymisation Guidelines

The Government of India reportedly released draft guidelines on Data Anonymisation for public comments before September 21. Public comments may be sent by email to Shubhanshu Gupta, Principal Technical Officer at CDAC: shubhanshug[at]cdac[dot]in, with a copy to the following email address when making your submission: headits[at]stqc[dot]gov[dot]in.

A PDF of the guideline can be accessed here.

This guideline will be part of the compliance requirements for Personal Data Protection since “Anonymisation” is a means of de-linking privacy risks from the personal data.

This has to be read as part of the “Reasonable Security Practices” under Section 43A of ITA 2000.

Though not mandatory, they shall be considered as part of “Due Diligence” and the DPCSI (Data Protection Compliance Standard of India) will take note of this.

We therefore feel that it is important for the public to send their comments.

According to the Medianama article, the draft guidelines have been taken out of the MeitY website since September 6th. We do not know the reasons for the taking down of the guidelines and whether it should be considered as “withdrawn”.

One immediate observation that can be made is that “Fear of Re-identification” need not be a constraint on adopting the guideline, since “Re-identification” constitutes an offence under Section 66 of ITA 2000 (Diminishing the value of information residing inside a computer). Hence it is wrong to assume that, in the absence of a Data Protection Act, the anonymisation guideline has no meaning.

It should be emphasised that “Anonymisation” is more than “De-identification” or Pseudonymization since it involves irrecoverable destruction of the mapping information between anonymised and identified data sets.

Just as any encryption or access control measure could be defeated by hackers, anonymisation may also be defeated with criminal effort. Law can only define some standards and prescribe deterrence which is available in ITA 2000 as regards Anonymisation. Hence De-anonymisation is a technology risk that should be absorbed in law.

However, in view of the importance of the guideline, it is suggested that comments can be sent as indicated above.

Naavi

Posted in Cyber Law | Leave a comment

For the Attention of the IT Minister

The IT Minister, Sri Ashwini Vaishnaw has called upon the experts to suggest changes to the current laws including ITA 2000.

While we do not claim to be part of the “Experts” from whom the Ministry would like to take suggestions, it is necessary to point out that it is not only now that we are placing our suggestions on the law through the series of articles under “Shape of Things to Come”; we have been doing so since 1998, when the first draft of ITA 2000 came into existence.

While detailed articles are spread across this blog over these 20 years, the following links specifically address the suggestions made earlier, some of which, if not all, are relevant even today.

We leave it to the research team supporting the ministry to go through these suggestions and incorporate them in the new draft if they find it suitable.

https://www.naavi.org/naavi_comments_itaa/index.htm

https://www.naavi.org/naavi_comments_itaa/naavi_recommendations/index.htm

https://www.naavi.org/cl_editorial_05/naavi_org_comments_sept19.htm

Digital India Act-Discussions 3-Blockchain

Digital India Act-Discussions 2-Metaverse

The Age of Neuro Rights Dawns in India

Naavi


IT Minister invites suggestions on the New Data Protection Bill

As per the report of Economic Times, IT Minister Sri Ashwini Vaishnaw has sought suggestions from experts on the proposed new Data Protection Bill. The indications are that there will be three sets of laws, namely the New Data Protection Bill, the New ITA 2000 and a new law for Data Governance.

We at Naavi.org are already presenting our views on the “Shape of Things to Come” and so far 15 articles are available as per links below.

1. Introduction
2. Preamble
3. Regulators
4. Chapterization
5. Privacy Definition
6. Clarifications-Binary
7. Clarifications-Privacy
8. Definitions-Data
9. Definitions-Roles
10. Exemptions-Privacy
11. Advertising
12. Dropping of Central Regulatory authority
13. Regulation of Monetization of Data
14. Automated means ..
15. Prevention of Data Laundering-Policybazaar data breach

We urge the community to add their comments to the suggestions.


ITA 2000/8 compliance is like the seat belts for the rear seats….Use them to avoid the risks…

Indians have been provided a tragic reminder that car passengers not wearing seat-belts in the rear seat could make them vulnerable to the risk of fatalities in case of an accident. While we express our regrets on the recent tragedy where the precious life of Mr Cyrus Mistry was taken away,  and with due respects to the departed soul, we cannot but remind ourselves of the parallel in the Data Security scenario in India in terms of compliance.

For organizations trying to cover themselves against risk of regulatory backlash due to non compliance of data protection laws, GDPR Compliance was like the driver’s seat belt the need of which they were fully aware and were trying to be compliant with.

The PDPB 2019 compliance was like the front passenger seat belt about which people were aware and were trying to start using.

But just like rear seat passengers never thought it necessary to wear seatbelts since they did not perceive the risk of non compliance, Indian industry does not consider ITA 2000/8 compliance or CERT IN guidelines compliance as requirements that they should consider.

