The Mission of Bringing Together the Data Protection Consultants into one common platform

Naavi has embarked on a major project to bring together all Data Protection Consultants into one common platform.

By “Data Protection Consultants”, I mean individuals who are capable of providing guidance to an organization in implementing Privacy- or Information Security-related compliance.

The set of such consultants also includes firms which have teams of multiple consultants, as well as divisions of some large companies which have a vertical for extending such services.

The instrument through which these consultants would interact is a techno legal platform presently identified as “Federation of Data Protection Consultants” (FDPC).

The platform will have multiple objectives.

The first objective is to bring together all consultants and consultancy organizations in the domain of Privacy, Data Protection and Information Security consultancy on one platform as a “Self-Help Group” with its own self-regulatory practices for ethical business.

The second objective is to enable the consultants to offer their services through the platform.

The third objective is to enable organizations, most of whom may be SMEs/MSMEs, to access the services of these consultants through the platform.

The platform may be considered as a “Data Protection Services Exchange”.

The platform will be managed by a “Registrar” who will maintain the technical services.

The platform will be an affiliate of FDPPI but will operate as a subcontractor.

The platform will be an “Intermediary” under ITA 2000 and act as an aggregator of services, not as the service provider itself.

The actual consultancy contract would be between the consultant and the client which will be facilitated by the platform.

In order to improve the credibility and ensure smooth service, the platform may organize secondary back up services under a separate “Contingent Service Contract”.

The process of empanelment of consultants, receiving enquiries from prospective clients, shortlisting of consultants for a given project, receiving bids, managing preliminary negotiations, as well as dispute resolution, will be provided as the platform service. In this process, principles used in Arbitration Councils, tendering processes, service aggregators etc. will all be used appropriately.

It is envisaged that the platform could emerge as a service start-up under Ujvala Consultants Private Limited, and partners for such a project are welcome.

In order to explain the concept further, Naavi conducted an open house discussion today, 11 December 2022, at 11.00 am on Zoom.

The recording of the session is here:


Naavi

Posted in Cyber Law

CBDC or E Rupee and the Data Protection Bill 2022

We are aware that RBI is implementing a pilot project to introduce the E Rupee as its CBDC. The E-Rupee or CBDC-Retail will be a tokenized version of a currency denomination. It will therefore be a digital document that is stored in a digital container, which can be a software wallet or a hardware device.

The critical part of the implementation, which we are not certain the RBI has sorted out, is the ability of the public to view the digital token, identify it as a digital currency, validate its authenticity and transfer it from one wallet to another.

As long as there is a Bank as an intermediary, the transferee can rely on the Bank to confirm the authenticity of the transaction. This happens in the virtual currency transactions today. But the RBI seems to have a need to introduce a digital currency that may or may not have an intermediary like the Bank.

The undersigned is not in favour of complete disintermediation which will enable the digital currency to be “Anonymous” since it may then be used easily like cash for corruption and holding of black wealth.

Whether RBI finally adopts an anonymous version or an identifiable version of the digital currency, the E Rupee will be ultimately an electronic information which is stored somewhere.

If it is associated with the identity of the owner, it would be “Personal Data”; if it is completely anonymous, it would be “Non-personal Data”.

There will be instances in future where an owner of a digital currency may die, leaving the digital currencies held by him in his wallet with a bank or a private sector service provider, or on his personal digital wallet device. These need to be passed on to the legal heir like any other property.

In case there is no claimant to such digital currency, it cannot be left to be used by the wallet service provider but must be surrendered to the Government.

If the digital currency is held in a bank Wallet, it can be settled just like settling a claim on the Bank accounts.

While a “Will” cannot be made in digital form, a “Will” can be made in writing for a “Digital Property”, and hence the owner may leave a written will, and the digital currency would become a property that is settled through a succession certificate or a probate.

Since it is possible that non-banking institutions may hold the digital currency, and it may even be found as an attachment to an e-mail or WhatsApp message etc., digital currency assets will be left with private parties, and in case of death of the owner, the asset may be illegally appropriated by such intermediaries.

In the DPDPB 2022, a provision has been introduced for “Nomination” of personal data, and this may apply to e-mails or WhatsApp accounts or other digital data. Legally this nomination may also include digital currencies and will be subject to the limitations imposed by Section 1(4) of ITA 2000, which requires a written will to be made for digital assets.

The recent changes made on October 4 2022, removing immovable property documents from the exceptions under Section 1(4), which we consider an ill-advised move, have also increased the financial stake in digital documents, since we may now find a property worth crores of rupees for which a digital document may exist as a sale deed or partition deed and may surface after the death of the property owner. This will be a new form of Cyber Crime which the Government has now unleashed on the public in India with the amendment of Section 1(4) of ITA 2000 and the deletion of one of the sub-clauses on immovable property.

