DGPSI and Data Valuation

DGPSI, or the Data Governance and Protection Standard of India, has been adopted by FDPPI (Foundation of Data Protection Professionals in India) as a framework for implementing DPDPA 2023.

To ensure that companies do not neglect the importance of recognizing the value of data, DGPSI marks the need for Data Valuation as a model implementation specification under the framework.

Model implementation number 9 (MIS-9) of the DGPSI (Full) framework states:

“Organization shall establish an appropriate policy to recognize the financial value of data and assign a notional financial value to each data set and bring appropriate visibility to the value of personal data assets managed by the organization to the relevant stakeholders”

Also, Model Implementation number 13 (MIS-13) states:

“Organization shall establish a Policy for Data Monetization in a manner compliant with law.”

These two specifications ensure that a DGPSI-based implementation will draw the attention of management to the need for data valuation, though organizations may decide not to implement the recommendation and exercise their option of risk absorption by not complying with this specification.

Data valuation in the personal data scenario is interesting because data protection laws affect the value of the data.

If personal data has no consent, or consent is restricted to a given purpose, the value gets adjusted accordingly. Data for which consent is withdrawn or the purpose has expired should be depreciated. The accuracy of data also influences the value.

These aspects make data valuation in the personal data context a little more complicated than in a non-personal data scenario. More discussions are required in this regard to arrive at a consensus.

The DVSI model recommends a two-stage valuation of personal data. In the first stage it requires computation of the intrinsic value based on normal principles such as cost of acquisition, market value etc. In the second stage it applies a weightage based on a value multiplier index indicated in the following matrix, which considers the quality of data including the legal implications.

This is a suggestion which requires further discussion in professional circles.

Posted in Cyber Law | Leave a comment

Insights on Privacy in Banks

Naavi/FDPPI had recently announced that we would provide a free assessment of DPDPA-2023 compliance on websites and provide an assurance tag “WEB-DTS”. However when we went through some of the requests, it was found that none of the websites met the minimum criteria for Web-DTS certification. It was a disappointment that the simple compliance requirements which should have already been in place now remained unattended.

In this context, it was interesting to find from a report by a company engaged in development of compliance software that, in a survey of 10 websites of top Banks, the simplest of compliance requirements, namely “Cookie Management”, was found wanting on the websites. A glimpse of the findings on the cookies is indicated below.

If the most equipped organizations like Banks cannot complete the simplest of compliance requirements such as cookie management on a website, it would be an uphill task to ensure that they are compliant with DPDPA 2023 before the year end.

Currently FDPPI is offering a DPDPA 2023 assessment service through the DGPSI framework and has suggested Web-DTS as the first step, for compliance of the website.

For its corporate members, FDPPI is providing some services which could include a “Consent Record Management” service. The first milestone for this is Web-DTS and Cookie management. In this context the report on the current status of Cookie management in Banks is revealing.

Naavi


Naavi unveils Naavi-63 as a Consent Recording System under DPDPA

During the Crash course on DPDPA 2023 implementation held in Mumbai and Ahmedabad on March 9th and 10th for groups of CIOs, Naavi announced that as part of the consultancy services offered under the DGPSI framework, a “Consent Recording System” is being introduced to meet the compliance requirements.

The system, called Naavi-63, will enable companies to meet the compliance requirements of DPDPA 2023 along with ITA 2000 in obtaining consents and will be implemented as part of the consultancy.

Naavi


FDPPI- The Privacy Companion of India

Most companies in India have realized that the month of March 2024 will soon be over and a new financial year 2024-25 will be before us.

While the politics of the country is keenly following the Lok Sabha elections of 2024 and their impact, the corporate world in India is slowly realizing that the financial year 2024-25 will be the year in which DPDPA 2023 will be implemented fully.

Most companies that were holding back on the ground that the “Rules” are yet to be notified are realizing that the entire DPDPA 2023 is an extension of ITA 2000 and hence the Courts are already taking cognizance of the presence of the “Privacy Culture”.

As the plans for the year 2024-25 are being drawn up, Companies are asking themselves whether they are Significant Data Fiduciaries (SDF) and need to look for designating a SPO and appoint an external Data Auditor.

To address this concern, FDPPI is emerging as the “Privacy Companion” which can be the friend, philosopher and guide for companies intending to be compliant with DPDPA 2023.

As the undersigned travels round the country conducting awareness training sessions for professionals of different industries, it is clear that the initial lethargy is giving way to a sense of urgency in setting in motion in-house training programs and DPDPA Impact Assessment programs for the DPDPA implementation to follow.

With its unique Compliance framework “DGPSI” or “Data Governance and Protection Standard of India”, FDPPI is all set to be the much sought after “Privacy Companion” for the industry. The framework encourages companies to set up a Data Governance and Protection Management System (DGPMS) which can achieve DPDPA 2023 compliance by default.

