Some Responses from c.DPO.DA. Certified Professionals

FDPPI and Cyber Law College recently completed the first Certification program after DPDPA 2023.

Following are some of the responses from the senior professionals who attended the program.

“The course was practice centric and application oriented.”

“I felt the questions were set in such a way that how someone would approach situations practically.”

“Overall good experience.”

“Overall the questions were more relativistic and based on application and overall understanding of our concept”

“You made the exam tougher than IAPP 😄”

“The overall experience of the examination was great! The pattern and questions in itself were very practical in nature and helped us apply our learnings. Very exciting and enticing format. At the end there is a certain level of satisfaction for the time and effort invested by FDPPI and us as students.”


FDPPI’s Journey of 5 years

On 17th September 2018, Foundation of Data Protection Professionals in India (FDPPI) obtained its Certificate of Incorporation. It must be considered as a day of great significance to the Privacy and Data Protection industry in India since this organization was an organization of the Professionals, by the Professionals and for the Industry.

It may be considered that GDPR, which became effective from 25th May 2018 and caused a big flutter in the Indian industry with the fear of extra-territorial jurisdiction, was the driving force behind the formation of FDPPI.

By January 2018, India had started working on its own Data Protection Law and on January 13th, the Justice B N Srikrishna Committee held a public consultation in Bangalore.

Naavi started a campaign for building awareness about GDPR and its impact on India highlighting “Today is GDPR Day…Love it or hate it, you cannot ignore it”. Additionally Cyber Law College in June 2018 started a course on GDPR on the Apnacourse.com platform (Presently not available) and called for “Tame the Monster of GDPR”.

By June 21, 2018, Cyber Law College introduced an integrated examination combining the then existing Certified Cyber Law Professional, Certified HIPAA Aware Professional and Certified GDPR Aware Professional and called it “Certified Indian Data Protection Professional”.

By July, a draft of the Bill proposed by B N Srikrishna Committee became available and discussions shifted to the proposed Indian law.

In this background FDPPI was contemplated and with the encouragement of many of the industry friends it was decided to start FDPPI as a Section 8 company. Mr Nagendra Javagal came forward to be the other Promoter Director as FDPPI filed its MOA and got its Certificate of Incorporation.

On December 7, the first batch of Certification Course in PDPA (CPDPA) was started and an era of Indigenous Certification for Privacy began. Since at that time neither IAPP nor DSCI had a similar course on Indian data protection law, FDPPI became a pioneer in Privacy Education in India in collaboration with Cyber Law College.

By Data Privacy Day 2020 (January 2020), Naavi’s E Book on Personal Data Act was published and became the first such book in India.

By June 29, FDPPI introduced Module G of its certification program covering GDPR and other global laws.

While India struggled with Covid and JPC struggled with PDPB 2019, FDPPI continued to upgrade its programs from PDPB 2018 to PDPB 2019.

In November 2020, FDPPI embarked on IDPS as its flagship program on Data Privacy which has since seen IDPS 2021 and IDPS 2022.

In December 2020, FDPPI introduced the Module A training program based on PDPSI and DTS assessment completing the DPO training loop from Module I, G and A.

In January 2021, the Data Protection Journal of India (DPJI) was started though it remains under suspension after July 2022.

As JPC presented the new version DPA 2021, FDPPI upgraded its certification program and kept in tune with the developments.

Finally when DPA 2021 was withdrawn, there was a sudden lull in the market but we went ahead with discussions on “Shape of things to come” and held IDPS 2022 under this theme.

Now as we prepare for IDPS 2023, the Government has passed DPDPA 2023 and FDPPI Certification programs have been upgraded once again to DPDPA 2023. The first batch of Certified DPO and Data Auditors under the new DPDPA 2023 passed out today.

FDPPI has also recently introduced the Indian National Register of Data Protection Professionals to create a recognition for trained professionals. This is intended to be supported by the FDPC (Federation of Data Protection Professionals in India as a service exchange platform). FDPC and DDMAP (Data Disputes Mediation and Arbitration Platform) are two platforms creating professional engagement opportunities for trained professionals from FDPPI.

