FDPPI and DNV to offer Co-Branded services

FDPPI is the leading organization in India focused on developing systems and best practices for the “Privacy and Personal Data Compliance Management System” (PDP-CMS), and DNV is one of the oldest management certification organizations in the world.

The two organizations have come together in a collaboration that offers the Indian industry co-branded services for building a Privacy and Data Protection Culture in the country and for preparing the industry and professionals for the forthcoming Personal Data Protection Act in India, through

a) FDPPI-DNV Certification program for Data Protection Professionals

b) FDPPI-DNV Certification of organizations for implementation of PDP-CMS (Personal Data Protection Compliance Management System)

c) FDPPI-DNV DTS (Data Trust Score) evaluation

Mr Rajeev Panicker, head of the ICT business vertical of Det Norske Veritas GL (DNV) for the India & Middle East Region, addressed the FDPPI members on 12th May 2021 during the Jnaana Vardhini session and highlighted the essence of the collaboration between FDPPI and DNV.

Recognizing the value of the complementary nature of the activities of the two organizations, FDPPI and DNV have decided to make co-branded offers for the benefit of the community.

Accordingly, both organizations will offer services of each other to their clients and also execute projects by sharing their resources.

FDPPI has about 37 supporting members of which several members represent organizations which provide their services through revenue sharing arrangements with FDPPI. All of them will now be able to expand their services portfolio with the addition of the FDPPI-DNV co-branded services.

The arrangement is expected to expand the reach of both organizations and benefit the community at large.

Naavi

Posted in Cyber Law | Leave a comment

Net 4 India.. Further progress

We are happy to announce that the difficulties of Net4India customers who had lost control of their domain names, e-mail accounts, hosting facilities etc. may be coming to an end. These difficulties arose because the NCLT committed the blunder of not recognizing the existence of a continuing business and the interest of the customers, and blindly went ahead to declare Net4India insolvent and freeze its operations.

While the systemic changes required to ensure that such incidents do not recur will continue to be followed up with MeitY, I am glad to know that ICANN has completed the process of selecting a registrar who would take over the current business of Net4India Ltd.

Full details of the process are available here.

As per the announcement, PDR Ltd, (Public Domain Registry) has been designated as the organization to which the Net4India registrations would be transferred.

ICANN anticipates PDR will begin contacting registrants with information on how to access and manage their domain name registrations by early next week.

Once completed, the ICANN-approved bulk transfer will result in the migration of all gTLD registrations from Net 4 India to PDR. There is no charge to registrants for this bulk transfer, and no AuthInfo codes are required for this process.

Once the transfers happen, we suppose that it would be at the discretion of the registrants to either continue with PDR or transfer the domains to their preferred domain registrars. Since PDR will be expensive compared to other registrars, we suppose most of the registrants would look forward to transferring their domains to alternate domain registrars.

We need to wait and see how this proceeds further.

In the process of this appointment of PDR as the registrar, ICANN has ordered an automatic data transfer across borders for which there is no consent. Also, this is likely to transfer the continuing business potential of the customers who were wronged by NCLT to a foreign registrar. MeitY, by not intervening in the process, has caused an erosion of foreign exchange and a cross-border data transfer, both of which need to be corrected.

It is presumed that NCLT must have approved the scheme. If so, we need to again point out the lapse on the part of NCLT not to have recognized the need to get the business transferred to an Indian registrar.

Naavi


PDPSI framework to incorporate measures for treatment of Personal Data of Deceased Data Principals

We had earlier discussed certain issues concerning handling of personal data after the death of the data principal in our article titled “Digital Assets of the Deceased…Need for a legislative Change”.

Some views were also expressed through the following webinar in the FDPPI’s Jnaana Vardhini Series.

Following this webinar, FDPPI has set up a task force to develop a recommendatory white paper on the handling of personal data of deceased data principals under the PDPB 2019, which will come up for further discussion in Parliament during the next session. The task force recommendation would be taken up with FDPPI’s PDP Advisory Board for developing a broader policy at the national level. Also, FDPPI’s PDP Code Committee will develop the code of practice for Data Fiduciaries, enabling them to develop the policy document applicable to handling the personal data of deceased customers.

