Shape of things to come-16: Should Neuro Rights be recognized in India?

(Continued from the previous article)

P.S: This series of articles is an attempt to place some issues before the Government of India which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect. 


Naavi has been discussing some aspects of Neuro Rights which are also presented through the website www.neurorights.in.

Neuro Rights are an extension of “Privacy Rights” as defined by the current generation of Privacy Activists. The Puttaswamy judgement referred to “Information Privacy” as an extension of the “Right of Privacy” to the information world. This translated into the PDPB 2018/2019 etc. The core definition of the “Right to Privacy” is, however, the “Right to be left alone”, which is a mental state of an individual that is dynamic and inconsistent, but nevertheless is a Right. It can only be exercised by the individual by stating what his “Choice” is for the collection and processing of his personally identifiable data.

Neuro technology however could change the “Free Will” or the “Choice of an individual” because it establishes direct contact with the electro-magnetic emissions that emanate from the human brain as a result of the Electro Chemical changes induced in the neurons.

This therefore needs to be recognized as a threat to the Right to Privacy, since it interferes with the exercise of the “Right to Choice of an individual”.

In the proposals so far discussed under this series, we have suggested inclusion of a definition of “Neuro Privacy” and “Neuro Data”. The suggested definitions are as follows.

  • “Neuro Privacy” means the choice of an individual to determine to what extent the individual may share his neuro space with others
  • “Neuro Data” means the electromagnetic signals that are collected from or fed into the human brain by a Brain Computer Interface in binary form.

The principles of “Informed Consent” apply to Neuro Privacy also. However, Neuro Data could be considered as “Super Sensitive Data” and consent may be made effective only on the confirmation of independent witnesses, like what a Brain Surgeon would do before undertaking brain surgery.

Consent for “Anaesthesia” (particularly total anaesthesia as different from local anaesthesia) which interferes with the nerve functions and is used in all major surgeries should be considered as an issue of neuro privacy and subjected to this form of special third party witnessed consent.

This requires a modification of the definition of “Consent” to include three types of consent namely

“General Consent”: For multiple usage scenarios including deemed consent.

“Explicit Consent”: For specific usage and identifiable consent linked to the purpose.

“Witnessed Consent”: For special usage scenarios with a third party confirmation of consent.

All three forms of consent should be legally enforceable.

GDPR defines consent under article 4(11) as follows:

‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

The current definition of “Consent” under Section 11 (2) of PDPB 2019 is

The consent of the data principal shall not be valid, unless such consent is—

(a) free, having regard to whether it complies with the standard specified under section 14 of the Indian Contract Act, 1872 (9 of 1872);
(b) informed, having regard to whether the data principal has been provided with the information required under section 7;
(c) specific, having regard to whether the data principal can determine the scope of consent in respect of the purpose of processing;
(d) clear, having regard to whether it is indicated through an affirmative action that is meaningful in a given context; and
(e) capable of being withdrawn, having regard to whether the ease of such withdrawal is comparable to the ease with which consent may be given.

Explicit Consent is defined under PDPB 2019 as

 the consent of the data principal in respect of processing of any sensitive personal data shall be explicitly obtained

(a) after informing him the purpose of, or operation in, processing which is likely to cause significant harm to the data principal;
(b) in clear terms without recourse to inference to be drawn either from conduct or context; and
(c) after giving him the choice of separately consenting to the purposes of operations in the use of different categories of sensitive personal data relevant to processing.

It is now necessary to add an additional sub-clause to define “Witnessed Consent”, which could be on the following lines.

Consent shall be obtained with the witness of two independent witnesses who are considered responsible to the interests of the individual where the purpose of consent includes a situation where the withdrawal of consent is disabled by the nature of processing.

IDPS 2022 is set to discuss this aspect. Be there to participate and contribute.

Naavi


P.S: These discussions are presently for debate and are a work in progress awaiting more inputs for further refinement. It is understood that the Government may already have a draft and may completely ignore all these recommendations. However, it is considered that these suggestions will assist in the development of “Jurisprudence” in the field of Data Governance in India and hence these discussions will continue until the Government releases its own version for further debate. Other professionals who are interested in participating in this exercise, and particularly the Research and Academic organizations, are invited to participate. Since this exercise is too complex to institutionalize, it is being presented at this stage as only the thoughts of Naavi. Views expressed here may be considered as personal views of Naavi and not that of FDPPI or any other organization that Naavi may be associated with.

Posted in Cyber Law | Leave a comment

IDPS 2022 will suggest what the New Data Protection Bill in India should be.

Laws are often created by the law makers without adequate consultation with the industry. Professionals also have the habit of not interacting with the Government before the law is made but criticising the law once it is made.

Naavi and FDPPI would like to be an exception to both these.

We would provide suggestions before the law is made and try to support compliance once the law is made.

At present we have adopted the provisions of Section 43A and the Intermediary Guidelines as part of the Personal data protection compliance requirements. The DPCSI (Data Protection Compliance Standard of India) therefore adopts the ITA 2008 compliance as the current compliance standard of India with PDPB 2019 as the “Due Diligence guideline (though withdrawn)”.

Now that the Government is considering a new Bill, the time is ripe for placing suggestions for the Government to consider and incorporate in the Bill. Once the Government brings in a Bill, and until it is passed, we will focus on the suggestions for modifications; once it is passed as an Act, we will start advocating compliance as per the Act.

