Is Meity looking like Mohammad Bin Tughlaq?

If media reports are to be believed, MeitY is looking like a Mohammad Bin Tughlaq, changing its stand again and again… and again. It appears that there is no clarity on what is to be done in respect of the data protection law in India.

This is the inference one can draw from the article which has appeared in Hindustan Times under the title “Non Personal Data likely to be dropped from new data law” under the byline of Deeksha Bharadwaj.

There is every possibility that the report might have been planted by the vested interests who do not want the law to be passed, which includes the top Tech Companies, and is an attempt to project the Indian Government as indecisive.

The inclusion of two amendments in the Act, namely one which brought “Non Personal Data including Anonymised Personal Data” under its applicability and the other requiring the “Reporting of Non personal data breach to the regulator”, was suggested by the Joint Parliamentary Committee.

If these two amendments are dropped, there will be no serious effect on the law. It may even be considered a welcome move. CERT-In will take care of the data breach reports of Non Personal Data, and the concept of “Anonymisation”, which is an irreversible process subject to a standard approved by the regulator, keeps ITA 2000 and the data protection law distinct.

The other consequential change that will be required would be reverting the name of the Act from DPA 2021/22 back to PDPA 2022.

The need to include non personal data was felt because of the opposition to Section 92 which states

“The Central Government may, in consultation with the Authority, direct any data fiduciary or data processor to provide any personal data anonymised or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government, in such manner as may be prescribed.”

This is an enabling provision and, with or without the law, is considered a legitimate right of the sovereign Government. Even if it remains in the statute there is going to be no impact on the constitutionality of the law, though the “Andolan Jeevies” may continue to raise their voice.

All the dilly-dallying by MeitY is indicative of a complete lack of conviction on its part on how to go about the law. MeitY needs proper guidance to take decisions which are routine but are needlessly portrayed as “Controversial”.

Government must accept that as long as Andolan Jeevies are alive, anything done by the Government would be challenged in the Court, and this is now part of the law-making process. Hence expected objections from them cannot be excuses for the Government to look like a spineless body.

I hope that the views expressed in Hindustan Times are not indicative of MeitY’s reluctance to pass the law and that the issues referred to therein would be suitably factored into the current draft, whether the Act is called PDPA 2022 or DPA 2022.

Naavi

Posted in Cyber Law

US CLOUD Act: an attempt at a bilateral arrangement

While a discussion is going on about the CERT-In Guidelines and the Data Protection Act in India, the United States CLOUD Act (2018) is said to offer an approach to enabling law enforcement agencies in India to access data stored by US service providers.

According to this article in orfonline.org, foreign law enforcement agencies may be able to access evidence directly from US service providers in the investigation of “serious crimes”, through an executive agreement drawn up by the two countries for the purpose.

To enter such an agreement with the US, a foreign country must meet certain procedural and substantive requirements, including having protections against surveillance and safeguards against unbridled government access to data. It also requires the partner country to show a commitment to an open and interconnected Internet, and to free flows of data across borders. This is like the adequacy clauses in the GDPR.

It is stated that the United Kingdom (UK) was the first country to have entered into a CLOUD Act agreement with the US, in 2019.

This consideration may perhaps be kept in mind by MeitY while passing the PDPB 2019.

Naavi


Posted in Cyber Law

CERT-In Rules on data breach notification etc. for MSMEs

On 28th April 2022, the Government of India notified certain requirements under Section 70B of ITA 2000/8 regarding information security practices to be followed by all IT system owners.

Subsequently, a detailed FAQ was also published by CERT-In.

These regulations were applicable to all service providers, intermediaries, data centers, body corporates and Government organizations.

The regulations were to come into effect 60 days from the date of the notification. In other words, they became effective from the morning of 27th June 2022.

Now CERT-In has notified that in respect of MSMEs, as defined under the notification of the MSME Ministry dated 1st June 2020, the regulations shall become effective only from 25th September 2022.

At the same time, data centres, VPS providers, cloud service providers and VPN companies have been given additional time (till 25th September) for the implementation of mechanisms relating to the validation of subscribers’/customers’ details.

Under that notification, an MSME is defined as:

i) A micro enterprise, where the investment in Plant and Machinery or Equipment does not exceed one crore rupees and turnover does not exceed five crore rupees;

ii) A small enterprise, where the investment in Plant and Machinery or Equipment does not exceed ten crore rupees and turnover does not exceed fifty crore rupees;

iii) A medium enterprise, where the investment in Plant and Machinery or Equipment does not exceed fifty crore rupees and turnover does not exceed two hundred and fifty crore rupees.

It may be recalled that the guidelines require the following to be in place:

  1. All entities shall ensure that their time source is synchronised to the NIC/NPL time source.
  2. All entities shall report data breaches within 6 hours.
  3. Act in accordance with the directions of CERT-In, if any.
  4. Enable logs of all ICT systems and maintain them securely for a rolling period of 180 days.
  5. Preserve the service registration information for a period of 5 years, or longer as mandated by law, after termination of registration; such information shall include:
    1. Validated names of subscribers/customers hiring the services
    2. Period of hire including dates
    3. IPs allotted to / being used by the members
    4. Email address and IP address and time stamp used at the time of registration / on-boarding
    5. Purpose for hiring services
    6. Validated address and contact numbers
    7. Ownership pattern of the subscribers / customers hiring services
  6. The virtual asset service providers, virtual asset exchange providers and custodian wallet providers (as defined by the Ministry of Finance from time to time) shall mandatorily maintain all information obtained as part of Know Your Customer (KYC) and records of financial transactions for a period of five years, so as to ensure cyber security in the area of payments and financial markets for citizens while protecting their data, fundamental rights and economic freedom in view of the growth of virtual assets.
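As an added illustration (it is neither part of this post nor any tool of CERT-In's), the following Python script turns the measurable directions in the list above into a self-assessment checklist that an MSME preparing for 25th September could run against its own evidence: the 6-hour reporting clock, the rolling 180-day log window, the 5-year registration retention and the seven subscriber-record items. The field names, the one-second clock-offset tolerance and the sample evidence are all assumptions constructed for the example; the direction itself names only the NIC/NPL time source, not a tolerance figure.

```python
from datetime import date, datetime, timedelta, timezone

# Thresholds as listed in the CERT-In directions summarised above.
REPORTING_WINDOW = timedelta(hours=6)          # breach report within 6 hours
LOG_RETENTION_DAYS = 180                       # rolling log retention
REGISTRATION_RETENTION_YEARS = 5               # after termination of registration
REGISTRATION_FIELDS = (                        # the seven items the direction lists
    "validated_name",
    "hire_period",
    "allotted_ips",
    "registration_email_ip_timestamp",
    "purpose",
    "validated_address_and_contacts",
    "ownership_pattern",
)
# Assumed tolerance for clock offset; the direction names the NIC/NPL source, not a figure.
MAX_CLOCK_OFFSET = timedelta(seconds=1)


def reporting_deadline(detected_at: datetime) -> datetime:
    """Latest time a breach noticed at `detected_at` must reach CERT-In."""
    return detected_at + REPORTING_WINDOW


def breach_reported_in_time(detected_at: datetime, reported_at: datetime) -> bool:
    return reported_at <= reporting_deadline(detected_at)


def log_retention_gaps(days_with_logs: set, today: date) -> list:
    """Dates inside the rolling 180-day window (today inclusive) that have no retained log."""
    window = (today - timedelta(days=i) for i in range(LOG_RETENTION_DAYS))
    return sorted(d for d in window if d not in days_with_logs)


def missing_registration_fields(record: dict) -> list:
    """Which of the seven mandated subscriber-record items are absent or empty."""
    return [f for f in REGISTRATION_FIELDS if not record.get(f)]


def registration_retention_until(terminated_on: date) -> date:
    """Earliest date a subscriber record may be purged: 5 years after termination."""
    target_year = terminated_on.year + REGISTRATION_RETENTION_YEARS
    try:
        return terminated_on.replace(year=target_year)
    except ValueError:  # 29 February terminating into a non-leap year
        return terminated_on.replace(year=target_year, day=28)


def assess(evidence: dict) -> list:
    """Evaluate collected evidence against the listed directions; return findings."""
    findings = []
    if abs(evidence["clock_offset"]) > MAX_CLOCK_OFFSET:
        findings.append("clock not synchronised to NIC/NPL time source")
    for detected, reported in evidence["incidents"]:
        if not breach_reported_in_time(detected, reported):
            findings.append(f"breach detected {detected.isoformat()} reported after 6-hour window")
    gaps = log_retention_gaps(evidence["days_with_logs"], evidence["today"])
    if gaps:
        findings.append(f"{len(gaps)} day(s) missing from the 180-day log window")
    for subscriber, record in evidence["subscribers"].items():
        missing = missing_registration_fields(record)
        if missing:
            findings.append(f"subscriber {subscriber} record lacks: {', '.join(missing)}")
    return findings


# Constructed sample evidence (not real data): clock within tolerance, one late report,
# ten days short on logs, one subscriber record without an ownership pattern.
TODAY = date(2022, 9, 26)
SAMPLE_EVIDENCE = {
    "today": TODAY,
    "clock_offset": timedelta(milliseconds=300),
    "incidents": [
        (datetime(2022, 9, 20, 9, 0, tzinfo=timezone.utc),
         datetime(2022, 9, 20, 14, 0, tzinfo=timezone.utc)),   # 5 h: on time
        (datetime(2022, 9, 22, 9, 0, tzinfo=timezone.utc),
         datetime(2022, 9, 22, 16, 30, tzinfo=timezone.utc)),  # 7.5 h: late
    ],
    "days_with_logs": {TODAY - timedelta(days=i) for i in range(170)},
    "subscribers": {
        "cust-001": {f: "recorded" for f in REGISTRATION_FIELDS},
        "cust-002": {f: "recorded" for f in REGISTRATION_FIELDS if f != "ownership_pattern"},
    },
}
SAMPLE_TERMINATION = date(2024, 2, 29)  # constructed; exercises the leap-day case

if __name__ == "__main__":
    for finding in assess(SAMPLE_EVIDENCE):
        print("FINDING:", finding)
    print("cust-001 record may be purged on", registration_retention_until(SAMPLE_TERMINATION))
```

Run against the constructed evidence the script reports three findings (the late report, the ten-day log shortfall and the incomplete subscriber record) and leaves the clock check silent. The gap check treats a missing day as a missing file; in practice one would derive `days_with_logs` from the timestamps inside the log store rather than from file names.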

For more details kindly refer to the FAQ document.

Naavi

Posted in Cyber Law

Online Gaming.. Justice Chandru Committee and MeitY

A committee headed by a retired Judge, Justice K Chandru, constituted by the TN Government has provided its report to the TN Government on the need for regulating online games.

The committee had an IIT Professor, a retired ADGP and a Psychologist also in the panel.

We are looking to go through the detailed report but the media reports suggest that the committee has recommended that the State government insist on the Union government enacting a national-level law against online gaming with stakes under Article 252 of the Constitution. It also recommended that the State government expedite its appeal in a related case pending before the Supreme Court.

It is also reported that the committee has recommended that the Tamil Nadu government ban online games with stakes as well as advertisements that encourage people to play such games, by promulgating an ordinance.

The state Cabinet is expected to take a view on the same. According to the report, an ordinance could be promulgated on the basis of the committee’s recommendations. Legislation banning online gaming was enacted by the Tamil Nadu Assembly in February last year, but the Madras High Court struck it down in August that year. The appeal preferred by the Tamil Nadu government in the Supreme Court in November last year is yet to be taken up for hearing.

The legislation enacted by other States, including Karnataka and Kerala, was also struck down by the respective High Courts.

In the meantime, a report has also emerged that the “Union Government is committed to fostering innovation and Start-ups including gaming” according to a statement attributed to Mr Rajeev Chandrashekar, MOS of MeitY.

We may also recall that DPA 2021 defines “psychological manipulation which impairs the autonomy of the individual” as a harm, and it is considered that online gaming does manipulate the mind of the gamer, to the extent that many games induce the gamer into committing suicide. Some of these suicides may relate to loss of money, but games like PUBG and Blue Whale relate to psychological manipulation.

I also draw the attention of the readers to an article written by me in 2017 on “Cyber Hypnotism”, where the possibility that games may be silently hypnotizing the gamer (especially children) was raised.

It is also well known that many gamers support “Crypto Currencies” and the entire “Meta Verse” industry has a very close relationship to gaming.

There is therefore a need to give serious thought to Gaming Regulation in India. Naavi.org has several times pointed out the dangers of Online Gaming and urged the setting up of a “Gaming Regulator” to provide certification for safe games that can be distributed to the public.

The new definition of “Harm” in the DPA 2021 as well as the discussions on Neuro Rights in the global scenario will trigger more discussions on the harmful effect of addictive games.

We are aware that “Gaming” is a big business domain in the world and also a source of technical innovation. But it does not mean that it should not be monitored and regulated.

Probably the Justice K Chandru Committee could start a new discussion in this regard.

Naavi


Posted in Cyber Law

Online DTS Evaluation Tool

Ujvala Consultants Pvt Limited has developed an online Data Protection Compliance Assessment Tool which can assist in generating a DTS score for an organization.

DTS, or Data Trust Score, is a measure of the extent of data protection compliance of an organization. A complete assessment of DTS requires an audit, a methodology for converting the audit findings into a score, and an assessment by an experienced auditor.

However, as a preliminary measure of assessment, an online assessment tool has been developed by Ujvala Consultants Pvt Ltd.

The tool can be used by any DPO to check the preparedness of the organization before a formal audit may be invited. It is also a tool to be used by Ujvala Auditors to develop the Gap assessment.

The tool has been developed on the basis of DPCSI (Data Protection Compliance Standard of India) as a framework and Naavi’s methodology for DTS calculation.

Ujvala Consultants would be using this tool for its Data Protection Compliance audits.

Naavi

Posted in Cyber Law

Government of India red-flags Information Security of ICICI Bank

The notification from MeitY dated 16th June 2022 declaring the CBS system, RTGS System, NEFT System and the Structured Financial Messaging Server as protected systems and imposing the information security guidelines of 22nd May 2018 is a watershed moment in the history of Cyber Security Management in the country.

The decision indicates that from now onwards, a representative of CERT-IN will sit in the Information Security Governance Committee of ICICI Bank and supervise all policies and their implementation regarding the information security in the Bank.

This development is similar to “Nationalisation of the Information Security System of ICICI Bank” and is a huge embarrassment to the Bank’s credentials as a trusted repository of public funds.

The Press reports that the systems of HDFC Bank and NPCI have been simultaneously declared as “Protected Systems”, but details of the gazette notification are available only in respect of ICICI Bank.

Some members of the public would misunderstand this development and consider that the Government has bestowed an honour on ICICI Bank by giving its systems the status of a “Protected System”. Perhaps ICICI Bank would also like to propagate the same perception.

But the truth is different.

Declaration of a system as a “Protected System” is to enable the Government to exercise close control on the security of the system, because the Government apprehends that the incapacitation or destruction of the system shall have a debilitating impact on national security, economy, public health or safety.

We must observe that most of the Government financial assets such as the Treasury accounts are presently held in State Bank of India and except by market capitalization ICICI Bank is not more critical than SBI in terms of national security or security of national economy.

ICICI Bank, on the other hand, has been saddled with thousands of data breach incidents in the form of phishing complaints from its customers, and we have already pointed out documentary evidence of how a phishing website was run from within the ICICI Bank server itself. ICICI Bank was also in the forefront of Crypto transactions and was enabling Bitcoin remittances from abroad.

We can perhaps consider that the Government might have taken notice of these Bitcoin transactions and the thousands of phishing transactions as potential money laundering incidents which may need closer scrutiny and investigation on a day-to-day basis. The ongoing investigation on Mrs Chanda Kochhar also may require close oversight of the operations of the Bank, the information deletions that have been made in recent times, the background of the custodians of the transaction servers, etc.

Unless properly denied, the existence of a huge scam which is about to be unravelled cannot be ruled out.

I trust that the development is big enough to need a notice to the stock markets under Clause 49 of the listing rules, and there has already been a delay in this regard.

ICICI Bank has to also come out with its own official explanation and disclosure of how this development could affect the investors and affect the share price.

Unless immediate action is taken by the Bank to manage the reputational damage through appropriate public messaging, the share prices of the Bank are in danger of being adversely affected.

It is an immediate necessity that ICICI Bank makes a public disclosure on its website of its having been notified as a “Protected System” and of the changes in its policies and information security Governance system.

I understand that it is a painful situation for the Bank but the gazette notification has already been made and the clock cannot be turned back.

It is an unenviable situation for  ICICI Bank. Substantial damage has already been done and cannot be reversed. Now only containment of further damage is possible and it may require a careful communication strategy avoiding any false statements that can further damage the organization.

I pity the life of the CISO in ICICI Bank, which will change permanently and could be a bed of thorns with CERT-In breathing down its neck on a minute-to-minute basis. We can also watch out for some attrition in the IS workforce in the Bank.

I expect a series of press articles planted by the Bank in the next week highlighting as if the notification is a “Padma Award” for its Information Security department. Good time for journalists.

(P.S.: The situation in HDFC Bank is similar. We are yet to access the notification regarding HDFC Bank and NPCI and hence have not commented on the impact of the decision on these organizations in detail. There are many other large Banks, such as PNB, where a large-scale risk of data breach also exists and may require CERT-In supervision of the security systems.)

Naavi

Posted in Cyber Law