Naavi.org

There are many services in the FINTECH arena where the service provider tries to assist the account holder to make payments of pending bills. For this purpose the service provider takes the permission to view the SMS of the account holder and periodically reads the SMS.

Under DPDPA, this permission is mandatory and is covered under the DPDPA consent regulations. This consent is purpose specific and has to be considered as closed once the purpose is served.

I recently have come across such “Bill Alerts” from CRED on the CRED application linked to my mobile number. These bills were not related to me and had I mistakenly clicked “Pay Now”, the payment could have been effected.

I therefore consider the message as an “Attempt to induce me to make payment to a third party” which is an offence under ITA 2000 and BNS.

last time, CRED had indicated that the message could have been picked up from my SMS store and I also presumed that the mistake might have been at the HESCOM side in wrongly linking my mobile with another account.

I am now given to understand that the mobile number associated with the account in HESCOM is not my mobile. However, I have received the CRED alert again today. I am not able to view the corresponding SMS in my SMS inbox.

Under the circumstance, I feel that CRED has picked up the bill from a source other than my SMS inbox.

If so, the mistake lies with CRED and not HESCOM. If this is true, I owe an apology to HESCOM and I am duty bound to apologize. I am yet to get the confirmation but my advance apologies to HESCOM if the mistake lies with CRED.

We can now surmise that CRED has my account as well as the account of the individual whose bills are coming to my CRED account. Perhaps CRED has mis configured the accounts or their technical system is sending bills of one client to another. Alternatively, it is possible that HESCOM has corrected its mistake but there is a Cache maintained by CRED where the bills related to another account are getting diverted to my account.

I have raised a query with CRED now and am expecting a reply.

Once DPDPA 2023 penalties kick in, these are mistakes for which RS 250 crore penalties may be applicable. Until then remedy is under ITA 2000 which is even more serious. I hope corporate entities do understand their responsibilities when they take “Data Access permissions” particularly if they are not capable of managing the data collected.

While I have used the example of CRED here because it is out of my personal experience. this could be happening with others also including Banks.

Looking forward to get more information on this case.

Naavi has been repeatedly requesting Niti Aayog to clarify that registration of Section 8 companies is not mandatory for all Section 8 Companies. Unfortunately NITI Aayog does not respond to the query and prefers to remain silent.

In the meantime some REs like PayU and Razor Pay consider that registration on Darpan Portal is mandatory for Section 8 company and are not completing the KYC process.

It is highly irresponsible for Niti Aayog and RBI not to make a proper announcement that Darpan Registration is not mandatory for KYC. At the same time it is disappointing to note that companies like PayU and Razor Pay are unable to complete KYC ignoring the Darpan portal Registration.

Further registering a Section 8 company like FDPPI in Darpan Portal is not possible and the portal returns error page every time.

Further registering a Section 8 company like FDPPI in Darpan Portal is not possible and the portal returns error page every time.

I hope some senior person like Mr Amitabh Kant looks into this issue and set right this anomaly.

Naavi

I am informed that spam mails are being sent from the optimum.net server to many using the email Vijayashankar Nagarajarao (archer83@optimum.net).

Kindly ignore them and if possible file a complaint with abuse@optimum.net.

I don’t use any service from optimum.net and the email archer83@optimum.net does not belong to me. This scam seems to originate from a compromised optimum.net server which is extracting emails of contacts from the customers and using it for spamming.

Naavi

It is observed that UIDAI website is experiencing some serious technical issues. It is downloading aadhaar cards of persons other than for which a request is submitted and OTP is authenticated.

Though the downloaded file is protected by the password, this is a serious flaw which needs to be corrected.

UIDAI has recognized the bug and has posted a message on the website. I hope it would be set right soon.

