MOU with iLET Solutions

An MOU was signed between Ujvala Consultants Pvt Ltd, as training partner of FDPPI, and iLET Solutions Private Limited, an e-Learning platform, to provide Learning Management solutions for the different online training programs conducted by Cyber Law College. Mr Ashok Kini, partner, Klickstart Solutions and Director, FDPPI (Chapter Activity Coordination Committee), and Suresh Balepur, President, Bangalore Chapter of FDPPI, were present on the occasion.

iLET Solutions was founded in 2018 and offers a wide range of blended learning courses for talent development and enrichment across all age groups. 

Mr Mayank Jaiswal, the Co-Founder and Director, executed the MOU, which enables FDPPI and Cyber Law College to host the Certification programs on the platform under the URL “Learnwyse.com”.

iLET will also host “Jnaana Bhandar”, the video repository of FDPPI events, which is part of the continuing education of the members. FDPPI will launch “Jnaana Bhandar” as part of its “Content Membership” program, where professionals can subscribe to the different videos produced during FDPPI knowledge sessions and events, which should be useful reference information.

Naavi

Posted in Cyber Law

Hackers Attack Indian National Digital Assets

Several Indian Government entities and energy companies were targeted by unknown threat actors, leading to the suspected theft of sensitive data, both personal and non-personal.

A report on hackernews.com suggests that the information-stealing code was delivered through a phishing email disguised as an “Invitation Letter from the Indian Airforce”. Data was exfiltrated through Slack channels.

The incident should be registered as a “Cyber Terror” activity, and the potential link to the current political scenario in the country should be investigated.

Naavi


Advertising Industry needs to wake up to the demands of DPDPA 2023 (Part 1)

Naavi, as part of his career development, was in the advertising industry for around 11 years and closely participated in the activities of a full-service advertising agency, which creates brands, builds brands, understands consumer behaviour through research, reaches out to consumers, and creates effective communication to pass on a message to the masses. Naavi’s involvement in advertising was during the period when the Internet made its entry, when the advertising industry was transforming from newspapers to the TV medium, with advertising on websites just appearing on the horizon. At that time Naavi had also conceived and pursued a patent, “Adview Certification”, which involved implanting an intelligent beacon on a website to monitor the behaviour of its visitors, in order to develop a reliable visitor metric like the TRP in the TV industry or the ABC (Audit Bureau of Circulation) figure for print.

With this background, if we now look at the developments worldwide on “Privacy”, it appears that the digital advertising industry is one sector that faces an existential threat on account of the Privacy laws. While the Fintech and Health sectors also have many hurdles to cross, theirs are to some extent manageable. But the digital advertising industry, which is at the root of all marketing activities and has to design communication appropriate to the target audience, has a real uphill task, to the extent that many may feel there is no way the industry can be fully compliant, and hence the winner is the one who is good at deception.

The data analytics industry has two parts to its activities, namely analysis of anonymized data and analysis of identified personal data. The data science industry working on anonymized data may not be affected by the privacy laws if we accept that “Anonymization of previously identifiable personal data” is similar to “Deletion” and does not require any explicit consent of the data principal. However, analysis of identifiable personal data is closely associated with “Targeted advertising” and does face the same problem as the advertising industry. In fact, data analytics of identifiable personal data and the digital advertising industry work in close unison, and hence their problems are similar.

To understand the issue, let us start with the simplest of simple tasks, namely “Sending emails without prior consent” offering products or services. At present we call these “unsolicited emails” or “spam”. “Causing annoyance” with repeated unsolicited emails is a punishable offence under some laws. (The same applies to unsolicited phone calls.)

Does this mean that the only way an organization can reach out to its prospective customers is through “Search Engines” and “Voluntary walk-in enquiries”? Unsolicited mobile calls are a little more annoying than unsolicited emails, since mobile calls cause a greater disturbance than emails. Emails, however, give the receiver an opportunity to respond at leisure and hence are less demanding on the receiver’s critical time.

