Clarifications from the JPC Chairman on DPA 2021

Since the release of the draft PDPB 2021, there have been many views expressed by different organizations and some of them are listed below:

    1. Comparing the Draft Data Protection Bill 2021 with its predecessors: thequint.com
    2. Data Protection Bill: Hits and Misses: bloombergquint.com
    3. Explained: How India’s data protection Bill compares with EU regulation: Indian Express
    4. Data Protection Bill is Orwellian, loaded in favour of the Government: Justice B N Srikrishna: Moneycontrol.com
    5. PDP Bill recommendations will have higher compliance burden on Startups: IAMAI
    6. Decoding Data Protection Bill: Economic Times
    7. Key Takeaways: The JPC Report and the Data Protection Bill, 2021#SaveOurPrivacy: internetfreedom.in
    8. Data Protection Bill 2021: MP Amar Patnaik bats for Data Regulators at state level: medianama.com

Mr P P Choudhary, in his interview with news18.com, has also expressed some views which are important for understanding what went on in the minds of the committee in the final stages before the draft was released. Some of the views expressed by him are highlighted here.

On the need for inclusion of Non Personal Data in the Act, he said:

“… Non personal data as on today is not included but for future govt can formulate the policy under section 92 to deal with violations related to it.”

We note that he has admitted that this is an empowerment for the future and that, as of today, Non Personal Data is not included.

Regarding the powers given to the Government, he said:

“We can’t put government and private entities in the same basket….If you compare the birth of section 35, it is article 21 of the Constitution of India which is a fundamental right. It says no person shall be deprived of personal liberty except in accordance with the law. So, this is a condition by the Constitution. More safeguards have been provided in the bill. It says data can only be processed if authorised by the government and will be based on rules framed by the government. On the basis of those rules, the government can authorise agencies to process the data. The purpose is given in section 35. Processing of data is only for the purpose of national security, to protect the sovereignty and integrity. The individual right to privacy will be over-ridden if it clashes with national interests.”

As regards the dissent on the exemption from Consent for the Government, Mr Choudhary categorically stated:

“These dissent notes are basically misconceived and unfounded. These notes do not stand legally anywhere. The dissent was not limited to Section 35 but also about Section 12: without consent data shall not be processed. Meaning there will be a complete embargo. It means the government can’t process the data. I am asking them, if we don’t process the data of farmers while making them the payments of government schemes, what will happen? Should we ask each one of them separately about their consent? Is it expected from the government to obtain consent from 10 crore farmers?

If the government wants to transfer payment to NREGA labourers or to public distribution, should we seek consent from everyone? We say the government can process the data in accordance with the law. The section says personal data can be processed for the benefit of the data principal.

Where do they want to take the country? Do they want to take the country back to a paper economy from a digital economy? The opposition is trying to halt the progress of the digital economy. Suppose the government needs to raid someone, should income tax authorities seek consent? Is it practical or feasible, should we seek permission from a terrorist before processing his data?”

We appreciate the clear and bold statement from the JPC chairman on the dissent notes. The tenor of this interview suggests that even when the dissent is raised in the Parliamentary debate, the Government will defend the provisions with force.

Naavi.org has already provided its views on some of the aspects of the new Bill in the following articles:

1. Anonymisation is like Encryption with a destroyed decryption key

2. PDPA 2021: The data breach notification regarding Non Personal Data

3. PDPA 2021: The Data Protection Officer is now in an elevated professional status

4. PDPA 2021: The nature of Data as an Asset and nomination facility

5. PDPA 2021: Regulating the human perceptions

6. PDPA 2021: Definition of Harm to include psychological manipulation

7. PDPA 2021: Should Big Data and Data Analytics industry be worried?

The discussions on the Bill will continue.

Naavi in association with FDPPI (Foundation of Data Protection Professionals in India) has started a “Privacy and Data Protection Awareness Campaign” addressing

a) The Public

b) The Data Fiduciaries

c) The Data Protection Professionals

Various programs have been undertaken to address the requirements of each of these segments, details of which will be announced as we go forward.

Naavi

Other articles on DPA 2021

14. PDPA 2021: Concept of Discovery Consent

13. JPC Recommendations on SWIFT Alternative: Out of scope and Disruptive of Global Economic System

12. JPC recommendation on Children Data

11. JPC recommends DPA to watch on Incident Register

10. JPC comments beyond the Amendments-2: Implementation Schedule

9. JPC comments beyond the Amendments-1-Priority of law

8. Clarifications from the JPC Chairman on DPA 2021

7. Anonymisation is like Encryption with a destroyed decryption key

6. PDPA 2021: The data breach notification regarding Non Personal Data

5. PDPA 2021: The Data Protection Officer is now in an elevated professional status

4. PDPA 2021: The nature of Data as an Asset and nomination facility

3. PDPA 2021: Regulating the human perceptions

2. PDPA 2021: Definition of Harm to include psychological manipulation

1. PDPA 2021: Should Big Data and Data Analytics industry be worried?

Posted in Cyber Law

Anonymisation is like Encryption with a destroyed decryption key

If we follow the discussions around the DPA 2021, it appears that there is confusion regarding the term “Anonymization” and its effect on Personal Data. It is strange that after so many discussions on the GDPR and the Data Protection laws, we come back to the basics of what is “Personal Data”.

Personal Data is data which either directly or indirectly can identify a living natural person. This means that a set of characters such as “Chandrashekar” is an element that can identify a living natural person. But the string of data “Chandrashekar” alone has no identity with a living individual, since there could be several persons with such a name. Further, whether it is a name or not is itself a factor of the knowledge of the recipient of the data. An Indian would recognize it as a name.

Would a person from interior Africa recognize it, even if he is aware of the English alphabet? Or would a person in China who does not know the English alphabet recognize it as a name?

If not, why should we consider “Chandrashekar” as “Personal Data”? Is it not just a stream of binaries which one software renders as the English text “Chandrashekar”? In another rendition it may look different and may not appear to be a name.

The fundamental principle this suggests is that “Data” is neither personal nor non personal per se. In a context it may be perceived as “Personal” by some and not by others. (Please refer to Naavi’s Theory of Data for a more detailed discussion.)

Can any data that can be perceived as “Personal” by somebody in the world be considered as “Personal Data” by all under law? … Certainly not.

Hence, just because we sit in India and feel that “Chandrashekar” is the name of a person does not mean that “Chandrashekar” should be considered as “Personal Data”.

Another example: what does a string called “Bhajji” or “Submarine” represent? Is it the name of a dish in South India or the name of a naval contraption?

For a Cricket follower in India, Bhajji may be the nickname of Harbhajan Singh and Submarine may be the nickname of Mr Subramanyam (former test cricketer from Mysore).

Hence “Chandrashekar” by itself should not be considered as “Personal Information” any more than “Bhajji” or “Submarine”. This is part of the “Theory of Data”, and the hypothesis is that “Data is in the beholder’s eyes”.

Recently, a German court, in an order related to GDPR, held that an IP address is “Personal Data” and that if any American company handles the IP address, it would be considered a disclosure of personal data to a US entity, which is not permitted by the cross border data transfer restrictions under GDPR. (See this article.)

In this instance, the IP address is related to an action by an individual (such as visiting a website). But if the data is merely the “IP address”, it is not sufficient to identify a living natural individual. Hence it should not be treated as “Personal Information” but be classified as “Non Personal Information”. However, if the recipient of the IP address has more information in its possession and the individual’s full particulars are available, then it may be considered personal information, like profile information.

This is to be considered as Privacy Jurisprudence.

In India, even the JPC members seem to have an unresolved doubt about what “Anonymised Data” is and how it relates to “Personal Data”.

Personal data by definition contains elements that lead to an identifiable individual. Identity parameters such as the name, PAN number, e-mail address, IP address, cookie information etc., in combination, render a piece of information “Personal Information” to which the data protection law becomes applicable.

In comparison, there is data such as the weather, the environment etc. which is understood by everybody as “Non Personal Data”. Then there is information about a “Company”, which is not a “Living Natural Person”, which is also easy to identify as “Non Personal Data”.

However, there could be doubt about personal-looking data of a natural person who is no longer living. In this case there is no doubt that the information may be considered as “Personal Information”, but there is no need for providing “Privacy Protection through data protection for the deceased individual”. Hence the compliance requirements of a data protection law may not apply to the personal data of a “deceased data principal”.

In the context of compliance, therefore, the organization can classify the personal data of a deceased individual as different from the personal data for which the obligations and rights become applicable (unless the law specifically makes it applicable to the personal data of deceased persons, as the Singapore law does).

Yet another category of personal data that creates a problem is “Anonymized Data”, where the identity parameters of the individual contained in a personal data set are removed and irrevocably destroyed, so that even the person who created the anonymized data from the identifiable data cannot re-identify it.

Some people consider that “Anonymization” is reversible and hence that anonymised data should also be considered as “Protected Personal Data”. But if the law places a standard for anonymization which requires that the identity parameters separated from the identified information are forensically destroyed, then there is no way of reversing the process of anonymization.

In the case of “Encryption” there is a “Key” with which the encrypted data can be decrypted. This is similar to the process of “De-identification” or “Pseudonymisation”, where identifiable data is rendered unidentifiable through removal of identity parameters and/or substitution with proxy parameters. The person who has the “Key” to the de-identification or pseudonymization can re-identify the data. Hence these processes are reversible.

If, however, we have very strong encryption and the holder of the encrypted data does not have the decryption key, then such data is considered “Confidential” even though it is in the hands of an unauthorized person. The data breach notification requirements under the HIPAA/HITECH Act do not consider such a data breach as a breach of PHI. If, however, the encrypted data is lost along with the key stored in the same data store, the breach is recognized.

In the case of anonymization, the anonymization process is known to the anonymizer. However, just as an encrypting person deliberately throws away the decryption key, the anonymiser forensically deletes the anonymization key, so that de-anonymisation is theoretically not possible if a proper standard has been followed.

Hence it is correct to consider that “Anonymised Personal Data” is not “Personal Data”. This was the position in the PDPB 2019. However, in the PDPB 2021, the JPC has been sufficiently confused by some experts who have held the view that, just as a data encryptor holding the decryption key can decrypt the encrypted data, an anonymiser of data can de-anonymise it as a matter of routine. This is an incorrect perception of the process of anonymization. An anonymisation process inherently includes the forensic deletion of all the identity parameters. Otherwise it is only a de-identification process and not an anonymisation process.
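To make the distinction drawn in the last few paragraphs concrete, here is an added illustration (not code from Naavi or from any statute): identity parameters are replaced by keyed tokens, the record can be re-identified while the key and its lookup exist (de-identification/pseudonymisation), and once the key is forensically deleted the same records cannot be mapped back (anonymisation). The field names, sample records and the breach-store check are all constructed for this example.

```python
"""Pseudonymisation keeps a key and is reversible; anonymisation destroys it.
Added illustration of the page's analogy; all names, records and helper
functions are constructed for this example."""
import hashlib
import hmac
import secrets
from typing import Optional

# Identity parameters the page names as making a record "personal"
IDENTITY_FIELDS = ("name", "pan", "email", "ip")

# Constructed sample data set (fictitious persons and values)
SAMPLE_RECORDS = [
    {"name": "Chandrashekar", "pan": "ABCDE1234F", "email": "cs@example.com",
     "ip": "203.0.113.7", "purchase": "book", "amount": 450},
    {"name": "Subramanyam", "pan": "FGHIJ5678K", "email": "sub@example.com",
     "ip": "203.0.113.9", "purchase": "bat", "amount": 2300},
]


class KeyDestroyedError(RuntimeError):
    """Raised when re-identification is attempted after the key was destroyed."""


class Pseudonymiser:
    """Replaces identity parameters with keyed tokens (de-identification).

    The secret plus the token->value lookup is the "decryption key" of the
    page's analogy: whoever holds it can re-identify the records.
    """

    def __init__(self, secret: Optional[bytes] = None) -> None:
        self._secret: Optional[bytes] = secret or secrets.token_bytes(32)
        self._lookup: dict = {}  # token -> original value

    def _token(self, field: str, value: str) -> str:
        # HMAC-SHA256 is one-way; the same value always yields the same token,
        # so records stay linkable inside the data set without revealing the value.
        msg = f"{field}:{value}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()[:16]

    def pseudonymise(self, record: dict) -> dict:
        if self._secret is None:
            raise KeyDestroyedError("key destroyed; no further pseudonymisation")
        out = dict(record)
        for f in IDENTITY_FIELDS:
            if f in out:
                tok = self._token(f, out[f])
                self._lookup[tok] = out[f]
                out[f] = tok
        return out

    def reidentify(self, record: dict) -> dict:
        if self._secret is None:
            raise KeyDestroyedError("key destroyed; data is anonymised")
        out = dict(record)
        for f in IDENTITY_FIELDS:
            if f in out:
                out[f] = self._lookup[out[f]]
        return out

    def export_key(self) -> dict:
        """The material that, if stored beside the records, makes them personal again."""
        return {"secret": self._secret, "lookup": dict(self._lookup)}

    def destroy_key(self) -> None:
        """Forensic deletion of the key, the analogue of throwing away the
        decryption key. After this the tokens cannot be mapped back."""
        self._secret = None
        self._lookup.clear()


def can_reidentify(p: Pseudonymiser, record: dict) -> bool:
    """True while the key exists, False once it has been destroyed."""
    try:
        p.reidentify(record)
        return True
    except KeyDestroyedError:
        return False


def _looks_like_token(value) -> bool:
    # Heuristic used only by this example: tokens are 16 lowercase hex characters.
    return isinstance(value, str) and len(value) == 16 and all(c in "0123456789abcdef" for c in value)


def store_is_identifiable(records: list, key: Optional[dict] = None) -> bool:
    """Mirrors the breach rule the page quotes for encrypted data: records whose
    identity parameters are all tokens, with no key co-located, identify nobody;
    if the key sits in the same store (or raw values remain), they do."""
    if key is not None:
        return True
    return any(not _looks_like_token(r[f]) for r in records for f in IDENTITY_FIELDS if f in r)
```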

Some experts claim that Data Analysts can apply sophisticated algorithms and read meanings into Big Data which enable them to de-anonymise it. This is a false premise, since if the anonymisation process is as per a proper standard, the de-anonymiser can only make a guess, like creating a “Profile” out of data, which is just a “View” and not a “Fact”.

Beyond this, if somebody can decrypt encrypted data without a key by use of a brute force attack or social engineering, it is called a “Crime” and not a problem of the encryption system. Similarly, if anonymised data can be de-anonymised to a reliable extent by use of some technology, then it would mean either that the standard of anonymisation was not good enough or that the de-anonymiser was a criminal who, with persistent hacking of the data, was able to extract personalized information out of the anonymised information. Such acts should be considered as a crime, and PDPB 2019/2021 does consider them as punishable crimes with 3 years imprisonment.

If we are not confident of our Data Protection Authority’s capability to set a proper anonymisation standard which cannot be broken with a reasonable level of sophistication of attack, then anyone who uses an unreasonable level of sophistication to break an anonymisation should be considered a “Motivated Criminal”, and the punishment should be raised from 3 years to at least 10 years or more to bring in sufficient deterrence.

Unfortunately, without understanding this aspect, PDPB 2021 tries to include “Anonymised Data” as part of the regulations and creates an overlap between ITA 2000 and PDPA 2021.

Technically there is no difficulty in segregating data as “Personal” and “Non Personal” using “Anonymisation” as a separator. Just as strongly encrypted data whose key has been destroyed cannot be recovered, properly anonymised data cannot be de-anonymised.

I wish the JPC would give serious thought to correcting this situation when the Bill is taken up in the Parliament for discussion, provided there is no ego issue in making changes.

Naavi


Posted in Cyber Law

Privacy and Data Protection Awareness Movement

Naavi has been at the forefront of creating awareness of Cyber Laws in India since 1998. Over the last two decades, Naavi.org has emerged as a treasure house of awareness about Cyber Laws. Additionally, Naavi has promoted Cyber Law College, through which certification programs have been conducted since 1998 on Cyber Laws and later on Data Protection. In recent days, traditional colleges like NLSUI and NALSAR have introduced their own certification programs, and Naavi has been associated with the development of such programs also.

Through the institution of FDPPI, Naavi has also set up an NGO to take the Privacy and Data Protection knowledge to the professionals through Certification programs and compliance frameworks for implementation.

Now, with the Indian Parliament taking up for debate the new version of the bill, PDPB 2021, we are closer than before to the Indian data protection law becoming operative. Hence the need for intensifying the activities of FDPPI has arisen.

As a result, there is a need to spread the knowledge of Privacy and Data Protection amongst the masses, so that a culture develops in which people appreciate the need for, and the limitations of, Privacy as a right and Data Protection as a regulatory mechanism, and make proper use of the rights provided to them by law.

In this direction, Naavi, through Cyber Law College and FDPPI, would be undertaking some initiatives in the same manner in which Cyber Law Awareness was spread during the period 2000-2010.

The first such outreach program would be the “All India Privacy Awareness Program”, to be undertaken by Cyber Law College. This is meant for ordinary persons who are not conversant with the concepts of Privacy and Data Protection, and would explain the concept of Privacy as a human right, its implications in the data protection domain, the objective of the Data Protection Act, the diverse views of the Privacy Activists and the industry, the aspects of PDPB 2021 relevant for ordinary citizens of the country, etc.

Naavi would be launching the “Privacy and Data Protection For Everyone” campaign shortly to spread the awareness of the provisions of the new PDPB 2021 along with the background and the future trends in Privacy related issues in India.

This joint program of FDPPI and Cyber Law College should help in the absorption of the knowledge of the emerging data protection laws in India.

Watch out for the details.

Naavi

Posted in Cyber Law

PDPA 2021: The data breach notification regarding Non Personal Data

The new version, PDPA 2021 (we can start calling this DPA 2021 from now onwards), which replaces PDPB 2019, indicates under Section 57 that the “Obligation to take prompt and appropriate action in response to a data breach under Section 25” would be one of the grounds on which a penalty of up to 2% of total worldwide turnover or Rs 5 crores can be levied on a data fiduciary.

Section 25 of the Act states as follows:

Reporting of (***) data breach.

(1) Every data fiduciary shall by notice,(***) report to the Authority about the breach of any personal data processed by (***) such data fiduciary.(***)
(2) The notice referred to in sub-section (1) shall be in such form as may be specified by regulations and include the following particulars, namely:—
(a) nature of personal data which is the subject matter of the breach;
(b) number of data principals affected by (***) such breach;
(c) possible consequences of (***) such breach; and
(d) the remedial actions being taken by the data fiduciary (***) for such breach.
(3) The notice referred to in sub-section (1) shall be (***) issued by the data fiduciary within seventy-two hours of becoming aware of such breach.(***)
(4) Where it is not possible to provide all the information (***) provided in sub-section (2) at the same time, the data fiduciary shall provide such information to the Authority in phases without any undue delay.
(5) (***)
(5)The Authority (***)shall, after taking into account the personal data breach and the severity of harm that may be caused to the data principal, direct the data fiduciary to report such breach to the data principal and take appropriate remedial actions(***) to mitigate such harm and to conspicuously post the details of the personal data breach on its website.
Provided that the Authority may direct the data fiduciary to adopt any urgent measures to remedy such breach or mitigate any harm caused to the data principal.
(7) (***)

(6) The Authority shall, in case of breach of non-personal data, take such necessary steps as may be prescribed.

The obligations under Section 25 sub-sections (1) to (5) refer to “Personal Data”. Sub-section (6) empowers the Authority to prescribe the necessary steps to be taken in the case of Non Personal Data.

At this point of time, the bill will therefore not be applicable to the notification of a data breach of non personal data beyond what has already been prescribed under ITA 2000.

In the case of a Non Personal Data breach there is no harm caused to a data principal whose privacy is sought to be protected under this law. Hence any action required to be taken is not within the recommendations of the Supreme Court under the Puttaswamy Judgement. This is only an amendment to ITA 2000 and to the powers now available to the CERT-IN Director.

This opens up the question of whether administrative fines can be levied for a non personal data breach under DPA 2021. If this provision stays, will it be considered an “Extraneous Provision” to this law, one which overrides the powers of the Adjudicator and the Appellate Tribunal, as well as the High Court, which have jurisdiction for levying penalties for breach of non personal data under ITA 2000?

The idea that there has to be a single regulator for Personal and Non Personal Data is not wise, and it is likely to create confusion both for the judicial authorities and for the purpose of compliance.

It would also create one more level of overlap between the functions of a CISO and a DPO in an organization, since the DPO would have to keep track of Non Personal Data breaches as well, whereas the CISO also needs to keep track of Cyber and Information Security issues.

It is still not late for the Government to delete this aspect of data breach notification and also the applicability of the Act to non personal data under Section 2.

Naavi


Posted in Cyber Law

Black Money is the ultimate winner in the Crypto war

[Indian Economy being killed for the sake of Crypto Currency survival]

According to earlier reports, the Crypto Bill was expected to be discussed by the Cabinet on 15th/16th December 2021. So far there is no information, and it appears that the Bill was taken off the agenda under the pretext that it requires further improvements.

It is clear that the Ministry of Finance is not interested in the Bill and hence they are unlikely to declare completion of the work. There will be one excuse after another to postpone the presentation of the Bill until the Government surrenders to the digital black money.

We refer to the report in Moneycontrol.com which provides some information on the developments.

It is also stated that the scope of the bill will be expanded to include regulation of Non Fungible Crypto tokens (NFTs). This will further assist conversion of white money into black money and create value out of thin air.

Even if, by a provision of law, the use of “Crypto” as “Currency” is prohibited, once the concept of Crypto as an asset is permitted there will be ways of tokenizing the crypto asset so that it is used as an exchange medium. The investments which are today in the stock markets will shift substantially to Crypto assets. This will also give a boost to creating representative Crypto tokens which may be traded. SEBI is known to have already been compromised on the Crypto issue, and the attempt to remove RBI from the control is only to ensure that the only opposition to Crypto is eliminated.

If Crypto is allowed as an asset and traded, then it will not be long before we have tokenized assets replacing the stocks or Commodities in the market. Instead of buying L&T shares, we can create a Virtual L&T and trade its parts. These crypto L&T bits need not be backed by any revenue or income, and still they will command a premium, since there will be an artificial scarcity created through the algorithm.

We are presently hearing of Virtual Taj Mahal as a tradeable asset. Tomorrow there may be a virtual Ayodhya, Virtual Kashi, or Virtual Mathura or a Virtual Kashmir. Imagine the potential of Virtual Kashmir which can be sold and made into a tokenized currency to get global money to fund terrorists.

It would also not be unthinkable to see creation of even a “Virtual Modi” or “Virtual Sachin” or “Virtual Amitabh” as a tokenized asset.

If, for example, an algorithmically controlled limited version of a “Virtual Modi Crypto Asset” is created, and say there will be only 1000 original replicas which can be issued as an ICO in a competitive bid with a base price of USD 1 million, then it will surely be bought by some investors. Subsequently they may be resold in smaller units. 1000 original Virtual Modi Cryptos can each be divided into a million Modi Crypto bits, and we will have 1 billion Modi Crypto asset bits to be traded. They can be traded in the stock markets for thousands of rupees/dollars like the Bitcoins of today. They will be bought both by Modi Bhakts and Modi haters, for different reasons.

These thoughts may look crazy for the time being, but they will certainly happen in the days to come if private Cryptos are given even a small legal opening. (Similar concepts are already available in Virtual Cricket games.) Fraudsters and Scamsters will therefore have a field day if Crypto Currencies and NFTs are made legitimate investments.

It appears that India may win against the Pakistani Terrorists and even against Chinese might, but it cannot win the war against Black Money. Crypto currencies and NFTs are the weapons with which the economic invaders will humble the legitimate economic systems in India in the days to come.

If we want to protect the country’s economy from going to dogs, we need to say no to all forms of Cryptos and particularly the Private Crypto assets/currencies.

We pray that Lord Kashi Vishwanatha gives courage to Mr Narendra Modi to take on his most powerful enemy, namely Black Money in India.

I request Mrs Nirmala Sitharaman to rise above the fear of the unknown and kill Cryptos once and for all. Let India be the global leader in destroying the Crypto currency world. Kindly do not be misguided by vested interests who talk of Block Chain as an inevitable technology to sustain the argument for Crypto Currencies. The two can be separated, and we can kill Crypto assets without killing the Block Chain technology.

Even the need for an official currency is only a cover for keeping the concept of Crypto Currency alive. It makes no economic sense to have an official Crypto currency replace the current virtual currency system we have.

I hope the members of Mr Modi’s Cabinet show their political willingness to take on the Crypto currencies.

Otherwise we will have only one conclusion: that even Mr Modi was powerless against the digital black money, and we will have to reconcile ourselves in anguish: Et tu, Modi?

Naavi

Also see: NDTV report

Posted in Cyber Law

Copy of the Bill for Data Protection Act 2021 now available

The copy of the Bill tabled in the Parliament for Data Protection Act 2021 is now available in its official version.

Kindly check DPA2021 for details.

Naavi

Posted in Cyber Law