Naavi.org

Cut paste approach or Zero based approach?..Shape of Things to Come-23

Posted on September 24, 2022 by Vijayashankar Na

P.S: This series of articles is an attempt to place some issues before the Government of India which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect.

Reports emanating in the press indicate that the Government of India may come up with a new draft of data protection law sooner than earlier expected. According to the above report quoted in PTI on September 22, the bill may be presented in the “Next Few Days”.

We at FDPPI have already declared the focus of our IDPS 2022, a virtual summit to be eld on November 11,12 and 13 as “Shape of Things to Come” ready to discuss the new draft in as much depth as possible.

As a reference frame we have also been working on our own draft of what should be considered as an ideal law and we have been discussing this in the series of articles of which this is the 23rd.

Initially the Government was talking of a common law for both personal and non personal data and revision of ITA 2000 simultaneously with this new law. However, if the Government wants to release a draft for public comments immediately, then it is more likely that the draft will confine itself to personal data protection.

In such a scenario, there are two options before the Government. First is to pick the GDPR or the PDPB 2019 and cut and paste most of the provisions as is available and make some cosmetic changes to create the New Data Protection Act of India (NDPAI). The second approach would be to design the law as a zero based approach, forget GDPR and create a law afresh.

While the Government may take the easy path of using the existing GDPR and import it to the NDPAI so that there is easy acceptability of the industry, it would be an opportunity missed if we donot think of creating the law from basic principles.

Though we are aware that the probability of the Government adopting the second path which is more challenging and requires more conviction on the principles, we would continue to place some of our thoughts in this direction so that it goes on record that some thing was suggested even if it was not accepted.

Probably several years from now, some of these principles may become part of the regulations through amendments or through rules.

Since there is some urgency to place these thoughts in public domain before the Government commits itself to a draft of its own which becomes a rigid set of provisions difficult to change, we are providing here some key requirements of the law .

While there is plenty of scope for improvement of these suggestions, we need to start some where to know what can be changed and hence let us proceed further.

The basic aspects that the law has to cover is “Applicability”,” Rights of Data Principals” “Obligations of Data Fiduciaries”, “Prescribed penalties” and “Formation of a regulatory authority”.

Obligations of Data Fiduciaries would include compliance requirements and protection of Rights of data principals.

The details of whether the Data Fiduciary may be called the Data Controller or a Data Guardian etc is a matter of further details which we have tried to cover earlier and will be part of the detailed requirement.

In this article we are trying to take on record the “Rights” that a person needs to be guaranteed through this Act and how the declaration of Rights itself fixes the applicability.

The draft presented here is a “Rights Based Drafting of the Privacy and Data Protection Act” and does not follow the GDPR through cut and paste though all the requirements of GDPR may finally find a place in the Act in a different manner.

This draft revolves around the concepts of

a) Protected Right

b) Protected Data

c) Protected Person.

Protected Data refers to what other laws may call “Personal Data”. “Protected Person” refers to the “Data Principal or Data Subject” . Protected Right refers to the “Right to Privacy and the subordinated rights such as right to access, correction, etc).

The obligations to protect the right lies with the Government as well as every organization which has a duty under the constitution to protect the right.

How the obligations are to be discharged is the “Transparency and Accountability” or “Compliance aspects” covered in GDPR.

These form the real essence of the entire law though the Government draft is likely to focus on the “Regulator” and what would be his authority etc. Industry is also concerned about the detailing of the obligations including the cross border transfer and privacy activists will focus on how to criticise the powers of the Government, exemptions etc.

Our approach to construct the law from “Protected Right” is more basic in approach and is the Zero based approach.

In this approach therefore we will first indicate the core objective of the law by declaring the concept of “Protected Right” as follows.

Protected Right

(a) The right to privacy shall be a right that is protected through due process set by this Act as an intrinsic part of the right to life and personal liberty as envisaged under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution of India subject to reasonable exceptions under article 19(2) of the Constitution of India.

(b) Any data whether in oral, written or electronic form that is likely to have an impact on the Protected Right shall be construed as “Protected Data” and shall be collected, processed, generated, stored, or disclosed or otherwise used as per the provisions laid down in this Act.

i. Living natural persons who is a recognized citizen of India irrespective of his place of residence

ii. Living natural persons who is a recognized citizen of a sovereign country recognized by India and under authorized residence in the territory of India

(d)Protection under this Act shall not be available to

1. 1. 1. Natural persons who are under unauthorized residence in India
    2. The information related to a juridical person including proprietary or single person owned business entities.
    3. Protection of Right to Privacy under this Act is not applicable to a deceased individual

If we closely observe the above, these provisions defines the “Right to Privacy” which is not presently present in a statutory Act and is always derived from Supreme Court judgements. The definition covers both the Information Privacy and Physical Privacy and extends the definition of Information privacy to oral and written document dimension also.

