Tamil Nadu first off the block on State Data Policy

The Government of India recently issued a draft India Data Accessibility and Use Policy for public comments. The policy documents are available here.

Draft Policy | Background Note. A copy of the feedback on the policy is available here.

The India Data Accessibility Policy was meant for Central Government Ministries and public sector bodies, and it was suggested that the States could adopt similar policies.

It is creditable that Tamil Nadu has been the first State Government off the block with its own Data Policy. It has been issued as a Gazette Notification, not as a draft for public comments.

Copy of the Tamil Nadu Data Policy

It appears that this TN policy has been drafted with the guiding principle of “Data For Public Good”, based on the National Data Sharing and Accessibility Policy 2012 (NDSAP 2012) of the Government of India. The recent policy of the Central Government was developed under a slightly modified objective which took into account the Kris Gopalakrishna Committee report and the Data Protection Bill 2021. Some of the changes observed in the Central Government policy may therefore not be present in the TN State policy. It will probably be modified as and when necessary to accommodate those changes.

The Tamil Nadu Data Policy (TNDP) is built on 13 key principles, such as:

Openness,
Privacy, Ethics and Equity,
Flexibility,
Transparency,
Legal Conformity,
IPR protection,
Interoperability and Standards,
Quality,
Security,
Accountability and formal responsibility,
Sustainability and Usability

The policy would be applicable to all the public authorities under the RTI Act within the State of Tamil Nadu.

The policy classifies data into four categories, namely personally identifiable information, sensitive personal data, anonymised data and aggregated data. Some of the information could be made automatically available on the Open Data Portal of the Government.

The State is expected to adopt a mix of federated and centralized data storage systems. The TN e-Governance Agency (TNeGA) will be the nodal agency to monitor the policy. A State-level Empowered Data Governance Committee chaired by the Chief Secretary will provide the strategic guidance. The CEO, TNeGA will be the State’s Chief Data Officer (CDO), and there will be a Data Inter-Departmental Committee to take operational-level decisions.

Monetization of data is also mentioned, and it would be interesting to see how the Government approaches Data Valuation.

We need to appreciate the efforts of the TN Government for having come out with such a policy well before other States. We now need to wait and see how the policy will be implemented.

Naavi


Compliance Perspectives of DPA 2021: Seminar at Chennai

FDPPI in association with Madras Management Association and other partner organizations will be conducting an offline seminar in Chennai on April 23, 2022.

The theme of the seminar is “DPA 2021-Compliance perspective”.

There is a campaign in the media that the JPC-modified version of PDPB 2019 needs to be re-drafted.

The first set of objections was centered around:

“Government has too much powers under Section 35 of the Act”.

The second was on the “Restrictions on Data Transfer” under Sections 33/34 of the Act.

Now a third set of objections, centering around “Difficulties to Start Ups” and “Compliance Cost”, has been raised.

The net objective of all these objections is to lobby the Government so that the current weak set of laws continues and tech companies like Twitter, Meta and Google can continue their Data Exploits in India without accountability.

FDPPI, however, believes that compliance with the data protection regulation is in the interest of the community, and even if there is some disruption in the operations of the data user organizations, that is not a reason to defer the law indefinitely.

In order not to let the industry slip into complacency, thinking that the data protection law will not be introduced in India, FDPPI would like to present the “Compliance Perspective” so that responsible companies start working towards compliance without being under too much stress.

On April 23rd, over a day-long seminar in Chennai, FDPPI along with its partner organizations will discuss the DPA 2021 from the perspective of companies who would like to work towards compliance.

Watch out for more details.

Naavi


We always had it… Maybe you did not know

Some people in the industry think that DPA 2021 is a compliance burden and that pressure needs to be brought on the Government to delay the passing of the bill.

Unfortunately they are mistaken.

DPA 2021 is already with us in the form of “Due Diligence” and “Reasonable Security Practice” under Section 43A of Information Technology Act 2000.

