The New Compliance Framework for Data Protection in India: Personal Data Protection Standard of India_v2023

Naavi and FDPPI are in the forefront of advocating “Compliance by Design” as a commitment to creating a Privacy and Data Protection ecosystem in India. The logic is that it is the responsibility of the Government to define what compliance measures are required for the purpose of protecting Privacy and Data Security, and the industry should focus on putting together Technical and Organizational measures to meet those compliance requirements.

In any techno-legal compliance, including compliance with data protection law, there will be a need for several interpretations of the provisions of the law. However, it is considered that the companies who are the subjects of compliance, and who are Data Fiduciaries under the law, are not the best legal minds to interpret basic concepts of law such as what Privacy is. That should be left to the Courts and the Legislature, which define the legal aspects of compliance so that the need for interpretation at the user level is low.

Hence, instead of “Privacy by Default” or “Privacy by Design”, we prefer to focus on “Compliance by Default” and “Compliance by Design”.

“Compliance by Design” in the context of the Digital Personal Data Protection Bill/Act has the objective of creating a Personal Data Protection Compliance Management System (PDPCSI). This requires compliance with Chapter II of the new DPDPB 2022, which inter alia extends to the entire Act. Some of the specific requirements which are recognized as “Obligations” of a Data Fiduciary are recorded under Section 9 of the Act.

The PDPCSI of FDPPI is designed to meet these requirements and proceed further to make an estimate of the maturity of implementation in the form of Data Trust Score (DTS).

PDPSI is built on 12 basic principles as “Standards” and 50 “Model Implementation Specifications” (MIS) which cover all aspects of Privacy Governance and Personal Data Security. In order to achieve the targets of Privacy Governance, the Data Fiduciary needs to have appropriate measures in place to obtain consent, provide appropriate notice, recognize the exemptions available and the deemed consent provisions that can be used, and identify special provisions related to minors, data transfer to a processor, etc. Additionally, it addresses the need to preserve the confidentiality, integrity and availability of personal information.

PDPSI tries to provide guidance on some basic preparatory requirements such as “Classifying data”, “Recognizing the value of Data”, “Drawing up an inventory of data, processes and people”, “Conducting a Risk Assessment”, etc. Additionally, some specific policies such as the “Augmented Whistle Blower Policy”, “Contract Management Policy”, “Pseudonymization Policy”, “Remote Working Policy”, etc. are suggested as part of the framework.

Overall, the PDPSI framework is designed to be inclusive of all best practices under ISO 27701 or IS 17428, or what is normally considered GDPR compliance.

The DPO practitioner’s Certification program conducted by FDPPI is geared towards imparting the knowledge and skills needed to implement, maintain and audit the Personal Data Compliance Management System (PDCMS), just as an IS professional is trained to implement an ISMS or a Data Privacy professional in the GDPR context is trained to implement a PIMS.

FDPPI has recently launched a program for enrolling Data Protection Consultants into a Federation of Data Protection Consultants (see details at www.fdpc.in). On the same website, companies who want to avail the services of consultants who can help in the implementation of Data Protection Systems can send their requests. The enrolled consultants may use the PDPSI framework if they are FDPPI certified auditors. Otherwise they may use other frameworks in which they have the necessary expertise.

FDPPI Certified auditors can not only assist in setting up and implementing the DPCMS, but can also initiate a “Certifiable Audit” (conducted by different auditors who have not been involved in the implementation). These Certifiable Audits will be certified by FDPPI under a defined process, and only auditors accredited for this purpose can conduct and submit such audits to FDPPI for approval.

Presently around 27 professionals have been fully certified for DPO status based on the earlier version, PDPB 2019. FDPPI will be updating them to the new DPDPB 2022 before renewing their Certifications.

The upgradation is part of the periodical requirement for DPOs certified by FDPPI, so that industry will get services from professionals who are up to date with the requirements.

We invite both experienced and aspiring professionals to consider registering with FDPPI for new Certification and FDPC for providing their consultancy services.

For clarifications, if any, contact fdppi@fdppi.in or Naavi.

Naavi

Posted in Cyber Law

“Naavi” Android app is now available on Google Playstore

Naavi.org, which many users describe as the Wikimedia of Cyber Laws, is now available on the Android Play Store as a mobile app.

The download link is here.

https://play.google.com/store/apps/details?id=com.naavi.org

Download today.

Kindly note that Naavi has no relationship with Navi.co.in, navi loans etc.

