Metamorphosis of PDPSI to DPSI 2021

When India adopted the Information Technology Act 2000 as the law that first recognized electronic documents and also introduced the concept of “Vicarious liabilities/Due Diligence” for organizations, Naavi came up with the concept of “Cyber Law Compliance”.

Then, when the amendments of 2008 came into effect, Naavi upgraded the concept of Cyber Law Compliance with a specific framework, IISF 309 or the Indian Information Security Framework, so that organizations would have a specific framework to work on for compliance.

When PDPB 2018/2019 were introduced as a bill in the Parliament and sought to replace Section 43A of ITA 2000/8 with a complete act, Naavi and FDPPI worked on the concept of PDPSI, or the Personal Data Protection Standard of India, as a framework for being compliant with PDPB 2019 as an extended due diligence under ITA 2000/8, to be rolled over to compliance with PDPB 2019 when it became an act.

The JPC however made a surprise modification to PDPB 2019 by renaming it as DPA 2021 and calling it a common law for “Data Protection including Non personal Data protection”. Though ITA 2000/8 will lose only one section, namely Section 43A, on the passage of DPA 2021, and the rest of the Data Protection aspects continue to be covered by ITA 2000/8 under the supervision of CERT-In and the Adjudicators, the change of name of the Act to Data Protection Act and the introduction of Section 2(d), stating that the Act is applicable also to non personal data, brought in a significant difference to the compliance requirements under the Act.

At present, though the title has been changed and Section 2(d) has come into reckoning, the only operative change is in the reporting of Data Breach under Section 25, where breach of non personal data also has to be reported to the DPAI along with the breach of personal data, if any.

Where in a single data breach incident both personal and non personal data are breached, the data fiduciaries and Non personal data processors need to report the breach to the DPAI. The DPAI reserves the right to give any directions to the reporting company/organization on the action to be taken.

So far there is no indication whether the obligations of a data processor under ITA 2000 have been modified in respect of the data breach report to be sent to CERT-In. It can therefore be presumed that in case of a data breach involving both Personal and Non personal Data, a report has to be sent to both CERT-In as well as the DPAI. Both may come back with their own directions on what the organization needs to do. Probably CERT-In will leave it to the DPAI to provide directions regarding how the data principals need to be informed etc. In the case of a non personal data breach, the DPAI may leave it to CERT-In to provide whatever directions it wants to provide. Any other approach will not be in conformity with Section 56 of DPA 2021, according to which CERT-In would be deemed a “Sectoral Regulator” having concurrent jurisdiction under a law of the Parliament.

While the regulatory agencies would be able to coordinate between themselves, PDPSI and IISF 309 also need to be reconciled as frameworks that could guide organizations in compliance with ITA 2000 and DPA 2021.

PDPSI itself was built on the principle of a “Unified Framework”, a single framework for PDPB 2019 and GDPR or other data protection laws to which an organization is simultaneously exposed, and hence it is natural to ensure that between ITA 2000 and DPA 2021 also there is a “Unification” of compliance requirements.

Some of the other systems of frameworks create multiple frameworks for different instances of an organization's requirements so that there is a greater focus. It also helps in certification, so that multiple certification requirements can be created for the security compliance industry. However, from the perspective of a compliant organization, trying to get certified for multiple standards all leading to “Information Security”, whether it is “Personal Information Security” or “Non Personal Information Security”, and whether the system being audited is “ISMS”, “PIMS” or “DPMS”, is an overlap of efforts leading to additional cost and effort with marginal benefit.

FDPPI would therefore like to stick to its principle of a framework for “Compliance with the Data Protection Law”. Earlier PDPSI was meant to certify the PDP-CMS (Personal Data Protection Compliance Management System) and now it has to transform itself into a means of being certified for compliance with the new “Data Protection Compliance Management System”.

Accordingly, necessary minor modifications are being made to the erstwhile PDPSI standards and implementation specifications to accommodate

a) Consent for anonymization

b) Reporting of Data breach of non personal data

and any other measures that the DPAI may include in its future notifications.

Compliance with ITA 2000 will be an extension like the current extension for GDPR, CCPA etc. and will be handled with the classification of data into

a) Personal Data under DPA 2021

b) Non Personal Data under DPA 2021

c) Personal Data under GDPR

d) Personal data under CCPA… etc

Having classified the data to which DPA 2021 is applicable into two categories, personal and non personal data, the first level of compliance will be as per DPA 2021, which will only cover the data breach notification requirement as of now. Where compliance with ITA 2000/8 needs to be assessed, the controls will be interpreted from the requirements of ITA 2000.

