Final Version of Supplementary measures by EDPB on SCC

On June 21, 2021, the EDPB adopted the final version of its recommendations on supplementary measures, following the earlier recommendations of November 2020 issued after the Schrems II ruling of the EUCJ.

The final version of the Recommendations includes several changes to address comments and feedback received during the public consultation and places a special focus on the practices of a third country’s public authorities.

The modifications include:

- the emphasis on the importance of examining the practices of third country public authorities in the exporters' legal assessment;

- the need to determine whether the legislation and/or practices of the third country impinge, in practice, on the effectiveness of the Art. 46 GDPR transfer tool;

- the possibility that the exporter considers in its assessment the practical experience of the importer, among other elements and with certain caveats; and the clarification that legislation of the third country of destination allowing its authorities to access the transferred data, even without the importer's intervention, may also impinge on the effectiveness of the transfer tool.

This means that the Data Exporter has the responsibility to apprise itself of the laws of the destination country and not depend entirely on the existence of a written contract. Some due diligence is required to be exercised.

It was in this context that FDPPI came out with a note on the “Surveillance laws” in India to assist the Data Importers in India who had to keep their vendors informed about the laws in India.

India is a sovereign country and therefore does not submit to arbitrary contractual obligations that prevent a Data Importer from challenging the local Government when a need for surveillance arises under due process of law.

The full text of the Recommendations is available here:

The principles stated in the guidelines are that:

1. Controllers should know their transfers
2. Controllers should verify the transfer tool relied upon
3. Assess if there is anything in the law of the destination country that impinges on the effectiveness of the safeguards
4. Identify and adopt supplementary measures that are necessary
5. Take such formal procedural steps as may be required under Article 46
6. Re-evaluate at appropriate intervals the level of protection afforded to the transfer

It may be recalled that Article 46 of GDPR provides that, in the absence of an "Adequacy" decision, the following appropriate safeguards are available for transfers:

(a) a legally binding and enforceable instrument between public authorities or bodies;
(b) binding corporate rules in accordance with Article 47;
(c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2);
(d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2);
(e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; or
(f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.

We must also remember that apart from Adequacy under Article 45(3) and safeguards under Article 46, there are derogations available for specific situations under Article 49, which allow transfers to third countries in the following cases:

(a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;
(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
(d) the transfer is necessary for important reasons of public interest;
(e) the transfer is necessary for the establishment, exercise or defence of legal claims;
(f) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
(g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.

In addition to the above measures, the Controller has the right to mitigate the risk by using pseudonymization at its end, which is a fundamental suggestion under Article 32.

In view of the above, it is suggested that all Data Importers ask the Data Exporters to adopt the alternate measures suggested here and not insist on the signing of contracts which are unenforceable at the Data Importer's end.

We will be happy to provide any further clarification required on this provision.

Naavi


When Ransomware terrorists know the value of data why not Accountants?

Data was called "Oil" because it was recognized as having immense value to the business. There are organizations where data is a by-product and there are also organizations where data is the finished product.

Whenever a ransomware attacker demands a ransom of Rs 10 lakhs or Rs 100 crores, he has a perception of a value for the data. Most often the companies agree to pay the extortion amount which vindicates the value placed on the data by the attackers. Some companies may look at the “Opportunity Cost” of not agreeing to pay the extortion after which the attackers may release the data in the dark web. Some attackers actually auction the data in the dark web or sell it at a fixed price and there are people who are willing to buy.

According to international studies, the value of data on the dark web varies depending on whether it is simple name and e-mail data or sensitive data such as financial or health data. If a data set is current with verified information and contains data such as credit card information with CVV, the value of each set of data could be substantial.

In the recent case of NCLT declaring Net4India "Insolvent", it was obvious that the judges had not recognized the value of data in the possession of the company before declaring it "Insolvent".

Even companies who ought to know the value of data because they earn their income by processing data, often find that they are unable to take adequate security measures because the CISO or DPO is unable to convince the CFO that a certain investment is required to build compliance competency.

One of the solutions that Naavi has been demanding for a long time is that Accountants should find a way of bringing the value of data into the balance sheet of the Company. In case the judges at NCLT had seen a Net4India balance sheet with a Data asset value of say Rs 100 crores, they would perhaps not have issued an insolvency order at all.

