Naavi.org

On December 9, 1999, Naavi released his first book, “Cyber Laws for Every Netizen in India”. The book was released in Chennai at the PIB on the same day Information Technology Bill 1999 was presented in the Parliament to replace the Draft E Commerce Act 1998 which was under discussion till then. The book represented my entry into the world of Cyber Laws and even established the trademark character of “Naavi” for the first time.

Then in May 2000, following the outbreak of the “I Love You Virus”, the Bill was quickly passed into a Law and later notified on 17th October 2000 as Information Technology Act 2000. (ITA 2000).

It is this law that was modified in 2008, with ITA amendment act of 2008 and notified on 27th October 2009 in which Section 43A and 72A were present as specific clauses for Data Protection.

Now in 2023, on August 11, the Digital Personal Data Protection Act was passed and anytime in 2024 it is likely to be notified. When this is notified, Section 43A of ITA 2000/8 will be deleted and DPDPA 2023 with its 44 sections will become effective.

All the provisions of the rules of “Reasonable Security Practices” often referred to as SDPI rules which was notified on 11th April 2011, are now contained in the DPDPA 2023. This makes DPDPA 2023 a law that has evolved from ITA 2000. The Section 43A was applicable only for “Sensitive Personal Data” as defined in the ITAA 2008 while Section 72A and several other sections applied to “Personal Data” both sensitive or otherwise.

DPDPA 2023 is therefore a bigger and better version of Section 43A and comes within the current definition of “Due Diligence” or “Reasonable Security Practice” under ITA 2000 making the date of notification of DPDPA 2023 less relevant than many think.

Hence Compliance of DPDPA 2023 is already a mandate of Compliance of ITA 2000/8.

This transition was also reminded to me in another way when I met a journalist (Mr Srikant Govindarajan of CIOL) , yesterday at Bengaluru in a conference related to DPDPA 2023 and he reminded me that he had attended the book launch of the book “Cyber Laws for Every Netizen in India” in Chennai on December 9, 1999.

It was this interaction that reminded me that my career as an ” Author” has actually completed 25 years and has transitioned from the first book on ITA 2000/Cyber Laws to the first book on Data Protection/DPDPA 2023.

It was a reminder of how the 25 years had passed evangelizing the concept of Cyber Law Compliance which is now turned into Privacy and Data Protection Compliance. I suppose in the next one or two years the Data protection phase will merge into DGPSI phase and another book on DGPSI is due as soon as the DPDPA Rules are released.

I hope the almighty provides the opportunity to complete the DGPSI mission successfully in 2025.

When I wrote thee book on Cyber Laws in India, there was no body to even check the proof and point out any corrections. Even when the book “Guardians of Privacy… was published”, there were not many to assist me in proof reading and suggesting improvements. But now we have an army of Data Protection Professionals and hopefully my next book venture will have more experts to assist me.

Naavi

One of our visitors asked me why FDPPI is terming its flagship certification program as C.DPO.DA. (Certified Data Protection Officer and Data Auditor) while all others are only conducting C.DPO. (Certified Data Protection Officer) program. The person also commented if this is another indication of ” What Naavi thinks today, others will think a few years later” and a bit ahead of times? I understand the honest intention of the gentleman but I think I owe an explanation to this comment.

It is true that in the Cyber Law domain, many of my thoughts took years for others to accept and adopt. The concept of CEAC and Section 65B (IEA) Certification was one such which was initiated by me in 2000, presented in a Court in 2004 but it was only in 2012 that Supreme Court recognized the principles of Section 65B certification.

In the Data Protection domain, others are catching up fast and it is expected that others will catch up much faster. Today if Naavi and FDPPI are thinking of C.DPO.DA. as the skill to be developed and certified and DGPSI as the frame of reference for DPDPA compliance to be adopted, DTS as the assessment framework for compliance status of DPDPA, it is expected that others will soon accept and adopt.

We feel that DPO has the responsibility to implement DPDPA compliance within his organization while Data Auditor is the external auditor who has to verify compliance and certify if required.

It is true that the DPDPA 2023 as an act has been passed but it is yet to be notified with rules. Everyone including the Minister responsible believes that draft rules will be released in the next 15 days. On October 14 Delhi High Court is preparing to hear the petition of WhatsApp and Meta challenging the Intermediary Guidelines of ITA 2000. The same companies may be now preparing for challenging the DPDPA Rules and the Act itself in some manner stating that it is unconstitutional.