Naavi


Data Protection Compliance Consultancy from Ujvala in association with FDPPI

The uncertainty over the Data Protection Regulations in India is now behind us. The law in India at present is Section 43A of ITA 2000, until the DPDPB 2022 becomes an Act and is notified for implementation. The law, even if passed in February, may become operative only after one year.

However, in the current legal environment, DPDPB 2022 will be a “Due Diligence” under ITA 2000, and hence “Section 43A of ITA 2000 plus DPDPB 2022” will be the Data Protection Law of India.

Organizations therefore need to start working on compliance based on this framework.

Ujvala has now designed a new consultancy window for corporates on implementing Data Protection Compliance programs in their respective organizations.

Cyber Law College, which is a division of Ujvala, is introducing a DPO training program to meet the current requirements.

These services would be exclusively offered through FDPPI of which Ujvala is a Patron member.

The consultancy will be a two-stage process. The first stage would be based on the current version of DPDPB 2022, and the follow-up consultancy would extend up to one month after the release of the first set of rules.

FDPPI has thrown open its platform to other consultants also, to offer services under the banner of FDPPI, which will function like a Federation of such organizations. Presently this is open to all supporting members of FDPPI. Others who want to associate with FDPPI may contact FDPPI.

Naavi


Half Full-Half Empty syndrome

The discussions on DPDPB 2022 in professional circles have reminded us of the dilemma of the Glass-Half-Full-Half-Empty syndrome.

Those of you who followed my series of articles on “Shape of Things to Come” are aware that I myself have many expectations and probably DPDPB 2022 is far different from what I myself would have liked.

However, instead of worrying about what has not been done, it is time to reflect on what can be done now. After all, a glass half full is actually full, with half water and half air. It is left to us to pour in more water and make it full, if that is what we want.

I therefore urge all professionals and present day critics to look at the positive aspects of the Bill and facilitate its passage.

In fact, had the Bill been as complicated as PDPB 2019 or GDPR, consultants like us would have more work to do. If it is too simple, the role of consultants would be smaller. If the penalty is a thousand crores, we can scare companies into investing more in compliance than when the penalty is not more than Rs 500 crores, peppered with Voluntary Undertaking, Mediation etc.

But our commitment need not be to making ourselves indispensable as consultants. It is to make society better. If a Privacy law will make society better, we do support it. But if the Government adopts a simple law and wants to make compliance less painful, we need to welcome it.

We will give our suggestions to the Government when public comments are submitted, which may point out many omissions. But it is not necessary to pick on any shortcoming and start criticising the Bill.

We all know that this Bill will be supplemented with the Rules, and every detail which has been left out can be brought back in the Rules. Some legal professionals may challenge this approach as dependency on subordinate legislation. But this will provide flexibility to the legislation and hence will be more practical.

Those critics who are objecting to the lack of clarity about the constitution of the DPB should look at how Supervisory Authorities are appointed in EU countries. Do they have the same rigorous standard that the head should be a retired Supreme Court judge only? If the DPB is made into a “Tribunal”, then who will take care of all the developmental requirements?

The DPB therefore has to be led by a Corporate CEO type of person. If critics force the hands of the Government by going to the Court, the Government has the option of reducing the DPB to a glorified Adjudication office and taking over all aspects of governance of the law into a department of MeitY headed by a Deputy Secretary level official.

I therefore urge those who are contemplating challenging the Bill after it is passed, or during the Parliamentary debate, to consider whether it is good for society to let this Bill pass and later try to contribute through the DPB to ensure that the Rules are designed properly.

Naavi


Humane Penalty System under DPDPB 2022

The first thing one noticed in GDPR when it was implemented in 2018 was the fear it induced in Data Controllers about the “Penalty”, which could go up to 4% of global turnover or Euro 20 million. Since then there have been hundreds of penalties above Euro 20 million on the basis of turnover.

The biggest GDPR fine is Euro 746 million imposed by the Luxembourg authority on Amazon, followed by 405 million euros imposed on Meta by the Irish authority and 225 million euros imposed on WhatsApp. There are at least 9 more penalties above Euro 20 million on organizations including Marriott International, British Airways, Enel Energia, TIM, the H&M online shop, and Google.

Not all these fines are based on actual data breaches causing loss to the community. They may be related to non-compliance on various issues such as general data processing principles, insufficient legal basis for processing, etc.

These fines have left a bitter taste in the mouths of these agencies, which has made them distrust all such regulations, including the Indian proposals in the past.

