Naavi.org

(Continued from the previous article)

P.S: This series of articles is an attempt to place some issues before the Government of India which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect. 

In our previous article we discussed the desired scope of the proposed act in the form of the Preamble. The Preamble recognized the need for the law to recognize all the stake holders including the commercial business, Government, besides the individuals whose “Right to Privacy” need to be protected.

Let us now continue the discussions on fixing the ” Regulatory Structure” of the Act.

The JPC on PDPB 2019 effectively muddied the process of creation of the law by trying to merge “Protection of Non Personal Data” into the data protection law. This reflected the failure of the JPC to understand the technology of “Anonymisation” which was meant to segregate “Personal Data” from “Non Personal Data” so that different laws could address the two segments of data.

Going forward, the Government could complicate matters further by merging the exercise of updating of Information Technology Act 2000 (ITA 2000)  with the passage of the NDPAI. Further there are statements that Telecom Regulation and Non Personal Data Governance may also be combined into this same legislation.

While it is the prerogative of the Government to create a complex mesh of law that could actually render it in-effective , we shall try to identify different components of these laws as different Chapters so that some effort can be made to look at each law differently.

Currently ITA 2000 addresses both personal and non personal data in the following aspects:

a) “Legal Recognition” of electronic documents and authentication,

b) A support system for Digital Signature management

c) Legal System for addressing Contraventions leading to Civil Liabilities

d) Defining Cyber Crimes

e) Defining Cyber Security framework along with the role of CERT-IN and MeitY as the de-facto regulators

The Non Personal Data Governance regulation suggested by Kris Gopalakrishna Committee addressed the following aspects.

a) Adopting the definition of Non Personal Data as “Data” which is not personal under the PDPB 2019

b) Defining Data Business related to the processing of Non Personal Data and roles of different types of types of Non Personal Data generators and processors

b) Creating a structure for monetization of Non Personal Data and their trading

c) Creating a regulatory mechanism for governing the Act

In the process, the PDPB 2019 focussed on the following aspects.

a) Defining Personal Data

b) Prescribing norms for processing of Personal Data

c) Recognizing sub rights related to personal data processing for protection of the constitutional Right to Privacy.

d) Defining compliance measures required by the industry

e) Prescribing deterrent penalties

f) Creating a regulatory mechanism for governing the Act

Now if all these are to be combined into the same Act, we need to ensure that there is clarity for avoiding overlapping of regulations.

One of the main reasons for JPC to think of combining Non Personal Data and Personal Data into one regulation was that they did not want two centres of power in the form of two regulators. However, the role of PDPB was “Protection” while role of “Non Personal Data Governance Act” was “Commercialization of Data Business”. The two regulations required regulators with different mind sets and it was logical to have two different persons responsible for the same.

Just as in a company, the Chief Financial Officer, the Chief Marketing Officer, Chief Technology Officer has different mental attitudes and they contribute towards a balanced development of the company one with a cautious attitude, another with an aggressive attitude and yet another with an innovative outlook, the regulators of ITA 2000, PDPB 2019 and the Non Personal Data Governance need to combine together but maintain different outlooks.

If we try to bring these three different mindsets together into one regulator, then he is likely to skew towards one or the other responsibilities depending on his background and bringing harmony will be tough.

One alternative approach would be to create three sub regulators and a super regulator which if handled professionally could work.

We therefore suggest the Regulatory Framework as follows:

1. Regulator for Personal Data Governance (R-PDG)
2. Regulator for Non Personal Data Governance (R-NPDG)
3. Protection of Personal and Non Personal Data  (R-Protection)

In this model, the regulator for Personal and Non Personal data (R-Protection) would be a “Security Expert” and would not only address setting standards of Cyber Security for Non Personal Data but also the requirements of Security of Personal Data (as envisaged under Section 24 of PDPB 2019). CERT-IN can be provided this role and he can work under the Super Regulator.

