IDPS 2022 will suggest what the New Data Protection Bill in India should be.

Laws are often created by the law makers without adequate consultation with the industry. Professionals also have the habit of not interacting with the Government before the law is made but criticise the law once it is made.

Naavi and FDPPI would like to be an exception to both these.

We would provide suggestions before the law is made and try to support compliance once the law is made.

At present we have adopted the provisions of Section 43A and the Intermediary Guidelines as part of the Personal Data Protection compliance requirements. The DPCSI (Data Protection Compliance Standard of India) therefore adopts ITA 2008 compliance as the current compliance standard of India, with PDPB 2019 as the “Due Diligence guideline (though withdrawn)”.

Now that the Government is considering a new Bill, the time is ripe for placing suggestions for the Government to consider and incorporate in the Bill. Once the Government brings in a Bill, until it is passed we will focus on suggestions for modifications, and once it is passed as an Act we will start advocating compliance as per the Act.

The annual flagship event of FDPPI namely the Indian Data Protection Summit 2022 (IDPS 2022) is the platform with the theme “Shape of Things to Come” where we shall discuss the law as professionals would like it to be and document the suggestions at the end of the conference.

Mark the dates November 11th, 12th and 13th for this event and participate, both to enhance your knowledge and to contribute to the suggestions.

Naavi


Public Comments on Data Anonymisation Guidelines

The Government of India reportedly released draft guidelines on Data Anonymisation for public comments before September 21. Public comments may be sent by email to Shubhanshu Gupta, Principal Technical Officer at CDAC: shubhanshug[at]cdac[dot]in, with a copy to the following email address when making your submission: headits[at]stqc[dot]gov[dot]in.

A PDF of the guideline can be accessed here.

This guideline will be part of the compliance requirements for Personal Data Protection since “Anonymisation” is a means of de-linking privacy risks from the personal data.

This has to be read as part of the “Reasonable Security Practices” under Section 43A of ITA 2000.

Though not mandatory, they shall be considered as part of “Due Diligence” and the DPCSI (Data Protection Compliance Standard of India) will take note of this.

We therefore feel that it is important for the public to send their comments.

According to the Medianama article, the draft guidelines have been taken off the MeitY website since September 6th. We do not know the reasons for taking down the guidelines, or whether they should be considered “withdrawn”.

One immediate observation that can be made is that “Fear of Re-identification” need not be a constraint to adopting the guideline, since “Re-identification” constitutes an offence under Section 66 of ITA 2000 (diminishing the value of information residing inside a computer); hence it is wrong to assume that, in the absence of a Data Protection Act, the anonymisation guideline has no meaning.

It should be emphasised that “Anonymisation” is more than “De-identification” or “Pseudonymisation”, since it involves irrecoverable destruction of the mapping information between the anonymised and the identified data sets.

Just as any encryption or access control measure could be defeated by hackers, anonymisation may also be defeated with criminal effort. Law can only define some standards and prescribe deterrence which is available in ITA 2000 as regards Anonymisation. Hence De-anonymisation is a technology risk that should be absorbed in law.
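To make the distinction in the two paragraphs above concrete, here is an added Python illustration (not from the original post, and not any guideline's reference method): a keyed token whose mapping is retained is pseudonymisation, which any holder of the mapping can reverse; dropping the identifier, generalising quasi-identifiers and keeping no mapping at all is anonymisation. The last helper measures the smallest group size over quasi-identifiers, the usual first check of how much "criminal effort" re-identification would need. The sample records and the key are constructed.

```python
import hashlib
import hmac

# Constructed sample records (not real data): one direct identifier (name)
# plus quasi-identifiers (PIN code, date of birth) and a policy attribute.
RECORDS = [
    {"name": "A. Kumar", "pin": "560001", "dob": "1984-03-12", "policy": "health"},
    {"name": "B. Rao",   "pin": "560034", "dob": "1987-11-02", "policy": "motor"},
    {"name": "C. Mehta", "pin": "560012", "dob": "1991-06-30", "policy": "health"},
    {"name": "D. Singh", "pin": "560078", "dob": "1995-01-19", "policy": "term"},
]
DEMO_KEY = b"constructed-demo-key"  # in practice a secret held by the fiduciary


def pseudonymise(records, key):
    """Replace the name with a keyed token. The token->name mapping is kept,
    so the output is still personal data for whoever holds the mapping."""
    mapping, out = {}, []
    for r in records:
        token = hmac.new(key, r["name"].encode(), hashlib.sha256).hexdigest()[:16]
        mapping[token] = r["name"]
        out.append({"id": token, **{k: v for k, v in r.items() if k != "name"}})
    return out, mapping


def relink(pseudo_records, mapping):
    """Restore identities from the retained mapping: pseudonymisation is reversible."""
    return [{**r, "name": mapping[r["id"]]} for r in pseudo_records]


def anonymise(records):
    """Drop the direct identifier, generalise the quasi-identifiers (PIN prefix,
    birth decade) and create no mapping, so there is nothing to destroy later."""
    return [
        {"pin": r["pin"][:3] + "XXX", "birth_decade": r["dob"][:3] + "0s", "policy": r["policy"]}
        for r in records
    ]


def min_group_size(records, quasi):
    """Smallest number of records sharing one combination of quasi-identifier
    values (the k of k-anonymity). A value of 1 means a record is unique and
    can be singled out by anyone who knows those attributes."""
    counts = {}
    for r in records:
        key = tuple(r[q] for q in quasi)
        counts[key] = counts.get(key, 0) + 1
    return min(counts.values())
```

Run `min_group_size(RECORDS, ("pin", "dob"))` on the raw records and on `anonymise(RECORDS)` with `("pin", "birth_decade")` to see the group size rise from 1 to 2 after generalisation.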

However, in view of the importance of the guideline, it is suggested that comments can be sent as indicated above.

Naavi


For the Attention of the IT Minister

The IT Minister, Sri Ashwini Vaishnaw has called upon the experts to suggest changes to the current laws including ITA 2000.

While we do not claim to be part of the “Experts” from whom the Ministry would like to take suggestions, it is necessary to point out that it is not only now that we are placing our suggestions on the law through the series of articles under “Shape of Things to Come”; we have been doing so since 1998, when the first draft of ITA 2000 came into existence.

While detailed articles are spread across this blog over these 20 years, the following links specifically address the suggestions made earlier, some if not all of which are relevant even today.

We leave it to the research team supporting the ministry to go through these suggestions and incorporate them in the new draft if they find it suitable.

https://www.naavi.org/naavi_comments_itaa/index.htm

https://www.naavi.org/naavi_comments_itaa/naavi_recommendations/index.htm

https://www.naavi.org/cl_editorial_05/naavi_org_comments_sept19.htm

Digital India Act-Discussions 3-Blockchain

Digital India Act-Discussions 2-Metaverse

The Age of Neuro Rights Dawns in India

Naavi


IT Minister invites suggestions on the New Data Protection Bill

As per the report of the Economic Times, IT Minister Sri Ashwini Vaishnaw has sought suggestions from experts on the proposed new Data Protection Bill. The indications are that there will be three sets of laws, namely the new Data Protection Bill, the new ITA 2000 and a new law for Data Governance.

We at Naavi.org are already presenting our views on the “Shape of Things to Come” and so far 15 articles are available as per links below.

1. Introduction
2. Preamble
3. Regulators
4. Chapterization
5. Privacy Definition
6. Clarifications-Binary
7. Clarifications-Privacy
8. Definitions-Data
9. Definitions-Roles
10. Exemptions-Privacy
11. Advertising
12. Dropping of Central Regulatory authority
13. Regulation of Monetization of Data
14. Automated means ..
15. Prevention of Data Laundering-Policybazaar data breach

We urge the community to add their comments to the suggestions.


ITA 2000/8 compliance is like the seat belts for the rear seats… Use them to avoid the risks…

Indians have been provided a tragic reminder that car passengers not wearing seat-belts in the rear seat could make them vulnerable to the risk of fatalities in case of an accident. While we express our regrets on the recent tragedy where the precious life of Mr Cyrus Mistry was taken away, and with due respects to the departed soul, we cannot but remind ourselves of the parallel in the Data Security scenario in India in terms of compliance.

For organizations trying to cover themselves against the risk of regulatory backlash due to non-compliance with data protection laws, GDPR compliance was like the driver’s seat belt, the need for which they were fully aware of and were trying to comply with.

The PDPB 2019 compliance was like the front passenger seat belt about which people were aware and were trying to start using.

But just like rear seat passengers never thought it necessary to wear seatbelts, since they did not perceive the risk of non-compliance, Indian industry does not consider ITA 2000/8 compliance or CERT-IN guidelines compliance as requirements that they should consider.

I hope they realize that sometimes non-compliance with ITA 2000/8 and the CERT-IN guidelines could lead to serious injuries, and start wearing the compliance seatbelts from now on.

Naavi


Policy Bazaar data breach… Implications for the New Data Protection Act-NPDAI-15: Shape of Things to Come

P.S: This series of articles is an attempt to place some issues before the Government of India, which promises to bring a new Data Protection Law that is futuristic, comprehensive and perfect.

In our continued discussion on “The Shape of Things to Come”, we have so far discussed the following.

1. Introduction
2. Preamble
3. Regulators
4. Chapterization
5. Privacy Definition
6. Clarifications-Binary
7. Clarifications-Privacy
8. Definitions-Data
9. Definitions-Roles
10. Exemptions-Privacy
11. Advertising
12. Dropping of Central Regulatory authority
13. Regulation of Monetization of Data
14. Automated means ..

We now proceed further…
Naavi.org has speculated many times that the opposition to the passage of Data Protection legislation in India comes mainly from those companies which are interested in “Data Laundering”. They are afraid that if the law comes in, they will find it difficult to continue their present practice of transferring data abroad for their commercial benefit.

This opposition is:

a) Against Data Localization or even keeping a copy locally

b) Ensuring absence of malware in data processing devices and software

c) Maintaining KYC of subscribers to VPN kind of services

The Policybazaar data breach, as reported at the420.in, highlights why all the above three requirements have national security implications.

The Policybazaar data breach is reported to have exposed the data of 50 million customers, and the data involved includes sensitive and super-sensitive data.

Some of the data exposed include:

– customers’ photo, full name, date of birth, complete residential address, email address, mobile number, credit report, PAN number, policy details including nominee details, family members’ policy details, bank account statements, income tax returns, passport, immigration visa, records of country entry and exit, Aadhaar card (both sides), driving licence, health records, payslips

– sensitive details of defence personnel who are Policybazaar customers

– copies of customers’ past policy documents

– copies of customers’ birth certificates

– copies of customers’ vehicle registration certificates

In the case of defence personnel, the data breach may include data of the following kind:

– Details of which specific branch of Indian defense forces someone is in like Indian Army, Navy, Air force, and even specifics if someone is in one of the Indian special forces like SPG, Black Cat commando, CoBRA, Anti Terrorist Squad.

– Current rank and designation in that defense force

– Current location of posting (which is very confidential many times)

– Details if someone is engaged in any hazardous activities, e.g. aviation, diving, parachuting, bomb disposal or special service groups, and length of service in those roles.

– Specific nature of role

– Details if someone in Indian defense is currently serving in or is under orders to proceed to any troubled area, or around border areas of India

– Details if someone handles weapons or explosives. If yes, details of such weapons and explosives.

It is needless to say that the data breach has a national security angle, particularly since the company is funded by Chinese investors and this information is of interest to the Chinese Government.

We had earlier pointed out the “Data Laundering” arising out of the acquisition of CIBIL by TransUnion. The present data breach in Policybazaar is another instance where data laundering might have occurred through a deliberate back door. We have also pointed out earlier the China risk in the telecom sector, Manchurian chips in POS machines, motherboards from China, etc.

It is now time to check whether this Policybazaar data breach is also a case of Data Laundering. If “Data” is money, “Data Laundering” is also “Money Laundering”. We need stringent provisions in our Data Protection law to prevent such occurrences and to take stringent action if such incidents take place.

In the light of the new Data Protection Act being designed, the incident indicates that the following provisions should be considered.

a) The provision for data processing devices and software to carry an assurance certificate that they do not contain any malware (refer Section 49(2)(o) of PDPB 2019) should not be withdrawn, as demanded by some Big Tech companies.

b) The estimated value of the data assets of an organization being acquired in a process of merger or acquisition must be disclosed to the authorities, including the DPA.

c) While the processing of personal data during mergers and acquisitions may be exempt from consent as provided under Section 14 of PDPB 2019 (now withdrawn), continuation of the processing by the merged entity must require a notification to the data principal and an option to opt out.

d) Failure to inform the data principals of the transfer of beneficial ownership of the Data Fiduciary to a new entity must be considered as an attempt for Data Laundering and it should be one of the criminal offences that should be recognized under the Act.

Naavi


P.S: These discussions are presently for debate and are a work in progress awaiting more inputs for further refinement. It is understood that the Government may already have a draft and may completely ignore all these recommendations. However, it is considered that these suggestions will assist in the development of “Jurisprudence” in the field of Data Governance in India, and hence these discussions will continue until the Government releases its own version for further debate. Other professionals who are interested in participating in this exercise, and particularly Research and Academic organizations, are invited to participate. Since this exercise is too complex to institutionalize, it is being presented at this stage only as the thoughts of Naavi. Views expressed here may be considered the personal views of Naavi and not those of FDPPI or any other organization that Naavi may be associated with.