Additionally the guaranteed right is restricted to living natural persons who are citizens of India irrespective of the place of residence and non citizens if they are residing in India.

This definition excludes illegal residents in India from protection. Naturally it excludes the business entities and deceased persons.

The exact manner in which the protection is provided will reflect in the compliance part of the law.

Having defined the basic objective of the law as to protect the Privacy right, the next section will be as follows.

Dimensions of the Right to Privacy

The Right to Privacy as envisaged under this Act shall be recognized as the choice of an individual to be “let alone” and extends to the following dimensions

(a) Physical Privacy related to the right of the person to prevent or otherwise regulate a third person gaining access to the physical proximity of the individual

(b) Information Privacy related to the right of the person to prevent or otherwise regulate a third person gaining access to the information in electronic form that provides access to the mind space or neuro space of an individual

The clause (a) here refers to the kind of privacy which Supreme Court decisions like the Kharak Singh Case addressed declaring the “Home as castle”

Clause (b) refers to the kind of privacy which the Puttawamy case addressed as the “Right to be let alone” which is a “State of Mind”. Additionally clause (b) recognizes the distinction between “Right of Choice” relevant in the general privacy understanding which belongs to a conscious mental activity and “Neuro Space” where the conscious choice is not available to an individual.

Thus this law will make India the second country in the world to address the Neuro Rights and we can claim it is progressive and contemporary.

Next, the rights which are covered in the GDPR and other laws are covered through a section on “Subordinate Rights”. These regulations may be stated as under.

Subordinated Rights

The Protection of the Right to Privacy as per Section 3.2 includes subordinated Rights prescribed under this Act includes

Every person whether an individual or a juridical person shall process data which is identifiable as related to a protected person subject to mandatory adherence to the personal data processing principles such as

i) Purpose Limitation:

No protected data shall ordinarily be collected or used in any manner except for a clearly identifiable purpose or purpose which can be considered as incidental to the main purpose except when the requirement is to explore and discover new uses for which a special “Discovery Consent” is obtained from the protected person.

ii) Collection Limitation

No person shall collect elements of protected data more than what is required for the specified purpose.

iii) Retention Limitation

No person shall retain protected data more than what is required for the specified purpose.

iv) Accuracy of Data

Every person using protected data shall endeavour to keep it accurate and ensure that incorrect data is duly corrected subject to production of reasonable evidence about the inaccuracy of the data and the accurate data.

v) Informed Consent

Every person collecting and using protected data shall ensure that the protected person to whom the protected data belongs shall be duly informed about the purpose of collection and use, the manner of usage, the time of retention etc and obtain a verifiable consent.

vi) Right to Information about processing

The protected person shall also have the right to request for information about the processing of protected data related to him any time after the collection and during the time the data is in use subject to such right being exercised responsibly.

vii) Right to Withdrawal of Consent

The protected person shall also have the right to request to withdraw the consent already provided subject to reasonable notice.

viii) Automated Decision Making

Any automated means of collection or use through a computing device shall be attributed to the person who caused the device to collect or use the data in a specified manner and shall be responsible for the consequences of any subsequent disclosure to a human being and automated decision that may cause a harm to the protected person.

ix) Right to Restrict disclosure of Profiling

Any person who has generated a profile of a Protected person shall not disclose it to any other person except with a specific consent of the protected person.

x) Right to Portability

A protected person shall have the right to request porting of protected data excluding the profile created thereof to the protected person only.

Where the profile is reasonably suspected to be causing harm to the protected person the protected person may request for a copy of the profile subject to protection of any intellectual property rights or Trade secrets of the person who created the profile.

xi) Right to erasure

Where the protected data collected by a person has completed its usage as per the specified purpose, it shall be archived as may be required for evidentiary purpose under law and be erased from active usage systems.

xii) Right to Forget

Where the protected data has been archived by the person who has processed it, the protected person may further request that the protected data may be removed from the archive through anonymization or deletion subject to appropriate regulatory review.

xiii) Right to Reasonable Security

The protected data shall be secured against unauthorized access, modification and denial of access by all persons who have authorized access.

xiv) Right to Grievance Redressal

Protected person shall have the right to an appropriate grievance redressal mechanism as prescribed under the Act.

After thus defining the rights, it is suggested that the obligations of the Government bodies is defined in one section as follows:

Obligations of the Government

(a) All the Government bodies including the Government of India the Governments in States and Union Territories and every organization which is part of such Government or Union Territory shall have the duty to protect the Right to privacy of Indian Citizens in harmony with the Right to protect the life and liberty as envisaged in the Constitution of India

(b) All such Government bodies shall institute reasonable and proportionate measures to meet the obligations of protecting such Rights.

