Draft of DPDPB 2022..Simple..information on need to know basis..less scope for objections

The draft of DPDPB 2022 (Digital Personal Data Protection Bill 2022) has been very cleverly drafted by avoiding unnecessary details to give less scope for critics.

The Bill seems to adopt a principle that the Act needs to contain only the broad provisions and many of the details which were part of the earlier bill can be moved to the regulations after the Bill is passed.

Even the public comments to be received up to 17th December will be handled in confidence so that there will not be a disclosure of who suggested what. I would not be surprised if the Bill is passed in the December session of the Parliament itself without waiting up to the February session and the detailed regulations are presented during the February sessions. This is a good strategy to get the Bill moving.

One characteristic of the Bill that strikes the eye is its simplicity. There are only 30 sections instead of the earlier 99 sections. The IT community can feel happy that it is much easier to understand this law than the earlier versions or even the GDPR which had 98/99 sections/articles. The number of definitions has also been restricted to just 17 as against 40 in the previous Bill.

In the process of simplification, some vital aspects have been omitted and they need to be addressed through the subordinate regulations.

Some notable observations are that the definition of harm includes only “bodily harm” and omits “Psychological harm”. Perhaps “Body” should be interpreted as to include the “Mind” and the “Brain” and the definition can be extended to Psychological and Neurological harm as well.

The name as well as the provisions relate to “Digital Personal Data” and hence there may be a reason to feel that the protection of privacy as a fundamental right in oral and paper environment could be considered outside the law. Fortunately, the definition of electronic document used in ITA 2000 is wide and any paper document produced by the use of a computer (including a printer) can be considered as electronic document and brought under this law. Hence all documents processed through computers may be considered as part of this law.

The applicability clause has also been simplified without bringing in the confusion on Anonymised Personal Data.

In the data principal’s rights, the Right to Portability and Right to Forget have been omitted. This could cause some flutter but will be considered good for the industry. Along with the imposition of the duty on the data principal, frivolous complaints, which are a bane in GDPR, have been eliminated. This could be one of the biggest reliefs to the Data Fiduciaries.

The provision of “Deemed Consent” covers the legitimate interest of a Data Fiduciary and is similar to the previous provisions in PDPB 2019.

Significant Data Fiduciaries need to appoint an Independent Data Auditor but as of now there is no mention of Data Trust Score as a mandatory obligation. But the Auditor may perhaps use such a measurable parameter if he so decides.

The concept of “Privacy By Design” or “Privacy By Design Policy” is conspicuous by its absence though the obligation to be compliant remains.

The Significant Data Fiduciary would also be required to appoint a DPO based in India. Need for him being a Key Management Personnel has been removed but it has been indicated that he is responsible to the Board.

The provisions for transfer of data outside India have been left to be handled by the “Adequacy” decision. Hence the controversy gets buried for the time being.

Similarly, the exemptions claimed by the Government have been directly linked to the constitutional exemptions without going too much into the details so that another area of controversy is pushed to the background for the time being.

The Government retains the option to exempt some types of Data Fiduciaries and this can come in handy to provide exemptions to NGOs, Educational Institutions, Charities, Religious institutions etc if need be.

Another provision which was highly controversial earlier and has been skirted now in this draft is the constitution of the Data Protection Authority. The draft has announced that there will be a Data Protection Board which will handle the functions of the erstwhile Data Protection Authority. Again the details on its powers and functions are not included in the Bill. Even the “Code of Practice” mentioned in the erstwhile Section 50 is also absent. Hopefully many of these good things will be introduced through the regulations.

The maximum penalty is fixed at Rs 500 crores and there is no mention of any criminal punishments. The Schedule details 6 sub categories of penalties and penalties are designated as “Upto….” without percentage of turnover. In particular, the penalty in respect of data breach is up to Rs 200 crores while the penalty for non-compliance could be higher at Rs 250 crores. Probably in case of a data breach associated with security non-compliance, the penalty could be applied for both. The maximum penalty may however be restricted to Rs 500 crores.

More analysis may follow. However it appears that the Government has ensured that there is very little scope for raising objections at this stage and we need to wait for the notifications to understand the complete implications.

(Comments welcome)

Naavi

Copy of the Act can be perused at www.dpdpa.in

Posted in Cyber Law | Leave a comment

Draft Digital Personal Data Protection Bill 2022 released for public comments

The Government of India has released the draft Digital Personal Data Protection Bill 2022 for public comments.