The annual flagship event of FDPPI namely the Indian Data Protection Summit 2022 (IDPS 2022) is the platform with the theme “Shape of Things to Come” where we shall discuss the law as professionals would like it to be and document the suggestions at the end of the conference.

Mark the dates November 11th, 12th and 13th for this event and participate both to enhance your knowledge and to contribute to the suggestions.

Naavi


Public Comments on Data Anonymisation Guidelines

The Government of India reportedly released draft guidelines on Data Anonymisation for public comments before September 21. Public comments may be sent by email to Shubhanshu Gupta, Principal Technical Officer at CDAC: shubhanshug[at]cdac[dot]in, with a copy to the following email address when making your submission: headits[at]stqc[dot]gov[dot]in.

A PDF of the guideline can be accessed here.

This guideline will be part of the compliance requirements for Personal Data Protection since “Anonymisation” is a means of de-linking privacy risks from the personal data.

This has to be read as part of the “Reasonable Security Practices” under Section 43A of ITA 2000.

Though not mandatory, they shall be considered as part of “Due Diligence” and the DPCSI (Data Protection Compliance Standard of India) will take note of this.

We therefore feel that it is important for the public to send their comments.

According to the Medianama article, the draft guidelines have been taken out of the MeitY website since September 6th. We do not know the reasons for the taking down of the guidelines and whether it should be considered as “withdrawn”.

One immediate observation that can be made is that “Fear of Re-identification” need not be a constraint on adopting the guideline, since “Re-identification” constitutes an offence under Section 66 of ITA 2000 (Diminishing the value of information residing inside a computer). Hence it is wrong to assume that, in the absence of a Data Protection Act, the anonymisation guideline has no meaning.

It should be emphasised that “Anonymisation” is more than “De-identification” or Pseudonymization since it involves irrecoverable destruction of the mapping information between anonymised and identified data sets.

Just as any encryption or access control measure could be defeated by hackers, anonymisation may also be defeated with criminal effort. Law can only define some standards and prescribe deterrence which is available in ITA 2000 as regards Anonymisation. Hence De-anonymisation is a technology risk that should be absorbed in law.

However, in view of the importance of the guideline, it is suggested that comments can be sent as indicated above.

Naavi


For the Attention of the IT Minister

The IT Minister, Sri Ashwini Vaishnaw has called upon the experts to suggest changes to the current laws including ITA 2000.

While we do not claim to be part of the “Experts” from whom the Ministry would like to take suggestions, it is necessary to point out that it is not only now that we are placing our suggestions on the law through the series of articles under “Shape of Things to Come”; we have been doing so since 1998, when the first draft of ITA 2000 came into existence.

While detailed articles are spread across this blog over these 20 years, the following links specifically address the suggestions made earlier, some of which, if not all, are relevant even today.

We leave it to the research team supporting the ministry to go through these suggestions and incorporate them in the new draft if they find it suitable.

https://www.naavi.org/naavi_comments_itaa/index.htm

https://www.naavi.org/naavi_comments_itaa/naavi_recommendations/index.htm

https://www.naavi.org/cl_editorial_05/naavi_org_comments_sept19.htm

Digital India Act-Discussions 3-Blockchain

Digital India Act-Discussions 2-Metaverse

The Age of Neuro Rights Dawns in India

Naavi


IT Minister invites suggestions on the New Data Protection Bill

As per the report of Economic Times, the IT Minister, Sri Ashwini Vaishnaw, has sought suggestions from experts on the proposed new Data Protection Bill. The indications are that there will be three sets of laws, namely the New Data Protection Bill, the New ITA 2000 and a new law for Data Governance.

We at Naavi.org are already presenting our views on the “Shape of Things to Come” and so far 15 articles are available as per links below.

  1. Introduction
  2. Preamble
  3. Regulators
  4. Chapterization
  5. Privacy Definition
  6. Clarifications-Binary
  7. Clarifications-Privacy
  8. Definitions-Data
  9. Definitions-Roles
  10. Exemptions-Privacy
  11. Advertising
  12. Dropping of Central Regulatory authority
  13. Regulation of Monetization of Data
  14. Automated means ..
  15. Prevention of Data Laundering-Policybazaar data breach

We urge the community to add their comments to the suggestions.


ITA 2000/8 compliance is like the seat belts for the rear seats….Use them to avoid the risks…

Indians have been provided a tragic reminder that not wearing seat belts in the rear seat could make car passengers vulnerable to the risk of fatalities in case of an accident. While we express our regrets on the recent tragedy where the precious life of Mr Cyrus Mistry was taken away, and with due respects to the departed soul, we cannot but remind ourselves of the parallel in the Data Security scenario in India in terms of compliance.

For organizations trying to cover themselves against risk of regulatory backlash due to non compliance of data protection laws, GDPR Compliance was like the driver’s seat belt the need of which they were fully aware and were trying to be compliant with.

The PDPB 2019 compliance was like the front passenger seat belt about which people were aware and were trying to start using.

But just like rear seat passengers never thought it necessary to wear seatbelts since they did not perceive the risk of non compliance, Indian industry does not consider ITA 2000/8 compliance or CERT IN guidelines compliance as requirements that they should consider.

I hope they realize that sometimes non-compliance with ITA 2000/8 and CERT IN guidelines could lead to serious injuries, and start wearing the Compliance seatbelts from now on.

Naavi
