Compliance Management Rating for CERT-In Guidelines (CMR-CERT-IN)

In the absence of a Data Protection Authority as envisaged under the PDPB 2019 (since withdrawn), the regulation of Data Security under the general provisions of Information Security as envisaged under the Information Technology Act 2000, as amended in 2008, assumes greater importance. Though MeitY has also indicated that it would like to revise ITA 2000/8, we presume that it would not scrap ITA 2000 before a new law is passed, as it did in withdrawing the PDPB 2019.

Hence, until the new “Comprehensive” and “Perfect” “Digital India Act” (NDPAI) is passed into law and notified, ITA 2000/8 will continue to be the ruling law on Data Protection in India, and compliance with ITA 2000/8 continues to be the requirement for all IT users.

ITA 2000/8 has three regulators, namely the “Adjudicators appointed under Section 46 of ITA 2000”, the “Director General, Indian Computer Emergency Response Team” designated under Section 70A of ITA 2000/8, and the Police as per their powers under Section 80 of ITA 2000/8.

All these agencies have suo moto powers of investigation. The Police have these powers in respect of cognizable offences. CERT-In has a duty to monitor national cyber security and therefore has the accompanying suo moto powers. Though Adjudicators normally start acting on the basis of a complaint from a cyber crime victim, they also have suo moto powers under the notifications of MeitY if they choose to exercise them.

Hence all IT organizations who may be feeling comfortable with the withdrawal of PDPB 2019 may be under a false sense of security, since ITA 2000 has more powers than what was envisaged under PDPB 2019 for the Data Protection Authority: ITA 2000 applies to the handling of both personal and non-personal information, sensitive or otherwise, and covers both civil penalties and imprisonment. Penalties may not be expressed in terms of 4% of global turnover, but there is no upper limit. At the same time, criminal punishments can go up to life imprisonment.

Hence compliance with ITA 2000/8 becomes more onerous than compliance with PDPB 2019.

In the light of the above, the recent CERT-In Guidelines assume greater importance, since they indicate that the sleeping giant called CERT-In might have woken up to its duties, responsibilities and powers.

We therefore consider it necessary for organizations to work on compliance with ITA 2000 in general and with the CERT-In guidelines in particular, which are essential for compliance in corporate circles.

Naavi and Ujvala Consultants Pvt Ltd are therefore working on a framework for Compliance Rating under the CERT-In Guidelines, similar to the DTS-GDPR and DTS-DPA 2021 which had been released earlier under the Data Protection Compliance Standard of India (DPCSI).

The details will be published shortly. The rating will be called CMR-CERT-IN.

Special Note

We would like to emphasize that this is a voluntary exercise by Naavi and that CERT-In has no role as an organization in this CMR development.

Naavi/Ujvala does not have any accreditation with CERT-In for this purpose. However, compliance is a voluntary exercise, and we hope and believe that CERT-In should be happy if organizations start complying voluntarily without CERT-In having to wield the stick.

A good rating under this scheme does not legally mean compliance with the CERT-In guidelines, though it is meant exactly for that purpose.

It may be noted that Naavi has been a compliance evangelist since 2000 and had floated the idea of a CERT-In in the private sector 4 years prior to the formation of CERT-In as a division of the Ministry of IT.


Posted in Cyber Law | Leave a comment

How NFTs can be used for “Wash Trading”

The new avatar of Black Money and Corruption is NFTs and Crypto Currencies. The Meta Verse as a technology platform is also being used to promote NFTs and Crypto Currencies, just as the Block Chain platform is.

This is for the attention of those conspirators who are trying to get Crypto Currencies and NFTs legitimized through the “Technology Innovation” argument, and to draw the attention of Mr Narendra Modi to the fact that his fight against Black Money is not complete without taking it to Digital Black Money.

Here is an interesting article from the Chainalysis blog on NFTs and how they can be used for money laundering.

https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-nft-wash-trading-money-laundering/

Naavi


IRCTC Innovation Curbed out of ignorance and media Pressure

IRCTC has many customer complaints, and even the undersigned has pointed out several deficiencies in its services, sometimes on this website itself. However, this does not mean that we need to oppose whatever IRCTC does.

We therefore need to highlight that IRCTC has been unfairly targeted in the last one week, and its attempt to consider “Data Monetization” was nipped in the bud.

It was not surprising that the Government, which recently withdrew the Privacy Bill for irrational reasons, perhaps under the pressure of vested interests, wanted to put up a show that it has “Privacy Concerns” and pressurized IRCTC to withdraw the tender to find a consultant for exploring data monetization.

It was amusing that the reason given out for the withdrawal was that the Privacy Bill had been withdrawn. IRCTC being under the Ministry of Railways, and there being a common minister for Railways and IT, meant that Mr Ashwini Vaishnaw did not want the controversy to snowball into a discussion on the irrational withdrawal of the Bill.

If the Government was really concerned about Privacy, it would not have withdrawn the Bill in the first place. Even if it wanted to withdraw it, it could have kept the Bill hanging and replaced it with the new Bill in one shot, so that the pressure on the industry for compliance would have been kept up.

But the Ministry chose to withdraw the Bill with a promise that a new bill will be introduced, which nobody believes.

What IRCTC tried to do was to explore the possibility of generating revenue out of its data assets. Part of the tender (Project A) was for conducting a study on monetization possibilities. It was only the second part (Project B), which covered the implementation of the project on a BOT basis, where there was a possibility of data being shared with the implementation partner.

A more logical approach could have been to defer Project B and continue with Project A only.

It is the duty of every data-rich organization to know the value of its data assets and to generate revenue for its shareholders. In the case of public sector organizations, the duty is to protect a sovereign asset and ensure that Government assets are harnessed for the benefit of the people of the country.

Today there are thousands of Public Sector organizations which have vacant lands, unused buildings and surplus manpower, all contributing to a national wastage of resources. In the same vein, the non-harnessing of data assets is also a criminal wastage of national resources. Harnessing of data does not mean infringing the privacy of individuals. It may involve the use of non-personal data or anonymized (as distinct from merely de-identified) personal data.

We are all aware that hackers target Government agencies for stealing data, just as they target Banking organizations for stealing money. The reason is that criminals know where the valuable data assets reside.

The Privacy activists who are today objecting to IRCTC's efforts to study the monetization possibility include agents of those commercial organizations which want exclusive rights to exploit citizens' data for themselves and do not want the Government to make money from the same assets.

Journalists who do not understand the intricacies simply use words such as “Selling of data” without understanding the difference between “Monetization” and “Selling”. We have pointed out earlier that in the case of the UIDAI tender for “Social Media Monitoring”, even the Supreme Court came out as an ignorant body and shot down a proposal for “Reputation Management”, mistaking it for “Surveillance”.

The same Supreme Court, the Standing Committee of Parliament, Privacy Activists and Journalists, as well as the ED or CBI, were nowhere to be seen when Naavi.org highlighted how CIBIL data worth lakhs of crores of rupees was transferred to the custody of a foreign company.

Where were these agencies when Naavi.org pointed out how NFTs and Crypto Currencies could be used for money laundering, or how the JPC on PDPB went out of its way to recommend Ripple over SWIFT?

If these agencies had really understood how money laundering can occur through “Data Laundering”, they would have acted swiftly when the NCLT declared Net4India insolvent despite over Rs 100 crores of data assets being in its possession, or when Banks transferred their shareholdings in CIBIL to Trans Union, resulting in the shift of 500 million sets of sensitive financial data of Indian citizens which had been provided to CIBIL under trust, as a financial agency with a responsibility to reduce NPAs in the country.

The IT Standing Committee summoning IRCTC on the tender issue, and IRCTC chickening out of the project, indicate that these agencies have no appreciation of the value of data.

The study under Project A of the tender would have established a method of identifying the value of data and, in the process, would have opened the eyes of IRCTC to the fact that its present data protection efforts are not commensurate with the risks. This opportunity was lost with the complete withdrawal of the project.

If a custodian of a valuable asset thinks the value of the asset is Rs 100 whereas its real value is Rs 1 crore, the asset will be secured as if it were worth Rs 100; once the real value is known, the effort on securing the asset would be that much more robust. For this purpose every data-driven organization must be aware of the value of the data in its hands. Hence this exercise would have opened the eyes of the IRCTC management, and of the Government in general, on how to discover value in Data. This would have ushered in a revolution in Data Governance practices in the Government.

Now what has happened is that this “Value of Data” remains known only to organizations like Facebook and Google, and others have lost an opportunity to understand the treasure that is hiding behind the walls of ignorance in IRCTC and elsewhere.

I am reminded of an earlier incident when Google offered Mysore University free scanning and digitization of all the ancient scripts in its library, without realizing that sharing the data with Google is like how the British looted the palm leaves from Tanjavoor temples when they left the country. I will now not be surprised if Google- or Facebook-associated Data Science companies approach IRCTC and offer a “Free Service” for “Data Re-organization” outside the need for a tender (since it is a free service) and get access to all this data.

We know that the Ministry of Finance is trying to privatize NPCI the same way CIBIL was sold out. Hence there is every possibility that a similar “Acquisition strategy” would be mounted by some interested Big Data company to take over the data assets of IRCTC in a different manner.

I anticipate and forecast that there could be “Privatization” thoughts floated by vested interests to assume control over IRCTC data assets through share acquisition. We note that Trans Union started as a 10% shareholder in CIBIL for its data science expertise and raised its shareholding from 10% to 92.1% through private share deals with the Indian Banks. Similarly, some Big-Data entity can get into IRCTC with a minority shareholding to help it improve its data-related revenues and later quietly buy over the shares (in the CIBIL issue, it was Trans Union).

The same journalists who are now objecting to the IRCTC tender, which was a transparent way to find out the value of its data assets, will remain silent when such plundering of Indian national assets takes place.

We must remember that even Mr Arnab Goswami ignored the CIBIL data loot, and his competitors also did not spot the opportunity for breaking news. It is unlikely that they will now flag the possible ulterior motive in stopping the IRCTC data monetization project.

Naavi

Also refer:

“Supreme Court Slams UIDAI”.. Is it a fake news created by Economic times?

Regulation of Monetization of Data in NPDAI and IRCTC issue: Shape of Things to Come..13 (Monetization)

IRCTC Should not become another scam like CIBIL

Vidwat Sabha on IRCTC Issue


Vidwat Sabha to discuss IRCTC Data Conundrum

The IRCTC Data Monetization proposal has drawn the attention of a wide audience. It is reported that the Standing Committee on IT headed by Mr Shashi Tharoor has summoned IRCTC officials to discuss the plan.

In the light of these developments, FDPPI is holding a “Vidwat Sabha” (a discussion by experts) at 7.00 pm today on YouTube. It is open to all, and interested audience members are requested to join. (For background information please check this article and also this article on Monetization.)


Regulation of Monetization of Data in NPDAI and IRCTC issue: Shape of Things to Come..13 (Monetization)

(Continued from the previous article)

P.S: This series of articles is an attempt to place some issues before the Government of India, which promises to bring a new Data Protection Law that is futuristic, comprehensive and perfect.

In our continued discussion on “The Shape of Things to Come”, we have so far discussed the following.

1. Introduction
2. Preamble
3. Regulators
4. Chapterization
5. Privacy Definition
6. Clarifications-Binary
7. Clarifications-Privacy
8. Definitions-Data
9. Definitions-Roles
10. Exemptions-Privacy
11. Advertising
12. Dropping of Central Regulatory Authority

We have also discussed the IRCTC issue in particular in two articles, and three other articles on the Digital India Act regarding Block Chains and the Meta Verse.

While discussing the “Chapterization” of the proposed NDPAI, we had suggested a separate chapter on a “Data Valuation Framework” to discuss all issues regarding data valuation.

The IRCTC issue has now pre-empted the discussion of some aspects that should go into this Chapter.

Naavi has already published detailed recommendations on the “Data Valuation Standard of India” (DVSI), where we have discussed why Data needs to be brought into the Balance Sheet of a company as a “Special Asset”, how it can be valued, etc. The objective of DVSI was to provide visibility to the value of the asset which the DPO/CISO would be required to protect, so that the Board could deploy appropriate resources in terms of men and material.

It is found that “Monetization” as a concept has not been specifically discussed either under GDPR or under PDPB 2019. In fact, privacy activists hate the word “Monetization”, though all Data Professionals live off the revenue generated by “Advertising”, and “Advertising” itself is one avatar of “Monetization”.

In our recommendations on the Shape of Things to Come we have already discussed the need for defining an “Advertising Profile” and the means of using it. This concept has to go with the larger definitions of “Monetization” and “Data Valuation”, which may be specifically addressed in a separate chapter.

If the term “Monetization” is defined in law, then the Courts will have some guideline on how to interpret objections that may be raised later when the data protection law is in place. Not providing a definition will leave wide scope for interpretation, which may be detrimental to the economy and business.

We therefore consider that the IRCTC tender issue has provided us an opportunity to debate whether “Monetization” has to be defined in data protection law and, if so, how.

Our suggestion is to define Monetization as follows:

Monetization of Data

Monetization of Data means a structured plan to generate revenue out of Data in the custody of a Data Manager, whether personal or non-personal, and includes use of the data for advertising or promotion of the products and services of the Data Manager and/or licensing the use of the data to another Data Manager.

Explanation: Monetization of data can be of anonymised, identified, de-identified or pseudonymized personal data. However, anonymized personal data is non-personal data, and its use does not require the consent of the erstwhile data principal.

Monetisation would be a type of use of data and may be subject to “Consent” if the data is identifiable, de-identified or pseudonymized. However, when data is anonymised as per the acceptable standard, it is considered non-personal data and there is no identifiable data principal associated with such data; hence consent is not essential to be documented. In the event “Anonymised” personal data turns out to be “De-anonymisable”, it would be treated as “Negligence” or “Failure of Due Diligence” in the anonymization done by the Data Manager and treated accordingly for fixing liability.

The IRCTC plan as per its tender document consists of using monetization for its own benefit. As long as any sharing of processed data is in anonymised form, IRCTC may be within the law. In other cases of use of data for itself, proper explicit consent may be necessary for monetization.

In the IRCTC issue as reflected in the tender document, therefore, the ability of IRCTC to use monetization may be within the data protection law. However, it needs to ensure that appropriate controls are in place before the data is entrusted to an outside agency for further processing.

My personal advice to IRCTC is to make use of the “Pseudonymization Gateway” software recommended by the undersigned for “Certification of Data Importers in India for GDPR compliance”, keep control of the data with itself, and not share identifiable data with any private sector company. Even for the processing of anonymized data by any external company, adequate controls, restrictions and indemnities should be incorporated to prevent use of the data by the agency outside the contract with IRCTC.

At present the tender document may not have all the necessary controls in this respect, and at the time of evaluating and approving the contracts, IRCTC should take steps to incorporate suitable controls to prevent “Further Monetization” of secondary data by the agents to whom the processing contract is awarded.

Such “Recommended Controls” to regulate “Unauthorized Monetization” need to be incorporated in the “Monetization Policy” of an organization, which should be part of the “Privacy By Design Policy” to be filed with and certified by the Data Protection Authority.

Some more thoughts on this may be incorporated in the further discussions on “Shape of Things to Come”.

Naavi


P.S: These discussions are presently for debate and are a work in progress awaiting more inputs for further refinement. It is understood that the Government may already have a draft and may completely ignore all these recommendations. However, it is considered that these suggestions will assist in the development of “Jurisprudence” in the field of Data Governance in India, and hence these discussions will continue until the Government releases its own version for further debate. Other professionals who are interested in participating in this exercise, and particularly Research and Academic organizations, are invited to participate. Since this exercise is too complex to institutionalize, it is being presented at this stage only as the thoughts of Naavi. Views expressed here may be considered the personal views of Naavi and not those of FDPPI or any other organization that Naavi may be associated with.

1. Introduction
2. Preamble
3. Regulators
4. Chapterization
5. Privacy Definition
6. Clarifications-Binary
7. Clarifications-Privacy
8. Definitions-Data
9. Definitions-Roles
10. Exemptions-Privacy
11. Advertising
12. Dropping of Central Regulatory Authority
13. Regulation of Monetization of Data
14. Automated means ..


IRCTC Should not become another scam like CIBIL

(Continued from the previous article)

The initial reactions from the market to the IRCTC tender document, which spoke of appointing a consultant to study and implement a “Data Monetization” policy, were to suggest that IRCTC is about to loot the public and infringe on privacy rights in a big way. Simultaneously there were a few reports suggesting that IRCTC will backtrack and withdraw the proposal because of the criticism.

In the past, IRCTC has been accused of not adopting adequate information security on its ticket reservation platform and of using excessive advertising to the extent of annoying users. A few articles have also been written on this website on these issues.

However, that does not mean that IRCTC should be blindly criticised for its latest move in trying to create higher value out of its data assets. As long as the “Data Monetization Program” is handled without even a marginal adverse effect on the customers of IRCTC, there should be an open mind to appreciate that there has been a recognition that certain assets of the organization which have a value can be re-valued and used in a better manner to generate more revenue.

It is fine to flag the Privacy infringement risks, but critics need to study the intentions as expressed in the tender document, and thereafter follow the implementation plan, before raising their objections to the next level.

We would also like IRCTC not to chicken out like the UIDAI (in withdrawing its tender for monitoring social media) or the Government in withdrawing the farm laws. Instead, it should stand and fight the opposition, as was done in cases like the Agniveer scheme. If its intentions are honest, it should not cave in to the criticism, which will only embolden the critics to make further such attacks to prevent the Government from introducing any progressive measures.

We have appreciated the Indian Railways when they have expressed plans to generate solar energy by installing solar panels on train tops, convert bogies into mobile hospitals during Covid time, etc. Similarly, any other innovative measure to use their data assets and generate more revenue is not to be opposed per se.

Naavi has been advocating that “Data Valuation” and “Bringing Visibility to the Data in the financial statements” of an organization are required, and we have added this as one of the suggested Data Protection controls under the DPCSI (Data Protection Compliance Standard of India). We have discussed this topic extensively both on Naavi.org and on the separate website www.dvsi.in.

(Please also refer to this article or to the video available here.)

We therefore look at the IRCTC projects with an open mind and look at the positives behind this tender. We reject the hypocrisy of critics who accept the private sector's attempts to monetize data surreptitiously and raise public money through IPOs, and the dubious records of some organizations which opposed the data protection bill till it was withdrawn and are now using the withdrawal of PDPB 2019 as another ground of criticism. The same critics also objected to the provision in PDPB 2019 which empowered the Government to pick up anonymized personal data from private sector companies for the public good, though they were aware that the private sector companies were collecting and monetizing personal data in violation of all known norms.

The subject tender document indicates two projects.

Under Project A, the objective is “To study monetization of digital data of Railways”. In this project the Railways will share the kind of applications they use and the type of data collected, so that the consultant can understand the data environment and identify the potential value of the data collected and how it can be leveraged. At this stage there is no need for the consultant to access real personal data except for testing purposes.

IRCTC can “Pseudonymize” the personal data even for testing purposes, so that “No harm” is caused to the passengers due to any activity that arises from this tender.
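The two controls this series keeps returning to, a pseudonymization gateway whose key stays with the data custodian (the recommendation in the earlier article in this series) and a check that data released as "anonymised" is not trivially de-anonymisable, are illustrated below in an added example. This is not IRCTC's, Naavi's or any vendor's code; the passenger records, field names, the k-anonymity threshold and the `release_for_consultant` workflow are all constructed assumptions for the illustration.

```python
"""Added example: a keyed pseudonymization gateway plus a re-identification
risk check before a test data set is handed to an outside consultant.

Assumptions (constructed for this illustration, not from any tender document):
  - passenger records carry direct identifiers (name, mobile, email) and
    quasi-identifiers (age band, boarding station, travel date);
  - the HMAC key never leaves the custodian; the consultant only receives the
    output of release_for_consultant();
  - "de-anonymisable" is approximated by k-anonymity over the quasi-identifiers.
"""
import hashlib
import hmac
import secrets
from collections import Counter

DIRECT_IDENTIFIERS = ("name", "mobile", "email")
QUASI_IDENTIFIERS = ("age_band", "boarding", "travel_date")


class PseudonymizationGateway:
    """Replaces direct identifiers with keyed tokens; only the custodian can map back."""

    def __init__(self, key=None):
        # A plain SHA-256 of a 10-digit mobile number is reversible by brute force;
        # a secret HMAC key is what makes the token non-reversible for the recipient.
        self._key = key or secrets.token_bytes(32)
        self._lookup = {}  # token -> (field, original value); stays with the custodian

    def token(self, field, value):
        msg = f"{field}:{value}".encode()
        tok = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]
        self._lookup[tok] = (field, value)
        return tok

    def pseudonymize(self, record):
        out = dict(record)
        for field in DIRECT_IDENTIFIERS:
            if field in out:
                out[field] = self.token(field, out[field])
        return out

    def reidentify(self, tok):
        """Custodian-side reverse lookup; returns None for unknown tokens."""
        return self._lookup.get(tok)


def min_equivalence_class(records, quasi=QUASI_IDENTIFIERS):
    """Smallest group of records sharing the same quasi-identifier values (k)."""
    counts = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(counts.values())


def generalize_dates(records):
    """Coarsen travel_date from YYYY-MM-DD to YYYY-MM to enlarge equivalence classes."""
    return [dict(r, travel_date=r["travel_date"][:7]) for r in records]


def release_for_consultant(gateway, records, k=3):
    """Pseudonymize and release only if every quasi-identifier class has >= k members.

    Returns (ok, smallest_class_size, payload_or_None).
    """
    smallest = min_equivalence_class(records)
    if smallest < k:
        return False, smallest, None  # a unique passenger profile would be re-identifiable
    return True, smallest, [gateway.pseudonymize(r) for r in records]


# Constructed sample passengers (not real data).
SAMPLE = [
    {"name": "A", "mobile": "9000000001", "age_band": "30-39", "boarding": "SBC", "travel_date": "2022-08-01"},
    {"name": "B", "mobile": "9000000002", "age_band": "30-39", "boarding": "SBC", "travel_date": "2022-08-01"},
    {"name": "C", "mobile": "9000000003", "age_band": "30-39", "boarding": "SBC", "travel_date": "2022-08-01"},
    {"name": "D", "mobile": "9000000004", "age_band": "40-49", "boarding": "MAS", "travel_date": "2022-08-02"},
    {"name": "E", "mobile": "9000000005", "age_band": "40-49", "boarding": "MAS", "travel_date": "2022-08-02"},
    {"name": "F", "mobile": "9000000006", "age_band": "40-49", "boarding": "MAS", "travel_date": "2022-08-15"},
]

if __name__ == "__main__":
    gw = PseudonymizationGateway()
    ok, k_found, _ = release_for_consultant(gw, SAMPLE, k=3)
    print("raw dates:", "released" if ok else f"blocked, smallest class = {k_found}")
    ok, k_found, payload = release_for_consultant(gw, generalize_dates(SAMPLE), k=3)
    print("month-level dates:", "released" if ok else "blocked", "k =", k_found)
    print("consultant sees:", payload[0])
    print("custodian reverses:", gw.reidentify(payload[0]["name"]))
```

The design point is that the key and the token table never travel with the data, so the consultant can test on records that look and join like real ones without holding anything that identifies a passenger, while the custodian retains the ability to reverse a token if a data principal exercises a right. The k-anonymity gate is deliberately crude; it is the minimum check that would have caught the "anonymised but de-anonymisable" failure the earlier article treats as negligence, and a real release process would add generalization of more attributes and a recorded sign-off.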

The tender document specifies that the study shall be conducted in compliance with laws including ITA 2000 and its amendments as well as the Personal Data Protection Bill 2018 of India.

We may point out that they could have mentioned the JPC-vetted PDPB 2019 instead of PDPB 2018, though the justification could be that PDPB 2018 is a draft owned by the Justice Srikrishna Committee and cannot be questioned on political bias.

The deliverables under the project are the creation of a framework for using the data and the creation of a monetization strategy.

What IRCTC has set out to do is what every “Data Driven Business Organization” needed to do immediately after the Kris Gopalakrishnan Committee gave its report on the “Non Personal Data Governance Framework”. This committee suggested that organizations need to recognize “Data Business” within their activities and generate a recognition of “Data Assets”.

We have earlier pointed out two incidents in the USA where data valuations prevented companies from being declared insolvent, and two cases from India where lack of data valuation resulted in one company being declared insolvent and another company selling valuable national assets to a foreign agency without any record of the consideration collected. Briefly, the incidents are discussed below. There could be many more such incidents of which we may not be aware.

1. Case of United Airlines and American Airlines

United Airlines collateralised its passenger data held in the “MileagePlus” scheme (loyalty scheme), which was valued at $20 billion at a time when its market capitalization was $9 billion.

Similarly, American Airlines valued its loyalty scheme data of “AAdvantage” at $19.5 billion when its market capitalization was $8 billion.

2. Caesars Entertainment Operating Corp

Creditors of this company encashed its Total Rewards customer loyalty database for over $1 billion, which was more than the value of Caesars' property.

3. Case of Net4India.com

Net4india.com was the leading domain name registration company in India, which the NCLT declared insolvent because of its inability to repay Rs 100 crores of borrowings from SBI. In the process, the NCLT failed to recognize the presence and value of data assets worth far more than Rs 100 crores and let the company be closed, liquidating the real estate and causing losses to more than 3 lakh customers of Net4India. (Check out the details here.)

4. Case of CIBIL and Trans Union

CIBIL is the credit rating agency started under a separate statute to assist the Indian Banking industry. Initially it was owned to the extent of 80% by Banks in India, which agreed to share the data of borrowers for better debt management. However, today this organization has become “TransUnion CIBIL”, in which a private sector company listed in the USA holds a 92% shareholding. In the process, sensitive personal data of 500 million Indians, worth over a few lakhs of crores of INR, became the property of this US private company. This was a scam because the loss was on the account of the Indian Banks, who transferred their shares to Trans Union under an undisclosed deal.

We have also pointed out earlier that Vodafone is sitting on a gold mine of monetizable information which could be beneficial to its shareholders.

In none of these instances is there a need to sell customers' data. The value of the data is substantial even in anonymized, pseudonymized or de-identified form.

Value of data in identified form is even higher and can be used provided there is appropriate “Consent” from the data principals.

Naavi had developed a patent application around 2008-2009 under the title “Ad View Certification”, where “Advertisement Views on websites” were sought to be monetized with a sharing of revenue with the contributors of data. These were the days before the concepts of “Data Subject”, “Data Controller” or “Data Protection” were known in India. The patent was abandoned as it was not commercialized.

What IRCTC has set out to do, and what Net4India and CIBIL failed to do, is therefore well within the realm of possibility and can be achieved without causing any privacy harm to railway passengers.

While IRCTC estimates a value of Rs 1000 crores to be unearthed, our estimate is that it could go to several tens of thousands of crores. Implementation of digital assets to discover this Rs 1000 crore value is the scope of Project B in the IRCTC tender.

If this tender goes through, it will be one of the Big Tech companies with experience in big data analytics that may be involved. Its objective could be to discover data value in excess of Rs 1000 crores, hand over Rs 1000 crores to IRCTC and exploit the rest.

The challenge for Privacy Activists therefore is to ensure that IRCTC, either through ignorance or through corruption, does not become another CIBIL when lakhs of crores' worth of data is made accessible to the implementer of this project (particularly Project B).

If at all we need to criticise the tender, it is to question the ability of IRCTC to safeguard its assets from being exploited.

Though it is stated in the tender document that

“The implementation strategies of Bidder shall comply with various Acts or laws including IT Act 2000 and its amendments, User data privacy laws including GDPR (General Data Protection Regulation) and current ‘Personal Data Protection Bill 2018 of India’, and accordingly propose the business models for monetization of Digital Assets and the Bidder shall ascertain the legality and extent of Monetization of Digital Data of IRCTC before the potential is delved into.”

…it is not explicit on protection against theft of data, particularly since this could be implemented as a Build-Operate-Transfer project.

This project will generate what the Kris Gopalakrishnan Committee termed “Sovereign Data”, and it needs to be protected like the Gold or Minerals which are dug out by a private operator from Government-owned mines.

One objection we would like to note is that the tender does not appear to have flagged the Cyber Security threat, including the Data Theft risk, or identified corrective measures with indemnity and criminal consequences.

The real concern is in the data being handed over to an unscrupulous operator and developed into a valuable asset, the utility of which is then not available to the Indian Government.

Will IRCTC clarify on this concern?

Naavi

Also refer

CBI Enquiry is required for finding the truth behind TransUnion taking over CIBIL

Is Trans Union-CIBIL guilty of accessing Critical Personal Data through surreptitious means?

Mistaken Identity lands TransUnion in a $40 million class action suit
