The copy of the Bill tabled in the Parliament for Data Protection Act 2021 is now available in its official version.
Kindly check DPA2021 for details.
Naavi
According to information floating around, the Data Protection Bill 2021 which is the next version of PDPB 2019 as modified by the JPC-1 under Mrs Meenakshi Lekhi and JPC-2 under Mr P P Chaudhary is likely to be presented in the Parliament today. It will be taken up for further discussions based on the time allocated.
A tentative copy of the modified bill is available at www.dpa2021.in
Some Comments have already been presented in this website in the last few days. These are available below.
Yet another bill which may be presented in the Parliament today is the Crypto Bill which also is the revised version compared to the 2019 version.
In the event the Crypto Bill is presented, there is an expectation that a large number of people will disinvest their Bitcoin holdings and the money will flow to the Indian stock markets, which should see a boom. For the last few days some media sources have been building up the hype that the Bill is likely to be postponed, and hence the stock market was seeing a flight of capital into investments in crypto currencies. This trend could reverse immediately if the Bill is presented.
Let us hope both the bills would be presented today to the Parliament so that they can at least move to the next stage before they are passed.
Naavi
IMF has given a clear warning that if crypto currencies are recognized as legal tender, there would be macroeconomic instability.
Some of the comments made by IMF are:
It does not require rocket science to understand that if an anonymous form of currency comes into existence in the form of Bitcoin like Cryptos or the Crypto Assets such as Virtual Tokenized assets, the impact on the economy would be devastating and chaotic.
The Cryptos will definitely be attractive for all tax evaders, criminals and terrorists, who are all in a majority in the world today. The honest tax payer is in a minority the world over. Politicians who make rules are the primary corrupt persons who want continuation of the digital black currencies, and bureaucrats find it comfortable for taking bribes.
In such a scenario, the hesitancy of the Indian Government to take on the banning of private cryptos is understandable though regrettable. What is a tragedy however is that even Mr Narendra Modi is not able to take a decision probably because the majority of people around him are in favour of Cryptos.
The recent hacking of Mr Modi’s twitter account to promote Bitcoins is not surprising since a majority of persons associated with Bitcoins are criminals and expert hackers. They will continue to undertake their Cyber Terror attacks such as these to show off their strengths.
If we are not buckling under the terror attacks in Kashmir, we should not buckle under the Bitcoin sponsored attacks also.
According to today’s press reports, the presentation of the Bill in the Parliament is likely to be delayed. I hope this is only wishful thinking on the part of the industry. But we need to keep our fingers crossed and wait to see whether the Government has the courage to take on digital black money or not.
Naavi
Naavi had published the book on “Personal Data Protection Act of India (PDPA 2020)”, which was based on the version of the bill presented in the Parliament as PDPB 2019.
Now the Government has made changes and is in the process of introducing a new version of the Bill during the next few days. Following this we will have an idea on whether it will be passed as such or will be debated in the next budget session.
A new version of the book will therefore be due in the month of March 2022 based hopefully on the new version of the Act.
In order not to discourage readers who would continue to buy the current version of the book as available on Notion Press, Amazon or Flipkart, we want to provide this offer on a contingent basis, subject to a new version of the book being made available later in the year 2022.
For those of you who bought this book before 1st December, some benefit as would be appropriate would be made available. Kindly await the announcement.
Naavi
One of the interesting new propositions in the PDPB 2021 as compared to PDPB 2019 is the professional status of the Data Protection Officer.
In all data protection laws, there is a requirement that data controllers/fiduciaries who handle large volumes of personal data or who handle sensitive personal information should designate a special official called the “Data Protection Officer” (DPO) who can be accountable for compliance.
The DPO has to have sufficient knowledge of the data protection law to guide the organization besides having adequate knowledge of security aspects to understand terms like DPIA, Privacy by Design, Data Trust Score etc. Most laws expect the DPO to be also capable of dealing with data subject relationships and also the relationship with the regulators as a single point contact in the company.
While dealing with the regulators, it is not simply a relationship of reporting a data breach. The law expects the DPO within the company to be an extended arm of the Data Protection Authority (DPA).
When a data breach occurs, one of the key decisions to be taken is whether to report the breach to the DPA and, in some cases, to the data principals. But when the data breach is first discovered, or when there is a suspected data breach, the company may be concerned about the reputation damage to itself from the disclosure of the breach and would like to avoid disclosure if possible. On the other hand, the DPO is expected to look at the harm from the perspective of the data subject/data principal and take a view accordingly. In such situations there could be a serious conflict between the DPO role and the company itself.
In certain circumstances, there could be a lapse by an influential internal employee who would like the suspected breach to be ignored and would prevent the DPO from reporting it either within the organization or to the DPA. In such cases the DPO is required to possess a high degree of interpersonal skills to ensure that he fulfils his duty to the DPA/data principal even at the cost of displeasing somebody within the organization.
