The Shape of Things to Come…The New Data Protection Act of India-1 (The Beginning)

(This is a continuation of the earlier article in which the framework of the New Data Protection Act of India, NDPAI, was discussed)

We expect that the Government will soon release a draft of a “Personal Data Protection Act” in lieu of the scrapped PDPB 2019.

However, we as professionals can place our suggestions before the Government and steer the discussion so that we will be assisting the drafting committee.

We shall therefore discuss the contours of this law as a “Draft of NDPAI in the making” in the coming articles starting with

1) Scope of the Act and Definitions of Privacy and other terms

2) Definition of the Protected Information and roles of different organizations

3) Principles of Personal Data Protection including grounds of processing

4) Rights of the Data Principal including children

5) Exemptions

6) Cross Border Transfer

7) Penalties, Punishments

8) Regulatory Mechanism

9) Compliance Requirements from the industry including Data Breach Notification, Audit, DPO etc

10) Miscellaneous provisions

We hope the discussions on these aspects will create a background for discussing the Bill as may be presented by the Government in due course.

Request all readers to participate in this development of a draft law as a “Draft of the Privacy and Data Protection Professionals”.


Naavi


Posted in Cyber Law | Leave a comment

The Journey to a New Data Protection Act of India (NDPAI)-Shape of things to come

With the Government of India withdrawing the Personal Data Protection Bill 2019, with a ministerial assurance of a new draft for a “Comprehensive”, “Perfect” “Digital India Act” which could replace the Information Technology Act 2000 and PDPB 2019 as well as the “Telegraph Act”, “Crypto Currency Bill” etc., the road to a new Data Protection Regime in India is now open.

The ministers and those who are politically supporting the move have been making some illogical statements to give some logic to the decision. However, the logic presented lacks conviction and the truth is that the Government has been persuaded to drop the Bill by the US based Big Tech firms, supported by their Indian counterpart, namely NASSCOM.

Both Mr Ashwini Vaishnaw and Mr Rajeev Chandrasekhar are now making statements which look like the explanations of Sanjay Jha or Sumant Sriraman on many of the TV debates supporting Rahul Gandhi or Partho Chatterjee. The less said about these justifications, the better.

Excuses like the high cost of compliance, the non-existent data localisation, too many amendments to contend with, criticism of extra-constitutional powers to the Government, the need to modernise etc. are quoted as reasons for the withdrawal of the Bill. These are the typical statements of political spokespersons who try to defend the indefensible.

We shall therefore ignore these comments and focus only on the new draft which they promise is almost ready to be released for public comments so that they can keep the dissenting voices shut for some more time.

Yesterday we speculated that NASSCOM and the Crypto Lobby were possibly behind the move to withdraw the Bill, which wasted 4 years of work on the bill instead of working around the suggested amendments of the 30 member JPC. This view has now been vindicated by further reports that are emerging.

We are also seeing some crocodile tears being shed by some to say that the withdrawal of the bill is a setback to the citizens and their privacy.

We must accept that different ministries of the Modi Government are slowly succumbing to the pressures of lobbies for whatever reasons that could lie behind and compromising their activities.

Naavi.org expresses its deep dissatisfaction about these developments but would as always redouble its efforts to see that we focus on what needs to be done in future rather than what mistakes have been committed in the past.

Let us therefore look at the framework of the shape of things to come…

The first task before us in designing the new data protection act of India (NDPAI) is to decide whether we are looking at a “Stand alone Privacy and Data Protection Act” or an act that combines “ITA 2000”, “Non Personal Data Governance Act” and “Telegraph Act”.

Prudence indicates that the “Personal Data Protection Act” has to be distinct from the “Non Personal Data Governance Act”, “Information/Cyber Security Act”, “E Commerce Act”, “Digital Signatures Act”, “Digital Data Disputes Act”, “Payment and Settlement Act”, “Communication Convergence Act”, “Crypto Assets Regulation Act”, “UIDAI Act”, “Digital Copyright Act” etc.

If we try to combine all of this into a “Digital India Act”, then it will be a disaster.

We shall therefore presume that separate legislation would be required for “Privacy and Data Protection” and work on it. In case the Government opts for the Kichdi Act, the Privacy and Data Protection Act can be a chapter of the Kichdi Act.

Similarly, the Non Personal Data Governance Act as envisaged under the Kris Gopalakrishnan Committee could be another chapter.