But Naavi or FDPPI ignores such hurdles placed by “Andolan Jeevies” and proceed with an assumption that MeitY will be mighty enough to roll out the implementation of DPDPA 2023 not withstanding the lobbying by the MNCs.

We therefore expect that DPDPA Compliance requirement will become a reality in 2024 and DPOs will be in action. Data Audit may come in the year 2025 but no skill gets developed overnight. Naavi/FDPPI therefore expects that the need to train one self with the Data Audit requirements will be concurrent with the need to develop DPO skills.

Let those who relish procrastination think that DPDPA 2023 will not be notified in near future, the date of implementation will not be in our lifetime and the Data Auditor concept is unlikely to be implemented by the MeitY, continue to wait .

Let those who think that their GDPR related certifications by international organizations are good enough for DPDPA, continue to think so.

But Naavi and FDPPI will look at the future with the optimism that DPDPA notification is round the corner and there will be a mad rush for compliance there after. It would be a good time for sub optimal automated tools to flood the market but the real fun begins when a good DPB Chairman takes charge. Andolan Jeevies need some body who is happy occupying the position and bide his time for some body some where to lodge a complaint before DPB starts an Inquiry.

It could be a nightmare for the industry if we have an active DPB with a T.N Sheshan kind of Chairman in place. Those who follow the futuristic principles of FDPPI will laugh at that time.

The biggest challenge we see is that in the journey towards being a Data Auditor, the current set of auditors trained and developed on other frameworks will find it difficult to adapt to the requirements of Data Audit under DPDPA. They will still think ISO 27001 is the framework to be used because the 2022 version claims to include “Privacy” and ISO 27701 is more than adequate to meet DPDPA requirement. Only time will tell if it is correct. We donot think so.

But to unlearn the past and re-learn for the future is a tough task which only the wise auditors will be able to understand.

Some of them will be there in the FDPPI Certification program on September 27, 28 and 29 exclusively designed for CERT In Auditors but good enough for others who want to be expert DPO s.

Look for details and register before it is too late.

Naavi

Californian Senate has reportedly approved Bill SB 1223 which is meant to protect the individual’s neural data from misuse. The Bill was authored in the name of Josh Becker and co-sponsored by Professor Rafael Yuste who incidentally had virtually addressed the IDPS 2022.

The copy of the Bill is available here.

The bill places neural data in the category of sensitive personal data within the provisions of CCPA.

“Neural Data” is defined as information that is generated by measuring the activity of a consumer’s central or peripheral nervous system, and that is not inferred from nonneural information.

Naavi had similarly suggested that India should bring neural data under protection within the DPDPA 2023.

At present, DPDPA 2023 does not define “Sensitive Personal Data”. It also has tried to avoid the defining of “Harm” to include “Psychological manipulation” which was present in the previous versions of the PDPB. Now the Consumer Protection Act has by defining the “Dark Pattern” as a prohibited consumer practice stepped in to fill up the void left by DPDPA 2023.

However the nature of “Privacy” is such that the definition of “Sensitivity” and “harm” cannot be completely avoided . In 2005 when people proposed amendment of ITA 2000 to avoid liabilities of the industry like in the case of the “Bazee.com” case, it boomeranged on the industry as the title of the section was changed but the essence remained.

The intermediaries continue to be liable under the Guidelines of 6th April 2023 and the concept of “Due Diligence” is haunting the industry sufficient enough to take the issue to Supreme Court and contend that the Intermediary guidelines notification unconstitutional.

A similar situation seems to have arisen in DPDPA. The industry wanted to dilute the law and ensured that PDPB 2018/2019 was simplified to DPDPA 2023.

But by removing the definition of “Sensitive Personal Data”, MeitY has made all the general obligations apply to all Data Fiduciaries. At first glance it appeared that SDPI guidelines will go and industries can breath freely. But the situation now is different.

Now it appears that all obligations under Section 8 and 9 of the Act are applicable for processing of non sensitive personal data also.

The “Significant Data Fiduciaries” to whom the requirement of DPO, Data Auditor and DPIA apply, bring the concept of sensitivity of information back in contention for determining whether an organization is a significant data fiduciary or not.

In the first version of the “Draft of the Draft Rules” made available for discussion, there was no definition of “Significant Data Fiduciary” (SDF) and it is possible that even in the final version, Meity may refrain from defining a “Significant Data Fiduciary”.

It would therefore be left to a Data Fiduciary (DF) to decide if he is a SDF or not. When things go wrong, the DF who should have been SDF but classified himself as DF may be liable for penalties related to the special obligations of a SDF. It is natural to consider that a DF which is processing Neural Data needs to be classified as posing a significant risk and the organization should be considered as SDF.