The Privacy Enhancement Tools (PET) that accompany the DGPSI framework further increase the convenience of compliance.

The DGPSI-PET is the next big thing that the undersigned is working on with a mission to make DPDPA 2023 compliance a smooth corporate activity.

Naavi’s DGPSI-PET system encompasses several companion tools such as

  • Consent Management and Recording Companion
  • Personal Data Discovery Companion
  • Personal Data Classification Companion
  • AI algorithm Privacy companion

Watch out for more on these tools to be unleashed during the year.

Naavi intends to shortly release the Consent Management system in a customized building mode under the name Naavi-63. …More information will follow.

Naavi


New Indian Evidence Act and the new Section 65B Certification

With the notification of the Bharatiya Sakshya Adhiniyam 2023 as the new Indian Evidence Act (NIEA), the time has come to take a fresh look at Section 65B Certification and the operations of the Cyber Evidence Archival Center (CEAC), of which Naavi was the pioneer. The Act will be effective from 1st July 2024.

It is well known that the first ever Section 65B certificate to be produced in the Court was the one presented by Naavi at the AMM Court in Egmore Chennai in the case of State of Tamil Nadu Vs Suhas Katti.

This case involved a message posted on a Yahoo group which was accused of being “Obscene” under the then Section 67 of ITA 2000. The copy of the content was produced by Naavi with a Section 65B certificate as an observation on the Internet, and based on the same the Court convicted the accused. The decision was upheld by the Session Court and the accused completed the 9 months of imprisonment that the Session Court imposed, though the trial court had imposed a 2 year imprisonment under Section 67 of ITA 2000.

During the trial, questions had been raised about whether a private person can provide the Certificate. Subsequently the same Court further validated the system in another case where some material on a CD seized by the police needed to be taken up for trial.

After this 2004 incident, there was the 2005 Supreme Court trial of Afzal Guru in which the Supreme Court took oral evidence as a substitute for Section 65B evidence. This was overruled and a complete ratio was indicated in the Basheer judgement. Subsequently came the contradictory judgement of Shafi Mohammed, which was followed and later overturned in the Arjun Pandit Rao judgement.

Naavi has been the person who has contributed to the development of Cyber Jurisprudence in this regard.

Now with the passage of the Bharatiya Sakshya Adhiniyam, the old Indian Evidence Act with Section 65B has been replaced with the new Act with Section 63 which states as under.

63.(1) Notwithstanding anything contained in this Adhiniyam, any information contained in an electronic record which is printed on paper, stored, recorded or copied in optical or magnetic media or semiconductor memory which is produced by a computer or any communication device or otherwise stored, recorded or copied in any electronic form (hereinafter referred to as the computer output) shall be deemed to be also a document, if the conditions mentioned in this section are satisfied in relation to the information and computer in question and shall be admissible in any proceedings, without further proof or production of the original, as evidence or any contents of the original or of any fact stated therein of which direct evidence would be admissible.

(2) The conditions referred to in sub-section (1) in respect of a computer output shall be the following, namely:—

  • (a) the computer output containing the information was produced by the computer or communication device during the period over which the computer or communication device was used regularly to create, store or process information for the purposes of any activity regularly carried on over that period by the person having lawful control over the use of the computer or communication device;
  • (b) during the said period, information of the kind contained in the electronic record or of the kind from which the information so contained is derived was regularly fed into the computer or communication device in the ordinary course of the said activities;
  • (c) throughout the material part of the said period, the computer or communication device was operating properly or, if not, then in respect of any period in which it was not operating properly or was out of operation during that part of the period, was not such as to affect the electronic record or the accuracy of its contents; and
  • (d) the information contained in the electronic record reproduces or is derived from such information fed into the computer or communication device in the ordinary course of the said activities.


(3) Where over any period, the function of creating, storing or processing information for the purposes of any activity regularly carried on over that period as mentioned in clause (a) of sub-section (2) was regularly performed by means of one or more computers or communication device, whether—

  • (a) in standalone mode; or
  • (b) on a computer system; or
  • (c) on a computer network; or
  • (d) on a computer resource enabling information creation or providing information processing and storage; or
  • (e) through an intermediary,


all the computers or communication devices used for that purpose during that period shall be treated for the purposes of this section as constituting a single computer or communication device; and references in this section to a computer or communication device shall be construed accordingly.


