The IDPS 2021 is now less than a month away

The flagship event on Data Protection in India for the year, namely IDPS 2021, is being conducted as a virtual conference on November 17, 18 and 19.

The eventful three days will host 9 Panel Discussions and several Keynote speeches from eminent industry professionals.

At present the registration is free. Please block your calendar and register yourself.

The program schedule is here.

Naavi

Posted in Cyber Law | Leave a comment

21st Anniversary of the Digital Society Day of India


Mr Suresh Kumar, the then Law Minister of Karnataka inaugurated a seminar on Privacy on October 17, 2008 at KLE Law College, Bangalore, seen here with Naavi

 

On 17th October 2000, India notified the Information Technology Act 2000. With the notification, for the first time in India, “Binary Expressions” processed in “Computers” were recognized as Electronic Documents and equivalent to written documents (subject to exceptions in Section 1(4) of ITA 2000).

Simultaneously, digital signatures were recognized as a form of authentication and digital contracts recognized in law became feasible.

This was the birth of Digital Society in India. Today, 17th October 2021, is the 21st anniversary of this momentous day.

Naavi has been advocating that this day has to be commemorated as the Digital Society Day of India since it marked a significant change in the history of India. If we are today talking of Digital India and taking pride in our achievements in digitization, the origin of this Digital India was in the legal recognition of digital documents.

The importance of October 17 increased when ITA 2000 was upgraded with the amendments of 2008, which incidentally became effective from 27th October 2009. With this amendment, ITA 2000 fortified its provisions on “Personal Data Protection” and “Non Personal Data Protection” with the introduction of sections 43A, 72A, etc.

Even after Section 43A is replaced when PDPB 2019 is passed into an Act, the remaining provisions for data protection in ITA 2000 continue to make it the principal Cyber Law of India.

Let’s remember this day therefore as the day Indian Digital Society was born. Hope some day in future, MeitY will recognize the importance of October 17 for the Digital future of India and start commemorating the day officially.

It may be recalled that Naavi along with KLE Law College, Bangalore conducted a major event on Privacy way back on 17th October 2008 which was inaugurated by the then Law Minister of Karnataka, Mr Suresh Kumar.

That was the time when the Personal Data Protection Bill had been presented in the Parliament along with the ITA 2000 amendment Bill. ITA 2000 amendment bill became a law and created the ITA 2008 version of ITA 2000. The Personal Data Protection Bill however lapsed and we are still struggling to bring a law for Privacy Protection in India.

Today’s Privacy Activists need to refer to the events of this seminar available here and see how the Digital Society Foundation of India, started as a trust, tried to establish an organization which, inter alia, was interested in developing education on Cyber Law in India. However, this initiative could not be sustained. The current day FDPPI is a new incarnation of the DSFI which appears to have taken off because the environment is more conducive today to Privacy and Data Protection.

A copy of the Personal Data Protection Bill 2006 presented in the Parliament at that time is available here and is worth looking into when analyzing the legislative history of PDPB 2019.

Some more photographs of the event are here:

 

When the Indian Data Protection Summit 2021 (IDPS 2021) discusses the Past, Present and Future of Privacy Law in India, it is necessary to remember this 2006 version of the Bill which faded into oblivion.

Naavi


Privacy Awareness Movement to be launched on this Vijayadashami Day

Naavi, the Chairman of FDPPI, had earlier undertaken the “Karnataka Cyber Law Awareness Movement” in 2005, during which long certification courses were conducted across Karnataka in Bangalore, Mysore, Hubli and Mangalore under the umbrella of Cyber Law College.

Cyber Law College is a division of Ujvala Consultants Pvt Ltd which is a supporting partner of FDPPI.

In a new comprehensive outreach program, Naavi is now scheduling an “Indian National Privacy Awareness Movement” (INPAM) starting from the Vijayadashami day on 15th October 2021.

The INPAM would be a free program aimed at ordinary citizens and students to make them aware of the concept of “Privacy”, “Data Protection” and the “PDPB 2019”.