These situations open up a discussion on the exclusive skills that the DPO needs to possess and on determining the credentials required for a person to be appointed as a DPO.
One of the additional requirements that a DPO needs to possess to meet such requirements is a high degree of “Interpersonal Skills”. This is a behavioural skill normally possessed by the HR persons. Another skill is the grievance redressal skills normally available with the legal professional. Successful leaders are born with such skills or have such skills developed over time through experience and learning.
Hence when a new DPO needs to be appointed, the organization has to scout for the right skills. If the company tries to find a short cut and designates a CTO, CISO, CCO or CRO also as the DPO, then there could be a conflict with other duties as well as a serious deficiency of “aptitude”.
For example, typically the CISOs are technical experts and perfectionists. Their expertise is focussed on technology. They may not necessarily be good at man management. The HR executive or a marketing person may, on the other hand, be a good man manager and communication manager but weak in technology. Most of these may not be well versed in the subject of law. Hence it is not always easy to find an internal candidate to fit the DPO role.
Yet another problem in promoting one of the existing members into the DPO position is the seniority at which they can be fixed. The legal officer may be the best person for the job but the current functional level of even the Chief Legal Officer may be at a level below that of a CISO or a CTO in a tech company. The DPO position may however be a level above CISO and not necessarily below the CISO/CTO.
In GDPR, the law suggests…
a) The Organization shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
b) The organization shall support the data protection officer in performing the tasks by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.
c) The organization shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks and he or she shall not be dismissed or penalised by the controller or the processor for performing his tasks.
d) The data protection officer shall directly report to the highest management level of the controller or the processor.
The above requirements indicate that the DPO must be a senior person if he is an employee. GDPR however allows an external consultant to be designated as a DPO which could avoid the conflict arising out of the seniority of the CISO/CTO in the organization who needs to accept suggestions from the DPO.
In the Indian law (PDPB 2021), Section 26 states that the DPO shall be a
“…. a key managerial personnel in relation to a company or such other employee of equivalent capacity in case of other entities, as the case may be, possessing such qualifications and experience as may be prescribed …”
The explanation to the section mentions that
“Key managerial personnel” means—
(i) the Chief Executive Officer or the managing director or the manager;
(ii) the company secretary;
(iii) the whole-time director;
(iv) the Chief Financial Officer; or
(v) such other personnel as may be prescribed.
The Indian law also prescribes that the DPO should be in India and it appears that the person has to be an employee.
A careful examination of the above indicates that the DPO can be the Managing Director or the Company Secretary or a Whole time Director or a CFO. We need to await the regulatory guidelines to understand how the DPA interprets this explanation and whether the law presumes that there is no conflict with DPO roles for the CFO or the Company Secretary and the roles such as CISO are not mentioned because there is a perceived conflict.
Even where an external consultant is appointed by a company for his expertise, it will be necessary for an internal employee to be designated as a DPO and such internal employee has to be a key management personnel.
Because of this provision, it is clear that the law expects the DPO to be a fairly senior person and could even be at the level of the whole-time director.
Additionally, under Section 85 (PDPB2021), if an offence is attributable to the negligence of an official then he may be held liable for criminal punishment.
The position of the DPO is therefore more onerous than that of the CISO and hence it would be inevitable that he is designated at the CxO level with remuneration that matches the responsibility.
It would be interesting therefore to observe how the Indian companies develop their internal employees to fill this role or bring in outsiders at the senior level, which could cause some heartburn within the organisation.
It is therefore advisable for CISOs and CTOs to quickly gear up their skills and be ready to bid for the position of the DPO. From our experience of GDPR, DPAs may consider combined designations such as Compliance Officer cum DPO or CISO cum DPO as creating conflicts.
The mention of the “Company Secretary” in the list of key management personnel is interesting since Company Secretaries have the experience of holding a “Fiduciary” relationship, where they have to safeguard the interests of shareholders and be the whistle-blowers if there are violations of Corporate Governance principles. The “Statutory Auditors”, who come from the community of Chartered Accountants, are also trained to be independent in their views and to express qualifications in the audit reports if they find any non-compliance issues. The CFOs come from the same community of Chartered Accountants and hence at least a few of them retain the independent attitude needed to handle the fiduciary responsibilities that a DPO is expected to handle. Perhaps this is the reason why a CFO has been mentioned in the example of key personnel.
However, the CFO and the CEO will have their own business related conflicts with the duties related to the DPO and hence conflicts may continue to be there. A Company Secretary is better placed amongst these executives to be a DPO though in Tech Companies, the Company Secretary may not be a key position at present and elevating him to the level of DPO may ruffle some feathers.