FDPPI has now embarked on another global mission of developing the PDPSI framework into DGPSI framework (Data Governance and Protection Standard of India) incorporating the recommendations of BIS on Data Privacy in its Data Governance Standard.

Thus FDPPI has moved in 5 years to a pole position in the industry. Its weekly Jnaana vardhini sessions are a great resource for continued education and the unique DDMAP (Data Disputes Mediation and Arbitration Platform) is ready to provide support to the industry with another first for the country.

Towards this end of the 5th year we had the privilege of honouring Sri K S Puttaswamy (Retd Justice) as Privacy Pitamaha, etching the name of FDPPI in the history of Data Privacy in India.

The future appears bright, with nearly 400 associates who are together promoting FDPPI as members and supporters. The unique concept of “Supporting Members” has created a base of over 23 members who can execute projects in association with FDPPI and generate revenue on an ongoing basis.

Presently FDPPI can boldly state that with its own Certification Program and Certifiable Framework for Audit and Assessment of Data Protection Compliance for DPDPA 2023, ITA 2000 and BIS data governance standard, FDPPI has firmly entrenched itself as the leader of Data Privacy in India.

I thought it was time to reflect on the past as we look forward to the future with optimism.

Naavi


“Jago Regulators Jago” Roundtable on October 17 2023

On October 17, 2023, FDPPI and Manipal Law School propose to hold a round table to commemorate the Digital Society Day on the broad theme of rising Cyber Crimes and how to tackle them.

I propose that the organizers consider the program as not just an awareness of Cyber Crimes to the masses but to elevate them to the regulators with a message as titled above.

My view on why I want this new approach is guided by my observations over the last 25 years, since I started my journey on Cyber Law and Cyber Crimes, during which I have found that it is the apathy of the regulators (though often we keep our criticisms at the level of police only and do not question the Adjudicators and CERT IN for their dereliction of duty) that has contributed to this state of affairs.

Unless the regulators realize their responsibilities and start acting tough, the criminals will only feel emboldened to continue to commit crimes.

Hence we need to awaken the regulators first before we cry out for public awareness of Cyber Crimes as if it is the panacea for all cyber crimes.

I therefore record some of my views in this regard and urge the participants of the roundtable being organized by FDPPI and Manipal Law School on 17th October at 2.00 pm at the Yelahanka Campus of the MLS to be extended to the virtual world both in terms of speakers from outside India and observers of the discussion.

Those experts who want to share their views may kindly contact the organizers through e-mail on fdppi4privacy @ gmail.com

Naavi



There are no two opinions about Cyber Crimes being on the rise in India. As India that is Bharath is trying to promote its digital leadership to the world through globalization of the UPI system and the use of Aadhaar for Direct Benefit Schemes, the rise of Cyber Crime hubs in towns like Bharatpur, Mewat, Bhiwani, Nuh, Palwal, Manota, Hasanpur, Hathan Gaon (all in Haryana), Ashok Nagar, Uttam Nagar, Shakarpur, Harkesh Nagar, Okhla, Azadpur (all in Delhi), Banka, Begusarai, Jamui, Nawada, Nalanda, Gaya (Bihar), Barpeta, Dhubri, Goalpara, Morigaon, Nagaon (Assam), Jamtara, Deoghar (Jharkhand), Asansol, Durgapur (West Bengal), Ahmedabad, Surat (Gujarat), Azamgarh (Uttar Pradesh) and Chittoor (Andhra Pradesh) raises an alarm.

We are all aware of the “Darkweb”, but the trends in these towns and villages indicate that “Dark Towns” are emerging in physical space and, like the Drug lords of Colombia and Mexico, these are going to be sore points on the rising status of India as a Digital leader of the world.

Recently a few criminals arrested by Police in one of these towns were released by the villagers who attacked the Police party indicating that law and order is passing on to the mafia.

These organized Cyber Criminals are supported by the ecosystem of Bankers and Mobile Service Providers in these places who assist them in committing Cyber Crimes. Many business offices have emerged even in Noida where people are recruited into organized crimes and operations are run like a professional company.

