For the Attention of the IT Minister

The IT Minister, Sri Ashwini Vaishnaw has called upon the experts to suggest changes to the current laws including ITA 2000.

While we do not claim to be part of the “Experts” from whom the Ministry would like to take suggestions, it is necessary to point out that it is not only now, through the series of articles under “Shape of Things to Come”, that we are placing our suggestions on the law before the Government. We have been doing so since 1998, when the first draft of ITA 2000 came into existence.

While detailed articles are spread across this blog over these two decades, the following links specifically address the suggestions made earlier, some of which, if not all, are relevant even today.

We leave it to the research team supporting the ministry to go through these suggestions and incorporate them in the new draft if they find it suitable.

https://www.naavi.org/naavi_comments_itaa/index.htm

https://www.naavi.org/naavi_comments_itaa/naavi_recommendations/index.htm

https://www.naavi.org/cl_editorial_05/naavi_org_comments_sept19.htm

Digital India Act-Discussions 3-Blockchain

Digital India Act-Discussions 2-Metaverse

The Age of Neuro Rights Dawns in India

Naavi

Posted in Cyber Law

IT Minister invites suggestions on the New Data Protection Bill

As per a report in the Economic Times, IT Minister Sri Ashwini Vaishnaw has sought suggestions from experts on the proposed new Data Protection Bill. The indications are that there will be three sets of laws, namely the new Data Protection Bill, the new ITA 2000 and a new law for Data Governance.

We at Naavi.org are already presenting our views on the “Shape of Things to Come”, and so far 15 articles are available as per the links below.

1. Introduction
2. Preamble
3. Regulators
4. Chapterization
5. Privacy Definition
6. Clarifications-Binary
7. Clarifications-Privacy
8. Definitions-Data
9. Definitions-Roles
10. Exemptions-Privacy
11. Advertising
12. Dropping of Central Regulatory authority
13. Regulation of Monetization of Data
14. Automated means
15. Prevention of Data Laundering-Policybazaar data breach

We urge the community to add their comments to the suggestions.

Posted in Cyber Law

ITA 2000/8 compliance is like the seat belts for the rear seats... Use them to avoid the risks

Indians have been given a tragic reminder that rear-seat passengers who do not wear seat belts are exposed to the risk of a fatality in the event of an accident. While we express our regrets at the recent tragedy in which the precious life of Mr Cyrus Mistry was taken away, and with due respect to the departed soul, we cannot but remind ourselves of the parallel in the data security scenario in India in terms of compliance.

For organizations trying to protect themselves against the risk of regulatory backlash for non-compliance with data protection laws, GDPR compliance was like the driver’s seat belt: they were fully aware of the need for it and were trying to comply.

PDPB 2019 compliance was like the front passenger seat belt, which people were aware of and were starting to use.

But just as rear-seat passengers never thought it necessary to wear seat belts because they did not perceive the risk, Indian industry does not treat ITA 2000/8 compliance or compliance with the CERT-In guidelines as requirements it needs to take seriously.

I hope they realize that non-compliance with ITA 2000/8 and the CERT-In guidelines can sometimes lead to serious injury, and start wearing the compliance seat belts from now on.

Naavi

Posted in Cyber Law

Policy Bazaar data breach… Implications for the New Data Protection Act-NPDAI-15: Shape of Things to Come

P.S: This series of articles is an attempt to place some issues before the Government of India, which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect.

In our continued discussion on “The Shape of Things to Come”, we have so far discussed the following.

1. Introduction
2. Preamble
3. Regulators
4. Chapterization
5. Privacy Definition
6. Clarifications-Binary
7. Clarifications-Privacy
8. Definitions-Data
9. Definitions-Roles
10. Exemptions-Privacy
11. Advertising
12. Dropping of Central Regulatory authority
13. Regulation of Monetization of Data
14. Automated means

We now proceed further….


Naavi.org has speculated many times that the opposition to the passage of Data Protection legislation in India comes mainly from companies interested in “Data Laundering”. They fear that once the law comes in, they will find it difficult to continue their present practice of transferring data abroad for their commercial benefit.

This opposition is directed against

a) Data Localization, or even keeping a copy of the data locally

b) Ensuring the absence of malware in data processing devices and software

c) Maintaining KYC of subscribers to VPN-type services

The Policybazaar data breach, as reported at the 420.in, highlights why all three of the above requirements have national security implications.

The Policybazaar data breach is reported to have exposed the data of 50 million customers, and the data involved is sensitive and highly sensitive.

Some of the data exposed includes

customers’ photo, full name, date of birth, complete residential address, email address, mobile number, credit report, PAN number, policy details including nominee details, family members’ policy details, bank account statements, income tax returns, passport, immigration visa, records of country entry and exit, Aadhaar card (both sides), driving licence, health records and payslips, as well as:

– sensitive details of defence personnel who are Policybazaar customers

– copies of customers’ past policy documents

– copies of customers’ birth certificates

– copies of customers’ vehicle registration certificates

In the case of defence personnel, the data breach may include data of the following kind.

– Details of which specific branch of the Indian defence forces someone is in, such as the Indian Army, Navy or Air Force, and even whether someone is in one of the Indian special forces such as the SPG, Black Cat commandos, CoBRA or the Anti Terrorist Squad

– Current rank and designation in that force

– Current location of posting (which is often highly confidential)

– Whether someone is engaged in any hazardous activities, e.g. aviation, diving, parachuting, bomb disposal or special service groups, and length of service in those roles

– Specific nature of role

– Whether someone in the Indian defence forces is currently serving in, or is under orders to proceed to, any troubled area or the border areas of India

– Whether someone handles weapons or explosives and, if so, details of such weapons and explosives

It is needless to say that the data breach has a national security angle, particularly since the company is funded by Chinese investors and this information is of interest to the Chinese Government.

We had earlier pointed out the “Data Laundering” arising out of the acquisition of CIBIL by TransUnion. The present data breach at Policybazaar is another instance where data laundering might have occurred through a deliberate back door. We have also pointed out earlier the China risk in the telecom sector, “Manchurian Chips” in POS machines, motherboards from China, etc.

It is now time to check whether this Policybazaar data breach is also a case of Data Laundering. If “Data” is money, “Data Laundering” is also “Money Laundering”. We need stringent provisions in our Data Protection law to prevent such occurrences and to take stringent action when such incidents take place.

In the light of the new Data Protection Act being designed, the incident indicates that the following provisions should be considered.

a) The provision requiring data processing devices and software to carry an assurance certificate that they do not contain any malware (refer Section 49(2)(o) of PDPB 2019) should not be withdrawn as demanded by some Big Tech companies.

b) The estimated value of the data assets of an organization being acquired in a merger or acquisition must be disclosed to the authorities, including the DPA.

c) While the processing of personal data during mergers and acquisitions may be exempt from consent, as provided under Section 14 of PDPB 2019 (now withdrawn), continuation of the processing by the merged entity must require a notification to the data principal and an option to opt out.

d) Failure to inform the data principals of the transfer of beneficial ownership of the Data Fiduciary to a new entity must be treated as an attempt at Data Laundering, and it should be one of the criminal offences recognized under the Act.

Naavi


P.S: These discussions are presently for debate and are a work in progress awaiting more inputs for further refinement. It is understood that the Government may already have a draft and may completely ignore all these recommendations. However, it is considered that these suggestions will assist in the development of “Jurisprudence” in the field of Data Governance in India, and hence these discussions will continue until the Government releases its own version for further debate. Other professionals who are interested in participating in this exercise, and particularly Research and Academic organizations, are invited to participate. Since this exercise is too complex to institutionalize, it is being presented at this stage only as the thoughts of Naavi. Views expressed here may be considered the personal views of Naavi and not those of FDPPI or any other organization that Naavi may be associated with.

Posted in Cyber Law

The Shape of things to come-14: Automated Means of Processing and Automated Decision making

P.S: This series of articles is an attempt to place some issues before the Government of India, which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect.

In our continued discussion on “The Shape of Things to Come”, we have so far discussed the following.

1. Introduction
2. Preamble
3. Regulators
4. Chapterization
5. Privacy Definition
6. Clarifications-Binary
7. Clarifications-Privacy
8. Definitions-Data
9. Definitions-Roles
10. Exemptions-Privacy
11. Advertising
12. Dropping of Central Regulatory authority
13. Regulation of Monetization of Data

We now proceed further….


Automated Processing and Automated Decision Making are two concepts that need some clarity in the law.

In the PDPB 2019, the term “automated means” was defined as under.

Section 3 (6) “automated means” means any equipment capable of operating automatically in response to instructions given or otherwise for the purpose of processing data;

One of the operational sections referring to data “processed through automated means” is Section 19, which deals with Data Portability.

This section was as under.

“Section 19: Right to Data Portability

(1) Where the processing has been carried out through automated means, the data principal shall have the right to—

(a) receive the following personal data in a structured, commonly used and machine-readable format—…..”

As against this use of the term “Automated Means” in India, which applies to all forms of processing by the use of computing devices, Article 22 of GDPR refers to “Automated individual decision-making, including profiling” and states as under.

1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

We can observe that GDPR refers to “Automated Decision Making” while PDPB 2019 referred to “Automated Means of Processing”. These two are different. The Indian definition covers all forms of processing using a computing device, while the GDPR provision is restricted to situations where the processing leads to a decision that may have a consequence for the data subject, such as providing or refusing a service, or changing the profile of a person to reflect an adverse view.

It is necessary to clarify both terms distinctly.

This is important even for the discussion on whether “personal data disclosed to a computing device but not to a human” should be considered a “Disclosure” or not, which we discussed in our earlier article on “Definition of Privacy”, where we added an Explanation as follows:

“Sharing” in the context above means “making the information available to another human being in such form that it can be experienced by the receiver through any of the senses of seeing, hearing, touching, smelling or tasting of a human in such a manner that the identity  of the individual to whom the data belongs may become recognizable to the receiver with ordinary efforts”.

In the above definition, we specified that only when personally identified information is viewable by a human being would it be considered a “Disclosure”. If the information is processed by an automated system that produces an output containing no personally identifiable information, the processing is an “Anonymized Processing”. Such processing is a combination of two processes, one of which is “Anonymization”, but both occur within the combined process so that no human views the output in an identifiable form.

The essence of the definition was that such processing did not require explicit consent and could be undertaken by the processor as part of his legitimate interest.

There is a parallel instance in the general legal environment, which we refer to as “Privileged Information”. Certain information disclosed to a lawyer or a doctor is considered “Privileged Information” and is not disclosable to others under a special confidentiality obligation recognized in professional law and ethics.

Similarly, information disclosed to a “Process” may be considered “Privileged Communication” and should not require specific consent even when it contains identifiable information. However, the “Process” is not empowered to disclose the identified information after processing. In the human scenario, compliance is left to the integrity of the individual, while in the case of a process, compliance is a function of the integrity of the software, which can be audited at code level and certified, or for which a suitable assurance can be provided.

The concept of “Privileged Communication” can be extended to parts of “Legitimate Interest Disclosure” such as when identifiable personal information is disclosed to law enforcement personnel.

With this in view the following definition may be added in the definition clause.

Automated Means:

“Automated means” means any equipment capable of operating automatically in response to instructions given or otherwise for the purpose of processing data;

Automated Decision Making:

“Automated Decision Making” means a process through which a decision is arrived at without any human involvement as a part of the process.

Privileged Communication

Privileged Communication means disclosure of identifiable personal information to another human or a device with enforceable restrictions on further disclosure of the information in a processed form to another human being.

Explanation:

Disclosure of identifiable personal information to a technical process which processes the information and creates an output in anonymised form is a privileged communication to the device.

Disclosure of identifiable personal information, or of de-identified or pseudonymised information, to another human being such as a law enforcement officer, with an enforceable restriction on further disclosure in an identifiable manner, is also a privileged communication.
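The “privileged communication to a device” in the Explanation above can be made concrete. The following is an added example written for this page, not code from the original post or from any product: a small Python process that receives identifiable records in confidence and is only able to emit aggregated, anonymised output. The field names, the constructed sample records and the minimum group size of 3 are assumptions made for the illustration. It goes slightly beyond the Explanation by adding the audit check that the text says should be possible at code level: a separate function an auditor can run over the output to confirm that nothing identifiable left the process.

```python
"""
Added example (not from the original post): a minimal "anonymised processing"
pipeline in the sense of the Explanation above. Identifiable records enter a
technical process; only aggregate, non-identifying output leaves it.

Two controls make the process "not empowered to disclose identified
information":
  1. an allow-list of output fields that excludes every direct identifier;
  2. a minimum group size (k) below which a cell is suppressed, so that a
     count of 1 or 2 cannot single out a person.

All records below are constructed sample data, not real customers.
"""
from collections import Counter
from dataclasses import dataclass

# Fields that must never appear in the output of the process (assumed names).
DIRECT_IDENTIFIERS = {"name", "email", "mobile", "pan", "aadhaar"}

# Fields the process is allowed to emit, and only in aggregated form.
ALLOWED_OUTPUT_FIELDS = {"policy_type", "age_band", "count"}

MIN_GROUP_SIZE = 3  # assumed threshold; a real policy would set this explicitly


@dataclass(frozen=True)
class Record:
    name: str
    email: str
    mobile: str
    pan: str
    aadhaar: str
    age: int
    policy_type: str


def age_band(age: int) -> str:
    """Generalise an exact age into a 10-year band (one of the anonymisation steps)."""
    lower = (age // 10) * 10
    return f"{lower}-{lower + 9}"


def anonymised_processing(records, k: int = MIN_GROUP_SIZE):
    """
    The 'process' to which identifiable data is disclosed in confidence.
    Returns a list of dicts containing only allowed fields; cells with fewer
    than k records are suppressed rather than reported.
    """
    cells = Counter((r.policy_type, age_band(r.age)) for r in records)
    output = []
    for (policy_type, band), n in sorted(cells.items()):
        if n < k:
            continue  # too small a group: reporting it could single someone out
        row = {"policy_type": policy_type, "age_band": band, "count": n}
        assert set(row) <= ALLOWED_OUTPUT_FIELDS  # structural guarantee on output
        output.append(row)
    return output


def leaks_identifiers(output, records) -> bool:
    """
    Independent check, the kind an auditor of the process would run: does any
    output row carry an identifier field, or any raw identifier value?
    """
    raw_values = {getattr(r, f) for r in records for f in DIRECT_IDENTIFIERS}
    for row in output:
        if set(row) & DIRECT_IDENTIFIERS:
            return True
        if any(str(v) in raw_values for v in row.values()):
            return True
    return False


# Constructed sample input (fictitious people and identifiers).
SAMPLE_RECORDS = [
    Record("Asha Rao", "asha@example.com", "9000000001", "ABCDE1234F", "111122223333", 34, "term"),
    Record("Vikram Sen", "vikram@example.com", "9000000002", "ABCDE1234G", "111122223334", 37, "term"),
    Record("Meera Iyer", "meera@example.com", "9000000003", "ABCDE1234H", "111122223335", 31, "term"),
    Record("Rahul Das", "rahul@example.com", "9000000004", "ABCDE1234J", "111122223336", 52, "health"),
    Record("Nina Paul", "nina@example.com", "9000000005", "ABCDE1234K", "111122223337", 58, "health"),
    Record("Omar Khan", "omar@example.com", "9000000006", "ABCDE1234L", "111122223338", 55, "health"),
    # A lone 70-year-old motor policy holder: reporting this cell would identify them.
    Record("Tara Bose", "tara@example.com", "9000000007", "ABCDE1234M", "111122223339", 71, "motor"),
]


if __name__ == "__main__":
    result = anonymised_processing(SAMPLE_RECORDS)
    for row in result:
        print(row)
    print("identifiers leaked:", leaks_identifiers(result, SAMPLE_RECORDS))
```

Run stand-alone, the process reports the two cells with three customers each and silently drops the single motor policy holder, since a count of 1 for "motor, 70-79" would be a disclosure in all but name. The separate audit function is the point of the "auditable at code level" remark: a reviewer does not have to trust the process, only to run the check over its output.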


P.S: These discussions are presently for debate and are a work in progress awaiting more inputs for further refinement. It is understood that the Government may already have a draft and may completely ignore all these recommendations. However, it is considered that these suggestions will assist in the development of “Jurisprudence” in the field of Data Governance in India, and hence these discussions will continue until the Government releases its own version for further debate. Other professionals who are interested in participating in this exercise, and particularly Research and Academic organizations, are invited to participate. Since this exercise is too complex to institutionalize, it is being presented at this stage only as the thoughts of Naavi. Views expressed here may be considered the personal views of Naavi and not those of FDPPI or any other organization that Naavi may be associated with.

1. Introduction
2. Preamble
3. Regulators
4. Chapterization
5. Privacy Definition
6. Clarifications-Binary
7. Clarifications-Privacy
8. Definitions-Data
9. Definitions-Roles
10. Exemptions-Privacy
11. Advertising
12. Dropping of Central Regulatory authority
13. Regulation of Monetization of Data
14. Automated means

 

Posted in Cyber Law

Compliance Management Rating for CERT-In Guidelines (CMR-CERT-IN)

In the absence of the Data Protection Authority envisaged under the PDPB 2019 (since withdrawn), the regulation of data security under the general provisions on information security in the Information Technology Act 2000, as amended in 2008, assumes greater importance. Though MeitY has also indicated that it would like to revise ITA 2000/8, we presume that it would not scrap ITA 2000 before a new law is passed, as it did in withdrawing the PDPB 2019.

Hence, until the new “Comprehensive” and “Perfect” “Digital India Act” (NDPAI) is passed into law and notified, ITA 2000/8 will continue to be the ruling law on data protection in India, and compliance with ITA 2000/8 continues to be the requirement for all IT users.

ITA 2000/8 has three regulators, namely the “Adjudicators” appointed under Section 46 of ITA 2000, the Director General of the Indian Computer Emergency Response Team (CERT-In) designated under Section 70B of ITA 2000/8, and the Police, exercising their powers under Section 80 of ITA 2000/8.

All these agencies have suo motu powers of investigation. The Police have such powers in respect of cognizable offences. CERT-In has a duty to monitor national cyber security and therefore the accompanying suo motu powers. Though Adjudicators normally act on the basis of a complaint from a cyber crime victim, they also have suo motu powers under the MeitY notifications, should they choose to exercise them.

Hence all IT organizations who may be feeling comfortable with the withdrawal of PDPB 2019 may be under a false sense of security. ITA 2000 confers more powers than were envisaged under PDPB 2019 for the Data Protection Authority, since ITA 2000 applies to the handling of both personal and non-personal information, sensitive or otherwise, and provides for both civil penalties and imprisonment. Penalties may not be expressed in terms of 4% of global turnover, but there is no upper limit on them. At the same time, criminal punishment can go up to life imprisonment.

Hence compliance with ITA 2000/8 is more onerous than compliance with PDPB 2019 would have been.

In the light of the above, the recent CERT-In guidelines assume greater importance, since they indicate that the sleeping giant called CERT-In might have woken up to its duties, responsibilities and powers.

We therefore consider it necessary for organizations to work on compliance with ITA 2000 in general and the CERT-In guidelines in particular; both are essential for compliance in corporate circles.

Naavi and Ujvala Consultants Pvt Ltd are therefore working on a framework for Compliance Rating under the CERT-In guidelines, similar to the DTS-GDPR and DTS-DPA 2021 ratings released earlier under the Data Protection Compliance Standard (DPCSI).

The details will be published shortly. The rating will be called CMR-CERT-IN.

Special Note

We would like to emphasize that this is a voluntary exercise by Naavi and that CERT-In has no role as an organization in the development of this CMR.

Naavi/Ujvala does not have any accreditation from CERT-In for this purpose. However, compliance is a voluntary exercise, and we hope and believe that CERT-In should be happy if organizations start complying voluntarily without CERT-In having to wield the stick.

A good rating under this scheme does not legally establish compliance with the CERT-In guidelines, though that is exactly what it is designed to assess.

It may be noted that Naavi has been a compliance evangelist since 2000 and had floated the idea of a CERT-In in the private sector four years prior to the formation of CERT-In as a division of the Ministry of IT.

 

Posted in Cyber Law