Naavi.org

The first thing one noticed in GDPR when it was implemented in 2018 was the fear it induced in the Data Controllers about the “Penalty” which could go upto 4% of global turnover or Euro 20 million. Since then there have been hundreds of penalties above Euro 20 million on the basis of the turnover.

The biggest GDPR fine is  Euro 746 million imposed by Luxemberg authority on Amazon, followed by 405 million euros on Meta imposed by Ireland authority and 225 million euros imposed on WhatsApp,. There are at least 9 more penalties above Euro 20 million on organizations including Marriot International, British Airwars, Enel Energia, TIM, H & M online shop, and Google.

Not all these fines are based on actual data breaches causing loss to the community. They may be related to non compliance of various issues such as general data processing principles, insufficient legal basis for processing etc.

These fines have left a bitter taste in the mouth of these agencies which have made them distrust all such regulations including the Indian proposals in the past.

There is no doubt that this “Fear” induced some awareness about the law but the feeling that many supervisory authorities were perhaps raising revenue through the penalties to fund their existence rather than enabling the community for  better compliance.

We must appreciate that the Indian DPDPB 2022 has taken a different approach.

Firstly it has pegged the penalty at Rs 500 crores per instance. At the same time it has provided a “Voluntary Undertaking  system” which if accepted can close any penalty proceedings.

DPB may also suggest mediation to resolve the issues before it imposes the penalty.

It has also mandated that any inquiry will not prevent access to any premises or take into custody any equipment or any item that may adversely affect the day-to-day functioning of a person.

To cap it all Section 25 of DPDPB 2022 states that while determining the penalty, the Board will take into account the likely impact of the imposition of the financial penalty on the person.

This is the most humane feature in any penalty system that we can expect. This means that SMEs and MSMEs need not fear that they would be forced to shut shop on one instance of data breach since penalty would be proportionate also to the capacity of the organization to bear. On the other hand, the GDPR approach would shut down most SME/MSMEs and only allow Big Tech companies to be able to bear the brunt of data breach fines.

Let us appreciate this approach that recognizes that if the Data Fiduciaries seize to exist, there will be no data business and hence they cannot be eliminated with a threat of elimination.

May be this soft attitude could dent  the business of many of us who are professionals advising “Compliance” and providing “Consultancy” and “Audit” services. But ultimately we should all support a fair system that does not try to drive compliance by fear. Persuasion and appreciation of the benefit of the society should be the guiding factor for imposing penalties and perhaps that suggestion is available in the draft Bill.

Naavi

The provision in DPDPB 2022 regarding restrictions on Data Transfer outside India has evoked interesting reactions.

While some are rejoicing that Data Localization has been given a go by, some are stating that this is unacceptable to many countries such as the EU countries who may not consider the provisions of DPDPB 2022 as “Adequate” from their standards.

The entire discussions on Data Localization has been dismissed with a short section which states as follows:

17. Transfer of personal data outside India

The Central Government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may transfer personal data, in accordance with such terms and conditions as may be specified.

To be fair, the last word on how this provision will roll out after the rules are framed is not known. Given the general approach of India taking independent stand on many international decisions, I would be surprised if India surrenders to the EU in terms of accepting their conditions for transfer into India while forgoing the export of data from India to other countries.

At present, India is predominantly a Data Importing country and hence it may not matter much if other countries are not ready to take Indian data for processing in their countries.

The Bill however has correctly distinguished that Data Imported to India is data of foreign data principals and most of them come through a contractual processing channel where the Indian company will be only a “Data Processor” and there will be a Data Controller abroad. There could be a few Indian MNCs who may be an exception to this rule who may have data of foreign data principals processed in India.

The Bill however provides an exception to Indian Data Processors through Section 18 (1)(d) similar to the erstwhile Section 37 of PDPB 2019.

There is a view that this may not be acceptable to EU due to the Schrems Judgement which insisted that the importing country should provide an opportunity to the EU data subjects to exercise their rights against the Indian Data Processor leaving the EU based Data Controller. This judgement also frowned on the law enforcement agencies of the data importing country and its Government having access to the data even in times of exigencies.

The demand of the Schrems Judgement which later became part of the Standard Contractual Clauses are basically ultra vires the laws of the data importing country. Presently the SCC leaves it to the Data Controller to evaluate the laws of the destinationn country and take necessary steps to comply with the Schrems Judgment expectations.

Even if Indian companies would like to sign on the dotted line for their business, it is unlikely that the Indian law enforcement agencies would accept a situation where their demand for access to data is sought to be stone-walled by the Data Importer because of his contract with the Data Exporter.

However, there is a possibility that through this section, India may provide an innovative option to the Data Exporting countries to be able to remain in compliance with Schrems Judgement and also with the Indian law by drafting suitable conditions for mutual personal data transfer.

With such an instrument, India may be able to convince a group of countries in South East Asia and perhaps countries outside the EU control to form a “Data Union” of countries who will accept Indian leadership.

As a result this Section holds a key for working towards a global leadership of like minded countries where the regulations will be similar to what India proposes.

Instead of toeing the line of EU and surrendering its sovereignty, India may therefore opt to use this as an opportunity to get the globe turn to Indian solution the same way the US attempts on India not importing oil from Russia was effectively avoided  by India.

Naavi

In PDPB 2019 (Now withdrawn) there were two sections namely Section 18 and Section 20 which spoke of Right to Correction and Erasure and Right to Forget

In the New DPDPB 2022,

Section 13 states as follows:

Right to correction and erasure of personal data

(1) A Data Principal shall have the right to correction and erasure of her personal data, in accordance with the applicable laws and in such manner as may be prescribed.