Apart from these types of criminals there is also a gang of Cyber Urban Naxalites who target Government assets as target practice and hack into any Government service just to prove their hacking skills. In many such instances, instead of strongly responding to such white collared criminals, CERT In remains a mute spectator and MeitY behaves as if it is not concerned. This lack of action by these regulators is worse than a Police inspector in a station refusing to register an FIR.

While MeitY and MHA are focussing on bringing new laws such as DIT or new IPC, there is little attention on ensuring that there is a national Cyber Crime policing outfit which will provide a long term cadre to experts in Cyber Crime police and render Cyber Crime Police stations as training ground for officers who after three years go back to bandobast duties.

Change is required, more than in the law, in the way law is administered. This requires the regulators to be educated on what the public think is their commitment to prevent Cyber Crimes. For the last 23 years we have been blaming the public for lack of awareness and always protecting the intermediaries and others who fail to do their duty.

In the Umashankar Vs ICICI Bank case as well as an earlier SBI case in Kerala and a recent Gauhati High Court case, Judiciary has been open to hold the intermediaries liable for Cyber Crimes.

But this message that Intermediaries are the key to control Cyber Crimes has not gone to the regulators.

Otherwise, how can RBI give any banking license to Bankers in Jamtara like towns who are laundering money of innocent cyber crime victims? How is it that the army is not called in to sweep these towns of “Cyber Weapons” used in committing Cyber Crimes? Why is MHA not recognizing that Cyber Crimes are irretrievably linked to Terrorism, drug trade etc.? Why is our Finance Ministry reluctant to ban the Criminal’s currency called Bitcoins?

These are the questions that need to be raised today on “Awareness”. Let us not treat the public as facilitators of Cyber Crimes by ignorantly passing on OTP. The OTP is not considered the safest measure of authentication and it is being used as the best available option for the time being. Without control of SIM cloning and other forms of OTP stealing, there is no technical safeguard which can be used by an ordinary citizen to protect himself.

Hence all financial cyber crimes should be the responsibility of the Intermediaries, no questions asked. If Bankers and mobile operators feel the pinch they will be more responsible in doing their KYC and distributing the weapons of crime.

Banks harass genuine customers with KYC demands again and again and in the process keep the KYC details everywhere in the network, exposing the customers to greater danger.

We cannot ask these Banks what happened to my KYC last year and why are they asking for KYC once again.

We cannot ask them why it is so difficult for my ID to be verified while the criminals can very easily get their IDs verified and Banks accounts opened?

Why are we not questioning why Domain Name Registrars are able to hide the Domain Name registrant’s identity to facilitate phishing?

Why are the e-mail providers substituting the IP address of criminals with their own proxy addresses and creating hurdles for investigators?

Why are we not implementing the TRAI suggestion for Caller ID display on phone calls and why are we not introducing a similar system for E-Mail providers, though we are trying to implement such user ID display for WhatsApp and Twitter?

Why is it that MeitY succumbed to the pressures of business and gave up on Data Localization in the DPDPA to make it difficult for Police even to start an investigation?

These are the questions I would like to ask ..who else but Sri Rajeev Chandrashekar the MOS and Sri Ashwini Vaishnav the Minister of IT, Amit Shah, the MOH and ultimately Mr Narendra Modi the PM.

Let this “Jago Regulator Jago” campaign spread and every citizen of this country raise their voice that “Awareness is not only for the public but also for the Regulators”.

Naavi


Expected Rules under DPDPA 2023

The Government of India Gazetted the DPDPA on August 11 2023. The Minister of IT Sri Rajeev Chandrashekar has announced that the DPB will be constituted and some rules will be notified within the next 3 weeks.

Under the DPDPA at least 26 rules are required to be notified. Not all of these may be notified immediately but they may come in stages.