(4) In any proceeding where it is desired to give a statement in evidence by virtue of this section, a certificate doing any of the following things shall be submitted along with the

  • (a) identifying the electronic record containing the statement and describing the manner in which it was produced;
  • (b) giving such particulars of any device involved in the production of that electronic record as may be appropriate for the purpose of showing that the electronic record was produced by a computer or a communication device referred to in clauses (a) to (e) of sub-section (3);
  • (c) dealing with any of the matters to which the conditions mentioned in sub-section (2) relate,

and purporting to be signed by a person in charge of the computer or communication device or the management of the relevant activities (whichever is appropriate) and an expert shall be evidence of any matter stated in the certificate; and for the purposes of this sub-section it shall be sufficient for a matter to be stated to the best of the knowledge and belief of the person stating it in the certificate specified in the Schedule.

(5) For the purposes of this section,—

  • (a) information shall be taken to be supplied to a computer or communication device if it is supplied thereto in any appropriate form and whether it is so supplied directly or (with or without human intervention) by means of any appropriate equipment;
  • (b) a computer output shall be taken to have been produced by a computer or communication device whether it was produced by it directly or (with or without human intervention) by means of any appropriate equipment or by other electronic means as referred to in clauses (a) to (e) of sub-section (3).

Additionally, a Schedule has been added with the format of a Certificate to be issued under section 63(4)(c).

The narrative on Section 65B has therefore changed to some extent. Watch out for a new e-book on this topic.

The new Certifications that Naavi would be providing under the new section will henceforth be called “Section 63 BSA Certificate”.

The Cyber Evidence Archival Center (CEAC) is presently restricting its operations to certificates being issued through franchisees. Naavi personally has stopped issuing such certificates to restrict the attendant Court appearances.

However, consequent to the introduction of DPDPA 2023, one of the services of CEAC, namely the CEAC-EDB, is being modified as a service for DPDPA 2023 compliance, details of which will be provided separately.

Naavi


“Responsible AI” and “Accountable AI”

As the use of AI proliferates, we are often hearing a demand for “Responsible AI”. We are however repeating that the foundation of AI being responsible is in AI being accountable. This accountability means that there should be an organization that takes up the responsibility to own the consequences of AI. This is precisely what the recent AI advisory for intermediaries from MeitY has done. 

It is important to consider that AI cannot be treated as an independent juridical entity. It is either owned by the developer or the company developing the AI algorithm/product or the licensee. The advisory captures this aspect and hence brings in “Accountability” as the leading requirement of AI. Hence “Responsibility” of AI is embedded in the “Accountability” of the licensee/owner.

It is the Accountability that has to be in place to make “Responsibility” an automated consequence.

While on the subject, I came across a discussion on TV about a start-up “AI-Kavach” developing a Cyber Security product using AI. The promoter Ms Pratyusha Vemuri was successful in getting funding support in Shark Tank India Season 3 and made news.

The discussion on Shark Tank is interesting since the company got a valuation of around Rs 20 crores with a funding of Rs 1 crore for a total equity of 5%. The company currently sports a modest 20000 downloads and 1500 paid downloads (at Rs 99 per year subscription) in the consumer segment. I am sure that many know that these downloads occur in a day in most of the cases if the product catches the imagination of the market. But as of today, the downloads in the consumer segment seem to have been suspended and the Company wants to operate in the B2B segment for the time being. Not sure if this decision was after the MeitY advisory.

We wish good luck to the entrepreneur for harnessing the power of AI.

One of the sharks rightly took note that the algorithm has to work in the B2B environment and learn consumer behaviour by profiling which would be used for fraud detection. In other words the business model is to watch the internet and mobile behaviour by sitting on the intermediaries like Airtel and Jio networks of the entire universe of users and derive intelligence from which fraud customers can be identified. This is “Personal Data Mining” and “Big Data Processing”. For Airtel and Jio it would mean selling of personal data of their customers.

While the entrepreneur indicated that a patent is pending in India, I am doubtful whether the novelty feature would be adequate to get the approval of patent.

Using AI based processing to detect and prevent frauds is an established existing Cyber Security activity and therefore lacks patentable novelty. RBI has also made it mandatory through “Adaptive Authentication”. However, the labelling of the product as “AI” has given it a marketable value.

It is not clear whether either the entrepreneur or the funding sharks have identified the Privacy/DPDPA risks. However anonymous the process of collection is, such mass profiling carries a high level of Privacy risk.

In another TV interview, the entrepreneur appeared to be banking on anonymisation of the data analysis. I hope the company is able to cover the Privacy Risks with whatever processing they plan to do as part of the AI processing.

The B2B users would however remember that they need to adopt certain compliance measures themselves before adopting such products into their processes.

The Shark tank episode was about a month ago and the AI advisory of 4th March 2024 should be considered as a jolt to the company.

(Comments welcome)

Naavi

Also Read

https://www.reddit.com/r/sharktankindia/comments/1abqtgl/ai_kavach_is_gone/?rdt=43204