The accounting community today has a method for valuing Trademarks, Copyrights or Patents, normally on the basis of the "Net Present Value" of the benefits that an asset may provide over the next 5-10 years. Accountants value Fixed Assets with a "Depreciation" which is a reflection of the period for which an asset remains productive.

Sometimes, assets are valued on the basis of cost of acquisition, cost of production, market value and such other means.

Most of such valuations are not accurate. They are based on assumptions and often understate the asset value, as in the case of Public Sector enterprises sitting on large tracts of land, or overstate the value, as in the case of high tech product companies whose products have a short life time but whose costs may get spread out over a longer period. We see an investment company face a sharp fall in its assets when the monsoon is delayed or a favourite political party loses an election, and none of the accountants can explain why the P/E ratio of one company is only 4 or 5 whereas another company has 10 times that P/E ratio.

Despite these uncertainties in valuation, accountants still have agreed upon a valuation system, tax authorities accept certain valuation principles, Merger and Acquisition specialists strike billion dollar deals based on their valuation of tangible and intangible assets, and the show goes on.

Many times the value of assets as we find in a balance sheet is on a "Going Concern" basis, and the moment the organization is recognized as "Sick" the value of assets plummets.

It is therefore strange that when we speak of “Value of Data” being shown in the books of account, some accountants think it is a bizarre thought and refuse to be drawn even into a discussion.

FDPPI (Foundation of Data Protection Professionals in India) has taken the first significant step in trying to convince accountants and corporate managers by including a standard and supporting implementation specifications in the “PDPSI” framework (Personal Data Protection Standard of India framework for assessment of compliance of data protection regulations in an enterprise).

Implementation specification no. 6 of the PDPSI framework states:

6. Data Valuation and Accounting

The organization shall adopt a policy of assigning a financial value to the inventory of data and provide visibility to the data asset in the books of account.

The implementation specification further suggests:

The value of data may be brought into the books based on a scientific valuation method or on a provisional basis and reported as a special reserve or as a Contra entry (both an asset and liability separately)

The Visibility of the valuation of data as an asset shall be extended to both personal and non-personal data.

Many managements may wonder why a PDPSI audit has to comment on the data valuation policy of the Company.

But the most important reason for bringing the Data Value into the books of account is to provide "Visibility" to the asset which needs to be protected and harnessed. If Data at some value is visible in the Manager's dashboard on a continuous basis, then it is more likely that the decision makers in the company will realize that they need to do something about it. What is not visible is likely to be de-prioritized. When the Company knows that it had data worth Rs 100 crores last quarter and it has jumped to Rs 200 crores this quarter, they will certainly ask the DPO about the implications of the change in the data value.

Some accountants quickly jump in and say this will enable fraudulent overvaluation of assets and is therefore risky.

But what we are suggesting, to start with, is that while all of us try to find an acceptable method of valuation, let the data value be represented as a "Contra Value" where it does not increase either the assets or the liabilities, nor even create a "Special Reserve" as we do in the case of valuation of intangible assets such as "Goodwill" or "Trade Mark". There is no case for accountants to refuse this suggestion, since all the advantages of "Visibility" are realized without the risk of inappropriate reporting of profits.

After agreeing to bring a notional value of the data into the books of accounts, we can continue to fine tune the valuation by adopting a combination of:

a) Cost based valuation
b) Market value based valuation
c) Computation of Net present value of future revenue generation
d) Accounting appreciation and depreciation based on logical factors

etc.

FDPPI has started a dialogue with the industry and has also set up an internal working group to take this concept to other industry associations.

We welcome Chartered Accountants, Chartered Valuers, Cost Accountants and other professionals to join hands with FDPPI to develop an acceptable system of valuation so that India can lead the world in this respect.

It is however realized that the solution to this problem does not lie in extending the valuation methods presently used by the industry, because Data is an Asset Class which is unlike movable or immovable assets or actionable claims. Nor can it be clearly classified under other known asset classifications such as "Tangible" and "Intangible" assets.

I draw attention to some of the thoughts the undersigned has already expressed through these columns, such as the "Theory of Data", where we discussed the "Additive Value Hypothesis" of data.