The Privacy law makers and the advertising industry have to sit together and sort out this issue, including whether a polite “email requesting permission to send the next detailed email about the service”, say once a year, should be considered a permitted one-time activity.

Other points which we may discuss in continuation are:

1. Profiling a customer for the purpose of market segmentation and targeted advertising

2. “Collecting personal information through cookies set by the advertising agencies/adtech companies on the websites of companies” and the consent mechanism for the same

3. “Regulation of information collected by an ad agency/adtech company through cookies from one advertising client to be used for profiling and made available to other clients”

Internationally there is a discussion on the “Diligence Requirements for the Adtech Industry” for demonstrating lawful consent for collecting and selling personal data. (Refer to the article on iapp.org.)

That article flags the efforts of the Interactive Advertising Bureau and the SafeGuard Privacy tool called the IAB Digital Platform. This platform will contain a set of standardized privacy diligence questions specially designed for participants in the digital advertising industry. This is a good and necessary industry initiative.

Some parts of the requirements mentioned here were included in the WebDTS concept which FDPPI promoted, where a frustratingly large amount of non-compliance was observed. Perhaps in India we need the advertising industry regulators to start looking at “Compliance with DPDPA 2023” as a requirement to be considered. At present the advertising industry, and more particularly the Ad Tech companies, would appear to be completely unconnected with the DPDPA 2023. The end users may escape responsibility by stating that the “Ad Service Provider is a Joint Data Fiduciary” and is responsible for compliance with DPDPA. With many of them operating on AI platforms hosted on the websites of their clients, and the information collected being that of the customer of a customer, there is very little possibility of “Consent” being obtained.

While compliance activists like us keep pointing out these issues, the compliance subjects continue to feel that compliance is “impractical”. The advertising industry needs to sit together and find a proper solution to this problem at the earliest.

(Comments welcome)

Naavi


Business Contact Address and DPDPA 2023

Naavi

The applicability of DPDPA 2023 to what can be called a “Business Contact Address” is a much debated issue in Privacy circles.

DPDPA 2023 is applicable to “Personal data”, and there are many obligations associated with the collection and use of personal data. However, whether the same rules apply to “Business Contact Data” such as a business email, etc., is a point which has been left to Privacy jurisprudents to debate.

In DPDPA 2023 there is one mention of “Business Contact Address”, under Section 8(9), where it states “..A Data Fiduciary shall publish, in such manner as may be prescribed, the business contact information of a Data Protection Officer,…”.

This indicates that the term “Business Contact Information” is recognized in Indian law, though it is not presently defined under the definitions section of the Act.

The Singapore PDPA 2012 provides a clear definition as follows:

“business contact information” means an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his or her personal purposes;

Under GDPR there may be no definition of Business Contact Information, but given the general approach of GDPR, which takes extreme views on Privacy, the general understanding is that if the information relates to an individual then it would be considered Personal Data even if it is a work email such as vijay@ujvala.com. On the other hand, if Vijay is the Director of Ujvala and the work email is director@ujvala.com, most people agree that it is business contact information and “Not Personal Data”.

In the Cavauto S.R.L case, the Italian supervisory authority held that an employee who stored his personal data under an email “Customercare@cavauto” could still be considered the owner of such data as personal data, and that it is not accessible by the company without consent. This essentially upheld the view that the corporate email account was personal data.

However, this extreme view of the GDPR authorities cannot be considered a general guideline and needs to be treated as an aberration and not a “Precedent”. Judicial authorities often make mistakes, and such decisions are overridden by superior authorities. This is one such instance where we may say that the decision was context-specific and is not to be treated as determining a jurisprudential view.

Our view has always been that a property like a work email, which is assigned by the employer, hosted on the server of the employer, and which the company also has the power to deactivate on termination of the employee, should be considered the property of the employer and not the employee. Hence a business email should without any doubt be considered a “Business Asset” and not a “Personal Asset”, and a work email or any corporate identity provided by the company is better considered “Non-personal data”.