I hope they realize that sometimes non compliance of ITA 2000/8 and CERT IN guidelines could lead to serious injuries and start wearing the Compliance seatbelts from now on.

Naavi


Policy Bazaar data breach… Implications for the New Data Protection Act-NPDAI-15: Shape of Things to Come

P.S: This series of articles is an attempt to place some issues before the Government of India which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect.

In our continued discussion on “The Shape of Things to Come”, we have so far discussed the following.

1. Introduction
2. Preamble
3. Regulators
4. Chapterization
5. Privacy Definition
6. Clarifications-Binary
7. Clarifications-Privacy
8. Definitions-Data
9. Definitions-Roles
10. Exemptions-Privacy
11. Advertising
12. Dropping of Central Regulatory authority
13. Regulation of Monetization of Data
14. Automated means ..

We now proceed further….


Naavi.org has been speculating many times that the opposition to the passage of Data Protection legislation in India mainly comes from those companies which are interested in “Data Laundering”. They are afraid that if the law comes in, they will be finding it difficult to continue their present practice of transferring data abroad for their commercial benefit.

This opposition is against

a) Data Localization or even keeping a copy locally

b) Ensuring absence of malware in data processing devices and software

c) Maintaining KYC of subscribers to VPN kind of services

The Policy Bazaar data breach as reported at the 420.in highlights why all the above three requirements have national security implications.

The Policybazaar data breach is reported to have exposed the data of 50 million customers, and the data involves sensitive and super sensitive data.

Some of the data exposed include

– customers’ photo, full name, date of birth, complete residential address, email address, mobile number, credit report, PAN number, policy details including nominee details, family members’ policies details, bank account statements, income tax returns, Passport, immigration visa, records of country entry and exit, Aadhaar card (both sides), driving license, health records, payslips

– sensitive details of defense personnel who are Policybazaar customers

– copies of customers’ past policy documents

– copies of customers’ birth certificate

– copies of customers’ vehicle registration certificate

In case of the defence personnel, the data breach may include data of the following kind.

– Details of which specific branch of Indian defense forces someone is in like Indian Army, Navy, Air force, and even specifics if someone is in one of the Indian special forces like SPG, Black Cat commando, CoBRA, Anti Terrorist Squad.

– Current rank and designation in that defense force

– Current location of posting (which is very confidential many times)

– Details if someone is engaged in any hazardous activities, e.g. aviation, diving, parachuting, bomb disposal or special service groups, and length of service in those roles.

– Specific nature of role

– Details if someone in Indian defense is currently serving in or is under orders to proceed to any troubled area, or around border areas of India

– Details if someone handles weapons or explosives. If yes, details of such weapons and explosives.

It is needless to say that the data breach has a national security angle, particularly as the company is funded by Chinese investors and this information is of interest to the Chinese Government.

We had earlier pointed out “Data Laundering” arising out of Acquisition of CIBIL by TransUnion. The present data breach in Policybazaar is another instance where data laundering might have occurred through a deliberate back door. We have pointed out earlier also about the China Risk in Telecom sector, Manchurian Chips in POS machines and Mother boards from China etc.

It is now time to check if this Policybazaar data breach is also a case of Data Laundering. If “Data” is money, “Data Laundering” is also “Money Laundering”. We need stringent provisions in our Data Protection law to prevent such occurrences and to take stringent action if such incidents take place.

In the light of the new Data Protection Act being designed, the incident indicates that the following provisions should be considered.

a) The provision for Data Processing devices and software to carry an assurance certificate that they do not contain any malware (Refer Section 49(2)(o) of PDPB 2019) should not be withdrawn as demanded by some Big Tech Companies.

b) The estimated value of data assets of an organization being acquired in a process of merger or acquisition must be disclosed to the authorities including DPA.

c) While processing of personal data during mergers and acquisitions may be exempt from consent as provided under Section 14 of PDPB 2019 (now withdrawn), the continuation of the processing by the merged entity must require a notification to the data principal and an option for opting out. 

d) Failure to inform the data principals of the transfer of beneficial ownership of the Data Fiduciary to a new entity must be considered as an attempt for Data Laundering and it should be one of the criminal offences that should be recognized under the Act.

Naavi


P.S: These discussions are presently for a debate and are a work in progress awaiting more inputs for further refinement. It is understood that the Government may already have a draft and may completely ignore all these recommendations. However, it is considered that these suggestions will assist in the development of “Jurisprudence” in the field of Data Governance in India and hence these discussions will continue until the Government releases its own version for further debate. Other professionals who are interested in participating in this exercise and particularly the Research and Academic organizations are invited to participate. Since this exercise is too complex to institutionalize, it is being presented at this stage as only the thoughts of Naavi. Views expressed here may be considered as personal views of Naavi and not that of FDPPI or any other organization that Naavi may be associated with.


