National Privacy and Data Protection Compliance Movement

India is planning to pass a law on Privacy and Data Protection, and the Bill, titled Data Protection Act 2021 (DPA 2021), is pending in the Parliament. The Bill originated in 2018 following the Srikrishna Committee report and was later modified as the Personal Data Protection Bill 2019 (PDPB 2019). A Joint Parliamentary Committee (JPC) has deliberated on the bill for more than two years, held consultations with many stakeholders and has now revised the PDPB 2019. The revised version, now referred to as DPA 2021, is ready for final debate in the Parliament and for being passed into law.

Like all laws that have a significant impact on society, DPA 2021 has been facing opposition from a section of the industry. As a result, the mainstream industry has been presented with a skewed view of the proposed law, which has created uncertainty in the minds of industry professionals on whether the law will be passed and whether it is desirable or not. This has resulted in many organizations delaying the implementation of their compliance programs.

We need to realize that DPA 2021 is a continuation and expansion of the currently applicable law, namely the Information Technology Act 2000 (ITA 2000), and forms part of the “Due Diligence” under Section 43A of the ITA 2000. Several Courts have taken cognizance of the Bill and incorporated its provisions in their decisions. Prudent companies therefore think that the time for compliance has already come, and that the time up to the actual passage of the Bill, together with any further implementation time that may be provided therein, is a cushion against being held liable to the potential penalties envisaged in the Act for non-compliance.

FDPPI (Foundation of Data Protection Professionals in India) is an organization dedicated to the cause of “Data Protection” in India and to building a Data Protection Compliance Ecosystem in India. Since 2018, FDPPI has been engaged in outreach programs to build awareness of Privacy and Data Protection concepts and in the development of professionals who are certified in the relevant skills to provide consultancy to organisations and conduct audits of the “Data Protection Compliance Management Systems”. FDPPI is today the apex organization in India dedicated to the establishment of a Data Protection compliant environment in India.

During the pandemic, FDPPI conducted nearly 100 online events on Data Protection regulations and related issues, which have already created wide awareness of the forthcoming laws.

As a part of the activities in the post-pandemic scenario, FDPPI is now conducting a series of physical programs in different parts of the country in association with multiple organizations to spread the awareness of the regulation from the compliance perspective.

In this series, FDPPI conducted one program in Bangalore in association with the Indo American Chamber of Commerce (IACC) on 04th March, 2022. On April 23rd 2022, FDPPI is conducting a program in Chennai in association with Madras Management Association, ISACA Chennai Chapter, Cyber Society of India and IACC.

During these programs, we discuss the compliance measures that are required to be followed by the industry steering clear of the controversies. The discussions cover the overview of the law as presented in DPA 2021, the Technology and Business Challenges that the law presents, the Professional opportunities created for Data Protection Officers and Data Auditors and also the Compliance framework exclusively designed for compliance of the law.

FDPPI presently has developed a Compliance framework called “Data Protection Compliance Management Standard of India (DPCMS)” which is focussed on the compliance of DPA 2021 incorporating the best principles of other international frameworks. This is an indigenous approach designed to be a Unified Framework for Indian companies to be compliant with all Personal Data Protection laws and includes some aspects of compliance of Non-Personal Data protection which is part of DPA 2021.

The framework includes innovative and globally unique concepts such as “Data Valuation”, “Distributed Implementation Responsibility”, “Generation of Data Trust Score” etc. It is flexible enough to be customized and adopted by different industry segments.

Recognizing the difficulties that arise when implementing one law that applies equally to all industries and entities of all sizes, FDPPI is now in the process of developing different “Sector Specific Compliance Codes of Practice” which meet the requirements of law under Section 50 of DPA 2021. The Data Protection Authority of India (when operative) can approve such codes of practice after due consideration of whether they meet the requirements of the law. This should substantially ease compliance and encourage increased voluntary compliance in the industry. FDPPI has a vision to create tailor-made compliance frameworks for different industry segments with the participation of industry representatives. This is a “First in the World” approach to the customization of data protection law compliance to different sectors and would help in reducing the pain of compliance.

FDPPI, however, is a Not-for-Profit organization and its bandwidth to conduct the outreach programs in different locations is dependent on the partner organizations. Presently we are working with organizations like IACC and ISACA which have a presence in multiple locations. However, we are looking for other suitable partners who are interested in associating with FDPPI for this “National Data Protection Compliance Movement”, where we disseminate knowledge, motivate companies to start compliance initiatives and develop sector specific codes of practice.

Come, let’s together bring about a Data Protection Revolution in the country.

