Guardian of Privacy is meant to be a Transformation Agent

Posted on December 18, 2023 by Vijayashankar Na

The Book, Guardians of Privacy is not another book on DPDPA 2023. It is meant to be a Transformation Agent for those who are today looking at GDPR and trying to understand DPDPA 2023 or looking at ISO 27701 and looking for compliance under DPDPA 2023.

There are a set of CIOs,CISOs or CEOs, who have not looked at the concept of Privacy serious enough to understand the obligations of being a “Data Fiduciary” and needs to go through the drill of understanding the concept of privacy and how it relates to the concept of Personal Data and the DPDPA 2023.

Law impacts on the society through not only what is written in the “Act” and extends to the interpretation provided by the Judiciary and is likely to be provided by the Judiciary. Presently the law of data protection in India is present in the form of “ITA 2000” and “DPDPA 2023”. It will get expanded when the rules are notified by the Government.

Judiciary has already spoken a lot on the concept of Privacy. Puttaswamy Judgement was a watershed moment in India declaring that Privacy is a fundamental right. It also did expand the meaning of Privacy through the individual detailed judgements which formed the “Obiter dicta”. The views expressed focussed on Privacy as a right as well as the Information Privacy which was specifically mentioned. It will take some time for Judiciary to expand on these concepts and how Information Privacy in practice need to be handled by the industry. This “Privacy Jurisprudence” will develop over time and it is the duty of experts to keep building up this Jurisprudential thoughts.

In the meantime, practitioners in the industry are looking at implementation of Information Privacy in a manner that they would remain compliant with the law. However the translation of law into implementation practice in an IT environment is a challenge to most technological people.

It is here that the title “Data Fiduciary” used in the law assumes importance. In GDPR, the comparative word used is “Data Controller”. One can control what is handed over to him to control. The GDPR therefore considers that “Personal Data” handed over to it by a Data Subject can be “Controlled” as desired by the data subject or as permitted under law.

One can recall the Privacy Standard under HIPAA which stated that “A covered entity or business associate may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter.” The law then went into the details of how the act can be implemented. Hence this law was a self contained implementation framework.

However, DPDPA 2023 as well as GDPR do not have detailed prescriptions. The operating part is defined under words such as “Reasonable”, “Necessary and Proportionate”, “Risk Based” etc. This leaves a lot of responsibility to the implementation agency.

In this respect, Indian law goes a step further than GDPR by choosing to replace the Data Controller as a Data Fiduciary. This nomenclature essentially means that “Personal Data” is a property entrusted to the Data Fiduciary who is a “Trustee” with a certain objective. A trustee is bound by the objective of trust and not necessarily by the written instructions. In view of this, even where a “Consent” is taken, if certain action is not in the interest of the beneficiary (Data Principal in this context), the Trustee (Data Fiduciary in this context) has a duty to protect the interests of the Data Principal.

In discharging this obligation, Privacy Jurisprudence may have to define what is the “Beneficial Interest” that needs to be protected.

While the Act only talks of “Reasonable Safeguards” the “Safeguards” themselves may have to be determined on the basis of “Risks” and the “Risks” depend on the “Risk” and “Risk” depends on what the law expects as “Privacy”. This takes us back to the Judicial interpretation of “Privacy” though DPDPA 2023 meticulously avoids the word.

It is in this context that the Guardians of Privacy as a book tries to identify a “Compliance Framework” in the form of Digital Governance and Protection Standard of India (DGPSI) which is an attempt to capture the requirements of how a Privacy Protection System can be put in place, can be audited and assessed.

While the book discusses the top line requirements of the standard framework in the DGPSI-Lite and DGPSI-Full versions, the consultants are expected to absorb the concepts of the framework and design their own templates for implementation.

With the three components of Law, Governance and Audit, this book is expected to be an instrument for transformation of present ISO 27001 auditors into Data Auditors and present ISMS/PIMS systems to DGPMS.

In the coming days there could be updates for the book which will be not only because of the rules to be notified but because of other developments. We shall try to keep the readers suitably informed either through a supplementary E-Book or through a new edition.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.