(c)All such Government bodies shall designate a senior official to be responsible for compliance of the protection of the Right to Privacy and Right to life, property and liberty

(d) In the event of non compliance of the above, the designated person or in his absence the person responsible for the activities in the subject Government body shall be liable for disciplinary action

(e) If the non compliance is associated with malicious intention, the person responsible may be liable for punishment under appropriate criminal

Obligations of Non-Government Bodies

All organizations other than the Government bodies shall adhere to the provisions of this Act as stated further and shall be liable to penalties and punishments as specified here under for any contraventions thereof.

The further chapters can provide the details of compliance where also there is scope for innovation which we shall discuss in subsequent articles.

Advantages and disadvantages of the above approach is open for debate.

Naavi

P.S: These discussions are presently for a debate and is a work in progress awaiting more inputs for further refinement. It is understood that the Government may already have a draft and may completely ignore all these recommendations. However, it is considered that these suggestions will assist in the development of “Jurisprudence” in the field of Data Governance in India and hence these discussions will continue until the Government releases its own version for further debate. Other professionals who are interested in participating in this exercise and particularly the Research and Academic organizations are invited to participate. Since this exercise is too complex to institutionalize, it is being presented at this stage as only the thoughts of Naavi. Views expressed here may be considered as personal views of Naavi and not that of FDPPI or any other organization that Naavi may be associated with.

Introduction	2. Preamble	3.Regulators
4. Chapterization	5. Privacy Definition	6. Clarifications-Binary
7. Clarifications-Privacy	8. Definitions-Data	9. Definitions-Roles
10. Exemptions-Privacy	11. Advertising	12. Dropping of Central Regulatory authority
13. Regulation of Monetization of Data	14. Automated means ..	15.Prevention of Data Laundering-Policybazaar data breach
16. Should neurorights be recognized?	17. Types of Consents	18.Cross Border Restrictions on Transfer
19.Neuro_rights-voice to skull	20.Whose Rights to be Protected	21. Rights before Applicability
22. Simplification of the Government Obligations	23.Cut paste approach or Zero based approach?.

Posted in Cyber Law | Leave a comment

Can the Data Protection Obligation of the Government be simplified?..Shape of Things to come-22

Posted on September 23, 2022 by Vijayashankar Na

(Continued from the previous article)

P.S: This series of articles is an attempt to place some issues before the Government of India which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect.

If we look back at the history of Privacy and Data Protection law in India, one of the stumbling blocks is that there are unreconciled controversies about the exemptions that the Government agencies are provided either for Governance or for Law Enforcement.

Even in PDPB 2019, the most contentious section was Section 35 which was an enabling provision which empowered the Central Government to exempt any agency of the Government from the application of the Act. Though the power was within the “Reasonable Exceptions” under Article 19(2) of the constitution, the section was interpreted as providing disproportionate powers to the Government.

Additionally, another empowering section viz Section 92 was seriously opposed as if it provided extraordinary powers of oppression on the private sector by the Government.

In comparison, Section 36 (a) which addressed exemptions for law enforcement nor Section 36(e) which addressed exemption for journalistic purpose did not evoke opposition.

Though these discussions are now redundant, it is likely that similar objections would surface once again when the new draft is issued by the Government and they will also be subject to individual judicial scrutiny if it becomes a law.

In the new Data Protection law which is being proposed for discussion by us, we therefore suggest a simplification of the provisions related to the coverage of the law on Government bodies.

Since Right to Privacy is a fundamental Right under the constitution, there is a duty to the Government to protect the right subject to reasonable exceptions. This follows the judgement of the Puttaswamy case and is yet to be incorporated in any statutory law. This new law is an opportunity to convert the Supreme Court observations to a statutory provision.

However the more micro level specification of the obligation of the Government the law attempts to cover, the more controversies may emerge. Hence it is suggested that instead of a section like Section 35 or 36(a) or 92, the provisions related to the coverage of or exemption from the provisions of the Data Protection law for Government agencies may be summarized as a part of defining the scope and applicability of the Act.

A suggestion in this regard which can be improved by others is to introduce the following set of sections to cover the obligations of the Government in steps.

Step 1: In the first section which specifies the Title of the Act and its date of applicability, the following can also be added

This Act shall be applicable to whole of India and shall also apply outside India to the extent necessary to protect the Rights of the Citizens of India and the interest of the Country as envisaged in the constitution of India.