The program would be conducted on the FDPPI mobile app, available here:

https://play.google.com/store/apps/details?id=co.edvin.titge (for Android)

https://apps.apple.com/in/app/myinstitute/id1472483563 (for iOS)

Please download the App and await further instructions on the batches.

The program would initially be launched in English and Kannada and later different batches would be introduced in different languages.

Naavi


Will Convergence Act Come back?

Today’s Economic Times carries a report “Center Weighs Single Nodal Policy”. According to the report, the Government is contemplating a new “Nodal Policy” for Social Media to tackle the aggression of the rogue Tech Companies who have no respect for Indian sovereignty.

In the process however, the Government has once again shown that it does not want to confront the media and is ready to compromise on the Intermediary Guidelines of February 25th, in which an attempt was made to bring self regulation on social media to curb fake news.

It is disappointing that time and again the Government shows its indecisiveness and takes one step forward and two steps backward when it comes to taking tough decisions whether it is the farm laws or the amendments to ITA 2000 or the Personal Data Protection Act.

The opposition may appear weak whenever elections are held in India but their hold on media is so strong that any new law will be opposed both in the media and in the Courts. It is for this reason that media can get away with advertisements to recruit journalists with the sole purpose of opposing the Government and Courts which spend endless hours to defend anti nationals and bail applications in serious narcotics cases while genuine cases languish in pendency.

The move on “Single Nodal Agency” reminds us of the “Convergence Bill” which was hotly debated in the years 2000-2001 before being dropped like a hot potato for reasons of political expediency.

It may be interesting to look at some of these old forgotten issues in the articles available in the links below.

https://www.naavi.org/cl_editorial_04/edit_01_mar_11_01.htm

https://www.naavi.org/views.htm

Knowing the attitude of the press, the opposition and the Courts, the attempt to bring a “Single Nodal Policy” will only mean that the “Self Regulation” envisaged under the Intermediary Guidelines of February 25th may take a back seat.

Let us wait and see if the new Ministry is able to cut the hesitancy and make bold moves required to take India forward.

Naavi


DPSI the Twin of PDPSI is now before us

In December 2000, Naavi started the promotion of the concept of “ITA 2000 Compliance”… as the digital mantra for the corporate era. In 2008, the amendments to ITA 2000 changed the characteristics of ITA 2000 into a security oriented law and ITA 2008 compliance became a mandatory requirement.

ITA 2008 compliance included compliance of Section 43A which covered Personal Data Protection. 

This translated in 2009 into a framework named Indian Information Security Framework IISF 309 which was being used for ITA 2000 compliance. After some evolution, IISF 309 had become a 30 parameter framework as indicated below.

This framework was confined to 30 requirements and not the 114 requirements which we today look at in ISO 27002. However, it covered the essential aspects required for meeting all the requirements as required under ITA 2000 including the Grievance Redressal. It also recognized the responsibilities of operational executives other than the IT executives.

Consequent to the focus that has now come on PDPB 2019, there was a need for a special framework for Personal Data Protection and it emerged as the PDPSI or the Personal Data Protection Standard of India. This framework had 50 implementation specifications under the umbrella of 12 standards. It was an expansion of IISF since new controls became necessary for Privacy management.

The PDPSI started with a “Classification” of data into “Personal Data” and “Non Personal Data” and thereafter PDPSI focused on the requirements for Personal Data Protection as per the law. The Non Personal Data Protection was left as “DPSI” or “Data Protection Standard of India” to follow under the IISF 309 approach.

This has now evolved into a 33 point framework as follows.

It may be observed that the new framework incorporates the concepts such as the Data Value accounting which came up during the PDPSI discussions.

It was initially expected that the PDPB2019 will restrict itself to Personal Data Protection and a separate law will be passed for “Non Personal Data Governance”.

The PDPB 2019 therefore defined “Data” as “Personal Data” based on certain parameters and what was not “Personal Data” was considered “Non Personal Data”. In this distinction there was one set of data which was “Personal Data” and upon Anonymization, became “Non Personal Data”.