The Regulator for Non Personal Data Governance is a marketing function and he would be responsible for the monetization of data which inter-alia will include the responsibility for defining the standard of anonymisation that segregates personal and Non personal data. He will be like the SEBI and regulate the “Data Exchange” and will work under the overall supervision of the Super Regulator.

This leaves the Regulator of the Personal Data which is the current function of the Data Protection Authority of India under PDPB 2019. In the new model, the primary role of this regulator would be ensuring that the “Principles of Processing of Personal Data and the Rights of Data Principles” are monitored in such a way that the “Right to Privacy” is protected in the information world. He will also work under the Super Regulator.

Currently there are some quasi judicial responsibilities which are entrusted to the “Adjudicators” both under ITA 2000 and PDPB 2019 as well as CERT IN outside the more formal judicial system of “Tribunals” which integrate with the High Court/Supreme Court system.

In the new model, it is recommended that a fourth regulatory position is created under the Super Regulator to focus on the “Adjudication ” alone. The adjudicator would adjudicate both on contraventions presently under the PDPB 2019 as well as under ITA 2000 and the emerging conflicts under the Non personal data governance. These will be set up in multiple cities and appeals go to a Tribunal with benches in different parts of the country and finally appeals landing with the High Court and thereafter the Supreme Court. The criminal justice system is left untouched and hence the  regulatory authority for criminal offences would continue to be the “Police”, the legacy judicial system.

The Super Regulator would be like the CEO in a commercial organization and would be assisted by a group of experts like a Board of Directors. This structure would replace the current system of Data Protection Authority of India with a Chairman and Six Members.

The Super Regulator would be multi member body like the CVC or CEC and supported by a Super Governance Board with appropriate checks and balances. The Super Governance Board may have even broader representation than the current Six member Data Protection Authority of India.

The structure may appear as follows.

Though the regulatory structure looks too elaborate, it would be essential for the type of complex legislation presently planned.

Next article

Naavi

[This is a continuation of the previous article in the series]

P.S: We are aware that the suggestions made in this series of articles could be completely ignored by the Government which says that it already has a draft in an advanced stage. Nevertheless, let us go through suggesting a version from our side so that Government can save time in completing its exercise. It could at least be helpful in finetuning the version of the Government.

We are also aware that Privacy law is a very complex law and it is not possible to satisfy all stake holders fully. It is for this reason that the framing of this law has remained pending for over a decade. 

The suggestions made here in are work in progress and may be modified and corrected with inputs from others. 

The stakeholders for this law are

1. Individuals whose Right to Privacy has to be protected 
2. Business Entities who process data for commercial purpose
3. Government agencies
4. Non Commercial organizations

The preamble of the Act has to capture the identity of the stake holders and the objectives of the law.

PDPB 2019 recognized the need to protect Privacy and fostering growth of digital economy. It also recorded the objectives as “Protection of digital Privacy” of individuals, facilitation of the “flow and usage of data”, protecting rights of individuals, laying down norms for social media platforms, cross border transfer, accountability of entities, remedies for unauthorised and harmful processing as well as to ensure the interest and security of the State, establish a data protection authority etc.

The Preamble needs to be reworded to properly capture the objectives of the Act without limiting the scope of the Act.

One suggested draft is as follows:

Where As, the Right to Privacy of an individual is a fundamental right of an Individual in the society, and it is the duty of the Government to protect the Right to Privacy in accordance with established international norms of countries respecting human rights,

Where As it is also the duty of the Government to effectively Govern the society  and  ensure Security of State, Security of individuals in the country, Maintain law and order as well as  harmony in the society, 

Where As for protecting the Right to Privacy  of an individual, it is necessary to protect personal data from unauthorized use causing harm to individuals,

Where As for protecting personal data of Individuals, an appropriate Data Governance mechanism is required to be established for ensuring that data is processed  in accordance with the need to protect the right to privacy of an individual without adversely affecting the the legitimate needs of Business and the Government or any other members of the society.

Be it enacted by Parliament ……

Next article

Naavi

With the withdrawal of the PDPB 2019, some parts of the industry feel relieved, some are feeling Déjà vu. Some feel that the dreaded law will never come back.