Courts in Odisha, Delhi and Chennai, in some of their decisions last year, have quoted from the PDPB 2019 to decide on some issues of Privacy. If Courts have taken cognizance of PDPB 2019, it means that the current version of PDPB 2019, which is DPA 2021, is already on the radar of the Courts as the required data protection practice in India.

The absence of an implementing agency or a regulator like the Data Protection Authority of India may be a relief. But the powers given under ITA 2000 (Sec 46) to the Adjudicators include the power to impose a reasonable penalty on a suo moto basis for “Data Breach”, and hence the possibility of penalties is already hanging over the heads of those who think there is no data protection law in India.

It is like Amazon Pay… It is already there, and most do not know it.

Come, let us discuss the Compliance View of DPA 2021 at the seminar in Chennai on April 23, 2022.

Contact FDPPI for more details.

Naavi


Compliance and not Complacency is the Choice of Wise Men

Business leaders are often confronted with a dilemma: should I make a move now, or should I wait? Should I lead, or should I follow?

Indian industry is flying on the wings of technology, and data is driving the business. Data, however, is the new commodity at the centre of a new regulatory mechanism called the Data Protection Act 2021.

It is natural for organizations to be uncomfortable with any new regulation, and more so when the regulation requires a re-structuring of some of the existing business architecture.

But there are certain regulations which are global norms and are inevitable. They can be delayed but not avoided. The Data Protection Regulation is one such legislation, which is likely to arrive soon in the industry environment.

This is a regulation that carries a penalty risk of 4% of our turnover for non-compliance. We can only ignore it at our peril.

So, irrespective of the media campaign against the immediate introduction of the bill (DPB 2021) in Parliament, industries need to look for ways to build the path towards compliance.

Come, let us discuss the Compliance View of DPA 2021 at the seminar in Chennai on April 23, 2022.

Contact FDPPI for more details.

Naavi


Digital Forensics in the Privacy Dominated world

Digital Forensics is the art and science of discovering information. We often use this term in relation to a situation where we need to find information which is not clearly visible in the ordinary course of a transaction. The key aspect of “Forensics” is that the information discovered through the process has to be acceptable to an independent third party leading the investigation or judicial process. Hence the information discovered through a forensic process needs to be capable of serving as “Evidence” in a judicial process.

A discovery that does not lead to “Acceptable Evidence” is of limited use. In the investigation of a crime, Police often extract statements from the accused which are used for further investigation but are not admissible as evidence at the time of trial. However, a statement made before a magistrate may be acceptable as “Admissible Evidence” at the time of trial. Similarly, a technical extraction of information could loosely be called “Forensic Discovery”, but for it to be respected as “Forensic Discovery” it needs to be acceptable as “Evidence”.

How a piece of information becomes acceptable as “Evidence” is a matter determined by the “Law of the Land”. What is accepted as evidence in Courts in the USA may not be acceptable as evidence in a Court in India. Similarly, what is accepted in a Civil Court may not be accepted in a Criminal Court. What is accepted in a departmental enquiry, a Family Court or an Arbitration may not be acceptable in another forum.

Thus, a Forensic investigator needs to always keep in mind the objective of his forensic activity and ensure that the end result of his effort becomes useful as a “Forensic Evidence”.

Sometimes an investigator may acquire information through means which are not straightforward, or which may involve deception or even illegal methodology. In such cases, the Courts may hold different views both on the admissibility of the evidence in the first place and on the liability of the investigator who has used unethical or illegal methods of acquiring the evidence.

In the case of Digital Forensics in India, there are two specific laws that the forensic investigator needs to take note of to ensure that his work is admissible as evidence in a Court without dispute and does not create a reverse charge of illegality.