We also enclose a distinct note on the topic which is available here. I request professionals to go through these papers and start contributing their thoughts. We would like students to debate this in their respective institutions and come up with innovative thoughts.

But it is essential to realize that the valuation methodology of data has to be led by “Data Professionals” and FDPPI therefore takes the lead to develop a proper guidance in this regard which we can take to other forums.

FDPPI has created an internal working group in this regard and would soon be setting up an industry-level working group to ensure larger participation of professionals.

Naavi

(Comments welcome)


A New Era in Personal Data Protection opens up

After ISMS and PIMS, it is time for PDP-CMS, or Personal Data Protection Compliance Management System, to be implemented in organizations. PDP-CMS is inclusive of PIMS and ISMS but is more focused than either of them. The ISMS focus rests on technical security across all information in an organization, while PDP-CMS is focused on Personal Data. PIMS is focused on Privacy related to one specific data protection law, leaving the security to a supporting ISMS. On the other hand, PDP-CMS is a unified system that takes into account all data protection laws applicable to an organization and incorporates Information Security along with Privacy controls as required for compliance.

After conducting three separate modules, Module I, Module G and Module A over the last 18 months, FDPPI is now launching an integrated module of training for professionals who could be consultants for data processing organizations or undertake audits for certification with a calculation of Data Trust Score as envisaged in the proposed Indian law.

The first such program is being inaugurated today at 10.30 AM and would be conducted online over 36 hours spread over six weekends.

FDPPI is happy to welcome DNV, the globally renowned certification agency, which has joined hands with FDPPI as a Certification partner for this course.

Naavi

SPOT REGISTRATION

Pay Rs 40000/- through this link and contact Ramesh Venkataraman for the session link.


Book on Cyber Crimes: Print version released

The E-Book on Cyber Crimes, which was available in the E-Book section of the website, has now been updated and released in print form.

This book is now available online at the publisher's website at Rs 450/-.

The Book will also be available on Amazon and Flipkart.

The first five purchasers who review the book and send their review by e-mail to Naavi would be eligible for a cash back of 50% of the price paid. This book has the limited objective of meeting the quick needs of law enforcement.

Naavi


Ollie Robinson punished by Artificial Intelligence without application of human intelligence

Ollie Robinson made an impressive Cricket Test debut at Lord's last week against New Zealand. He virtually saved England from losing the test by not only taking 7 wickets but also scoring 42 runs at a critical stage in the first innings.

However, a lobby worked against him to point out tweets that had been posted by him in 2012 which were allegedly "Racist" and "Sexist". The English Cricket Board (ECB), in a holier-than-thou reaction, immediately suspended Mr Robinson indefinitely and said that they will conduct the necessary enquiry.

They said:

"Ollie Robinson has been suspended from all international cricket pending the outcome of a disciplinary investigation. He will not be available for selection for the second Test against New Zealand starting at Edgbaston on Thursday 10 June. Robinson will leave the England camp immediately and return to his county."

Subsequently the England Prime Minister Boris Johnson said that the punishment was harsh, and he was promptly criticized. It was unfortunate that even our own much loved cricketer Farooq Engineer was critical of Robinson as well as of Boris Johnson for his remarks.

Ravichandran Ashwin however came up with a very mature response, stating:

“I can understand the negative sentiments towards what #OllieRobinson did years ago, but I do feel genuinely sorry for him being suspended after an impressive start to his test career. This suspension is a strong indication of what the future holds in this social media Gen”

Further, earlier statements on Twitter from Jimmy Anderson, Eoin Morgan and Jos Buttler have also been unearthed, and they are accused of passing intemperate remarks that may be called racist. These are more recent than 2012.

Anderson was reported to have stated:

“I saw Broady’s new haircut for the first time today. Not sure about it. Thought he looked like a 15 yr old lesbian!”

As against this, it is interesting to note what the offending tweets from Robinson stated.

[Another publication quoted the following tweets:

“I wonder if Asian people put smileys like this ¦) #racist”; “My new muslim friend is the bomb. #wheeyyyyy”; “Real n—– don’t let the microwave hit 0:00”; and “Wash your fingers for the mingers #cuban”.]