The Information Technology Act with its amendments today combines aspects that could have been split into a Digital Contract Act, an E Commerce Promotion Act and an “Adjudication of Digital Disputes Act”. It is better left out as a separate act, as it deals with the basics of “Recognition of Electronic Documents”, “Definition of Digital Authentication” and “Intermediary Liability”. However, if the Government wants to kill even this Act as it is inconvenient to the Social Media Platforms due to the recent Intermediary Guidelines and CERT-IN Guidelines, then we can look at a massive and complex law.

For a Government which could not draft a simple Personal Data Protection Act (e.g. Personal Data Protection Bill 2006), it would be a herculean task to design the “Comprehensive” and “Perfect” law which is their utopian dream. It is possible that this is like a manifesto item in an election campaign and is only meant to be a promise and an excuse not to make any law.

However, Naavi.org starts a discussion on the “Shape of Things to Come” through a series of articles that will follow.

Watch this column…

Naavi


India is a sovereign Country for 75 years. But we are still a Colony..now of the Big Tech Companies

The withdrawal of the PDPB 2019 with a cryptic statement by the honourable Minister of Railways and IT, Sri Ashwini Vaishnaw, indicates that India does not want to do anything which the Big Tech companies of the west do not want us to do. Our own NASSCOM is a powerful ally of the Big Tech and now the Ministry has exposed the chinks in its armour.

But we, the Indians, understand through our Colonial Experience that we are comfortable as citizens of a colony, whether it is a geographical colony or a Data Colony.

The following news item reflects how insensitive we are to the cause of Privacy and Data Protection.

There appears to be no discussion in the Parliament on why the Bill was being withdrawn though subsequently several reasons are being given.

Some of the reasons were

  1. There are 81 amendments in a 99 section bill. It is therefore a total overhaul by JPC.
  2. Big Tech are concerned with the Data Localization aspect of the Bill
  3. Section 35 gives too much power to Government for surveillance

Though the number of amendments looks large, most of them are cosmetic changes and language corrections. Basically there were 12 major recommendations only.

There was no “Data Localization” requirement and it is false to say that it was a concern. PDPB 2018 had more stringent provisions and not PDPB 2019.

Section 35 was subordinated to Article 19(2) of the Constitution and did not create any Orwellian state as was alleged. “Security” of the citizens of India does require surveillance at some level and there have to be some exemptions provided to the law enforcement agencies. What may be debated is the control to ensure that there is no misuse.

Unfortunately, the Government is mortally afraid of the opposition parties and their disruption tactics in the Parliament and, instead of instilling discipline in these “Andolan Jeevis”, prefers to run away from the battle field like a coward. The developments remind us of the Mahabharata incident of “Uttara” going to war against the Kauravas and running away from the battle field.

Independent observers feel that the Government in this instance has succumbed to the pressures from the industry led by NASSCOM and representing the interests of the big tech.

There is still a mindset among our rulers that we cannot do what the Big Tech does not want us to do. This is letting the Big Tech create “Data Colony” in India and control our future.

Mr Ravishankar Prasad was eased out of the ministry because he was too aggressive against Twitter. Now the ministry is more friendly to the industry and hence, after several rounds of extensions, pretexts etc., they have withdrawn the Bill in its entirety. One would have to be too naïve not to understand what is going on behind the scenes.

It is easy to lose credibility and reputation, and it will take several more years to regain the international credibility for India’s commitment to data protection. Those of us who interact with data protection professionals from across the globe know that India has become a laughing stock before the world, at least in the Data Protection area.

This loss of credibility cannot be regained quickly even if a modified bill is presented in the proverbial “next or next to next” Parliamentary session.

If we have to believe the sources, we can look for a “More Comprehensive” and “Perfect” law for the entire Technology domain which is contemporary and for the future generation.

Great… We all know that the Supreme Court itself has not been able to give a good definition of Privacy even in the Puttaswamy judgement and the definition of “Personal Data” itself is an enigma. The first step before the Government is therefore to find a proper definition of “Privacy” and “Data” before they can search for a “Perfect” law.

Finding a comprehensive legislation which is also perfect, to combine the Information Technology Act, the Telecom regulations and the Data protection legislation is a utopian dream which we shall now try to pursue since life without a positive dream is not worth living.