With this, we are providing for the extra territorial application and deriving powers of legislation from the “Right to Privacy” as a fundamental right in the constitution and recording at the same time that there could be other Rights of Citizens and Duties of the Government as per the Constitution. It will also keep the statutory obligations to the citizens of India and in national interests and any other extension of the provisions to non-citizens will be subject to the specific rights granted under this statute. The details will be covered under the provisions on “Rights”

Step 2: The fundamental objective of the Act is recorded by defining the purpose of the Act with the following section.

Protected Right

The right to privacy of an Indian Citizen shall pe protected through due process set by this Act as an intrinsic part of the right to life and personal liberty as envisaged under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution of India subject to reasonable exceptions under article 19(2) of the Constitution of India.

With this section we are bringing the protection of Right to privacy into the statute in the words of the Puttaswamy judgement and providing the cover of “Due Process” for any exemptions claimed for right to privacy under the reasonable exception clause.

Step 3: We specify the obligations of the Government through the following words

Obligations of the Government

(a) All the Government bodies including the Government of India the Governments in States and Union Territories and every organization which is part of such Government or Union Territory shall have the duty to protect the Right to privacy of Indian Citizens in harmony with the Right to protect the life and liberty as envisaged in the Constitution of India

(b) All such Government bodies shall institute reasonable and proportionate measures to meet the obligations of protecting such Rights.

(c) All such Government bodies shall designate a senior official to be responsible for compliance of the protection of the Right to Privacy and Right to life, property and liberty

(e) If the non compliance is associated with malicious intention, the person responsible may be liable for punishment under appropriate criminal law.

The sub section (a) defines the obligation of the Government as a “Duty” under the constitution and hence does not need any further elaboration in the law as to whether Consent is required in certain circumstances and not in others etc. This should cover even the law enforcement requirements of the Police, ED, CBI etc.

Any action of the Government which is in dispute will be a subject matter of a writ petition and hence in any case of dispute the Court can also decide about whether the action of the Government was within the powers of the constitution.

Even if a section like Section 35 of PDPB 2019 is written down, it will be challenged even before the adoption of the law itself. The suggested section protects the law being questioned in the Court until there is some specific action initiated by the Government.

Perhaps it can still be questioned for “Vagueness” but this vagueness is directly linked to the Constitution and nothing different from the vagueness prevailing now where there is no statutory provision on Right to Privacy and we need to depend only on the interpretation of the Supreme Court judgement.

Under sub section (b) all compliance measures are suggested without going into details such as whether DPIA is required, whether Privacy by Policy document is required etc. The Ministries will have flexibility to define their own “Reasonable Measures”. In PDPB 2019 this discretion was available under section 50 (Code of Practice) and the same is provided here in another manner.

Under sub section (c) a provision to bring accountability to an officer is indicated so that the head of the department may be freed from the liabilities unless no such designated person is appointed as Compliance officer.

Sub sections (d) and (e) prescribe the sanctions that can be imposed on the officials for negligence and where there could be malicious intentions.

This provision means that the Data Protection Authority need not impose any penalty upto Rs 5 crores etc. If there is a compensation payable to a data principal it can be provided by the adjudicator and the Government may be asked to pay. But one Government officer (Data Protection Authority) imposing an administrative penalty on another Government officer (Secretary of a Government department) need not arise. Under the provisions of PDPB 2019, such penalties are collected from the Government and again credited back to the Government which has no meaning and therefore can be avoided.

Having thus defined the obligations of the Government, the rest of the Act may focus on “Obligations of Non Government Organizations” where the compliance measures such as Privacy by Design Policy, Notice and Consent, DPIA, DPO, and Data Breach Notification etc can be specified.

The Grievance redressal for the data principal through Adjudication and Appellate Tribunal may still consider the Government body as a party and claims of compensation under Section 65 of the present PDPB 2019 may continue to be protected even against the Government body as the Data Guardian/Fiduciary.

The above is a suggestion for consideration by other experts. It has been made to simplify the applicability of the law to Government organizations and ensure that the problems that may arise from them donot become a stumbling block to the passage of the law.

Naavi

Introduction	2. Preamble	3.Regulators
4. Chapterization	5. Privacy Definition	6. Clarifications-Binary
7. Clarifications-Privacy	8. Definitions-Data	9. Definitions-Roles
10. Exemptions-Privacy	11. Advertising	12. Dropping of Central Regulatory authority
13. Regulation of Monetization of Data	14. Automated means ..	15.Prevention of Data Laundering-Policybazaar data breach
16. Should neurorights be recognized?	17. Types of Consents	18.Cross Border Restrictions on Transfer
19.Neuro_rights-voice to skull	20.Whose Rights to be Protected	21. Rights before Applicability

Posted in Cyber Law | Leave a comment

Draft Indian Telecommunication Bill, 2022 released for public comments

Posted on September 22, 2022 by Vijayashankar Na

Ministry of Communications had announced that a new Telecommunication regulation would be introduced in the country along with a revised ITA 2000 and revised PDPB 2019.