The Ministry has invited feedback from the public on the draft Bill. The submissions will not be disclosed and will be held in a fiduciary capacity, to enable persons submitting feedback to provide the same freely. No public disclosure of the submissions will be made.

The feedback on the draft bill in a chapter wise manner may be submitted here

The last date for submission is December 17, 2022

Copy of the Bill is available here

Copy of the explanatory Note is available here

Naavi


Oculus could cause a scare for users…

In the previous article, we discussed the Oculus and how it has reportedly been designed to cause damage to the human brain. The device is fortunately not yet out in the market and Mr Palmer Luckey no longer works in Meta. But he has his own company and could very well develop this VR set on his own.

While Mr Palmer boasts that he is “Fascinated” by the possibility of bringing the Meta Verse person closer to the real person, if it is to cause damage to the physical person, then the idea is sinister.

To many this is very scary …so scary that they would like to keep themselves away from any VR. Who knows that there is no hidden explosive charge inside which can be triggered by an event in a Meta Verse event?

While people like us may like to push for the laws to control such devices, the public may be also worried that since VRs may be used by many children, the device can be used to cyber hypnotize the users to reveal financial details of their parents or other secrets with which another criminal attack can be launched on the person.

We cannot wish this away as only a speculation. If people could create games like the Blue Whale to make children commit suicide, they will definitely use the VR to exploit the immersive experience to Cyber hypnotize the subject and steal information leading to further crimes.

I am also anticipating that terrorists would use it to brainwash members from the public and motivate them for lone wolf attacks.

If we watch the above video and read some of the comments, it is clear that there are many who seem to enjoy this kind of a device. They may be commenting in jest but the possibility that some of them could become agents of a kingpin is plausible.

In view of the above, I trust that Government of India will immediately place all VR sets under a system of “Licensing” based on a critical evaluation of the hardware at code level. The Meta Verse sites that could interact with the users of this kind of advanced VR sets should also be monitored on a continuous basis to ensure that there are no deep web sites that cause an “Immersive” experience to create criminals prowling in the society.

Time to act now…. Address a communication to the Indian Government to take note of this danger.

Naavi

Also Refer:

About NerveGear


I am not happy with FTX crash but I have the right to say ..I told you so…

I have been carrying on a crusade against Private Crypto Currencies such as Bitcoin for years and if anybody can say FTX crash was natural, I have the right to say so.

Money Control today carried an article titled “FTX Collapse: RBI has the last laugh on crypto. If you ignored Das’s warnings, the joke is on you”

I would like Money Control to also refer to the many articles in Naavi.org where I have called out even Money Control for promoting Bitcoins in the past.

See all the articles here

In my scathing attack, I have not spared anybody including the media and Supreme Court.

Even today I consider Supreme Court as one of the biggest culprits for having blessed Bitcoins for reasons which only can be surmised.

One has to read this unique judgement to understand how a clever judgement can be written stating that one side wins but the other side takes the benefit. This “Bollywood Judgement” is a museum piece of a judgement which is written like a Bollywood script with heroes, villains and climax etc.

In this case where a petitioner who was a Crypto Exchange challenged the decision of the Bank to freeze the account based on the RBI circular, the Court ordered that

“RBI is obliged to direct the Central Bank of India to defreeze the account and release the funds of the petitioner together with interest at the rate applicable.”

The consequences of this judgement were terrible. Technically the Supreme Court may justify its action. But morally it gave a clean chit to the operations of the Crypto Exchanges and painted RBI as in the wrong. Since then the transactions of Bitcoin increased and many more Indian investors were caught by the bug.

The Finance Ministry, right from the days of Late Mr Arun Jaitley to the current day, has been in favour of Bitcoin. The MCX went to the extent of publicly supporting Bitcoin to be included in the commodity trading and had I not called out their nefarious decision aloud, they would have colluded with the finance ministry and given a commodity status to Bitcoin by this time.

It was only the resistance of RBI and frequent warnings by Mr Shaktikanta Das which held back a decision in this regard. Even now there is an attempt to sneak in the Bitcoin (and other private crypto currencies) through the amended Data Protection Law or ITA 2000. But the FTX incident should put a check on this attempt.

The CBDC introduced by RBI is for a different purpose and does not amount to validation of the Crypto Currencies like Bitcoins. It may make it even more difficult for the Bitcoin lovers to get a legal approval for the “Currency of the criminals and the corrupt”.

I therefore consider that the FTX incident is a welcome development that prevents more damage to our economy through the crypto currencies. While I regret the loss suffered by the innocent investors, they should have seen it coming since the entire ecosystem of Bitcoins was created and run by criminally minded persons who were fugitives of taxation law in their respective countries.