My hunch is that there is a conspiracy of the industry which has effectively taken over the decision making in the IT ministry. This industry lobby is capable of taking day to day decisions in the IT ministry. Whether it is the NASSCOM or GOOGLE, FACEBOOK or JIO, we do not know and probably we will never know. But it is clear that there exists a force that is driving the Government into taking decisions which are prima facie illogical.

I personally believe that the Crypto Lobby which has become part of the “Meta” lobby today is behind the financing of this Big Tech influencing of our politicians. We have not forgotten that this lobby had compromised the Judiciary already and rendered RBI an impotent regulator some time back. The Finance ministry has always been subjugated to the interests of the Crypto lobby which even tried to influence the JPC into adding some recommendations in favour of the use of Crypto Currencies in international transactions though this was completely out of scope of the JPC’s frame of reference.

Otherwise, it would not have been necessary to withdraw the Bill which had already been presented, gone through 78 sittings of JPC, 184 hours and 20 minutes of deliberations. The same bill could have been refined further if required and could have been made more “Contemporaneous” to accommodate whatever was the dream of the Ministry. If we can change the title of the Bill itself through an amendment, it would have been possible to change the preamble also and convert the DPA 2021 or DPA 2022 into a “Comprehensive, Perfect Digital Act which regulated the entire universe of technology”.

Despite the disillusionment that surrounds us, for some more time however, we continue to keep our faith in Mr Narendra Damodar Das Modi as an individual to ensure that vested interests do not succeed in their lobbying in converting India into a “Data Colony” in the year of Amrit Mahotsav of our 75 years of independence.

But Mr Modi needs to understand the power of digital black money which in the coming days will rule the world more than the US dollars. It appears that he is today ignoring this threat and letting the Crypto lobbies have a free rein first in the Finance Ministry and now apparently in the IT Ministry.

May God give strength to Modi to extend the struggle of independence to the Digital World.

Naavi

Copy of the JPC report in full

Dissent Notes filed for JPC Report


The New deadline for Data Protection Act is Budget Session 2023

According to this news report in NDTV profit, the Minister of IT Mr Ashwini Vaishnaw has stated that he is hopeful of the new data protection bill to be passed in the next budget session. It is stated that the draft is in final stages and would be released for public comments soon.

According to the statement, Mr Vaishnaw is reported to have said:

“Without compromising with any of the principles of privacy or with the SC judgement… we have prepared a new draft. We have completed the Parliament’s process today, and we will take the new draft through the approval process very soon. Very soon, hopefully by the Budget session, we should be able to get a new law passed,”

Minister of State for Electronics and IT Rajeev Chandrasekhar reportedly has said the government would develop a comprehensive framework covering all aspects of the digital economy with dedicated rules for data privacy, emerging technologies, and data governance framework.

If the report is to be believed, the next version of the bill will be a comprehensive legislation along with the Information Technology Act, National Data Governance framework.

On several occasions, Mr Rajeev Chandrasekhar has stated that ITA 2000 is 20 years old and needs a comprehensive amendment.

We can therefore expect a combination of ITA 2000, the current PDPB 2019 and the Non Personal Data Governance framework as suggested by the Kris Gopalakrishnan Committee.

If somebody thinks that this will be less complex than the PDPB 2018/2019/DPA 2021, then we should see a miracle in the making.

The objective of ITA 2000 was to enable E Commerce and prevent Cyber Crimes besides setting up a system of quick grievance redressal through adjudication.

The objective of PDPB 2019 was to protect the Right to Privacy as per the Supreme Court definition of Privacy and the objective of DPA 2021 was broader to include some aspects of Non personal data protection.

Now it is intended that “Protection of Non Personal Data”, “Governance of Non Personal Data”, “Protection of Privacy through personal data protection” will all have to be combined in one single legislation.

The regulator of ITA 2000 (CERT-IN) is focussed on Cyber Security and regulator of PDPB 2019 was focussed on Personal Data Protection. The Non Personal Data Governance on the other hand is not a “Protective duty”. It is a promotion of monetization of Non Personal Data which goes with the promotion of E Commerce under ITA 2000 which was one of the objectives of ITA 2000.

The Government is again trying to create a mixture of “Promotion” and “Protection” into one law and one regulator which will introduce several challenges.

While we shall wait for the Government to release its draft for public comments, we intend to develop a draft legislation so that it can address all the stated objectives of the Government. There is no doubt that the Government is not expecting any assistance from the private sector in designing the law, but it is our duty to place our reasonable suggestions before the Government drafting committee so that the process of legislation can be speeded up.

