Do We need an Unregulated Data Processing regime?

The Minister of IT Mr Ashwini Vaishnav recently commented that there is no plan to scrap the current draft data protection regulation (as has been falsely projected by some journalists) and he hopes that the bill will be passed soon if not in the current session at least in the Monsoon session.

He said that there have been comprehensive consultations and we should be able to resolve differences if any and get the bill passed.

Simultaneously the media campaign has started again to highlight that the Social media Companies are unhappy, the Start Up companies are unhappy etc. Organizations like NASSCOM who have to support the initiative of getting an early law in place are only reflecting the objections of the industry and making it difficult for the Government to go through with the passage of the Bill.

The objections raised are largely excuses and even if they are relevant, they can be corrected either through notifications or in the next amendment. We need to keep them aside for the time being and see how the law gets assimilated by the industry, after which we will have more information on what changes are required.

The tech companies are already in compliance with the GDPR regime and they are aware of how to wade through the data protection law. Indian law cannot be too hard compared to GDPR. Start ups have been given 3 years' time under the Sand Box and hence should not have any complaint.

The Social Media intermediaries are only required to allow the choice to their customers to verify themselves and after such verification insist that their identity be disclosed with their messages. This will not prevent the Social Media intermediaries from continuing to have fake accounts and spread fake messages if they so desire. The viewers will start discounting the posts of unverified accounts and the media need not be bothered.

At the same time, the media has the option to be an “Intermediary” and not be considered as a “Publisher” if they can give up the control on the content. There is a new attempt to pitch the Ministry of I&B against the Ministry of IT saying that there will be overlapping of the domains. We know that the ministers of the two ministries held a joint press conference to announce the February 25, 2021 Intermediary rules and it is unlikely that they will start objecting to each other now.

IAMAI has also criticised the bill as if it poses a risk to the digital eco system by having an impact on free speech. We do not know how there is a conflict since the Constitution itself has provided for reasonable exceptions to any fundamental right and it would apply even to the right to privacy.

IAMAI has also criticised the expansion of the scope to Non Personal Data. This is an enabling provision forced on JPC by the earlier objections and can be clarified through the notifications.

The restrictions on data transfer outside India have already been softened to bring them very much below the GDPR standards and compared to the Indian law, GDPR with the recent EDPB guidelines is a more strict data localization law than the DPA 2021.

The DPA 2021 when implemented will have to manage conflicts with several sectoral regulators including the CERT In, RBI, IRDAI and TRAI. It is therefore not a burden for them to handle the Cyber Law division of I & B ministry also as another sectoral regulator.

We can expect that the DPA as a body of 7 senior persons will devise a method of consultation with the sectoral regulators as envisaged under Section 56 of the Bill.

There is no doubt that industry will be happy without any regulations and hence is opposing the regulations. Cost of Compliance is associated with every law and cannot be a reason for non regulation. It is strange that the companies do not complain about cost when GDPR is imposed on them but have objections only when there is an Indian law of similar nature.

The attitude of the industry and the associations that represent them is not sustainable on close scrutiny. The objections are only saying that we do not want any regulation and do not want to be accountable for data breaches or for compliance, and have to be ignored.

I hope the MeitY will not yield to the pressure tactics and go ahead with the law for early passage. If they yield then they will be liable for Contempt of Court since the bill has been already delayed beyond any reasonable time.

Naavi

It is time to launch a “Welcome Data Protection Law in India” campaign

India has been struggling to introduce a Data Protection Law for a long time. It was initially at the instance of the IT industry that the earlier Government framed a draft law in 2006. Subsequently Privacy activists created a furore when Aadhaar was sought to be used widely by the Government resulting in the Supreme Court nudge and the Srikrishna committee followed by PDPB 2018, PDPB 2019 and now DPB 2021.

However at each stage there has been so much opposition that the Bill is still not passed. Even as late as last week, industry bodies have asked for scrapping the Bill in its current form and starting a new drafting exercise, knowing full well that this exercise will delay the introduction of data protection by another few years and would be a set back in every sense.

This time it appears that the Social Media Intermediaries are in the forefront of the move to scuttle the Bill. Even the Start Up industry has been made a party to this set of objections.

The media is a commercial organisation and they will convey only the views of any vested interest, amplifying the objections.