ITA 2000 compliance requirements will basically revolve around the Confidentiality, Integrity and Availability of non personal information, along with Section 7A (data integrity audit), Section 3/3A (Authentication), Sections 69, 69A, 69B, Sections 65-75 etc.

The Certified PDP CMS auditors have presently been trained in PDPB 2019 compliance and will adapt to DPA 2021 requirements. They have been exposed to ITA 2000 compliance only to a marginal extent. Hence it would be necessary for the PDP CMS auditors to undergo additional training on ITA 2000/8 compliance requirements.

Measures are being initiated to ensure that this change of PDPSI auditors to DPSI auditors is worked out.

Naavi


FDPPI celebrates International Data Privacy Day 2022


Good Bye PDPB 2019, Welcome DPA 2021/2022

The 5th issue (first of 2022) of the Data Protection Journal of India has been released.

Last year FDPPI started the Data Protection Journal of India as a quarterly journal. The journal has now completed one year of its existence.

The latest issue, released today, discusses the changes between PDPB 2019 and the JPC corrected version, DPA 2021, which, if passed in the budget session, would perhaps be called DPA 2022.

I hope readers would enjoy the information contained in the journal.

Naavi


International Data Privacy Day is today

As the world rallies around International Privacy Day with activities creating awareness about Privacy, India awaits the beginning of the budget session in the next couple of days with the hope that the long awaited Data Protection Act is passed by the Parliament.

The Personal Data Protection Bill has been in the Parliament in different versions since 2006. The new versions following the Supreme Court decision of 2017 and the Justice Srikrishna Committee report, in the form of PDPB 2018 and PDPB 2019, are now back in an updated version as the Data Protection Act (DPA 2021).

Data Privacy legislation is complex legislation that has a huge impact on the industry as well as the functioning of the Government. Privacy activists always like to have a law that allows little freedom to the Government or to Business to make any use of personal data, either for national security or for business considerations.

The recent decisions of the EDPB in directing Europol to delete substantial parts of the surveillance data held by them, and further passing an adverse order on the EU Parliament itself for allowing data transfer from the EU to the US, indicate a tendency of the regulators to get carried away with their own thought process of “Privacy Above All”.

But it is necessary for all Privacy enthusiasts, including the regulators, to keep their feet on the ground and remember that no legislation can ignore that the law has to maintain harmony between different rights, such as the Right to freedom of information and the Right to security. Individuals whose privacy needs to be protected have to accommodate the existence of other citizens who are concerned about the security of the state, and also the right of business to exist and grow.

Several of the observers in India were critical of the constitution of the selection committee of the DPA in the earlier version of the Bill. They felt that there is a need for a completely independent authority who can take on the Government if required. However, the developments with the EDPB appear to indicate that “Unlimited power with the DPA” is a danger by itself and, if the powers are not balanced, there is a danger of the DPA becoming an anti-India institution.

Fortunately DPA 2021 tries to understand this need of the society and tries to balance the needs of the different stakeholders.

Let us therefore enjoy a balanced view of Privacy as is projected by the DPA 2021.

Naavi


Data Privacy Day of India is today

We Indians often forget our own history but remember the colonial history. This is as true of the story of Indian independence as of the story of India’s journey to the era of Privacy Protection and Data Protection.

Today, January 26, most of us recognize as “Republic Day”, when the Constitution was adopted in 1950, and we remember January 28 as International Privacy Day.

We must recognize that the “Right to Privacy”, which was upheld as a fundamental right by the Supreme Court of India on 24th August 2021, is extracted out of the Right to Life and Liberty under Article 21 of the Constitution. The Supreme Court did not pass a new law recognizing the right to privacy. It just re-iterated that the right was already there and we did not know it. (Remember the advertisement of Amazon Pay!)

Hence January 26 should rightfully be recognized as the Indian Privacy Day, though International Privacy Day is celebrated on January 28. This will at least establish that India did not wake up to Privacy only after GDPR but had recognized the concept at the beginning of our democratic life itself.

If, however, we want to celebrate the concept of “Data Protection” or “Information Privacy”, perhaps October 17, 2000 (the date when ITA 2000 was notified) is the right day. On this day electronic documents got legal recognition, and the recognition that Privacy protection extends to protection of personal information came with the passage of the Information Technology Act 2000.

On this day, we started recognising that personal information in electronic form needs to be secured for protecting the privacy of an individual. The law stated that failure could result in penalties under Section 43, imposed by the Adjudicating Officer, who is the regulatory authority.

Again, since the focus of ITA 2000 was more on Cyber Crimes, we did not recognize it as a Data Protection Law.