Since Section 10 (1) states that the Central Government may “notify” any DF based on the “Risk to the rights of Data Principal” as a SDF, absence of such notification can also be interpreted as if there will be no SDFs at all. But such an argument would be fallacious and would be difficult for Courts to accept. At best, Government may take some time to notify the criteria for determining a SDF but it would be difficult to avoid it all together.

Under Section 16, Government has decided to give a “Negative List” of countries to which transfer of personal data from India could be restricted. If the Government wants to avoid defining what constitutes “SDF”, they can chose to declare which types of industries are exempted from being considered as Significant Data Fiduciaries.

Unless the MeitY declares that “Processors of Neural Data” are not Significant Data Fiduciaries, it would be unwise for DFs processing Neural data not to consider themselves as SDFS.

Let us wait if Government takes this route of avoiding a decision.

In the meantime, DGPSI will consider processors of Neural Data as Significant Data Fiduciaries only.

Naavi

When ITA 2000 was enacted and notified on 17th October 2000, technology made its entry into commerce with the recognition of electronic documents and digital signatures. Digital Signatures were also a tool of information security and non repudiable authentication. The concept of due diligence and section 85 had also introduced the concept of corporate responsibility for security for prevention of cyber crimes.

With the 2008 amendments the role of law on information security was further tightened and CERT In got notified as the apex cyber security organization in the country. Sections like section 43A, 69A, 69B etc highlighted the need for corporate compliance action.

However this legal intrusion into information security practice was brushed off by the industry and ITA 2008 compliance and IISF 309 (Indian Information Security Framework) remained only a wishful thinking of Naavi.

After 24 years, with the advent of DPDPA 2023, it appears that industry is now able to recognize this new field of information security combined with law. Just as AI enabled Data Analytics has become the corner stone of innovation in data driven organizations, ITA 2000 driven DPDPA 2023 has become the essence of the corporate information securty practices in the emerging times.

At the Empowering CxOs conference in Bengaluru on 5th September 2024, this aspect came for discussion in a panel “The Future of Data Privacy by Driving a Privacy-First Culture – Balancing Innovation and Privacy: A Strategic Approach.” which I had the privilege to moderate.

The entire event is available at https://www.youtube.com/watch?v=B5ZjUS77xms (Panel discussion is available at 7.10.46)

During the discussions it was clear that the future of technology related to information security would be embedded with DPDPA 2023 in a manner which the industry has fully realized and is trying to find ways to implement.

In this direction DGPSI comes out as a solution in the form of compliance framework to be considered and the training programs like C.DPO.DA. scheduled by FDPPI for information security professionals stand out as a timely introduction to the eco system.

We hope that this integration of Technology and Law in terms of “Information Security and Privacy Protection” will grow from strength to strength in the coming days.

Naavi

At a time, AI is threatening the credibility of the Internet as a medium of communication and perhaps even the human race, we at the “CXO Cywayz “are discussing the future of Data Privacy and how to strategize to bring balance Innovation and Privacy .

Like the ever lasting battle between Security and Privacy, Technology Innovation is also a continuing challenge to Innovation or vice versa.

Innovators often forget that they live in a society and all their innovations have value only if the society survives and functions in an orderly manner. Privacy regulations is one such aspect which should be considered as a necessity to be incorporated into all innovative outcomes of technology.

We in India are today in the period of dawn of DPDPA and Data related business and profession will never be the same again. What we did for the last decade need to be renewed. What we learnt may have to be unlearned because DPDPA is likely to disperse all our current strategy outcomes.

The output from the prism of DPDPA may look colourful but it comes in shades of red as well with a huge penalty lurking in the background threatening the existence of the company that ignores DPDPA.

Setting up a “Data Governance and Management System” (DGPMS) to respect law and ensure a balance between Innovation and Privacy is the way to go. The strategy for this approach lies in DGPSI the unique framework -Data Governance and Protection Standard of India. ISMS and PIMS associated with other frameworks need to yield the way to DGPMS powered by DGPSI.

Bringing harmony between Innovators in technology and the legal community fighting for “Namma Privacy” lies in the unique concept of DGPSI which speaks of “Compliance By Design” as a modified approach to “Privacy by Design”. Why this Compliance first approach is different from Privacy first approach requires a longer debate.

For the time being we can conclude that the future of balancing Privacy and Innovation through a strategic approach belongs to DGPSI and its adoption in the industry.

Naavi