Posted in Cyber Law | 1 Comment

Nagpur bench of Mumbai High Court issues notice to Maharashtra Adjudicating Officer

(Press note issued by Mumbai High Court for not providing timely hearing of Adjudication case)

The Adjudication system in ITA 2000 was one of the commendable features of Cyber Law in India, trying to provide a fast track settlement of cases under ITA 2000. Unfortunately, many IT Secretaries do not take up adjudication cases. Some take up the cases and come out with questionable decisions. The intention of the law to get a decision within 6 months often remains a dream.

The undersigned was fortunate to lead the first adjudication case in Chennai in 2008 which took 2 years but was held briskly. Mr PWC Davidar was the adjudicator at that time and he was highly professional in his approach. However in the case against PNB, the Bank’s advocate played all tricks of delaying and the case got held up to such an extent that the case is yet to be decided. In Mumbai, one of the earlier IT secretaries, Rajesh Aggarwal was a very active Adjudicator who decided many cases in his tenure.

It now appears that all adjudicators have lost interest in such cases and it is very difficult to suggest that cyber crime victims approach Adjudication.

The Cyber Judicial system has irrevocably failed.

In such a scenario, we must appreciate the efforts of Advocate Dr Mahendra Limaye who has approached the Mumbai High Court (Nagpur Bench) and got a notice issued to the Maharashtra adjudicator for not providing timely hearing.

A press note issued by the High Court in this regard is reproduced below.

“In a writ petition No.5058/2021 filed by Shikshak Sahakari Bank Ltd. Nagpur against 1) Govt of India through Department of Electronics and Information technology and 2) Adjudicating Officer Maharashtra, which was heard today by Hon. High Court’s Division bench consisting of Hon. Justice Atul Chandurkar and Justice Mrs. M.S. Jawalkar, a notice was issued to both the parties.

The petitioner has prayed for directions to be issued to Information Technology Secretary Maharashtra who is designated as Adjudicating Officer for timely conduction of Civil matters as mandated under Information technology Act.

It was contended by Adv. Dr. Mahendra Limaye, the lawyer for petitioner that complaint filed by petitioner bank since April 2019 has not been heard till date and many such matters are pending before Adjudicating Officer since more than 4 years. As per provisions of The Information Technology (Qualification and Experience of the Adjudicating Officers and manner of Holding Enquiry) Rules, 2003, Section 4 – Scope and Manner of Holding enquiries at subsection (k) states that, “As far as possible, every application shall be heard and decided in four months and the whole matter in six months” but the respondent no.2 has not initiated and concluded the complaint filed before him on 20 April 2019, i.e. almost 35 months have passed but no meaningful enquiry/hearing is conducted by the A.O. This amounts to non-following the due procedure established by respondent no.1 and also gross injustice to the petitioner who is also repository of public money being a Cooperative Bank.

The cyber crimes are increasing every passing day and there needs effective Civil as well as Criminal remedial measures for the same to provide justice to the victims. The statutory provisions of effectively providing the justice between 4 to 6 months, as far as possible, from reporting of the complaint is getting defeated by such inefficient judicial system which needs to be directed for speedier disposal of the matters.

Hon Court has issued directions for issuance of notices to the respondents.

Advocate Dr. Mahendra Limaye represented petitioner Shikshak Sahakari Bank Ltd. Nagpur.”

I hope this will prompt other Adjudicators also to speed up their cases now.

We congratulate Dr Limaye for drawing the attention of the Judiciary on the lethargy of the State Government and the IT Secretary of Maharashtra.

Naavi


Sri Lanka..another neighbour to overtake India in passing Data Protection law

As India continues to dither on the passing of the Indian version of Data Protection law, our neighbour Sri Lanka has gone ahead and passed its “Personal Data Protection Act 2022”.

It is interesting to note the comment made by Justice Minister Ali Sabry that

“There is nothing called perfect legislation..we cannot sit and wait for tomorrow to do the legislation….Will accommodate amendments if there are serious concerns”. 

This appears to be a direct comment on the Indian approach to the legislation which is one of procrastination and lack of commitment. (Refer this article).

It is clear that even in Sri Lanka there is the same kind of opposition to the Act as in India but the Government has shown the resolve to go ahead with the legislation.

Indian law may be better in terms of the protection of privacy but still the Government seems to lack the will to pass the law. It is possible that the commercial lobbies in India are strong and have the support of the political opposition to the Government and hence the Government is hesitant to pass the law.

Indian Parliament needs to take a lesson from Sri Lanka in this regard.

P.S.: We are watching for the final published version to make further comments.

Naavi

Copy of the final version of the Act is here


Tamil Nadu first off the block on State Data Policy

The Government of India had recently issued a draft India Data Accessibility and Use Policy for public comments. The policy documents are available here: Draft Policy | Background Note

A copy of the feedback on the policy is available here.