The Shape of things to come-14: Automated Means of Processing and Automated Decision making

P.S: This series of articles is an attempt to place some issues before the Government of India which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect. 

In our continued discussion on “The Shape of Things to Come”, we have so far discussed the following.

1. Introduction
2. Preamble
3. Regulators
4. Chapterization
5. Privacy Definition
6. Clarifications-Binary
7. Clarifications-Privacy
8. Definitions-Data
9. Definitions-Roles
10. Exemptions-Privacy
11. Advertising
12. Dropping of Central Regulatory authority
13. Regulation of Monetization of Data

We now proceed further….


Automated Processing and Automated Decision Making are two concepts which need some clarity in the law.

In the PDPB 2019, the term “automated means” was defined as under.

Section 3 (6) “automated means” means any equipment capable of operating automatically in response to instructions given or otherwise for the purpose of processing data;

One of the operational sections referring to “Data which is processed through automated means” is Section 19 which refers to Data Portability.

This section was as under.

“Section 19: Right to Data Portability

(1) Where the processing has been carried out through automated means, the data principal shall have the right to—

(a) receive the following personal data in a structured, commonly used and machine-readable format—…..”

As against this use of the term “Automated Means” in India  which applies to all forms of processing by the use of Computer devices, Article 22 of GDPR refers to “Automated Individual Decision making, including profiling” and states as under.

1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

We can observe that GDPR refers to “Automated Decision Making” while PDPB 2019 referred to “Automated Means of Processing”. These two are different. The Indian definition refers to all forms of processing using a computer device, while the GDPR definition is restricted to situations where the processing leads to a certain decision which may have some consequence on the data subject, such as providing or rejecting a service or changing the profile of a person to reflect an adverse view.

It is necessary to clarify both terms distinctly.

This is important even for the discussion on whether “personal data disclosed to a computing device but not to a human” should be considered as “Disclosure” or not, which we discussed in our earlier article on “Definition of Privacy”, where we added an Explanation as follows:

“Sharing” in the context above means “making the information available to another human being in such form that it can be experienced by the receiver through any of the senses of seeing, hearing, touching, smelling or tasting of a human in such a manner that the identity  of the individual to whom the data belongs may become recognizable to the receiver with ordinary efforts”.

In the above definition, we specified that only when personally identified information is viewable by a human being would it be considered as a “Disclosure”. If the information is processed by an automated system which provides an output which does not have personally identifiable information, the processing is an “Anonymized Processing”. Such processing would be a combination of two processes, one of which is “Anonymization”, but both occur within the combined process so that no human views the output in an identifiable form.

The essence of the definition was that such processing did not require explicit consent and could be undertaken by the processor as part of his legitimate interest.

There is a parallel instance in the general legal environment also which we refer to as “Privileged Information”. Certain information disclosed to a Lawyer or a Doctor is considered as “Privileged Information” and is not disclosable to others under a special confidentiality agreement recognized in professional law and ethics.

Similarly information disclosed to a “Process” may be considered as “Privileged Communication” and should not require specific consent even when it contains identifiable information. However, the “Process” is not empowered to disclose the identified information after processing. In the human scenario, the compliance is left to the integrity of the individual while in the case of a process, the compliance is a factor of integrity of the software which can be audited at code level and certified or a suitable assurance provided.

The concept of “Privileged Communication” can be extended to parts of “Legitimate Interest Disclosure” such as when identifiable personal information is disclosed to law enforcement personnel.

With this in view the following definition may be added in the definition clause.

Automated Means:

“Automated means” means any equipment capable of operating automatically in response to instructions given or otherwise for the purpose of processing data;

Automated Decision Making:

“Automated Decision Making ” means a process through which a decision is arrived at by  without any human involvement as a part of the process.

Privileged Communication:

Privileged Communication means disclosure of identifiable personal information to another human or a device with enforceable restrictions on further disclosure of the information in a processed form to another human being.

Explanation:

Disclosure of identifiable personal information to a technical process which processes the information and creates an output in anonymised form is a privileged communication to the device.

Disclosure of identifiable personal information or de-identified or pseudonymised information to another human being such as a law enforcement person with an enforceable further restriction of disclosure in identifiable manner is also a privileged communication.


P.S: These discussions are presently for a debate and are a work in progress awaiting more inputs for further refinement. It is understood that the Government may already have a draft and may completely ignore all these recommendations. However, it is considered that these suggestions will assist in the development of “Jurisprudence” in the field of Data Governance in India and hence these discussions will continue until the Government releases its own version for further debate. Other professionals who are interested in participating in this exercise and particularly the Research and Academic organizations are invited to participate. Since this exercise is too complex to institutionalize, it is being presented at this stage as only the thoughts of Naavi. Views expressed here may be considered as personal views of Naavi and not that of FDPPI or any other organization that Naavi may be associated with.