The set of rules that can be expected are as follows

| Sl No | Section 40 | Description |
|---|---|---|
| 1 | (r) | the manner of appointment of the Chairperson and other Members of the Board under sub-section (2) of section 19; |
| 2 | (s) | the salary, allowances and other terms and conditions of services of the Chairperson and other Members of the Board under sub-section (1) of section 20; |
| 3 | (t) | the manner of authentication of orders, directions and instruments under sub-section (1) of section 23; |
| 4 | (u) | the terms and conditions of appointment and service of officers and employees of the Board under section 24 |
| 5 | (v) | the techno-legal measures to be adopted by the Board under sub-section (1) of section 28; |
| 6 | (w) | the other matters under clause (d) of sub-section (7) of section 28; |
| 7 | (a) | the manner in which the notice given by the Data Fiduciary to a Data Principal shall inform her, under sub-section (1) of section 5; (Purpose) |
| 8 | (b) | the manner in which the notice given by the Data Fiduciary to a Data Principal shall inform her, under sub-section (2) of section 5; (Rights) |
| 9 | (h) | the manner of publishing the business contact information of a Data Protection Officer under sub-section (9) of section 8; |
| 10 | (g) | the time period for the specified purpose to be deemed as no longer being served, under sub-section (8) of section 8; |
| 11 | (k) | the other matters comprising the process of Data Protection Impact Assessment under sub-clause (i) of clause (c) of sub-section (2) of section 10; |
| 12 | (l) | the other measures that the Significant Data Fiduciary shall undertake under sub-clause (iii) of clause (c) of sub-section (2) of section 10; |
| 13 | (m) | the manner in which a Data Principal shall make a request to the Data Fiduciary to obtain information and any other information related to the personal data of such Data Principal and its processing, under sub-section (1) of section 11; |
| 14 | (n) | the manner in which a Data Principal shall make a request to the Data Fiduciary for erasure of her personal data under sub-section (3) of section 12; |
| 15 | (p) | the manner of nomination of any other individual by the Data Principal under sub-section (1) of section 14; |
| 16 | (o) | the period within which the Data Fiduciary shall respond to any grievances under sub-section (2) of section 13 |
| 17 | (x) | the form, manner and fee for filing an appeal under sub-section (2) of section 29 |
| 18 | (y) | the procedure for dealing an appeal under sub-section (8) of section 29; |
| 19 | (c) | the manner of accountability and the obligations of Consent Manager under sub-section (8) of section 6; |
| 20 | (d) | the manner of registration of Consent Manager and the conditions relating thereto, under sub-section (9) of section 6; |
| 21 | (e) | the subsidy, benefit, service, certificate, licence or permit for the provision or issuance of which, personal data may be processed under clause (b) of section 7; |
| 22 | (f) | the form and manner of intimation of personal data breach to the Board under sub-section (6) of section 8 |
| 23 | (i) | the manner of obtaining verifiable consent under sub-section (1) of section 9; |
| 24 | (j) | the classes of Data Fiduciaries, the purposes of processing of personal data of a child and the conditions relating thereto, under sub-section (4) of section 9; |
| 25 | (q) | the standards for processing the personal data for exemption under clause (b) of sub-section (2) of section 17; |
| 26 | (z) | any other matter which is to be or may be prescribed or in respect of which provision is to be, or may be, made by rules…including who is a Significant Data Fiduciary |

Naavi


What is the legal status of Humanoid robots?

The world has crossed an important red line with the humanoid robot namely Mika, which is functioning as a CEO of a company. Mika is said to be the sister of Sophia, which earlier had created history by being the first robot to be granted citizenship of a country.

In India we are seeing humanoid robots being teachers in schools, receptionists in Banks, news readers in TV stations. I am sure that apart from the “Drones”, “Robotic soldiers” are being developed across the globe by all countries including China, US, Japan and perhaps India too.

At the same time Neuroscientists are also creating “Cyborgs” who are humans with implanted computing devices.

The question we want to ask ourselves today is how does law respond to these kinds of developments where AI is merging with humans and humans are merging with AI?

At present AI is a creation of a human being and in Jurisprudence it is a “Tool” operated by the human and hence the legal consequences of the actions of AI are attributed to the human behind the creation. But just as a parent is responsible for the actions of his minor up to a certain age and thereafter the responsibilities pass on to the erstwhile minor who is now a “Major”, the AI remains a “Subordinate AI” up to a point of time and thereafter becomes “Independent AI”.