The best solution is therefore to appoint an exclusive person to the DPO position who could be a whole time director or Independent Director of the Company.
It is a challenge for Boards of potential “Significant Data Fiduciaries” to sort out these issues quickly and be ready for the passage of PDPB 2021.
(Comments welcome)
Naavi
Other articles on DPA 2021
7. Anonymisation is like Encryption with a destroyed decryption key
6. PDPA 2021: The data breach notification regarding Non Personal Data
India enacted ITA 2000 (Information Technology Act 2000) with effect from 17th October 2000 and amended it in 2008 with effect from 27th October 2009. The provisions of ITA 2000/8 included legal recognition for a binary expression which we refer to as an “Electronic Document”, and how such electronic documents can be used and the consequences of its mis-use.
In the amendments of 2008, the act was sharpened with the introduction of how sensitive personal data is expected to be protected through a “Reasonable Security Practice” and the consequences for negligence in the process.
The Personal Data Protection Act (PDPB 2021) and the Crypto Currency Regulation bill which are presently being considered in the Parliament for passage have opened up some discussions on what is the legal nature of some special kinds of electronic documents.
Arguments in the context of the Crypto Currency bill revolve around the need to ban crypto currencies from private entities since they could destroy the legitimate economy by undermining the central bank currency. However, when it comes to the legal status of a crypto currency, it has its recognition as an “Electronic Document”, and hence one argument is that it should be considered as a separate asset class and allowed to be traded in the stock markets like a “Commodity”.
The now abandoned draft Bill DISHA (Digital Information Security for Health Act) had provided that “Health Data” is owned by the health data subject as if it was a “Property”.
The PDPB 2021 considers “Personal Data” as a special kind of data and ascribes a whole lot of regulations on how it can be collected, used and disposed along with the consequences of contravention of the provisions.
In perception, Personal Data is a separate asset class in the corporate data asset store, and to be compliant with PDPB 2021 an organization needs to recognize its “Personal Data Asset”, classify it as personal, sensitive personal, critical personal etc., create an inventory, tag it with the country of origin of the data principal, the notice and consent associated with its collection and usage, and so on. The personal data is not a single piece of data and is often an aggregation of data elements from different sources at different points of time. It has depth and width. It also has a quality tag and an erosion of quality over a period of time.
In view of the fact that personal data, like all data, has an economic value to the user organization, different types of personal data have different values, and the “Data Valuation Standard of India” (refer www.dvsi.in/wp) has developed a tentative methodology for valuing the data in the control of organizations and bringing it to the books of account.
However, in the midst of these activities, the treatment of the data of “Deceased” data principals has been an issue that required attention. In several articles on naavi.org (Refer here) we have discussed this issue in the past.
One of the issues discussed therein is whether the ITA 2000/8 Section 1(4) Schedule can be amended to include the feasibility of a “Will” for data assets. The other option is to provide for a “Nomination” facility under law.
In financial assets there is both the provision of a “Will” through which the financial assets can be passed on to legal inheritance as well as nomination of Bank accounts.
The nomination facility for Bank-held assets was brought in through section 45Z (introduced in 1985) of the Banking Regulation Act, which states as follows:
45ZA. Nomination for payment of depositors’ money.—
The legal jurisprudence on the nomination facility in the banking system is that payment or delivery of articles to a nominee discharges the Bank of its liabilities, though it is not a legal settlement of the title. The legal heirs are free to settle their claims separately through testate instruments such as a Will or through other measures available under the transfer of property provisions of law. Nomination does not settle legal ownership and is only a procedural facilitation for the convenience of the banking system.
Now, PDPA 2021 introduces the concept of Nomination in respect of “Personal Assets” through a provision in the Bill.
Under the proposed Section 17 (4) regarding Rights of the Data Principal, it is provided that
“The data principal shall have the following options, namely:-
(a) to nominate a legal heir or a legal representative as his nominee;
(b) to exercise the right to be forgotten; and
(c) to append the terms of agreement, with regard to processing of personal data in the event of the death of such data principal.”
Reading this along with the current provisions of ITA 2000, we need to interpret this provision as being only for “Nomination” and not for transferring “Legal Ownership” of the data. Hence this also does not confer the status of “Property” on the data.
This provision also has another anomaly, since it tries to provide rights of amendment to a contract signed when the person was alive and in respect of a right that does not subsist after the death of a person.
This needs to be corrected by changes to this amendment, failing which this provision could be considered as “Ultra Vires” the established process of law and introduce an ambiguity that will become a focus of endless litigation in future.
If this section survives the passing of the Bill, then watch out for the amendments to be made to PDPSI (Personal Data Protection Standard of India) implementation specifications where we may suggest how this anomaly may be handled.
Naavi
(Comments welcome)