First is the more familiar requirement of a Certificate under Section 65B of the Indian Evidence Act 1872, as amended by the Information Technology Act 2000 effective from 17th October 2000. According to this 20-year-old law, the forensic investigator presenting a report about information in electronic form has to provide an appropriate description of the process through which the evidence was obtained and the tools or devices used for observation, along with his signature and certain warranties that the presented material (say, in a printout) is a faithful copy of what he observed, that the computer used was working in a proper condition, etc. As regards the legality of the forensic investigation, the investigator is required to hold an authorization from the person who owns the device in which the observation was made. In this context it is immaterial who owns the data residing inside the computer resource, as long as permission is obtained from the person in charge of the device.

In case the owner of the data is different from the owner of the device and suffers damage on account of the activity of the forensic investigator, he may make a claim for compensation from the investigator; the investigator, however, may be indemnified from that liability if he holds a proper authorization. The vicarious liability for the damage, if any, falls on the device owner, unless the investigator has exceeded the authority given to him by the device owner as regards what data he can observe and whether any collateral damage is properly indemnified.

In the coming days, another important law of the country is likely to have a significant impact on the activities of a forensic investigator and is expected to add further complication to the above situation. This is the “Data Protection Act of India”, which is presently in the form of a Bill (DPB 2021) in Parliament and is expected to be passed in February 2022.

The DPB 2021 is a law designed to protect the Right to Privacy of an individual, which is recognized as a fundamental right of the citizens of India under Article 21 of the Constitution, subject to reasonable exceptions as enumerated in Article 19(2). A decision to this effect was given by a Nine Member bench of the Supreme Court of India in its verdict of 24th August 2017 in the now well-known case referred to as Justice K S Puttaswamy Vs Union of India.

This Act applies to “Personal Information” in most of its scope, but has one provision regarding the need to disclose a data breach even of “Non-Personal Information”.

The organization which has control over the personal data of an individual and determines the purpose and means of its usage is called the “Data Fiduciary” under the Act and is expected to take care of the right of privacy of the individual to whom the personal information relates. The Act also recognizes that a Data Fiduciary may engage the services of a “Data Processor” under a contractual arrangement, to whom the personal data may be entrusted for further processing. Such a Data Processor will be bound to follow the contractual obligations and, to some extent, also the provisions of the law during processing.

The Act has provisions to impose hefty fines of up to 4% of the total worldwide turnover of an organization in case of any failure of the Data Fiduciary to comply with any of the provisions of the law. Some of the provisions also apply to the Data Processor, who may also be liable for penalties. If an organization projects itself as a “Forensic Company”, then the expectation is that the company has its own tools and methods of investigation (considered as “Processing” under the DPB 2021) and the contract with the Data Fiduciary cannot specify the complete details of how the process is to be undertaken. In such circumstances the forensic company may take on the role of a “Joint Data Fiduciary” and cannot rely entirely on the contractual document with the Data Fiduciary, even if it has a clause indemnifying the investigator from any consequential liabilities.

In the case of an individual forensic investigator, if he is using his own tools and methods of investigation, which is often the case, he would also be considered a “Joint Data Fiduciary”.

In view of the above, forensic professionals need to be fully aware of the liabilities that may arise in the course of their professional activity, prepare themselves for compliance like a “Data Fiduciary”, and ensure that the contract with the company appointing them as a forensic investigator is comprehensive and sufficient to protect the interests of the investigating company as well as its investigators.

It may be noted that the essence of “Privacy” is keeping information “Confidential” and not disclosing it except as “Permitted by law” or as “Consented” to by the data principal to whom the personal information belongs. On the other hand, the essence of “Forensic investigation” is to “dig for truth”. Often the investigator does not know what will come forth from his investigation. Most of the time a successful forensic investigator will dig up information that not only unravels the truth behind the transaction which he is appointed to investigate, but also information which is not related to the designated investigation, and many times information belonging to other persons. Some of this may reveal what could be considered misdemeanours or even cognizable offences.