We need to decide if “Independent AI” which has near human like cognitive capabilities and decision making capabilities not entirely dependent on the past instructional inputs should be given a legal status independent of its creator and made responsible for its own decisions.

The “Cyborgs” like Neil Harbisson are a different category. They were born human but endowed with super human capabilities through an implant. These cyborgs have come to existence because of a medical necessity that prompted them to take the adventurous life but other instances of similar kind indicate that the future of humanity is that of Cyborgs. It is expected that many individuals will provide consent to become cyborgs to improve their functionality.

The problem for Jurisprudents is to determine how to treat these Cyborgs, Humanoid robots and Generative AI algorithms in terms of law. Are these different classes of Juridical entities to whom the law has to be defined?

Just as an ANI/AGI develops into ASI and we can consider it like the human attaining maturity through the aging process from a minor to a major, the Cyborg before implant and after implant is a different individual and Jurisprudence has to recognize this transition from a human to Cyborg as a difference in status. Maybe we have to treat this like a “Sex Change” operation of a human where a “male” may become a “female” and vice versa, which may have already come for discussion in the Jurisprudential circles at present.

Thus we need to not only define these new humanoid types in law but also enable the law to recognize the transition of an entity from one state to another.

As we continue this discussion, we will be entering into philosophical discussions also when we visualize the future of Cybernetics and how human race will change over the next few decades.

I will keep Cyber Philosophy discussion for another day.

Naavi


“Can Courts declare death sentence to a Humanoid Robot”… A Criminal Jurisprudential Challenge

India is in the process of revising its age old Criminal law namely the Indian Penal Code 1872 and Criminal Procedure Code 1973 with the new laws Bharatiya Nyaaya Samhita and Bharatiya Nagarik Surakshita samhita 2023 drafts of which are already presented in the Parliament.

In the meantime India is also expected to revise the ITA 2000 with the Digital India Act which may alter the Cyber Jurisprudence that has been developing over the last two decades of the existence of ITA 2000.

Artificial Intelligence itself as a technology is growing along with the developments of Neuro Science, Meta Verse etc.

The society will soon have many confrontations between AI and law and the most complicated aspect of this would be in criminal Jurisprudence.

We have seen that evidentiary aspects introduced by ITA 2000 (Section 65B of IEA) have not been absorbed by the Judicial community till date since unlearning the past is that difficult. Now to unlearn the criminal jurisprudence and think of any change arising out of Artificial intelligence is a challenge.

How the Higher Judiciary would react to this need and come up with its own jurisprudential guideline is for the future society to witness.

However we can try to highlight some of the issues that need to be sorted out immediately to avoid a blackout when the new DIA becomes operative.

The essence of Criminal Jurisprudence is the definition of a Crime, definition of a criminal and definition of justice.

Crime can be defined as “an act that is deemed by statute or by the common law to be a public wrong and is therefore punishable by the state in criminal proceedings”

Law and Justice do not always converge and experts define Justice as “A moral ideal that the law seeks to uphold in the protection of rights and punishment of wrongs.”

Many times Justice has to be an interpretation of the written law and herein lies the domain of “Jurisprudence”.

Jurisprudence has to interpret what is “Ethics” which can be considered as an extension of written law. The distinction of what is a crime in written law and what is a crime in the minds of a victim is always a tough challenge to the Judiciary.

Most of the time criticism of judiciary arises because Judiciary may stick to the law in words and ignore the law in spirit. Sometimes Judiciary goes to the other extreme and interprets law as they consider necessary, invoking principles such as the “Basic Structure of the Constitution” etc, and takes complete control of defining what is law irrespective of what is written in the statute and what the public think is ethics.

If we look at Criminal Jurisprudence in the light of emerging technologies such as Artificial Intelligence, Humanoid robots, Virtual Reality, Augmented reality etc there is a basic problem of identifying the “Actor” who has committed a Crime and the “Act” which constitutes a Crime.