It is no doubt a disappointment and loss of momentum for those who were looking ahead to India being in the global community of nations, more than 130 of which have data protection laws in one form or the other. The EU personal data vendors will now look down on India as a lost hub for data processing and prefer to move over to Phillipines or other countries where cost efficiencies and other advantages compete with India.

While we hope that the Government may come up with an alternate draft soon, the professionals in the industry should note that there is no vacuum as far as the data protection law is concerned in India.

The PDPB 2019 was expected to repeal Section 43A of ITA 2000 which was directly comparable to PDPB 2019. Now that PDPB 2019 is no longer there, Section 43A will be more relevant as the “Data Protection Law of India”.

Additionally we need to note that Courts are continuing to recognize principles of Data Protection as was envisaged in the PDPB 2019 or those referred to in the international regulations like the GDPR and pronouncing judicial orders related to “Right to Forget” and other privacy principles which have been discussed in the body of the Puttaswamy judgement though they were not part of the final judgement in the Puttaswamy case.

For example, a recent ruling in the Karnataka High Court (WP12596/2022) an order has been issued to provide interim protection related to a “Right to Forget” application by a few respondents who were earlier acquitted in a certain case.  We have seen similar orders earlier from high courts of Odisha, Madras and Delhi.  These orders mean that judiciary already recognizes the provisions of PDPB 2019 and other data protection laws as operative under the Puttaswamy judgement. More appropriately these are considered “Due Diligence” and part of the “Reasonable Security Practice” under Section 43A and Section 79 of ITA 2000 as amended in 2008 with notification of  rules in April 2011.

Hence Section 43A of ITA 2000 qualifies to be called the current Data Protection law of India.

The enforcement agency under ITA 2000 are

a) CERT IN in respect of Data Breach Notifications and contravention of Section 70B

b) Adjudicator in respect of claim of any damages by any person for contravention of any of the provisions of the Act

c) Police for prosecution of any criminal offences under Chapter XI of the ITA 2000

Obviously, these regulatory agencies are not as powerful as the envisaged data protection authority of India (DPAI) under PDPB 2019 nor has the focus on Privacy and Data Protection like what the DPAI was expected to do.

Generally the penal provisions under ITA 2000 and invoking the power of the Adjudicator under Section 43A is accepted only when a victim who has suffered a damage approaches the authority.

However, the rules of 2003 on Adjudication provides powers to the Adjudicator for “Suo Moto” action.  Hence when there is a need any of the Adjudicators (One in each state) can take action against any person who caused damage to any other person even if the victim has not approached the Adjudicator (IT Secretary of the State or UT).

The Adjudicator can impose fines and either make payment to the identified victims or hold it in trust for them and ask them to make the claim. He can also invoke criminal investigation as may be necessary.

Similarly, the CERT IN is the agency to which any data breach has to be reported within 6 hours. CERT IN also can invoke adjudication or prosecution as it may deem fit.

Thus Between the three law enforcement agencies namely, the CERT IN, Adjudicator and the Police, both civil and criminal proceedings can be initiated under ITA 2000 for any contravention of Section 43A and/or other sections.

Organizations can thank themselves that the Adjudicators and CERT IN Director General at present have not shown any inclination for suo moto action. But the law does not bar them from realizing their powers and a sense of duty that may prompt them to take action as would a DPAI would take. In the event of non compliance not leading to a data breach, authorities may not impose a penalty but a disciplinary fine may still be a possibility.

Having therefore taking note of the presence of a “Trinity of Regulators” for Data Protection in India,  we can now focus on the details of Section 43A compliance. While looking at Section 43A compliance we may note that 43A is just one section that can be invoked under ITA 2000 when there is any contravention of law related to “Sensitive personal information”. This does not mean that the law does not address “Non Sensitive personal information” or “Non Personal Information”. ITA 2000 addresses both Personal and Non Personal Information and both Sensitive personal information and Non Sensitive personal information.