Some of the modifications that have been projected in the media are

    1. The Government should have no powers to seek exemption from any provisions of the Act even if permitted under the Indian Constitution.
    2. Law Enforcement should not have any power of surveillance even if Crimes in Data Space are a threat to our very existence as a society.
    3. Social Media intermediaries should not be challenged on fake news distribution
    4. Industry should have exemptions for ever to comply with the basic principles of compliance
    5. The fines and penalties should be waived.
    6. Cost of Compliance should be reduced
    7. Financial Information should not be considered as “Sensitive”
    8. Data should be freely transferable abroad even though other countries like EU are opting for more and more restrictions.
    9. Indian Government should give up its sovereignty on Data generated in India and allow the tech giants to monetize Indian data resources

It is unfortunate that as in other fields the industry institutions which are expected to protect the interests of the country are abdicating their national responsibilities and have been only interested in projecting the commercial interests of companies most of whom are today international companies.

Even home grown companies are dependent on the patronage of International companies and hence take a stand “Business First, Nation Next”.

There is nothing like a “Perfect Law” and seeking a perfect law particularly in the domain of Privacy which has inherent conflicts with other Rights, is only an excuse not to pass the law. I hope people in high places accept this reality and not think that the public are gullible enough to believe such excuses.

Every corporate law in the country has a cost burden and this cannot prevent the law from being passed. Income Tax Law or Company Law have imposed enormous cost on the industry. Does it mean that the industry should oppose them because of “Cost of Compliance”? If not, why this opposition only for “Data Protection law”?

Can the nation exist if we ignore the need of law enforcement and Governance in enforcing the Privacy law? Can speculation on what all can go wrong prevent action of the Government? Every law has a potential to be misused if we have dishonest administrators and dishonest administrators will continue to exist as long as there is greed in the society.

We only have to keep strengthening the law as well as the checks and balances to ensure that law is not mis-applied. The Courts are there to ensure justice if the administrators fail.

We therefore urge all those who have opposed the current draft of DPA 2021 to set aside their differences for some time and let the law come into existence. Let us give it at least one year of existence after which we can pass any amendments that may be necessary.

I therefore appeal to industry bodies such as NASSCOM, ASSOCHAM, FICCI, CII, etc. to stop complaining about the new draft of DPA 2021 and start co-operating with the Government in getting the law passed.

Alternatively the industry can be honest to say that the industry does not want the Data protection law to be passed in India and they can file a petition in the Supreme Court to stop the Government from passing such law.

If the business entities gladly adopt an EU law such as GDPR but have objections only to the Indian law because they want freedom to plunder the Indian resources, it is natural for the Government also to feel why it should tie its own hands with the law which also imposes restrictions on the Government. Government therefore will not be keen to pass the law unless the industry is ready.

The genuine Privacy Activists also should appreciate that many of the NGOs are funded by the same vested interests who do not want the law to be passed and hence will be happy to raise objections for every version of the Bill. They also should realize that if there is a law in place, it is easy to make amendments. If we push the law further by another 2 years then the current state of “No Data Protection Law” will continue. If this is their intention, they also should be honest to admit that they survive on the prolonging of this uncertainty.

I appeal to the Genuine Privacy Activists to join hands with Naavi.org/FDPPI so that we can try to get a workable Data Protection law in place first and worry about refinements later.

Let us therefore start a “Welcome Data Protection Law in India” campaign under a “Data Protection Law Forum” which will be co-ordinated by FDPPI, the Foundation of Data Protection Professionals in India and Naavi.org.

(Comments are welcome)

Naavi

DPA 2021 Kindle Version of the book now available

After the JPC submitted its recommendations on the PDPB 2019, the earlier print version book on the basis of PDPB 2019 required corrections. Hence the print version had been withdrawn.

Now a new version of the Data Protection Act of India on the basis of DPA 2021 has been published as a Kindle version.

Since it is not certain if the Bill will be passed in the current session or not, we have released this book now in E Book format. In case the Bill is passed finally either in this session of the Parliament or later, we will publish the print version.

Until that time this book should be the guidance for all students of Data Protection Law in India.

It is possible that the Book may need further updating and even corrections. I assure that I will endeavour to make corrections as and when required.

As is the custom in the Software scenario, release comes first and bug fixing comes later!

Naavi


Implications of the Upcoming Data Protection Bill…The Compliance perspective

REGISTER HERE


Registrants who attend the webinar will receive further benefits of value from FDPPI


India Data Accessibility & Use Policy

While the Data Protection professional circles have been discussing the forthcoming DPA 2021, whether it will be taken up for further discussion in the Parliament or scrapped, the MeitY has sprung a surprise by releasing two documents yesterday, February 21.