Accordingly, the Government has released a draft and public can send comments before October 20, 2022.

Copy of the Bill is available here:

An Explanatory note is available here:

Comments can be sent by e-mail to : naveen.kumar71@gov.in

Posted in Cyber Law | Leave a comment

Applicability of the NDPAI-Shape of things to come-21

Posted on September 22, 2022 by Vijayashankar Na

(Continued from the previous article)

P.S: This series of articles is an attempt to place some issues before the Government of India which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect.

Applicability of any law is generally limited to the jurisdiction in which the law making body has the power to legislate. Hence every sovereign Government has the power to make laws within a given jurisdiction.

In some countries there is a federal governance system and there could be multiple sub geographical areas where law can be made independently while the federal law may apply to all such sub units.

For example the Union of India or USA or EU can make federal law applicable to the entire country of India, United States of America or all the EU member countries etc. At the same time individual States of India may have certain powers to make laws for Governance activities listed in the state list or concurrent lists. Similarly the States of USA such as California or New York or Colorado or Connecticut can make laws applicable within the state. So also the individual members of the EU which are countries in their own right can also make laws for their countries.

Some times the Federal laws and State laws may over lap and create compliance confusions. It is for the law makers to avoid such confusions by incorporating suitable explanations in the law.

One distinct take of this law making principle is that India cannot make a law applicable in EU and EU cannot make a law applicable in India. However in certain circumstances, if the activities of a resident of a foreign country could lead to an adverse impact on a local resident, the local Government can add “Extra Territorial Jurisdiction” in its law and say that the law is also applicable for activities outside the jurisdiction of the law making body.

This extension of the jurisdiction has been used in laws like GDPR where it is provided that if the personal data of a EU citizen is processed outside EU for profiling a EU citizen/resident or for carrying on targeted business with the local resident, then GDPR is applicable to such processing.

Some times organizations which are constituted subject to laws in a particular country represent the country and its activities outside the country, need to be monitored by the Government of the resident country of the organization in order to ensure that its citizens (individual or corporate) do not become an embarrassment to the country.

In view of the above, while defining the applicability of law such as the data protection laws, we normally consider

a) What is the type of data and what activity related to such data to which the law is applicable.

b) What type of organizations and their place of constitution to which the law is applicable

c) Whether the law is applicable to organizations constituted and operating outside the law making country and if so under what conditions

While PDPB 2019 followed the GDPR and stated that the law is applicable for “personal data” when collected, or processed in India, it also extended the law on the basis of companies constituted in India for their global operations and for foreign entities who could remotely process the data of Indians for profiling and for targeted business.

In these circumstances, it is necessary for us to remember that all laws are basically applicable within the country of origin of the law and every extension to this basic principle is an exception and should be read with the conditions attached.

Also when we speak of a duty to pass a law as part of Governance responsibilities, the duty is to the citizens of the dominion. Any extension of this to the “Non Citizens” is also an “Extra-territorial application” considering the category of people to whom the law is applicable as a “Territory”. Hence when the law says that data protection law is applicable to “Residents”, it can be made conditional and the remedies available to a resident who is not a citizen could be different from a citizen though such differences could lead to charges of “Discriminations” based on racism.

However, as long as the differences are logical and have a purpose, they can be justified. One example is the Indian law of CAA which gave some different treatment to immigrants based on whether they are Hindus/Sikhs/Jains or not.

Laws may some times overlap not only because of the territorial reasons, or citizenship or residential status but also on the material scope such as ITA 2000 being applicable to both personal data and non personal data while PDPB 2019 is applicable only to personal data.

One of the challenges in designing the New Data Protection Law in India is to consider if we can reduce the potential overlapping of the laws by being clear about the “Applicability of law”.

Most data protection laws often state that the “Notice given to a data subject/Data Principal should be clear and precise”. Similarly the citizens have the right to expect that the law itself is as much clear as possible at least regarding its applicability though on other aspects, interpretation may be inevitable.

The argument made by one of the justices (Justice Chelmeshwar) in the Puttaswamy judgement that ” ..there is no need to define Privacy to create liability on organizations to protect privacy” is not an ideal way to handle law making. It is with such approach that today every day to day operational notification of a company (eg UIDAI tender to appoint an agency for social media monitoring and IRCTC tender to study the monetization prospect) is referred to the Supreme Court besides the notifications issued by ministries, converting the Supreme Court into a sub executive body rather than a separate judicial body.