In such a situation, the investigator would come under ethical and legal scrutiny as to whether he is obligated to keep the information confidential to himself, reveal it to his employers, or reveal it to the company whose information is being investigated. Even if he wants to keep the information confidential, he needs to decide how to archive the information and keep it secure, so that it does not leak out from his custody unintentionally.

The Information Technology Act 2000 already prescribes both civil and criminal penalties for acts that contravene the Act. Though Courts do accept evidence as a revelation of truth even when it is obtained illegally, the person who provides the evidence may not automatically be protected from the legal liabilities arising out of the illegal collection of that evidence.

Journalists often engage in “Sting” operations which may not be legal and may even involve “Unauthorised access to information amounting to hacking”; they normally try to claim immunity because they do the sting operation in the “Public Interest” and in the course of their journalistic activities. In the case of forensic investigators, there may or may not be “Public Interest” in the primary investigation, and whether there is public interest in the disclosure or non-disclosure of information unearthed during the investigation is left to the wisdom of the investigator. The investigator may have to exercise his mature judgement on whether the information has to be disclosed and, if so, to whom. If the disclosure is inappropriate, it could damage the reputation of innocent persons and cause harm that could lead to penalties under the DPB 2021 besides ITA 2000.

The harm recognized under DPB 2021 is more complex than under ITA 2000, and without a proper understanding of the law an investigator would be endangering his profession if he does not ensure that both the “Contract” and the “Conduct” are well within the legal boundaries.

DPB 2021 does provide certain exemptions whereby an organization may undertake fraud investigations or information security related activities involving the processing of personal data without the specific consent of the data principal. Similarly, law enforcement and the Judiciary may enjoy some exemptions. Further, public interest and medical emergencies may also be exempt from consent.

Where the processing of personal information is not covered by the exemptions, the investigator needs to be ready to face the liabilities, either directly or under the shield of an effective indemnity built into the contract.

Since this subject is new, and “Consent” for “information that a data principal or the data fiduciary does not know exists” is not clearly addressed in law, the professional forensic investigator needs to arm himself with sufficient knowledge of data protection law and develop a proper methodology to address the compliance requirements.

Foundation of Data Protection Professionals in India (FDPPI), an organisation that leads the data protection related activities in India and is led by the author, has developed a standard called “Data Protection Compliance Standard of India” (DPCSI), in which an attempt is made to suggest some methodologies for compliance by forensic investigating organizations. This is a pioneering effort on a global scale and also includes the evaluation of an organization for its maturity in implementing data protection measures, in the form of a “Data Trust Score”. Forensic investigators need to equip themselves with the DPCSI framework, which is applicable not only to the Data Fiduciaries being investigated but also to the investigator himself in setting up his own systems and practices.

Thus the advent of the new legislation in the form of DPB 2021 will make a significant change to the activities and operations of a forensic investigator and a professional forensic investigating agency. To preserve and promote a career in Digital Forensics, professionals need to make the effort to become proficient in the emerging legal changes in the country as well.

Naavi


Non-Material Damage under GDPR: Munich Court awards compensation

We are mostly informed, from time to time, about the GDPR fines imposed by supervisory authorities on different companies for non-compliance. However, GDPR also provides that a data subject may claim compensation on account of a GDPR data breach through an action in Court.

In this connection, it is interesting for academic students of GDPR to follow the recent cases in Germany.

Article 82 of GDPR states:

Article 82: Right to compensation and liability

1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.

3. A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.

4. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.

5. Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2.

6. Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State referred to in Article 79(2).

One of the issues that arises in implementing this provision is whether the data subject is entitled to compensation even if they have not suffered any kind of material damage.

In 2019 a case was filed in the Goslar Local Court by a customer of an organization who had received a marketing mail from a data controller, claiming compensation of EUR 500. The Magistrate Court rejected the claim, ruling that the claimant had failed to show any relevant damage from the unsolicited email that met the “minimal threshold of impairment”.