The India Data Accessibility Policy was meant for Central Government Ministries and public sector bodies and it was suggested that the States could adopt similar policies.

It is creditable to note that Tamil Nadu has been the first State Government off the block with its own Data Policy. This has come as a Gazette Notification and not for public comments.

Copy of the Tamil Nadu Data Policy

It appears that this TN policy has been drafted with the guiding principle of “Data For Public Good” based on the National Data Sharing and Accessibility Policy 2012 (NDSAP 2012) of the Government of India. The recent policy of the Central Government had been developed under a slightly modified objective which took into account the Kris Gopalakrishnan Committee report and the Data Protection Bill 2021. Some of the changes that had been observed in the Central Government policy may not be available in the TN State policy. Probably it will be modified as and when necessary to accommodate the changes.

The Tamil Nadu Data Policy (TNDP) is built on 13 key principles such as

Openness,
Privacy, Ethics and Equity,
Flexibility,
Transparency,
Legal Conformity,
IPR protection,
Interoperability and Standards,
Quality,
Security,
Accountability and formal responsibility,
Sustainability and Usability

The policy would be applicable to all the public authorities under the RTI act within the State of Tamil Nadu.

The policy classifies data into 4 categories namely Personally identifiable information, Sensitive personal data, anonymised data and aggregated data. Some of the information could be made automatically available in the Open Data Portal of the Government.

The state is expected to adopt a mix of federated and centralized data storage system. The TN e Governance Agency (TNeGA) will be the nodal agency to monitor the policy. A state level Empowered Data Governance Committee chaired by the Chief Secretary will provide the strategic guidance. The CEO, TNeGA will be the State’s Chief Data Officer (CDO) and there will be a Data Inter-Departmental Committee to take operational level decisions.

A mention has been made on monetization of data also and it would be interesting to see how the Government would approach Data Valuation.

We need to appreciate the efforts of the TN Government for having come out with such a policy well before other States. We need to wait and see how the policy will be implemented.

Naavi


Compliance Perspectives of DPA 2021..Seminar at Chennai

FDPPI in association with Madras Management Association and other partner organizations will be conducting an offline seminar in Chennai on April 23, 2022.

The theme of the seminar is “DPA 2021-Compliance perspective”.

There is a campaign in the media that the JPC-modified version of PDPB 2019 needs to be re-drafted.

The first set of objections was centered around

“Government has too much powers under Section 35 of the Act”.

The second was on the “Restrictions on Data Transfer” under Sections 33/34 of the Act.

Now a third set of objections centering around “Difficulties to Start Ups” and “Compliance Cost” has been raised.

The net objective of all these objections is to lobby the Government so that the current weak set of laws continues and Tech Companies like Twitter, Meta and Google can continue their Data Exploits in India without accountability.

FDPPI, however, believes that compliance with the data protection regulation is in the interest of the community, and even if there are some disruptions in the operations of the Data user organizations, that is not a reason to defer the law indefinitely.

In order not to let the industry slip into complacency, thinking that the Data Protection law will not be introduced in India, FDPPI would like to present the “Compliance Perspective” so that responsible companies start working towards compliance without being under too much stress.

On April 23rd, over a day-long seminar in Chennai, FDPPI, along with its partner organizations, will discuss the DPA 2021 from the perspective of companies who would like to work towards compliance.

Watch out for more details.

Naavi


We always had it… Maybe you did not know

Some people in the industry think that DPA 2021 is a compliance burden and we need to bring pressure on the Government to delay the passing of the bill.

Unfortunately they are mistaken.

DPA 2021 is already with us in the form of “Due Diligence” and “Reasonable Security Practice” under Section 43A of Information Technology Act 2000.

Courts in Odisha, Delhi and Chennai in some of their decisions last year have quoted from the PDPB 2019 to decide on some issues on Privacy. If Courts have taken cognizance of PDPB 2019, it means that the current version of PDPB 2019, which is DPA 2021, is already on the radar of the Courts as the required data protection practice in India.

The absence of an implementing agency or a regulator like the Data Protection Authority of India may be a relief. But the powers given under ITA 2000 (Sec 46) to the Adjudicators include the power to impose reasonable penalty on a suo motu basis for “Data Breach”, and hence the possibility of penalties is already hanging over the heads of those who think there is no data protection law in India.

It is like the Amazon Pay… It is already there… and most do not know it.

Come, let us discuss the Compliance View of DPA 2021 at the seminar in Chennai on April 23, 2022.

Contact FDPPI for more details.

Naavi