Even when the amendments were passed in 2008 and made effective on 27th October 2009 with the introduction of Sections 43A and 72A, we failed to recognize that the Data Protection Act had become operative in India.

We even missed 11th April 2011, when the more detailed “Reasonable Security Practice” rules under Section 43A were released, containing a summary of what we recognize today as DPA 2021; not even then did we realize that India’s Data Protection Day had arrived.

But it is never too late to realize the truth. Just as it took us 75 years to realize that Netaji Subhash Chandra Bose has a legitimate claim to be called the first Prime Minister of India, January 26 has the claim to be called the Indian Privacy Day and 17th October has the claim to be called the first Data Protection Day of India.

Hopefully this truth will start sinking in with the professionals now.

Naavi


Is EDPS endangering the global community including India?

Recently, when the JPC submitted its report on PDPB 2019, dissent notes were presented by a few members of the committee belonging to opposition parties. Some of these were related to “Excessive powers” to the law enforcement and “Lack of parliamentary oversight”.

Two recent incidents in the EU directly reflect the views of the EU community on these issues and are interesting for us to take note of, since they may come up for discussion during the Parliamentary debate on the DPA.

While it is difficult to accept the views of the EU society on both these counts, it is nevertheless interesting to take note of these issues.

First is the decision of the EDPS passing an order on Europol to delete a vast amount of data held for criminal investigation purposes. Second is the reprimand issued to the EU Parliament itself for violations of GDPR.

No doubt the EDPS appears to be a hero in his own right but whether these actions are good for the society in the long run is difficult to say.

The EDPS involved is Mr Wojciech Wiewiórowski, who was appointed on 5th December 2019 for a term of 5 years. Earlier he served as Assistant European Data Protection Supervisor from 2014 to 2019.

He is certainly a highly learned person with vast experience in the field of Data Protection, and served as the Polish Data Protection Commissioner from 2010 until he moved to the EDPS.

In the first instance the EDPS accused Europol of becoming a counterpart of the NSA in the USA and clandestinely spying on citizens in a mass surveillance effort.

It is said that Europol has accumulated quadrillions of bytes of sensitive data (about 4 petabytes equivalent to 3 million CDROMs).

The data has been collected from various sources, including criminal records, data extracted from encrypted phones and other sources. The EDPS has ordered that the data shall not be held for more than 6 months and that Europol shall take steps to delete the rest of the data within one year.

Technology has been used for everything from Artificial Intelligence, Robots, 3D printing and Crypto currencies to Web 3.0 and so on. But when law enforcement wants to use technology there is objection from many quarters. This discrimination against the use of technology for national security is not good for the society.

In another decision, the EDPS has issued an order reprimanding the EU Parliament for allowing transfer of data to Google and Stripe against the Schrems II principle.

Though no fine was imposed, a reprimand has been issued along with an order to make changes to the notice and address the other issues pointed out.

For some this may seem a heroic commitment to privacy, where the EDPS has taken on its own appointer (like the Bhasmasura syndrome referred to in another context). But if we consider the long term implications of both these decisions, it appears that the EDPS is indirectly endangering global security by assuming for itself power over and above the European Parliament and Law Enforcement, and is diluting the counter terrorism efforts of Europol.

Naavi.org had raised the red flag in June 2018 on “Whether GDPR will convert the entire Internet into Deep web” by carrying Privacy beyond its natural limitations. It appears that this prophecy is now coming back to haunt us. On the one hand the “Meta Verse” mafia has joined hands with the Crypto Currency mafia in an attempt at creating a Web 3.0, which is an attempt to create a nation beyond all nations. At the same time, people on the right side of the law like the EDPS are showing a holier than thou attitude on privacy, diluting security to the extent that criminals and terrorists will thrive.

This fight between the Privacy activists and National Security agencies in the EU is not an internal issue of Europe. If Europol is not able to gather enough intelligence to identify terror activities, then terrorists operating from within Europe may attack not only the EU but also other global citizens. We in India are therefore concerned about the stance taken by the EDPS on the Law Enforcement issue in particular, and wish that Europol is not weakened by the over enthusiasm of the EDPS.

A serious global debate needs to be undertaken in this regard by all the security agencies. Perhaps the NIA should take the lead in discussing with the NSA, Europol and other similar agencies to ensure that Europol is not rendered impotent.

A time has come for the Indian Government to ensure that, while passing the Indian act, security concerns are not ignored. After all, the Right to security is as much a fundamental right as the Right to privacy, whether the Supreme Court agrees or not.

Naavi