Non sensitive personal information is covered under Section 72A as a criminal offence as well as Section 43 as a Civil wrong. When Section 43 is invoked,, Section 66 also becomes relevant and can impose 3 years of imprisonment to a person who causes a data related loss. The criminal offences extend to individuals through the operation of Section 85.

Additionally Section 67C speaks of data retention, Section 69,69A,69B are related to disclosures.

If we look at the India Information Security Framework created by Naavi, the following risks are identified in non compliance of ITA 2000.

The corresponding compliance framework IISF shown below describes the compliance requirements in general.

The above compliance requirements are already integrated to the DPCSI (Data Protection Compliance Standard of India” and the DTS mechanism developed by Naavi/FDPPI.

If we carefully observe the Risk areas mentioned above, ITA 2000 goes much beyond Section 43A in imposing data protection without distinguishing between whether they are personal or non personal.

While Section 43A is restricted to Body Corporates (Which includes all non Government bodies) and imposes pre-emptive compliance measures in respect of Sensitive personal data as defined in ITA 2000, Section 43 applies where ever the value of data residing inside a computer resource is diminished. This is a pretty broad definition and covers all aspects of “Harm” that the data protection bill envisaged.

As regards compliance of Section 43A, even organizations other than Naavi, such as DSCI have come up with their own frameworks for compliance. Naavi has expanded it into a comprehensive  IISF framework and also integrated the PDPB provisions as “Due diligence” elements in the DTS assessment.

In the recent days, CERT IN has shown a tendency to start invoking its powers to some extent and if they so desire, they can be more stringent than the DPAI under PDPB 2019.

In view of the above, organizations need to avoid complacency and continue their efforts on Data Protection.

Naavi

(This is a continuation of the earlier article in which the framework of the New Data Protection Act of India -NPDAI was discussed)

We expect that soon Government will release a draft of  a “Personal Data Protection Act” in lieu of  the PDPB 2019-scrapped”.

However, we as professionals can place our suggestions before the Government and steer the discussion so that we will be assisting the drafting committee.

We shall therefore discuss the contours of this law as a “Draft of NDPAI in the making” in the coming articles starting with

1) Scope of the Act and Definitions of Privacy and other terms

2) Definition of the Protected Information and roles of different organizations

3) Principles of Personal Data Protection including grounds of processing

4) Rights of the Data Principal including children

5) Exemptions

6) Cross Border Transfer

7) Penalties, Punishments

8) Regulatory Mechanism

9) Compliance Requirements from the industry including Data Breach Notification, Audit, DPO etc

10) Miscellaneous provisions

We hope the discussions on these aspects will create a background for discussing the Bill as may be presented by the Government in due course.

Request all readers to participate in this development of a draft law as a “Draft of the Privacy and Data Protection Professionals”.

Next article

Naavi

With the Government of India withdrawing the Personal Data Protection Bill 2019  with a ministerial assurance that the new draft for a “Comprehensive Perfect”, “Digital India Act” which could replace Information Technology Act 2000, PDPB 2019 as well as “Telegraph Act”, “Crypto Currency Bill” etc., the road to a new Data Protection Regime in India is now open.

The ministers and those who are politically supporting the move have been making some illogical statements to give some logic to the decision. However, the logic presented lack conviction and the truth is that the Government has been persuaded to drop the Bill by the US based Big Tech firms and supported by their Indian counterpart namely NASSCOM.

Both Mr Ashwini Vaishnaw and Mr Rajeev Chandrashekar are now making statements which look like the explanations of Sanjay Jha or Sumant Sriraman on many of the TV debates supporting Rahul Gandhi or Partho Chatterjee. Less said about these justifications, better it is.

Excuses like high cost of compliance, the non existent data localisation, too many amendments to contend with, criticism on extra constitutional powers to Government, need to modernise etc are quoted as reasons for the withdrawal of the Bill. These are the typical statements of the political spokespersons who try to defend the indefensible.