The “Act” which constitutes a “Crime” is being defined in the law. For example Section 66 of ITA 2000 defines an offence punishable with 3 years of imprisonment as

“if any person dishonestly or fraudulently does any act referred to in section 43, he shall be punishable with imprisonment which may extend to three years or fine which may extend to five lakh rupees or both”

Section 43 associated with this section is a compendium of 10 subsections and commission of any of these 10 acts without the “Permission of the owner or any person who is in charge of a computer, computer system or computer network” shall be liable ….

The 10 acts represented by the subsections of Section 43 of ITA 2000 are ….

(1) accessing or securing access to such computer, computer system or computer network or computer resource

(2) downloading, copying or extracting any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium;

(3) introducing or causing to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;

(4) damaging or causing to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network;

(5) disrupting or causing disruption of any computer, computer system or computer network;

(6) denying or causing the denial of access to any person authorised to access any computer, computer system or computer network by any means;

(7) providing any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made thereunder,

(8) charging the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system, or computer network,

(9) destroying, deleting or altering any information residing in a computer resource or diminishing its value or utility or affecting it injuriously by any means

(10) stealing, concealing, destroying or altering or causing any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage,

Determining an offence under Section 66 therefore involves the interpretation of “Dishonesty” and “Maliciously acting” and also “diminishing of value of information”, “Causing injury to information” etc.

Herein lie the jurisprudential requirements to be taken into account in defining an act as a crime.

The second aspect of Cyber Crime jurisprudence is the interpretation of who is the “Person” who is responsible for the offence.

In the Artificial Intelligence scenario, an attempt is made to make a computer program so sophisticated that it appears that decisions are taken “Automatically”.

When a computer output directly comes out of an input and the process of interpretation of the program, the output follows the principle of GIGO (Garbage in Garbage out) and the programmer takes the responsibility for determining “Means of processing”. The person who provides the input is the user of the software who takes the output as the result of the Computer based automated decision and acts further on the basis of this decision.

We shall take the example of an industrial process in which a Chemical process takes into account the temperature, composition of the processed material etc and determines the time up to which the process should run to generate a required chemical process resulting in an output finished product. If the parameters of input in such a process are dishonestly altered, the process would result in a loss or may even lead to an accident and cause death or injury.

Is this a Section 66 offence? If so, who is responsible for it? Is it the programmer, or the process owner who provided the input? Or is it the fault of the sensors which gave a certain reading based on which the operator pressed a button to continue the process? What if the operator wanted to stop the process but the buttons were mis-wired so that the process was triggered instead of being stopped?

These are the issues which require Cyber Jurisprudents to resolve.

When we term certain software as “Artificial Intelligence”, either ANI (Artificial Narrow Intelligence) or even AGI (Artificial General Intelligence), it still follows instructions already in the library and hence the actions of the AI depend entirely on the owner of the library or creator of the library. Hence in such circumstances criminal jurisprudence requires the owner of the software to take the responsibility for the actions of the software and if the creator of the software has not provided the necessary disclosures, the creator (Developer) may also have back to back responsibility. This is clear even in ITA 2000 by virtue of Section 11 (Attribution of an automated activity).

When we enter the realms of “Generative AI” or ASI (Artificial Super Intelligence) where, by design the creator of the algorithm has enabled the software to hallucinate, predict and give out decisions and also learn from its own decisions and modify the next set of outputs on similar inputs, then we are looking at a system which is behaving beyond the original instructions input by the developer.

It is in such circumstances that Cyber Jurisprudence has to interpret whether even the modification of code based on the learnings are to be attributed to the original creator of the algorithm or should the AI itself be considered as a juridical person.

With the emergence of humanoid robots, at least one of which is presently acting as Chief Executive of a Company which bears health risks in its products, the consequences of malfunctioning of AI have to be determined in law. Will you put the humanoid robot acting as CEO of a company, taking a bad decision that causes death and destruction, in jail for 10 years or for life? Or will you give it a death sentence? … is the Criminal Jurisprudence challenge.

I welcome a debate on this aspect so that MeitY and MHA may take these into account during the framing of the new IPC law and DIT.

Naavi