(2) A Data Fiduciary shall, upon receiving a request for such correction and erasure from a Data Principal:

(a) correct a Data Principal’s inaccurate or misleading personal data;

(b) complete a Data Principal’s incomplete personal data;

(c) update a Data Principal’s personal data;

(d) erase the personal data of a Data Principal that is no longer necessary for the purpose for which it was processed unless retention is necessary for a legal purpose.

It can be observed that section 13 of  DPDPB 2022  is closely aligned to Section 18 of PDPB 2019.

PDPB made a distinction between “Erasure” and “Stopping disclosure” and associated Right to be forgotten with stopping of disclosure. Though it used the term “Processing” along with “Disclosure” it could be interpreted as “Processing Associated with Disclosure” where as processing associated with Section 18 was related to the purpose for which the information was collected.

In the GDPR however, Article 17 was titled Right to erasure (right to be forgotten) as if the two are same.

Now with DPDPB 2022 using only one section on “Erasure” a doubt does occur whether the definition of erasure should include the “Right to be forgotten” or not.

In the PDPB 2019, Right to be forgotten was dependent on a review by the Adjudicator and the Data Fiduciary was not permitted to implement the right to be forgotten without an intervention of a Judicial authority.

Some of the Court cases in which the “Right to be forgotten” was applied  in India were cases where published judicial verdicts carried the names of accused who were later exonerated and claimed that their names should be removed from published judgement information found in websites like IndiaKanoon.com etc. and the search engines. It could not be said that the Courts wanted the names to be erased from the primary Judgement copy itself which could still carry the identity. If one picked up a Certified Copy and processed it for an appeal, it was perhaps acceptable to use the identification in the Certified Copy.

Both the law and the Court interpretation related to “Disclosure” being different from “Processing” for a given purpose.

Now whether the DPDPB 2022 has to be interpreted with reference to the jurisprudence arising from the Indian Context or from the EU Context is a matter which may pose some difficulty to establish at this point of time. The Courts may have the last word on this unless the rules provide the necessary clarification.

If possible the Government can resolve this problem by adding an explanation to Section 18 as follows.

Explanation: Right to erasure under this section is subject to the Rights of retention and disclosure under any other law for the time being.

Naavi

(This is a continuation of the previous article)

As per the ITA 2000, every website of an Indian Company must have information about a compliance officer and a grievance redressal officer. If the Company is collecting personal information, they also need o appoint a Data Protection Officer.

CERT In is responsible for monitoring this compliance.

I would like to bring to the notice of CERT In that L G Electronics which owns the Smart TV service in India has suddenly caused Denial of Service by demanding a mandatory acceptance of terms of service which have no relation to the purpose for which the TV service is offered. Also the Company as a hardware manufacturer does not justify the need for acceptance of certain terms such as Advertising over content that belongs to OTT players.

The Company at present does not provide copies of policies in easily comprehensible language and is therefore in violation of normal principles of Personal Data Collection.

I request the Director CERT In to conduct a suitable enquiry and prevent this strange practice of a hardware manufacturer forcing the users to accept terms which were not part of the sale agreement.

I also request appropriate persons in the Company to clarify on the matter through e-mail.

Since the contact information of relevant persons are not available on the website, I am forced to send this notice through this channel.

Naavi

From Today, L G Electronics has introduced a new provision for access to the Smart TV feature requiring acceptance of 5 different agreements including the Terms of Service, Privacy Policy, Viewing Information Agreement, Voice Information and Interest based advertisement agreement.

Without accepting the agreement the part of the service related to access to apps are not available. hence it is causing denial of access to part of the service and this agreement is being imposed now though the TV was sold without this agreement.

Further the agreements are only available in Hindi and English after scrolling down. It is not convenient to read and accept the agreement as presented. Also there is no option to seek the information in  other languages as provided in the latest draft bill on Digital Personal Data Protection Bill 2022.

I am flagging this issue here so that at the appropriate time this can be addressed by the Data Protection Board.

A request has been sent to serviceindia@lge.com  to send me copies of  the agreement so that it can be studied further and whether the provision of advertisements in the content can be imposed by the hardware supplier.

This appears to be some thing like Microsoft displaying its advertisements when  you are using a Windows Computer. Some of the provisions included in the policies are not necessary for the provision of the services and are extraneous. There is also no option to opt out.

This needs further study by Privacy experts and the Ministry of Information and Broadcasting and Ministry of Information Technology.

Naavi

Reference

Washington post article

Digital Personal Data Protection Bill 2022 (DPDPB 2022) provides the following rights to the data principals namely

1.Right to Access

2.Right to Correction and erasure

3.Right to Grievance Redressal

4.Right to Nominate

There is no specific mention about the “Right to Compensation” as was available under section 62 of the earlier Bill.

Does this mean that the Data principal has no right to seek compensation?

It is possible that at the next stage Government may add “Right to Seek Compensation” as another right associated with the “Grievance Redressal” since the  harm as defined under the Act do recognize the financial gain or loss.

It is also possible to achieve a similar effect by adding a definition of “Grievance”  as any perceived harm caused to the data principal in the course of the processing of the personal data of the individual.

Since “Causation of significant loss” loss is one of the harms recognized despite the use of the word “Significant” causing its own problems, the data principle aggrieved by the breach of DPDP provisions can raise a grievance for being compensated.

However one may also take a view that the  passage of DPDPB 2022 into an act only takes down Section 43A of ITA 2000. However, the provisions of Section 43 of ITA 2000 still remains. Under Section 43, compensation can be claimed for any contravention of ITA 2000 and harm caused in a Data Breach situation can also be considered as a contravention of ITA 2000 under one of the provisions of Section 43. With this there may be a possibility of invoking ITA 2000 for compensation of the data principal as an additional remedy.

Naavi