I had participated in the first Bitcoin conference in India and was enamoured by the technology and even stated that legally it can be acceptable in India through the ITA 2000. Even some RBI officials were present during the conference as observers. But when I tried to reason with the Bitcoin syndicate that they should align with a law compliant system, I found out that they had no intentions of working within the legal environment and it was thereafter that I started my crusade against Bitcoin.

Our war against Private Cryptos is not over until the Government comes up with a suitable legal provision to declare transactions related to Private Crypto Currencies as “Money Laundering” and start taking penal action. Now we will only be going with the presumption that Bitcoin is not legal but what we need is to treat it as a punishable crime to deal with or promote private crypto currencies in any form. Work on this is pending.

Naavi


Oculus Proves the Immediate Need for Neuro Rights Protection-Do you endorse?

(PS: The device picture shown above is a conceptual replica. It was not actually built and Mr Palmer was perhaps terminated by Meta for other reasons and not for developing this lethal idea. But the danger of the concept seems plausible and could be built by others.)

It is surprising how some criminal minds work. When I urged the need for Neuro Rights legislation in India during my speech at the IDPS 2022, the existence of a concept like Oculus VR set with a possible Microwave blast was not highlighted. I only highlighted the developments of Neuro Technology such as Brain Implants and Brain Computer Interfaces that can be misused by the operators to unauthorizedly alter the human mind by manipulating the neuro data.

Mr Palmer Luckey, who is identified as an “Entrepreneur” by Wikipedia, is associated with a potential invention of a VR set which can have an embedded Microwave bomb that gets triggered when the wearer is playing a video game and gets killed. The Microwave blast would be directed at the brain of the head set wearer, killing him in physical life.

Law makers need to seriously think: if this technology development is not stopped right now, will it not be a facilitation of plain “Murder” or “Abetment to suicide”?

If so, it is time to endorse the need for Neuro rights legislation in India now.

The basic requirement of law is

a) Recognize the form of “Neuro Data” as a kind of data coming under “Protected data” 

b) Recognize “Neuro privacy” as a kind of “Protected right”

c) Recognize “harm” due to neurological manipulations

d) Recognize a higher level of “Consent” called “Witnessed Consent” to protect Neuro right

The rest of the law related to penalties and punishments can be considered under other provisions of the data protection act as well as ITA 2000 and IPC as a “Contravention of law”. The Oculus must be considered as a weapon of death and its inventor and distributor should be punishable under law including punishment of death for third degree murder or attempt thereof.

Considering the urgent need for legislative protection, apart from using other provisions under the “Gaming Control Notification” that the Government is considering, the law on Personal Data Protection, a draft of which is expected to be released anytime, must include provisions of Neuro Rights Protection.

Some of the suggested provisions are as follows.

1. “Neuro Data” may be defined as: “Neuro data means the electromagnetic signals that are collected from or fed into the human brain by a Brain Computer Interface in binary form.”

2. “Neuro Privacy” may be defined as: “Neuro Privacy means the choice of an individual to determine to what extent the individual may share his neuro space with others.”

3. “Neurological harm” may be defined as “Neurological manipulation which alters the ability of an individual to take autonomous decisions” and should be added to the definition of harm to extend the “psychological manipulations”.

4. “Witnessed Consent” may be defined as: “consent provided by a data principal which is witnessed by independent third parties who do not have conflicting interest in the processing of the personal data under circumstances that the data principal may not be reasonably expected to provide a free consent, and includes sharing of neuro data or sharing of personal data when the data principal is not in a medical condition to provide informed consent.”

I would urge readers to read the series of articles on the suggestions for the new data protection law available here.

Readers can also view the keynote address of Naavi at IDPS 2022 which is available below.

I request viewers to send their views on whether the time has come to bring Neuro Rights into the Indian law in the current “Draft Digital Personal Data Protection Bill” that the Government is now contemplating.

Please join your voice here so that when FDPPI submits its request to the Government to add these provisions into the draft, your voice will also be heard.

Naavi

Reference:

India Today article

 


Bank of Baroda, Union Bank of India and Punjab National Bank declared protected systems

Through separate Gazette Notifications, Government of India has declared three more Banks namely Bank of Baroda, Union Bank of India and Punjab National Bank as “Protected Systems” under Section 70 of ITA 2000.

They join ICICI Bank and HDFC Bank declared earlier.

The corresponding notifications are available here.

 

Naavi