There was a confusion in the industry, which got carried onto the JPC, that Anonymization is another form of De-Identification or Pseudonymization. The fact that Anonymization is an “Irreversible” transformation of what was hitherto “Personal” into “Non Personal Information”, while de-identification and pseudonymization were “reversible”, was not sufficiently digested. The Personal Data Protection Authority was expected to develop an acceptable standard of “Anonymization” that would render “Personal Data” into “Non Personal Data”.

The lack of confidence of technology specialists that there could be an acceptable level of “Anonymization” which could be adopted as a standard, while a “Brute Force Attack to re-identify an anonymized information” could be covered by the law that criminalized such a “Brute Force de-anonymization”, led the new JPC to consider some changes to the PDPB 2019 as approved by the earlier JPC chaired by Mrs Meenakshi Lekhi.

The leaked reports about the possible modifications to the earlier draft of PDPB 2019 now contain a rumour that the “Data Protection Authority” to be named under PDPB 2019 will be entrusted with the responsibility of both Personal Data Protection and Non Personal Data Governance. Also, the reporting of the “Data breach Notification” under PDPB 2019 will now also cover the reporting of “Non personal data breach”.

The Non Personal Data Governance requirements as suggested by the Kris Gopalakrishnan Committee require deliberation of a few years and cannot be brought into the PDPB 2019 in the draft which is expected to be presented in December 2021 to the Parliament. It is therefore expected that whatever changes may be made in the PDPB 2019 regarding Non Personal Data would only be peripheral.

While making the DPA responsible for the “Anonymization Standard” is natural and to that extent the DPA becomes an authority to regulate the “Converted Non Personal Data”, the entire regulation regarding Non Personal Data Governance is a completely new law which requires a different regulator. While PDPB 2019 is a “Privacy Protection oriented law”, the “Non Personal Data Governance Act (NPDGA)”, as it may be called, would be a law on how to monetize the non personal data. This involves more of Data Valuation and Data Marketing.

Just as a CFO and CMO often have different perspectives in business, the PDPA regulator and the NPDPA regulator need to have diametrically opposite attitudes to business. The PDPA regulator will be close fisted and inward looking and the NPDPA regulator will be an extrovert and more liberal.

Combining the two roles could result in some conflicts and be dysfunctional. The Courts, which are following the directions of the Puttaswamy Judgement and expecting PDPA-India to be able to meet the standards of Privacy protection under the Puttaswamy judgement guidelines, will find the combined law, if it comes forth as a Personal and Non Personal Data Protection Act of India, to be a dilution of the requirements expected for personal data protection.

This approach will deviate from the global standards which keep the Personal Data regulations under laws such as GDPR and CCPA and keep the Non Personal Protection as part of the “Computer Abuse regulation” or “Cyber Security Act”.

Since it appears that the DPA under PDPA 2019 would be declared as also the regulator for Non Personal Data Protection (which is now the responsibility of the Director CERT-IN under ITA 2000/8) and that the “Non Personal Data Breach Notification” would be shifted from the CERT-In to the DPA under the new PDPB2019, the industry needs to gear up to meet this change.

Since an organization following the PDPSI framework for meeting the standards of PDPA-India will have to watch its back for protection of “Non Personal Data of whatever nature” that is brought under the new version of the Bill (e.g. “Anonymized Personal Data”), it has become necessary to emphasize that PDPSI has to be complemented with the DPSI at least as applicable to the “Data Breach Notification” requirements.

Even if the change is restricted to the reporting of breach of non personal data only, this would require identification of a potential data breach, forensic investigation and a harm audit, all directed to Non personal data. Hence there would be a need to take a holistic view of the Personal Data Protection and the Non personal Data Protection (to the extent covered under the PDPA-India) at the time of compliance.

The 33 point framework indicated above therefore becomes the twin framework to be considered by all organizations. 

The framework will be further expanded with detailed notes shortly.

Naavi