As regards classifying an email address as personal or business, it is also necessary to look at the context. Since Privacy is the “Right of Choice” of an individual to share what he considers “personal data”, the final choice of whether vijay@ujvala.com is a personal email or not is left to the individual himself. If he uses it in a personal context, then in that context it becomes a personal email, though by default it may not be. On the other hand, vijay@gmail.com may be considered by default a personal email but could also be declared by the individual as a business email.

Hence it is unnecessary and improper to decide whether an email is personal or not based on the domain attached to the email server. It is for the information gatherer (data fiduciary) to get an indication from the data principal whether a certain email is to be treated as a personal email or a business email. This should be taken care of during the consent-gathering stage.

Under DPDPA 2023, since the Act recognizes that an email can be a “Business contact”, the argument that

“@company name is by default non-personal data but could be considered personal data under the choice of the individual”

and also that

“personal name@gmail.com is by default personal data, though the person has the choice of making it a business contact (non-personal data)”

should be considered relevant.

An email address such as designation@company name is also by default non-personal data, but perhaps requires an explicit confirmation to be treated as personal data, rather than being treated entirely on the basis of context.

In other words, our view is that personalname@company.com can by context be considered a business contact, while designation@company.com can be converted to a personal email by explicit consent only and is not deemed so by context.

Open for debate.

Naavi


AI Risk Management under DPDPA 2023

“Artificial Intelligence” is a new term that is sweeping the software world, and naturally it has also percolated into the discussions of “Privacy” and DPDPA 2023.

The industry is now presented with a new ISO standard, ISO 42001, so that along with ISMS and PIMS, the concept of AIMS has now become the buzzword.

ISO 42001 is a standard that tries to establish the requirements of an AIMS (Artificial Intelligence Management System) that focuses on the system being a “Responsible AI System”. The standard can be used both by the AI developer and by the user.

Though the standard should be a good guideline for many companies, it appears that as regards privacy, the AIMS as suggested needs some more tweaking.

AIMS as envisaged is like PIMS and has to be considered part of the ISMS. In other words, though a stand-alone certification is envisaged under ISO 42001, an organization cannot avoid ISO 27701 and ISO 27001 if it has to adopt ISO 42001 for Privacy. This means about 40 new controls will get added to the 93 controls of ISO 27001 and the 49 controls of ISO 27701.

In the DGPSI system, FDPPI proposes to consider AIMS, PIMS and ISMS as part of the DGPMS and accommodates all the controls within 50 implementation specifications. In this approach, most of the individual controls of the ISO system that make it bulky and unwieldy get absorbed in the customization of controls through the policies and processes developed in the user environment.

We hope this simplification will be useful to the industry and leave scope for the implementers to design controls as per their specific needs.

Naavi


Implications of US Bill on Cross-border data transfer

A Bill has been passed in the US to protect the sensitive data of US citizens by restricting cross-border transfer of data to countries considered “Adversaries”. To some extent this reflects the thinking behind Section 16 of DPDPA 2023, which also has an enabling provision to restrict transfer of personal data collected in India to countries which may be notified as “Blacklisted Countries”. China, Iran, North Korea, Cuba, Russia and the Maduro government in Venezuela are currently on the list of such adversaries. India is yet to declare its black list of countries under Section 16.

(Refer to the report on cnbc.com.)

The bill bans organizations that profit from selling personal data, known as data brokers, from making such data accessible to a foreign adversary country or to entities controlled by adversaries.

It also authorizes the Federal Trade Commission to seek civil penalties of more than $50,000 for each violation.

India has to stay on guard that this list of countries does not become so flexible as to include any country on which ad hoc sanctions are imposed. We may recall that in the early days of the Ukraine war, many US companies cited the US sanctions to threaten stoppage of IT services in India. This makes the country’s dependence on US companies, including companies like Microsoft and Google, a long-term national security risk.

Naavi