This could be considered as a “Potential Data Breach” and needs to be addressed as such under ITA 2000/DPDPA

Naavi

One of the queries I have received on Linked in by a discerning Privacy Professional is

” As we observe, organizations have begun aligning with the Digital Personal Data Protection (DPDP) Act in India. However, several provisions remain ambiguous, awaiting further clarification through governmental rules. For instance, the practical implementation of roles like the Consent Manager is still not fully defined.​

In light of these uncertainties, how can organizations proactively work towards compliance? What preliminary steps can be undertaken even before the complete regulatory framework is established?”

Let me try to provide my feedback on this.

Compliance to DPDPA is a cost that any organization have to absorb. Even conduct of a DPDPA Gap assessment will need a budget. If an organization is a Data Fiduciary of some responsibility, the costs are likely to be higher since they have to immediately take the decision to designate a new senior position of the Data Protection officer with a team of his own. Once the DPO is in place, he will demand an “Implementation Plan” which includes in house measures such as drawing up of policies which may need external consultancy of expert organizations like FDPPI which also requires investments. Then comes the bigger investment and a decision about acquisition of software for compliance which is a long term higher level investment.

The CFOs, CEOs and the Board members of any organization would naturally take their time to commit on these expenses and would like to take as many excuses as possible not to sign on the DPDPA implementation budget. However this “Judicious Contemplation” should not turn into procrastination and policy paralysis.

The first action required for any responsible corporate entity is to pass a resolution at the Board level to the effect

“The Board has taken note of the passage of DPDPA2023 and the imminent release of detailed rules and

a) has resolved to conduct and document a Business Impact Analysis on the passage of DPDPA 2023 on our organization immediately.

b) resolved that a committee of Directors consisting of …….., ….. and ….. is formed with immediate effect under the chairmanship of the independent Director ……………, to consult relevant experts and report to the Board by the next Board meeting on further actions to be taken.

c) resolved that the following shall be the terms of reference shall be addressed by the Committee

i) To determine when should the Company start a DPDPA Gap assessment program.

ii) To determine if we designate a “DPO” for our organization

iii) To determine the budget to be allocated for the next quarter and the current year for DPDPA Compliance

The above actions are necessary and can be implemented immediately by the Company Secretary who is drafting the minutes for the next Board meeting. If an organization has already passed through this stage, they may encounter the questions raised in the query above. This needs to be discussed by the committee and their views presented to the Board. In that process, they can take into account the following thoughts.

Ambiguity of provisions

DPDPA is a law and the law is by nature meant to provide broad principles which are to be interpreted in the context of its implementation.

Rules are expected to provide the procedural guidelines and cannot re-interpret the law. Rules cannot therefore be expected to provide “Legal Clarity” where the law has failed to do so.

Hence if there are any ambiguities in the law as we perceive, we need to live with it. As regards the Consent Manager the law is clear and it is the Draft rules that are creating complications. But “Consent manager” is not “mandatory” for implementation of DPDPA by an organization and hence organizations need not wait for this ambiguity on “Consent Manager” if any to be cleared.

Consultants like FDPPI and the Frameworks like DGPSI has provided a “Jurisprudential Interpretation” of all aspects of DPDPA 2023 and unless a company wants to ignore them, there is no reason to delay the start of implementation waiting for further clarification from the Government.

Government cannot provide a clarification that is not in tune with the Act and if they do so by a mistaken interpretation, there is a possibility of the law being challenged in a Court of law.

The current mood of the Supreme Court which in the past has been aggressive in taking on the executive’s role of drafting rules for the Act and adding its own interpretations to the laws is not to pass any “Stay” on the operation of the law. If therefore any “Andolan Jeevies” challenge the specific provisions of the law as “Ambiguous”, the issues will be taken up for discussion but no decision is expected immediately.

We therefore consider that it is not wise for companies to keep waiting for clarifications from the Government.

Our view on this is clear as follows:

1.DPDPA 2023 is an expansion of Section 43A of ITA 2000 and is therefore considered as “Due Diligence” under the current law which is ITA 2000.

2. DPDPA 2023 provides a detailed clarity on the concept of “Reasonable Security Practice” under Section 43A of the ITA 2000.