It is possible that the DPDPB 2022 has not taken into account the huge values that may be contained in the personal data that may lie around or may be fraudulently created to commit frauds related to property.

Even if “Nomination” is considered only an authority to operate the property and not to transfer its ownership, the current provisions on “Nomination” are not robust enough to take care of the risks.

It would be necessary to ensure that DPDPB 2022 deletes the nomination feature completely and makes it an obligation on the Data Fiduciary to settle the claim on personal data, just like settling bank assets.

Alternatively, the DPDPB 2022 should make specific mention that “Nomination” does not amount to transfer of the right to the digital property, that a Will cannot be made in digital form, and that the responsibilities of the Data Fiduciary to ensure that the genuine legal heirs receive the property are not extinguished because of nomination.

Further any consent to Nomination should be suitably witnessed and not be subject to the usual “Click here” option.

We hope that MeitY takes note of this aspect when they finalize the draft of DPDPB 2022.

Naavi

Comments are welcome.


Posted in Cyber Law

The New Compliance Framework for Data Protection in India: Personal Data Protection Standard of India_v2023

Naavi and FDPPI are at the forefront of advocating “Compliance by design” as a commitment to creating a Privacy and Data Protection ecosystem in India. The logic is that it is the responsibility of the Government to define what compliance measures are required for the purpose of protecting Privacy and Data Security, and the industry should focus on putting together the technical and organizational measures to meet those compliance requirements.

In any techno-legal compliance, including compliance with data protection law, there will be a need for several interpretations of the provisions of the law. However, the companies who are the subjects of compliance, and who are Data Fiduciaries under the law, are not the best legal minds to interpret the basic concepts of law such as what Privacy is. It should be left to the Courts and the Legislature to define the legal aspects of compliance, so that the need for interpretation at the user level is low.

Hence, instead of “Privacy by Default” or “Privacy by Design”, we prefer to focus on “Compliance by Default” and “Compliance by Design”.

“Compliance by Design” in the context of the Digital Personal Data Protection Bill/Act has the objective of creating a Personal Data Protection Compliance Management System (PDPCSI). This requires compliance with Chapter II of the new DPDPB 2022, which inter alia extends to the entire Act. Some of the specific requirements which are recognized as “Obligations” of a Data Fiduciary are recorded under Section 9 of the Act.

The PDPCSI of FDPPI is designed to meet these requirements and proceeds further to make an estimate of the maturity of implementation in the form of a Data Trust Score (DTS).

PDPSI is built on 12 basic principles as “Standards” and 50 “Model Implementation Specifications” (MIS) which cover all aspects of Privacy Governance and Personal Data Security. In order to achieve the targets of Privacy Governance, the Data Fiduciary needs to have appropriate measures in place to obtain consent, provide appropriate notice, recognize the exemptions available and the deemed consent provisions that can be used, identify special provisions related to minors, handle data transfer to a processor, etc. Additionally, it addresses the need to preserve the confidentiality, integrity and availability of personal information.

PDPSI tries to provide guidance on some basic preparatory requirements such as “Classifying data”, “Recognizing the value of Data”, “Drawing up an inventory of data, processes and people”, “Conducting a Risk Assessment” etc. Additionally, some specific policies such as the “Augmented Whistle Blower Policy”, “Contract Management Policy”, “Pseudonymization Policy”, “Remote Working Policy” etc. are suggested as part of the framework.

Overall, the PDPSI framework is designed to be inclusive of all best practices under ISO 27701 or IS 17428, or what is normally considered as GDPR compliance.

The DPO practitioner’s Certification program conducted by FDPPI is geared towards imparting the knowledge and skills needed to implement, maintain and audit the Personal Data Compliance Management System (PDCMS), just as an IS professional is trained to implement an ISMS or a Data Privacy professional in the GDPR context is trained to implement a PIMS.

FDPPI has recently launched a program for enrolling Data Protection Consultants into a Federation of Data Protection Consultants (see details at www.fdpc.in). On the same website, companies who want to avail the services of consultants who can help in the implementation of Data Protection Systems can send their requests. The enrolled consultants may use the PDPSI framework if they are FDPPI certified auditors. Otherwise they may use other frameworks in which they have the necessary expertise.

FDPPI Certified auditors can not only assist in setting up and implementing the DPCMS, but also initiate a “Certifiable Audit” (conducted by different auditors who have not been involved in the implementation). These Certifiable Audits will be certified by FDPPI under a defined process, and only auditors accredited for this purpose can conduct such audits and submit them to FDPPI for approval.