We therefore try to define applicability of the New law by defining Privacy, Data, Roles of different stake holders properly. Once an organization or an individual understands clearly that the law is applicable to them, it becomes easy for them to consult experts on how to be compliant. If the stake holders are in doubt about the applicability then they tend to remain non compliant by ignorance or mis-interpretation.

In the new Data Protection Act, one option is just to adopt the current PDPB 2019 provision of Section 2 according to which the law will apply to “Personal Data” of “Natural persons” processed by any type of juridical entities constituted in India (Companies, Government, Partnership firms, associations of persons and also individuals collecting data for business purpose) with exceptions of foreigner’s data processed in India (Erstwhile Section 37).

While this would be a straightforward approach and would suffice with the addition of “Exemption for processing of personal data of foreigners in foreign locations also” on the lines of Section 37, we would like to explore if it is possible to adopt a different approach to define applicability.

In all laws, we define the applicability and then define rights and obligations of the stake holders to whom the law is applicable. What we are trying to explore is whether it is possible to define the rights and obligations first and then all those who have those rights or obligations will automatically be considered as coming under the applicability of the law. This may also re-define the chapter on “Cross Border Restrictions or Data Localization” which becomes exercising of the rights of the data principals rather than a compliance imposition by the law enforcement agency.

This approach is radical and needs deep thinking. We shall debate this both here and also in the IDPS 2022. In the meantime, please do share your thoughts.

Naavi

Introduction	2. Preamble	3.Regulators
4. Chapterization	5. Privacy Definition	6. Clarifications-Binary
7. Clarifications-Privacy	8. Definitions-Data	9. Definitions-Roles
10. Exemptions-Privacy	11. Advertising	12. Dropping of Central Regulatory authority
13. Regulation of Monetization of Data	14. Automated means ..	15.Prevention of Data Laundering-Policybazaar data breach
16. Should neurorights be recognized?	17. Types of Consents	18.Cross Border REstrictions on Transfer
19.Neuro_rights-voice to skull

Posted in Cyber Law | Leave a comment

SBI raises Rs 900 crores from Customers for its Digital Administration expense

Posted on September 21, 2022 by Vijayashankar Na

A report in businessleague.in (To be confirmed independently) suggests that SBI plans to introduce a mandatory customer ID card which will be required for deposit and withdrawal of money from accounts. This will be perhaps in addition to the Debit Card and Credit Card issued by SBI and will function as a “Unique Customer ID Card”. Soon we need not be surprised that every Bank may issue their own Unique Customer ID Card since this move is expected to raise Rs 900 crores to SBI from no where. Other Banks are unlikely to give up such windfall gain if possible.

These “Green Cards” are expected to be priced at Rs 20/- and will be in addition to the annual ledger maintenance charges and specific charges on Cheque book issue, ATM withdrawal etc.

I am not sure if there will be a “Bank Entrance Fee” shortly to be introduced by some innovative Banker since no Bank wants its customers to come into the Bank premises if possible.

SBI has about 45 crores and in one master stroke, SBI plans to raise Rs 900 crores revenue through the issue of “Customer ID Cards”. Compared to the PAT of Rs 30,000 crores the revenue generated by these new cards is about 3%. If this adds to the bottom line, the EPS will go up and correspondingly the share price has to go up by at least Rs 20/- solely on this decision.

There is also another angle to this customer loot. At least 5% of the cards may get lost and renewed each year and hence along with issue of cards to new customers the scheme promises a perennial income to the Bank.

In the process just like the Aadhaar Card, PAN card, Kisan Card, Health Card, etc, customers need to carry one more card namely the SBI Green Card. (may be one such card for each of the Banks where they maintain accounts). Since all Bank accounts are already linked to both PAN cards and Aadhaar cards the new card is a redundant ID card with limited use. At the same time it will pose the risk of identity theft, loss of identity and frauds related to the mis-use.

However this is an innovative “Data Monetization” scheme by SBI which should be appreciated for its ingenuity.

It would be better if RBI clarifies the logic for charging money for this card even if it was required to improve the digital administration in the Bank. This cost should be absorbed by the Bank as part of its administration cost. Hope RBI will look into this.

Naavi

Posted in Cyber Law | 1 Comment

Applicability of the NDPAI-Shape of things to come-20

Posted on September 21, 2022 by Vijayashankar Na

(Continued from the previous article)

P.S: This series of articles is an attempt to place some issues before the Government of India which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect.

The honourable Minister of IT, Sri Ashwini Vaishnaw in an interview yesterday has indicated that

a) a new Telecom Bill will be introduced in the next 8-10 days to replace the archaic 1885 laws

b) Drafting of the bill to replace PDPB 2019 is practically complete and will be very soon uploaded for consultation and re-introduced in the Parliament in the budget session (February 2023)

c) Protection of online users will be covered in a new draft of the Information Technology Act with greater accountability among social media platforms for content that is being published.