They are

    1. Background Note for India Data Accessibility and Use Policy
    2. India Data Accessibility and Use Policy

It appears that the Government was waiting for the release of these documents before taking up the DPA 2021 for further discussion to protect the operational interests of the Government entities which will also be required to be compliant with the new DPA 2021. We are aware that while private companies need to move up in their compliance ladder from the present levels to whatever DPA 2021 expects, Government agencies need to start from the zero level. Hence the challenge before Government institutions and Departments was greater than that before the private sector.

In the light of the above, MeitY has tried to formulate a policy for the Central Government and suggested policy for State Governments in the form of a Framework that can be adopted for Privacy Management. These are likely to be adopted as “Codes of Practice” for Government establishments when the DPA 2021 becomes effective.

This will now have to be incorporated as part of the DPSI or the “Data Protection Standard of India” which FDPPI is using for Compliance audits.

The Objectives of the Policy as declared are as follows:

    1. Maximising access to and use of quality public sector data
    2. Improving policy making, evaluation and monitoring
    3. Enhancing the efficiency of service delivery
    4. Facilitating the creation of public digital platforms
    5. Protecting the privacy and security of Citizens
    6. Streamlining inter-government data sharing
    7. Promoting transparency, accountability and ownership in data sharing and release
    8. Building digital & data capacity, knowledge & competency of Government officials
    9. Promoting data interoperability & Integration to enhance data quality and usability
    10. Ensuring greater citizen awareness, participation, and engagement with open data
    11. Enabling secure pathways to share detailed data sets for research and development
    12. Increasing the availability of high value data sets of national importance
    13. Improving overall compliance to data sharing policies and standards.

Though the policy makes reference mainly to “Data Sharing”, it would also be the policy for protecting the Privacy of the Citizens.

One of the immediate requirements for the Government agencies is to develop an inventory of “Data Assets” which may have to include both Personal and Non Personal Data of Citizens and Employees. It has to be a federated government wide searchable data base so that duplication is avoided.

An interesting concept is that there will be a new entity called India Data Office (IDO) and every Ministry/Department shall have Data Management Units headed by Chief Data Officers (CDO) which will work closely with the IDO.

Given the responsibilities of the CDO which go beyond the Privacy and Personal Data Protection, it may be necessary for each department to separately identify a Data Protection Officer satisfying the requirements of Section 30 of DPA 2021.

The India Data Officer and the Chief Data Officers will together function as India Data Council (IDC) for coordination. In case the State Governments also join this IDC, it will be like the GST Council and cover all data interests of the nation. However since there are some rogue states which do not believe in being part of the national body, the IDC may remain a Central Government entity. The State Governments can however replicate the system with a State level IDC and State CDOs.

One of the objectives set by this policy is to promote the “Open Data” concept and by default all data of every Government Ministry/Department/Organization will be considered as open.

The exceptions however may be defined and a negative list of data which shall remain restricted would be separately announced.

By focussing on “Data Sharing”, the policy has also considered the possibility of monetization of data available to the Government and a mechanism for Data Pricing and Data Licensing may be developed.

The Policy promotes “Data Anonymisation” and may assist the departments with necessary support including tool kits for data sharing.

In anticipation of the objections from the activists, the policy states that “Any Data sharing shall happen within the legal framework in India, its national policies and legislation as well as the recognized international guidelines” and “All data being shared must ensure compliance to guidelines for legal, security, IPR, Copyrights and Privacy Requirements”.

The policy states that Data shall remain the property of the agency/department/ministry etc and access shall not be in violation of any acts and rules of the Government in force.

The legal framework of this policy will also be aligned with various acts and rules covering data.

We hope the publication of this policy will now clear the path for DPA 2021 being passed.

We welcome the approach of this policy to get ready before the DPA 2021 becomes a law. The policy will require a whole “Data Governance System” to be set up with the IDC, IDO, CDOs and DPOs at the Central Government level and also paving the way for State Governments to adopt a similar module. Interesting developments to watch.

Naavi


Long awaited measure for relief from cyber frauds

If this system works, we will be able to control a good part of cyber crimes. This will put brakes on crimes involving transfer of proceeds in INR.

Next we need to ban Cryptocurrency to tackle the crimes at the next level.

Naavi