Conservative party leaders came up with statements suggesting that the statement of Mr Robinson should be seen in the context of a ten-year-old view of a teenager and his current apology. However, the Labour party, which is a known supporter of Muslim interests in England and has passed many remarks against Indian interests in the past, jumped into the political debate to oppose the views of the Conservative party leaders, making the issue political.

We know that many times Cricket boards provide suspended sentences so that the career of an individual is not affected by an immediate ban. We have also seen that in civil suits we have a period of limitation, and in criminal law we have the principle of a convict being "reformed" and released into the world. Many rapists and murderers come out of jail and lead normal lives after a sentence of 5 to 7 years.

In such a situation, it is clear that the immediate suspension from all international cricket, throwing the person out of the team environment immediately and banishing him to his house in utter humiliation, appears to be a very biased decision from ECB. Prima facie this decision itself appears to be an "Appeasement action" taken by ECB in support of the Muslims and Cubans who were referred to in Mr Robinson's tweets.

Though the use of “Muslim” and associating it with “Bomb” must have irritated many, we should also observe that he has added the word “Friend” to his description. Hence there was a neutralization of the terror association within the statement itself.

The proposed punishment is definitely "Disproportional" to the gravity of the offence and appears to have been taken for political reasons.

From the Privacy perspective, we do get a thought that probably Mr Robinson could have exercised his "Right to Forget" some time back so that this controversy could have been avoided. This would not however have prevented the possibility that some archived version of the tweet could have still surfaced.

Psychologists say that during adolescence, hormonal changes in human beings bring about some changes in a person's behaviour and could make him/her do things which he/she may correct in later years as maturity dawns. Many College boys and College girls might have been eve-teasers or adam-teasers but later turned into perfect gentlemen or women.

In fact we recently had controversies surrounding Hardik Pandya's remarks in a TV show, for which some limited punishment was given by the Indian Cricket Board. We know that even Gandhi, whom we revere as Mahatma, did admit to teenage indiscretions, and we all admired him for his honesty.

Many of our celebrities may have had chequered careers during their younger days and if one digs deep, the past of many respected individuals may be tainted with such tweets or articles in print or recorded voice messages.

The action of ECB therefore appears to be more a case of reverse racism than a move born out of a genuine reason of discipline. There is a need for investigation of how the tweets surfaced, who brought in a complaint to ECB and why such a severe action was contemplated. There could be political lobbies which were trying to create a political storm and gain the sympathy of Muslims and Cubans for political gain.

It is high time that such incidents are evaluated based on the context and not literally on the basis of the words used.

An AI algorithm may commit such a mistake, but human beings endowed with the power to think should not commit such mistakes.

The action of ECB will have a chilling effect on free speech and needs to be condemned.

Naavi

Reference articles

Republicworld.com

Indianexpress.com


Student Chapters on Privacy launched by FDPPI

Foundation of Data Protection Professionals in India (FDPPI) is an organization of Data professionals dedicated to the empowerment of the Data Protection ecosystem in India.

Towards this end, FDPPI has developed Certification programs for skill development of professionals. At the same time, FDPPI has also developed a Certification standard for “Personal Data Protection Compliance Management System” to enable organizations to implement appropriate compliance programs which are certifiable by experts.

In a bid to extend the awareness of Privacy and Data Protection regulations in India, FDPPI engages itself in many outreach activities. One such activity is its weekly webinars from experts on various topics surrounding Data Protection.

In a bid to further extend the reach of these awareness programs to the younger generation in Colleges, FDPPI has set up a separate division to promote student participation in Privacy and Data Protection activities. "Privacy and Youth" is a movement that has been set up for this purpose to engage the educational institutions and provide an opportunity for students of Law, Engineering and Management to participate in the activities of FDPPI.

FDPPI has therefore embarked on setting up “Student Chapters” and “Affiliate Colleges” so that the interaction between the academia and the industry can proceed on a continuing basis.

The program is coordinated by Dr Mahendra Limaye, Advocate, Nagpur. For more information Dr Limaye may be contacted at mahendralimaye@yahoo.com or fdppi@fdppi.in.

Naavi