It appears that both the revised Telecom Bill and Revised PDPB 2019 may be presented in draft from for public comments soon. Revised ITA 2000 is a more complicated exercise and the Government may immediately focus on getting a proper revised version of the Intermediary Guidelines that covers Digital Media.

In our attempt to design a New Data Protection Act (NDPAI) for discussion during the IDPS 2022 (Indian Data Protection Summit 2022) due in November 2022 based on the earlier statements of the MeitY, we had considered the possibility of a new law which combines the Governance and Security of Personal and Non Personal Data.

We had identified eight chapters in the law where chapters on Preliminary, Data Valuation Framework and Miscellaneous issues were common to both Personal and non personal data.

Chapter II was envisaged for creating the statutory law for recognizing the Right to Privacy in non digital environment so that the rest of the law could focus on “Information Privacy”

Chapters on Governance and Protection of Non Personal Data were meant to replace the ITA 2000.

We now await the new draft for Personal Data Protection which the minister has promised to produce soon. If the Government has to collect public comments and introduce it in February 2023, the draft has to be released in October 2022.

We may continue our discussion and suggestions awaiting the draft and synch it with the draft when it is presented.

In this article we shall discuss the definition of the scope of the Act.

The scope of PDPB 2019 was defined under Section 2 and included 4 provisions. As per this section the Act would apply to

(a) the processing of personal data where such data has been collected, stored, disclosed, shared or otherwise processed within the territory of India;
(b) the processing of personal data by any person under Indian law;
(c) the processing of personal data by data fiduciaries or data processors not present within the territory of India, if such processing is—

(i) in connection with any business carried on in India, or any systematic activity of offering goods or services to data principals within the territory of India; or
(ii) in connection with any activity which involves profiling of data principals within the territory of India; and

(d) the processing of non-personal data including anonymised personal data.

The act was indicated as applicable to non personal data but only the following provisions could be attributed as applicable to processing of Non personal Data

i) Reporting of data breach of non personal data to the data protection authority under this Act,

ii) Empowerment to direct any data fiduciary to share non personal anonymised data,

ITA 2000 on the other hand applied to all kinds of data and addressed issues of “Cyber Crimes” both with personal data and non personal data. Hence the scope of ITA 2000 was comprehensive and PDPB 2019 could only carve out some specific aspects of ITA 2000 (eg: Section 43A) and frame a separate law. The overlapping of ITA 2000 on PDPB 2019 and therefore the powers of the CERT IN over the DPAI became a difficult legal problem to sort out.

We may presume that the Government realized this conflict between ITA 2000 and PDPB 2019 and took the bold decision to withdraw the PDPB 2019 despite the embarrassment that the withdrawal caused to the country in the international circles.

Now it remains to be seen if the Government vindicates its objective of withdrawal by framing a law which segregates the “Governance of Personal Data and Non personal Data” effectively between the new personal data protection act and new information technology act or under a combined act.

The “Protection of Data” from unauthorized access, modification or access (CIA principle) applies both to personal data and non personal data and hence can be considered as a common requirement for both personal data protection and non personal data protection. Additionally the data principals (owners of personal data) were recognized to have some “Rights” such as Right to Access, Right to Correction, Right to Portability, Right to Forget, Right not to be subjected to personal data processing without a legal basis, Right to withdraw consent, Right to Grievance redressal, Right to minimal collection, Right to minimal retention, Right to information about processing before collection, (Notice).

Personal Data Protection recognized these “Rights” as an interpretation of the “Right to Privacy” extended in the form of “Information Privacy” where the “Ability to chose how the personal data of an individual could be collected and used is regulated. But ITA 2000 did not mention the “Right to Security of a Citizen” except through definition of “Cyber Crimes and Contraventions” and prescribing penalties. Each of the punishable offences or contraventions could be considered as a “Right of a Citizen against misuse of Non personal data” though the clarity was absent. Prevention of Cyber Crimes were looked at more as an obligation of the law enforcement duty of the Government rather than “Protection of the Right of Security of a Citizen of the Country”.

I feel that we now have an opportunity to define the “Duty of the Government” to provide Cyber Security by guaranteeing the “Right to Security” along with “Right of Privacy” in a single legislation.

In the NDPAI-Shape of Things to Come, we are therefore suggesting that “Rights” be defined of the Citizens of the Country in such a manner that any mis-use of personal or non personal data shall be protected. This obligation is only to the citizens of the country. Rights of “Other Residents of the country” including foreigners on transit for travel or employment must be defined separately and exclusions temporary or permanent must be added to illegal migrants, terrorists, convicted criminals and accused criminals subject to checks and balances as permitted in the constitution.

