Innovate for Compliance… not how to beat Compliance

Now that the DPDPA 2023 is on the verge of being implemented, the industry is discussing how to be “DPDPA Compliant”. While discussing the draft rules with the professional community, I often get a feeling that the industry experts are looking forward to a checklist from MeitY on what to do, not so much to do what is prescribed but to do what is not prohibited from being done.

We have often heard the view that what is “Lawful” is what is “Not prohibited by Law”. This may be technically correct, and even the Supreme Court may uphold the view. But morally and ethically, the correct approach is not to interpret what is lawful by searching for what is not prohibited by law, but to implement the spirit of the law in its true sense.

The DPDPA rightly classifies the industry into “Data Fiduciaries” and others, and it is the collective responsibility of Data Fiduciaries to ensure that the DPDPA is implemented in letter and spirit. Being a “Fiduciary” of the data principal and not a “Controller” of the personal data, Data Fiduciaries are legally bound to process personal data only in a manner that protects the rights of the Data Principal. The spirit of the law is to protect the “Right to Privacy”, which is translated for practical purposes into the four rights under Chapter III and the 10 obligations under Chapter II of the DPDPA 2023.

In interpreting the law, therefore, companies can be innovative, but they should not apply their creativity to finding ways of bypassing it.

It is for this reason that we are wary of MeitY adding too many prescriptions to the law through the rules. Each prescription may be analysed by unscrupulous entities for the loopholes it opens up.

The less the detailing, the fewer the opportunities for loopholes.

We therefore believe that the Rules should not be prescriptive and detailed, and should restrict themselves to the “required clarity” derived from the “Principle based law”.

It should be considered that “Due Diligence” by the “Data Fiduciary” is the only road to compliance.

Naavi

Posted in Cyber Law | Leave a comment

Declare DPB as a Protected System under ITA 2000

The Data Protection Board under DPDPA is likely to be a very important Government office and symbolically represents “Data Security” in India.

As a result, it is likely to be a target of attack by hackers with an anti-India agenda.

It is therefore necessary to ensure that the DPB website is well protected and, at the same time, declared a protected system under ITA 2000.

DPB should also not use any data storage outside India, even in the cloud offerings of Amazon or Microsoft.

With such a declaration, any attempt to enter the site without authorization becomes a crime punishable with 10 years' imprisonment, and CERT IN becomes responsible for its security.

A similar declaration should also be made in respect of “Consent Managers” if they are provided “Visibility” of the data exchanged.

Naavi


Timeline for DPDPA Implementation

The draft rules on DPDPA suggest that the rules related to the setting up of the Search Committee for selecting the Chairman and members of the DPB, and the rules related to the terms of appointment of the DPB Chairman, Members and employees, will become effective immediately. However, the draft rules are silent on when the other provisions of the Act will become effective.

In our interactions with the industry, we have noticed that it is still complacent and expects unlimited time to be available for compliance. This perception needs to be changed by the Government setting a target timeline for itself through the rules.

We therefore recommend that Rule 1 be expanded to include the following.

a) The DPB shall be formed within 3 months of this notification and commence its operational website within 4 months of the notification.

b) Provisions related to Registration of Consent Managers shall commence as soon as the DPB becomes operational.

c) Compliance requirements such as Consent, Data Breach Notification and Restrictions on transfer of data outside India (where applicable) shall be required within 9 months of the notification.

d) Penalties under Section 33 shall be effective after one year from notification. (DPB may use its discretion to use the provision of voluntary undertaking to grant time where it is considered necessary).

e) Section 44 of DPDPA 2023 shall be effective along with Section 33 (so that Section 43A of ITA 2000 (Information Technology Act, 2000) is replaced only after the penalty clauses under DPDPA 2023 become effective).

f) Provisions of Section 10(2)(a) [DPO] may be made effective within 9 months of the date of notification.

g) All other residual requirements under the Act shall be deemed applicable at the end of one year from notification.

h) Non-Corporate Data Fiduciaries and those who fall under the category of SME/MSME shall be provided an additional time of 6 months over and above the time given to other entities for each of the different provisions.

Your comments are welcome.

Naavi


Data Protection Board (DPB) …DPDPA Rules

Under the proposed draft rules, the DPB consists of a Chairman and several members to be appointed by two Search Committees which will be set up after the notification of the Draft Rules. One Committee will select the Chairman and the other the Members.

We do not know at this point of time how many members the DPB would have. We also do not know whether the search committees will complete their task quickly so that the DPB becomes operational soon.

In order to spur the next level of compliance, the DPB needs to come into action.

In this context, the following recommendations are placed before the MeitY.

a) The minimum number of members (excluding the Chairman) shall be six and the maximum shall be twenty.

b) DPB shall commence its operation with the minimum number of members and MeitY shall review the requirement of the DPB once in a year and increase the number of members as required.

c) The Search Committee may function for one year at a time and shall review the functioning of the DPB annually and submit a report to MeitY before a new Search Committee is set up for the following year.

d) The respective Search Committee shall be responsible for evaluating any complaints received against the Chairman/Members or observations recorded during the monitoring of the activities of the DPB and recommend disqualification if required.

e) The Search Committee shall meet each quarter or as often as otherwise required to review the activities of the DPB and recommend corrective action if necessary.

f) The external members of the search committee may be paid remuneration as may be determined by the Ministry for the services rendered including sitting fees for meetings.

g) The external members of the Search Committee shall retire each year and shall not be eligible for re-appointment for a continuous second term.

We also hope that the DPB will be operative within the next 3 months.

Naavi


National Personal Data Archive…Is it impossible to secure?

While deliberating on the DPDPA rules, I have been suggesting that the Government needs to set up a “National Personal Data Archive”, so that “unclaimed personal data” and “personal data under dispute” may be shifted out of the custody of the Data Fiduciary and can be retrieved later if required, subject to an appropriate legal process.

One of the prime benefits of this system arises when a data fiduciary has completed the process for which the data was collected but the consent cannot be renewed after DPDPA 2023 becomes effective, either because contact cannot be established with the data principal, or the data principal cannot be properly identified, or the transfer back is legally disputed for some reason. In such cases the data fiduciary can relinquish custody of the data instead of carrying a dead burden which it can neither use nor delete.

When I discuss this proposition with experts, many have expressed distrust of a Government machinery having control of such data, because it can be misused for surveillance. Though the Government will have the power to call for any information for National Security purposes, which includes a certain basic level of surveillance, the fear that the data may be misused by a corrupt system cannot be ruled out.

We may, however, discuss separately whether it is safer to leave the data with a private sector data fiduciary who no longer requires it for processing but would like to hold onto it under some excuse, than to transfer it to the sovereign state, which in any case is the owner of all unclaimed property.

For the time being, we may discuss and elicit the views of experts on whether there is really no way that a database of the personal data of citizens can be kept secure against misuse.

In the past, we have discussed the concept of “Regulated Anonymity”. With the advent of DPDPA 2023, every manager of a personal data store is also a data fiduciary with its own responsibilities, and this applies equally to a Government-managed national archive of personal data. The central idea of the suggestion was “Distributed Ownership of Custody” of a database.

This concept has been well developed in the ICANN system for both Internet governance and the administration of the DNS root servers (the DNSSEC root key, for instance, is operated through key ceremonies that require several independent trusted community representatives to be present before the key can be used).

Refer: https://www.cloudflare.com/en-gb/learning/dns/dnssec/how-dnssec-works/

A similar system can be managed to secure this National Archive of Personal Data. This system requires

a) Strong Encryption of Data at rest

b) Distributed key control with an administration team

c) Administration team to consist of non-Government persons

d) Some of the members of the administrative team to be elected by digitally identified Netizens through a democratic process.
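The list above states the security model only at the level of principles. The following added example (not code from the original post, nor ICANN's actual key ceremony tooling) shows how “distributed key control” can be realised with Shamir's threshold secret sharing: the archive is assumed to be encrypted at rest under one key-encryption key, which is split 3-of-5 among the administration team so that no single custodian, Government or otherwise, can decrypt alone; the sample key is constructed for the demo.

```python
import secrets

# Field prime for the shares: the Mersenne prime 2^521 - 1, large enough to
# hold a 256-bit archive key-encryption key as a single field element.
PRIME = 2**521 - 1

def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial (lowest-degree coefficient first) mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result

def split_key(key: bytes, threshold: int, holders: int):
    """Split `key` into `holders` shares; any `threshold` of them rebuild it.

    Each custodian (a member of the administration team) keeps one (x, y) share.
    Fewer than `threshold` shares reveal nothing about the key.
    """
    if not 1 < threshold <= holders:
        raise ValueError("need 1 < threshold <= holders")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key does not fit in the field")
    # Constant term is the secret; the other threshold-1 coefficients are random.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, holders + 1)]

def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the given shares; returns a field element."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share indices")
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret

def recover_key(shares, key_len: int) -> bytes:
    """Rebuild the key bytes from at least `threshold` custodian shares."""
    return recover_secret(shares).to_bytes(key_len, "big")

if __name__ == "__main__":
    demo_key = secrets.token_bytes(32)  # constructed sample key, not a real one
    demo_shares = split_key(demo_key, threshold=3, holders=5)
    assert recover_key([demo_shares[0], demo_shares[2], demo_shares[4]], 32) == demo_key
    print("3 of 5 custodians rebuilt the archive key")
```

With only two shares the interpolation yields an unrelated field element, which is the property that makes a single corrupt custodian (or a single seized share) useless on its own.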

I want experts to debate the creation of such a secure database and put pressure on the Government to introduce the National Personal Data Archive.

Naavi


DPDPA Rules… Data Breach Notification

Rule 7 of the draft DPDPA Rules prescribes that on becoming aware of any “Personal Data Breach”, the Data Fiduciary shall, to the best of its knowledge, intimate the information of the breach to each affected Data Principal. Similarly, the DPB shall be informed without delay, and more details of the breach shall be provided within 72 hours.

It is necessary to recognize that there are cases of false alarms, and incidents such as whistle-blowing reports which, if confirmed, may become breaches but could also turn out to be false.

Hence the report to be submitted immediately should be termed “Provisional”. The confirmed report filed within 72 hours may be called the “Personal Data Breach Report”.

Further, some “Personal Data Breaches”, as defined under DPDPA 2023, may involve infringement of Data Principal rights but not exfiltration or “loss” of personal data from the custody of the data fiduciary (e.g. when data access is compromised within the organization from one employee to another).

These are not as harmful as data breaches involving exfiltration or modification of data.

This has to be factored into the definition of “Personal Data Breach”.

Hence there is a need to recognize three categories of personal data breaches, namely:

1. Provisional Data Breach
2. Personal Data Breach not resulting in exfiltration or modification of data
3. Personal Data Breach resulting in exfiltration or modification of data

The rules should treat these differently.

It is necessary to recognize that every personal data breach involving loss or damage to data creates a liability under Section 43 of ITA 2000 and is also a data breach reportable under CERT IN guidelines, even after the repeal of Section 43A.

There should be a process where the DPB and CERT IN act in harmony in dealing with the Personal Data Breach report. Since CERT IN has the infrastructure to provide technical guidance on remediation, there is no need to duplicate the effort at DPB. Regulatory investigation of a technical nature, if required, should be left to CERT IN and adopted by DPB. For this purpose, a “DPB-CERT IN Data Breach Investigation Policy” should be created by MeitY, which may specify that the ITA 2000 Compliance Manager and the DPDPA Compliance Manager designated by MeitY shall jointly resolve Personal Data Breach related conflicts, if any, between CERT IN and DPB.

Alternatively, changes should be notified under ITA 2000 stating that CERT IN would refrain from investigating cases which are taken up for investigation by the DPB under DPDPA 2023. This would, however, require additional technical investigation capabilities to be built up by DPB.

There is a need to recognize that DPB would be more interested in identifying non-compliance with the law which may affect the rights of the data principal, and hence would like to track even those personal data breaches which do not result in exfiltration of data causing irreversible damage to the data principal. On the other hand, CERT IN is more interested in the prevention of cyber crimes and hence focuses on data breaches involving exfiltration of personal data.

Hence there is a need for a simultaneous change in the CERT IN rules related to data breaches while these rules are being notified.

Additionally, there is a need to build a knowledge base of Data Breaches occurring in India so that DPB is aware of how the industry is addressing the issue. Hence, under the powers of Section 36, MeitY may gather information on data breaches that have already occurred, though no penalties may be imposed for them.

In view of the above, the following suggestions are made.

1. A Provisional Personal Data Breach shall be reported only to DPB, immediately on becoming aware of it. A confirmed data breach involving exfiltration or modification of personal data shall be reported to the data principal as soon as the data fiduciary becomes aware of the “Confirmed Data Breach”.
2. All Data Breaches recorded since 11th August 2023 may be reported to DPB under the powers of Section 36 of DPDPA 2023.
3. A detailed report, within 72 hours or as extended, shall be submitted to the DPB as proposed.
4. A notification on the website of the Data Fiduciary of the report sent to DPB should be mandatory.

A link to the detailed report should be sent to the Data Principals through e-mail or SMS where available.