We shall therefore ignore these comments and focus only on the new draft which they promise is almost ready to be released for public comments so that they can keep the dissenting voices shut for some more time.

Yesterday we speculated that NASSCOM and Crypto Lobby were possibly behind the move to the withdrawal of the Bill which wasted 4 years of work on the bill instead of working around the suggested amendments of the 30 member JPC. This view has now been vindicated by further reports that are emerging.

We are also seeing some crocodile tears being shed by some to say that withdrawal of the bill is a set back to the citizens and their privacy.

We must accept that different ministries of the Modi Government are slowly succumbing to the pressures of lobbies for whatever reasons that could lie behind and compromising their activities.

Naavi.org expresses its deep dissatisfaction about these developments but would as always redouble its efforts to see that we focus on what needs to be done in future rather than what mistakes have been committed in the past.

Let us therefore look at the framework of the shape of things to come…

The first task before us in the designing of the new data protection act of India (NPDPAI) is to decide whether we are looking at a “Stand alone Privacy and Data Protection Act” or an act that combines “ITA 2000”, “Non Personal Data Governance Act” and “Telegraph Act”.

Prudence indicates that “Personal Data Protection Act” has to be distinct from “Non Personal Data Governance Act”,  “Information/Cyber Security Act”, “E Commerce Act”, “Digital Signatures Act”, “Digital Data Disputes Act”, “Payment and Settlement Act”, “Communication Convergence Act” “Crypto Assets Regulation Act”, “UIADAI Act”, “Digital Copyright Act” etc.

If we try to combine all of this into a “Digital India Act”, then it will be a disaster.

We shall therefore presume that separate legislation would be required for “Privacy and Data Protection” and work on it. In case the Government opts for the Kichdi Act, the Privacy and Data Protection Act can be a chapter of the Kichdi Act.

Similarly the Non Personal Data Governance Act as envisaged under the Kris Gopalakrishna Committee could be another chapter.

Information Technology Act with its amendments combines today aspects that could have been split into Digital Contract Act, E Commerce Promotion Act, “Adjudication of Digital disputes Act” is better left out as a separate act as it deals with the basics of “Recognition of Electronic Documents”, “Definition of Digital Authentication” and “Intermediary Liability”.  However, if the Government wants to kill even this Act as it is inconvenient to the Social Media Platforms due to the recent Intermediary Guidelines and CERT-IN Guidelines, then we can look at a massive and complex law.

A Government which could not draft a simple Personal Data Protection Act (eg; Personal Data Protection Bill 2006)it would be a herculean task to design a “Comprehensive” and “Perfect” law which their utopian dream. It is possible that this is like a manifesto item in the election campaign and is only meant  to be a promise and an excuse not to make any law.

However, Naavi.org starts a discussion on the “Shape of Things to Come” through a series of articles that will follow.

Watch out this column…

Next article

Naavi

The withdrawal of the PDPB 2019 with a cryptic statement by the honourable Minister of Railways and IT, Sri Ashwini Vaishnaw indicates that India does not want to do anything which the Big Tech companies of the west does not want us to do. Our own NASSCOM is a powerful ally of the Big Tech and now the Ministry has exposed the chinks in its armour.

But we, the Indians understand through our Colonial Experience that we are comfortable as citizens of a colony whether it is geographical colony or Data Colony.

The following news item reflects how insensitive we are to the cause of Privacy and Data Protection.

There appears to be no discussion in the Parliament on why the Bill was being withdrawn though subsequently several reasons are being given.

Some of the reasons were

1. There are 81 amendments in a 99 section bill. It is therefore a total overhaul by JPC.
2. Big Tech are concerned with the Data Localization aspect of the Bill
3. Section 35 gives too much power to Government for surveillance

Though the number of amendments look large, most of it are cosmetic changes and language corrections. Basically there were 12 major recommendations only.

There was no “Data Localization” requirement and it is false to say that it was a concern. PDPB 2018 had more stringent provisions and not PDPB 2019.