The current definition of “Scope” of the PDPB 2019 revolves around “Data” whether it is personal or non personal whether it is processed by an Indian organization or foreign organization and whether it is processed in India or outside India.

Even the GDPR defines the scope in terms of a mix of Material scope, Territorial scope and subject matter scope. In this mix, people forget the subject matter scope which says that the regulation is “relating to the protection of natural persons” . Everything else including the regulation of what is called “Personal Data” is incidental to the protection of the natural person.

In view of the lack of focus, we normally consider that the basic purpose of GDPR is to “Protect Personal Data” and derive many of our compliance requirements ignoring that the core objective of GDPR is to protect “Natural Persons” and the scope is limited by international jurisdiction to “Protection of Natural Persons who are the citizens of EU”. Extra territorial jurisdiction is only in “Hot pursuit” of the protection of the rights of the citizens.

GDPR does make reference to “Residents of EU” and try to protect them under GDPR. This is more an obligation in recognition of human rights on a global scale and not necessarily as a duty under the EU Constitution.

India can chose to also protect certain rights to legal residents of the country as a part of its global obligations. But instead of mixing up these rights with the rights of citizens, it is better to define it exclusively.

Hence we need the NDPAI to recognize

a) Rights of living natural persons who are recognized citizens of India

b) Rights of living natural persons who are recognized citizens of a sovereign country recognized by India under authorized residence in the territory of India

c) Rights of deceased natural persons who were recognized citizens of India

d) Rights of deceased natural persons who were recognized citizens of a sovereign country recognized by India under authorized residence in the territory of India

We therefore suggest consideration of defining the scope of the NDPAI with reference to protection of rights of natural persons on the basis of their citizenship and define the territorial scope, material scope etc with the core objective of protecting the rights of the Citizens. This would meet the constitutional obligation which the Supreme Court also highlighted in the Puttaswamy judgement. Definition of Rights in this context will automatically fix the scope of the law.

We may recognize that the term “Data Principal” in a personal data protection context may refer to persons with a right on a personal data set which includes “Guardians” of minors or Data Fiduciaries/Consent managers with contractual right to manage and monetize.

In the context of non personal data, data is owned by an organization or an individual and any mis-use affects another individual or an organization indirectly as a victim of cyber crime. The individual victim of a cyber crime always has an involvement of his personal identity being in some way compromised. Hence Cyber Crimes against individuals can always be considered as crimes under Personal Data Protection Act.

Since “Corporate entities” are not protected with a “Right of Privacy”, their right to protection is in the form of right to carry on business without disruption etc. The Non personal data protection act needs to protect such entities who are not “Natural Persons”.

Similarly deceased persons may not have all the rights of a Citizen and hence must be covered separately. So also are “Residents who are not Citizens” whose rights are to be considered separately.

In the case of Non personal data, we can define a term “Data Guardians” who are custodians of data and are the “Data Fiduciaries” in that context. In our earlier article on the roles, we discussed the role of a data fiduciary as “Data Manager” taking into account the possibility of profiling and monetization. May be the term “Data Guardian” is a better proposition which covers the Data Controller, Data Fiduciary, the Consent Manager and Data Processors.

Within this category of Data Guardian, different classes as “Personal Data Guardian” and “Non personal data guardian” can be identified.

In this approach we can define the applicability of the Data Protection regulation in terms of the end stake holder who is either a Data Principal or a Data Guardian and what rights of these stake holders are protected.

Data Principal is given protection of his Right to Privacy and the subordinate rights such as Right to access etc. Data Guardian has the obligation to meet the compliance requirements. Right to Security is applicable both to the Data Principal and the Data Guardian if they are citizens of India or established under the Indian law or otherwise carrying on activity in India as a resident.

We may therefore re-write the Section 2 of the PDPB 2019 appropriately. The exact drafting of this “Scope Section” will be attempted in a follow up article.

Open for debate… Send your views. Those who are willing may contribute a video recording (not exceeding 5 minutes) on how do we define the scope of the New Data Protection Act of India, for being carried in IDPS 2022 (Expert View Section)

Naavi

Introduction	2. Preamble	3.Regulators
4. Chapterization	5. Privacy Definition	6. Clarifications-Binary
7. Clarifications-Privacy	8. Definitions-Data	9. Definitions-Roles
10. Exemptions-Privacy	11. Advertising	12. Dropping of Central Regulatory authority
13. Regulation of Monetization of Data	14. Automated means ..	15.Prevention of Data Laundering-Policybazaar data breach
16. Should neurorights be recognized?	17. Types of Consents	18.Cross Border REstrictions on Transfer
19.Neuro_rights-voice to skull