3. The limitation of applicability of Section 43A of ITA 2000 to “Sensitive Personal Information” has now lost the meaning since there is no specific definition of Sensitive personal information under DPDPA and it is the responsibility of all Data Fiduciaries to determine the harm likely to be caused to a Data Principal on account of their processing and take appropriate action to protect their interests.

4. Since the “Data Fiduciary” is a “Fiduciary”, he is self responsible for determining what is the harm likely to be caused and accordingly expected to develop the compliance.

5. While section 43A is limited to the provision of compensation to a data principal, it does not bar the Adjudicator under ITA 2000 to impose any penalty on the Data Fiduciary.

6. Section 43A of ITA 2000 remains in tact till Section 44 of DPDPA 2023 along with the penalty section 33 is not specifically notified. Till then, Penalty under Schedule I of DPDPA 2023 may be considered only as a “Legislative intent” and the Adjudicator under his powers to pay compensation upto Rs 5 crores can provide compensation to the affected victim and also exercise its Suo-Moto powers to impose deterrent penalties as well as recommend action under Section 43 and Section 66 of ITA 2000.

7. Ambiguity if any on the role of a “Consent Manager” may be ignored. If any organization has the intention of registering themselves as “Consent managers”, they may do so after the Data Protection Board is set up.

8. When in doubt, the Company may obtain and document an opinion from an appropriate management consultant or a legal consultant. Such opinion may be a Legal Opinion from a law firm or a Management Advise from a Management consultancy firm.

I suppose this provides a reasonable response to the query raised. Further comments are welcome.

Naavi

The ongoing discussion on Linked in has brought a query which I thought could be answered in greater detail here.

Query:

“I would really love to hear your thoughts on why India is adapting the path of “data should not be transferred to certain countries, which is completely a different approach from GDPR wherein they have taken a positive approach of transferring data to the listed countries who has adequate safeguards”. Do you think this is the right approach?”

The provision under Section 16 of DPDPA 2023 states that

“the Government may by notification restrict the transfer of data by a Data Fiduciary for processing to such country or territory outside India as may be so notified”.

It goes on to further state

“Nothing contained in this section shall restrict the applicability of any law for the time being in force in India that provides for a higher degree of protection for or restriction on transfer of personal data by a Data Fiduciary outside India in relation to any personal data or Data Fiduciary or class thereof.“

Under the draft rules proposed, it is stated that “transfer of personal data within India or outside shall meet such requirements as the Central Government may, by general or special order, specify in respect of making such personal data available to any foreign State, or to any person or entity under the control of or any agency of such a State.”

The minister has made a statement publicly that the Meity will form a committee which from time to time review the requirements and suggest what restrictions should be applied and under what context.

The provisions read together is flexible and will cover the provisions of EU GDPR under article 45 as well as 46,47,48 and 49.

The Committee can take a decision like “Biometric data will not be transferred to any country including USA or EU Countries” and ignore the claim that in that country there is a stringent data protection law. On the other hand Committee may allow transfer of data for a social media company handling non-sensitive information to most countries. Committee can also decide that a particular Data Fiduciary is in defence sector and it shall not transfer data anywhere even within the country and the data centres of the company shall reside in premise.

Thus We have taken a fair and flexible approach. EU approach cannot be called “Positive” just because they give 11 countries out of 193 plus UN members, the status of adequacy and consider other 182 countries as “Prohibited countries”. Even GDPR adequacy has a restricted sectoral permissions within the adequacy countries. EU thinks that it has the right to decide what are “Adequate Security Safeguards” and suggests that other countries should follow its norms. India thinks that it is a sovereign country and we decide which processing outside the company is safe and should be allowed and which should be prohibited.

From the practical perspective, instead of hardcoding a list of countries, the committee reserves the right to make decisions from time to time.

Let us hope that the Committee will do its duty properly and if so it would be a better proposition than what GDPR proposes. It also gives us an opportunity to create our own “Data union/Trusted Counties for data transfer” as Naavi had proposed to MeitY during the JPC discussions on PDPB.

Naavi