The complainant later made a complaint to the Constitutional Court, arguing that the Magistrate Court had wrongly applied its own interpretation of the law rather than referring to the ECJ the question of whether it is necessary to meet a de minimis threshold of impairment to be entitled to compensation for non-material damages under Article 82 GDPR.

The FCC (Federal Constitutional Court) agreed with the Plaintiff, ruling that the Magistrate Court was indeed obliged to turn to the ECJ in accordance with Article 267 para. 3 TFEU. The FCC found that such a referral is required whenever a question of EU law arises in a proceeding to be decided by the national court, unless (i) the court has determined that the question is not relevant to the decision, (ii) the provision in question has already been interpreted by the ECJ, or (iii) the correct application of the law is so obvious that there is no room for reasonable doubt.

The FCC referred the matter to the Magistrate Court, which is to hear it once again and is to decide on it, in particular on the referral to the ECJ.

On 14th January 2021, the Constitutional Court of Germany held that the question has to be referred to the European Court of Justice. (Refer here)

If the ECJ holds that it is not essential for the data subject to prove a quantifiable damage in order to claim compensation, a flood of litigation from the public can be expected whenever a data breach occurs. This “Data Subject Compensation Risk” would be in addition to the risk of penalties imposed by the supervisory authorities and would be an additional burden on the industry, though it could be covered by an insurance policy.

In the meantime, there was another order of the Regional Court of Munich, related to Scalable Capital, which was ordered to pay non-material damages of EUR 2,500 to a data subject. (Refer here) The data breach, caused by a cyber attack, had been reported to the data subject on 19.10.2020. A total of 389,000 records of 33,200 affected persons had been breached in this incident. Because the data subject feared identity theft and other fraud, they brought the action before the Court and claimed compensation.

In this case, on appeal against the compensation granted by the lower Court, it emerged that the personal information of the customers had been transferred to a data processor whose contract had been terminated at the end of 2015. The company assumed that the data had been deleted but had not verified it. The credentials of the data processor were used by the hackers for the attack.

The Court held that, when assessing the amount of the non-material damages, it must be taken into account that the data in dispute has obviously not yet been misused, at least not to the detriment of the plaintiff, and therefore at most a more or less high risk can be assumed. However, the deterrent effect of the damages intended by the legislator must also be taken into account, as mentioned above. Weighing up all these aspects, the Court considered (non-material) damages in the amount of 2,500 euros to be appropriate.

It appears that in this case the need for an ECJ reference was not insisted upon, for certain technical reasons. The Court said in this regard:

“Insofar as the defendant believes that a preliminary ruling by the ECJ is mandatory, which was recently established by the BVerfG, decision of 14.1.2021 – 1 BvR 2853/19, it overlooks Article 267 (3) TFEU.* Whereas in the facts underlying the aforementioned decision, neither the appeal complaint had been reached nor the Local Court had allowed the appeal, this is undoubtedly given in the present case (cf. section 511 (1), (2) no. 1 of the Code of Civil Procedure), so that no decision of last instance is given.” (Decision published on 21.12.2021)

(Comments are welcome)

Naavi

  • * Article 267 (ex Article 234 TEC)

    The Court of Justice of the European Union shall have jurisdiction to give preliminary rulings concerning:

    (a) the interpretation of the Treaties;

    (b) the validity and interpretation of acts of the institutions, bodies, offices or agencies of the Union;

    Where such a question is raised before any court or tribunal of a Member State, that court or tribunal may, if it considers that a decision on the question is necessary to enable it to give judgment, request the Court to give a ruling thereon.

    Where any such question is raised in a case pending before a court or tribunal of a Member State against whose decisions there is no judicial remedy under national law, that court or tribunal shall bring the matter before the Court.

    If such a question is raised in a case pending before a court or tribunal of a Member State with regard to a person in custody, the Court of Justice of the European Union shall act with the minimum of delay.

Reference:

Article in lexology.com

Article in gdprhub.eu