There is no doubt that this “Fear” induced some awareness about the law, but there was also a feeling that many supervisory authorities were perhaps raising revenue through penalties to fund their existence rather than enabling the community to comply better.

We must appreciate that the Indian DPDPB 2022 has taken a different approach.

Firstly, it has pegged the penalty at Rs 500 crores per instance. At the same time, it has provided a “Voluntary Undertaking” system which, if accepted, can close any penalty proceedings.

The DPB may also suggest mediation to resolve the issues before it imposes the penalty.

It has also mandated that no inquiry will prevent access to any premises, or take into custody any equipment or any item, in a way that may adversely affect the day-to-day functioning of a person.

To cap it all, Section 25 of DPDPB 2022 states that while determining the penalty, the Board will take into account the likely impact of the imposition of the financial penalty on the person.

This is the most humane feature in any penalty system that we can expect. This means that SMEs and MSMEs need not fear that they would be forced to shut shop over one instance of data breach, since the penalty would also be proportionate to the capacity of the organization to bear it. On the other hand, the GDPR approach would shut down most SMEs/MSMEs and only allow Big Tech companies to bear the brunt of data breach fines.

Let us appreciate this approach, which recognizes that if Data Fiduciaries cease to exist there will be no data business, and hence they cannot be threatened with elimination.

Maybe this soft attitude could dent the business of many of us who are professionals advising on “Compliance” and providing “Consultancy” and “Audit” services. But ultimately we should all support a fair system that does not try to drive compliance by fear. Persuasion and appreciation of the benefit to society should be the guiding factors for imposing penalties, and perhaps that suggestion is available in the draft Bill.

Naavi


India Could be a Regional Leader in getting together “Like Minded Countries” as “Trusted Countries” for Cross Border Transfer

The provision in DPDPB 2022 regarding restrictions on Data Transfer outside India has evoked interesting reactions.

While some are rejoicing that Data Localization has been given a go-by, others are stating that this is unacceptable to many countries, such as the EU countries, who may not consider the provisions of DPDPB 2022 “Adequate” by their standards.

The entire discussion on Data Localization has been dismissed with a short section, which states as follows:

17. Transfer of personal data outside India

The Central Government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may transfer personal data, in accordance with such terms and conditions as may be specified.

To be fair, the last word on how this provision will roll out after the rules are framed is not known. Given the general approach of India taking an independent stand on many international decisions, I would be surprised if India surrenders to the EU in terms of accepting their conditions for transfer into India while forgoing the export of data from India to other countries.

At present, India is predominantly a Data Importing country, and hence it may not matter much if other countries are not ready to take Indian data for processing in their countries.

The Bill, however, has correctly distinguished that Data Imported to India is data of foreign data principals, and most of it comes through a contractual processing channel where the Indian company will be only a “Data Processor” and there will be a Data Controller abroad. There could be a few Indian MNCs who are an exception to this rule, who may have data of foreign data principals processed in India.

The Bill, however, provides an exception to Indian Data Processors through Section 18(1)(d), similar to the erstwhile Section 37 of PDPB 2019.

There is a view that this may not be acceptable to the EU due to the Schrems Judgement, which insisted that the importing country should provide an opportunity for EU data subjects to exercise their rights against the Indian Data Processor, leaving the EU-based Data Controller. This judgement also frowned on the law enforcement agencies of the data importing country and its Government having access to the data, even in times of exigency.

The demands of the Schrems Judgement, which later became part of the Standard Contractual Clauses, are basically ultra vires the laws of the data importing country. Presently the SCC leaves it to the Data Controller to evaluate the laws of the destination country and take the necessary steps to comply with the expectations of the Schrems Judgment.

Even if Indian companies would like to sign on the dotted line for their business, it is unlikely that Indian law enforcement agencies would accept a situation where their demand for access to data is sought to be stonewalled by the Data Importer because of its contract with the Data Exporter.

However, there is a possibility that through this section India may provide an innovative option to the Data Exporting countries to remain in compliance with the Schrems Judgement and also with Indian law, by drafting suitable conditions for mutual personal data transfer.

With such an instrument, India may be able to convince a group of countries in South East Asia, and perhaps countries outside EU control, to form a “Data Union” of countries who will accept Indian leadership.

As a result, this Section holds a key to working towards global leadership of like-minded countries where the regulations will be similar to what India proposes.

Instead of toeing the line of the EU and surrendering its sovereignty, India may therefore opt to use this as an opportunity to get the globe to turn to an Indian solution, the same way the US attempts to stop India from importing oil from Russia were effectively avoided by India.

Naavi