Presently around 27 professionals have been fully certified for DPO status based on the earlier version, PDPB 2019. FDPPI will be updating them to the new DPDPB 2022 before renewing their Certifications.

The upgradation is part of the periodical requirement for the DPOs certified by FDPPI, so that industry will get services from professionals who are up to date with the requirements.

We invite both experienced and aspiring professionals to consider registering with FDPPI for new Certification and FDPC for providing their consultancy services.

For clarifications, if any, contact fdppi@fdppi.in or Naavi.

Naavi

Posted in Cyber Law

“Naavi” Android app is now available on Google Playstore

Naavi.org, which many users describe as the Wikimedia of Cyber Laws, is now available on the Android Play Store as a mobile app.

The download link is here.

https://play.google.com/store/apps/details?id=com.naavi.org

Download today.

Kindly note that Naavi has no relationship with Navi.co.in, navi loans etc.

Naavi

Posted in Cyber Law

Data Protection Compliance Consultancy from Ujvala in association with FDPPI

The uncertainty over the Data Protection Regulations in India is now behind us. The law in India at present is Section 43A of ITA 2000, until the DPDPB 2022 becomes an Act and is notified for implementation. The law, even if passed in February, may become operative only after one year.

However, as per the current legal environment, DPDPB 2022 will be a “Due Diligence” under ITA 2000, and hence “Section 43A of ITA 2000 plus DPDPB 2022” will be the Data Protection Law of India.

Organizations need to therefore start working on compliance based on this framework.

Ujvala has now designed a new consultancy window for corporates on implementing Data Protection Compliance programs in their respective organizations.

Cyber Law College, which is a division of Ujvala, is introducing a DPO training program to meet the current requirements.

These services would be exclusively offered through FDPPI of which Ujvala is a Patron member.

The consultancy will be a two-stage process. The first would be based on the current version of the DPDPB 2022, and the follow-up consultancy would be up to one month after the release of the first set of rules.

FDPPI has thrown open its platform to other consultants also, to offer services under the banner of FDPPI, which will be like a Federation of such organizations. Presently this is open to all supporting members of FDPPI. Others who want to associate with FDPPI may contact FDPPI.

Naavi

Posted in Cyber Law

Half Full-Half Empty syndrome

The discussions on DPDPB 2022 in professional circles have reminded us of the dilemma of the Glass-Half-Full/Half-Empty syndrome.

Those of you who followed my series of articles on “Shape of Things to Come” are aware that I myself have many expectations and probably DPDPB 2022 is far different from what I myself would have liked.

However, instead of worrying about what is not done, it is time to reflect on what can be done now. After all, a glass half full is actually full, with half water and half air. It is left to us to pour more water and make it full if that is what we want.

I therefore urge all professionals and present day critics to look at the positive aspects of the Bill and facilitate its passage.

In fact, had the Bill been as complicated as PDPB 2019 or GDPR, consultants like us would have more work to do. If it is too simple, the role of consultants would be less. If the penalty is a thousand crores, we can scare companies into investing more in compliance than when the penalty is not more than Rs 500 crores, peppered with voluntary undertaking, mediation etc.

But our commitment need not be to making ourselves indispensable as consultants. It is to make society better. If a Privacy law will make society better, we do support it. But if the Government adopts a simple law and wants to make compliance less painful, we need to welcome it.

We will give our suggestions to the Government when the public comments are submitted, which may point out many omissions. But it is not necessary to pick on any shortcomings and start criticising the Bill.

We all know that this Bill will be supplemented with the Rules and every detail which has been left out can be brought back in the rules. Some legal professionals may challenge this approach as dependency on subordinate legislation. But this will provide flexibility to the legislation and hence will be more practical.

Those critics who are objecting to the lack of clarity on the DPB’s constitution should look at how Supervisory Authorities are appointed in EU countries. Do they have the same rigorous standard that the head should be a retired Supreme Court judge only? If the DPB is made into a “Tribunal”, then who will take care of all the developmental requirements?

The DPB has to be led, therefore, by a corporate-CEO-type person. If critics force the hands of the Government by going to Court, the Government has the option of reducing the DPB to a glorified Adjudication office and taking over all aspects of governance of the law into a department of MeitY headed by a Deputy Secretary-level official.

I therefore urge those who are contemplating challenging the Bill after it is passed, or during the Parliamentary debate, to consider whether it is good for society to let this Bill pass and later try to contribute through the DPB to ensure that the rules are designed properly.

Naavi

Posted in Cyber Law