From time to time, I will share the work in progress through these columns.

Naavi


Government succumbs to threats from Big Tech and withdraws Data Protection Bill

Yesterday, in a surprise move, the Government of India withdrew the Personal Data Protection Bill 2019 in the Parliament. It was a huge embarrassment for the Government as it is clear that the withdrawal was because of the opposition from the Big Tech.

When Mr Ravishankar Prasad lost his minister post for criticizing Twitter, it was clear that the Social Media was powerful enough to determine who should be there and who should not be there in the IT Ministry.

Since then, excuse after excuse has been provided to delay the Bill until this decision to withdraw.

Publicly, it is stated (Refer zeeenews.com) that there were 81 amendments suggested in the 99 section bill and hence the Government wanted to revamp it completely. The minister has stated that they will introduce a new bill in replacement. This means that the new bill will go again for a JPC and it will take a few more years to pass.

The Government of India must remember that they are working on public money and if two years of JPC work is being thrown to the gutter for not being able to re-write the 12 recommendations into the Bill during the debate, it is public money that is being wasted.

This is similar to the withdrawal of the Farmer’s bill where the Government has shown that it has no courage to take strong decisions even when it is not related to such complex legislations such as Uniform Civil Code or Freeing of Temples from Government Control or taking action against terrorism etc.

It is a black day for India and when we are in the process of showing our pride by displaying national flag on every house top as a part of 75 year celebration, this comes as a reminder that we as a country are yet to be courageous enough to lead the country to progress.

I have been already receiving messages from some friends expressing disappointment on the development.

However, Naavi.org as well as FDPPI will continue their work on Privacy and Data Protection as well as for the use of Section 43A of ITA 2000/8 as the current law for Privacy Protection and Data Protection in India and wait for the Government to muster enough courage to face the Big Tech and the political opposition.

Naavi


“Human Firewall” …Data Protection Journal of India -July issue explores the concept

Foundation of Data Protection Professionals in India, which is the premier organisation in India dedicated to Privacy and Data Protection has come out with its latest issue of Data Protection Journal of India (www.dpji.in).

DPJI is presently a journal published on the internet and its issues are available at www.dpji.in. The current issue is the 7th issue in the series. The earlier issues covered different aspects of Data Protection.

In the past issues several interesting topics such as the Valuation of Data, the PDPSI framework (now renamed as the DPCSI framework) and the need for a compliance culture to be developed in India have been discussed.

In the current issue an important aspect of Data Protection, namely the role of people, has been discussed.

By focussing on the concept of the “Human Firewall”, attention has been brought to the use of humans to develop a security cover to combat risks to privacy and information security. Just as technology tools such as encryption, firewalls and intrusion detection systems are used to combat technology risks, this concept envisages that human skills have to be used for risk mitigation.

The involvement of humans as part of the security posture is important because insider frauds constitute a large percentage of cyber risks and cannot be mitigated by policies, procedure and technology. Also, even the technology or policy controls have to be implemented by humans, and motivating them to be “Security Champions” is necessary.

This concept has been well ingrained in our earlier discussions on “Vulnerabilities in human space” and “Theory of Information Security Motivation” etc.

We had also incorporated several principles of using human resources in the unique indigenous framework for Privacy and Data Protection, namely the DPCSI (Data Protection Standard of India). In particular, we had introduced a standard titled “Distributed Responsibility”, along with implementations for an Augmented HR policy which included incentivisation and disincentivisation for motivational purposes. Further, the “Augmented Whistle-blower policy” extended the concept to a “Human IDS system”.

Naavi.org has also been discussing from time to time, concepts such as the “Human Bomb”, “Deviant Minds in Workforce”, “Technology Intoxication” etc all revolving around the concept of “Mitigating human Risks” in Cyber Crime prevention.

It was therefore a pleasure to observe that Dr Anirban Ghosh, a professional working in BT group had actually worked on a research thesis on the topic of “Human Firewall” and with his permission the entire thesis has been reproduced in the July issue of the  journal.

We hope that professionals interested in the field of Cyber Psychology, Human Resource Management  and related topics would find the issue worth going through.

Kindly do share the copy within your organization as a part of your knowledge management.

Any queries on any of the topics are welcome.

Naavi

 