Section 35 was subordinated to Article 19(2) of the constitution and did not create any Orwellian state as was alleged. “Security” of the citizens of India does require surveillance at some level and there has to be some exemptions provided to the law enforcement agencies. What may be debated is the control to ensure that there is no misuse.

Unfortunately, the Government is mortally afraid of the opposition parties and their disruption tactics in the Parliament and instead of instilling discipline in these ‘Andolan Jeevis” prefers to run away from the battle field like a coward. The developments remind us of the Mahabharata Incident of “Uttara” going to war against the Kauravas and running away from the battle field.

Independent observers feel that the Government in this instance has succumbed to the pressures from the industry led by NASSCOM and representing the interests of the big tech.

There is still a mindset among our rulers that we cannot do what the Big Tech does not want us to do. This is letting the Big Tech create “Data Colony” in India and control our future.

Mr Ravishankar Prasad was eased out of the ministry because he was too aggressive against Twitter. Now the ministry is more friendly to the industry and hence after several rounds of extensions, pretexts etc, they have withdrawn the Bill in its entirety. One should be too naïve not to understand what is going on behind the scenes.

It is easy to lose credibility and reputation and it will take several more years to regain the international credibility for India’s commitment to data protection. Those of us who interact with the data protection professionals from across the globe know that India has become a laughing stock before the world at least in the Data Protection area.

This loss of credibility cannot be regained quickly even of a modified bill is presented in the proverbial “next or next to next” Parliamentary session.

If we have to believe the sources, we can look for a “More Comprehensive” and “Perfect” law for the entire Technology domain which is contemporary and for the future generation.

Great… We all know that the Supreme Court itself has not been able to give a good definition of Privacy even in the Puttaswamy judgement and the definition of “Personal Data” itself is an enigma. The first step before the Government is therefore to find a proper definition of “Privacy” and “Data” before they can search for a “Perfect” law.

Finding a comprehensive legislation which is also perfect, to combine the Information Technology Act, the Telecom regulations and the Data protection legislation is a utopian dream which we shall now try to pursue since life without a positive dream is not worth living.

My hunch is that there is a conspiracy of the industry  which has effectively taken over the decision making in the IT ministry. This industry lobby is capable of taking day to day decisions in the IT ministry. Whether it is the NASSCOM or GOOGLE, FACEBOOK or JIO, we donot know and probably we will never know. But it is clear that there exists a force that is driving the Government into taking decisions which are prima facie illogical.

I personally believe that the Crypto Lobby which has become part of the “Meta” lobby today is behind the financing of this Big Tech influencing of our politicians. We have not forgotten that this lobby had compromised the Judiciary already and rendered RBI to an impotent regulator some time back. The Finance ministry has always been subjugated to the interests of the Crypto lobby which even tried to influence the JPC into adding some recommendations in favour of the use of Crypto Currencies in international transactions though this was completely out of scope of the JPC’s frame of reference.

Otherwise, it would not have been necessary to withdraw the Bill which had already been presented, gone through 78 sittings of JPC, 184 hours and 20 minutes of deliberations. The same bill could have been refined further if required and could have been made more “Contemporaneous” to accommodate whatever was the dream of the Ministry. If we can change the title of the Bill itself through an amendment, it would have been possible to change the preamble also and convert the DPA 2021 or DPA 2022 into a “Comprehensive, Perfect Digital Act which regulated the entire universe of technology”.

Despite the disillusionment that surrounds us, for some more time however, we continue to keep our faith in Mr Narendra Damodar Das Modi as an individual to ensure that vested interests donot succeed in their lobbying in converting India into a “Data Colony” in the year of Amrit Mahotsav of our 75 years of independence.

But Mr Modi needs to understand the power of digital black money which in the coming days will rule the world more than the US dollars. It appears that he is today ignoring this threat and letting the Crypto lobbies to have a free rein first in the Finance Ministry and now apparently in the IT Ministry.

May God give strength to Modi to extend the struggle of independence to the Digital World.

Naavi

Copy of the JPC report in full

Dissent Notes filed for JPC Report