The problem of determining how to handle personal data of deceased persons has many complications. Personal data is often the key to accessing data lying with a data service provider (e.g. an e-mail service provider or a hosting company). The data lying within the account space of a service provider can be identified as intellectual property coming under “Copyright”. A software code developed by an individual may have copyright and also patent rights. In such cases the “Property character” of the data is well established, and what is required is a “Claim Process” to enable the legal heirs to inherit the rights on the intellectual property.

However, “Personal Data”, which includes the “Password” used for accessing the account, is not clearly recognized as “Property”, and the right on the individually identifiable data elements required as a password, or to reset the password, cannot be assigned like the ownership of an “Intellectual Property”. If, in order to ease the claim process for settlement of a deceased person’s data property, we start recognizing personal data as “Property”, then we must also agree to the alienation of personal data as property during the lifetime of the data principal.

In the “Non Personal Data” scenario, it is possible to recognize data as an alienable property and a “Sale” or “Licensing” or “Assignment” can be recognized as a means of transferring the property. But in the case of “Personal Data” Indian PDPB and GDPR may prefer to avoid the term “Sale” and use only “Assignment of Rights” as a means of transfer of any beneficial interest.

The Singapore PDPA, which has extended the rights under the PDPA-2012 (Sg) to the personal information of deceased persons for 10 years, and HIPAA, which has extended certain obligations of the covered entity to protect EPHI for 50 years, have looked at the “Personal Data of deceased persons” as a “Commodity”. Though “Rights of Privacy” have no significance after death even under these laws, the laws expect “Protection”, including non-disclosure to unauthorized persons, to continue for the stated time period.

It is only in CCPA that the prospect of “Personal Data” being capable of being “Sold” has been discussed without any reservations.

Though Indian law has not spoken of “Transfer of Personal Data” from one person to another, the concept of “Consent Manager” used in the Act indicates that a Data Principal can transfer the right to “give consent” or “withdraw consent” to the consent manager. Just as the collection of personal data from a data principal by a data fiduciary is supported by a “Consent” in accordance with the Indian Contract Act, the right to “Give or withdraw consent” is conferred by the Data Principal based on the “Consent to appoint a Consent Manager”.

Unfortunately, the “Consent”, which is a “Contract”, does not survive the death of the Data Principal, and hence on receipt of knowledge of the death of the consent giver, the data fiduciary should freeze the transactions in the account. Where the basis for collection and processing was not consent (say, under GDPR), there would be a “Legitimate Interest” which survives the death of the data principal.

Hence the legal basis of collection and processing can have an impact on the right of the data fiduciary to continue processing of a deceased data principal’s personal data.

One solution which would have resolved this issue was to have introduced a “Nomination” facility for “Personal Data”. This has to be done with a new statutory provision and perhaps the PDPB 2019 itself is an opportunity to introduce the provision of “Nomination”.

In case the JPC has not suggested any provision in this regard, this can be introduced as an additional amendment when the Bill is introduced in Parliament. This requires the introduction of a definition of “Nomination of Personal Data” in Section 3 and also an additional sub-section under Section 14 (“Processing of personal data for other reasonable purposes”).

The detailed procedures under this clause may include:

a) Sending an annual confirmation request (similar to balance confirmation in bank overdraft accounts) for validating the privacy policy.

b) If no reply is received to the confirmation request, sending a second request with a notice that the account would be de-activated and tagged as “Dormant” after a period of, say, 6 months.

c) If no reply is received for 6 months, sending a final notice and transferring the account along with the personal data to an archive.

d) If no re-activation request is received for 2 years (or, say, 6 years as in the case of HIPAA), transferring the personal data and the data lying in the account to a Government Repository, which can be created by the DPA itself by adding a new function of the DPA under Section 49(2).

The PDPSI framework will immediately incorporate this suggestion as a recommended implementation specification within Implementation Specification IS 17 on Notice and Consent form, and in related implementation specifications such as Classification (IS 33), Access Control (IS 36), Data Storage and Security (IS 37), Data Destruction (IS 43) etc.

In the absence of guidance from the DPA and the PDPB 2019, PDPSI will incorporate some controls which may be modified after the PDPB 2019 becomes law.

PDPSI will therefore be the first framework for PDP-CMS to address this contentious issue as a part of compliance.

Naavi


What is the intention of MCA?.. To trap Crypto Owners?

“The Hindu Business Line” newspaper carried a headline today stating: “A Glimmer of Hope for Cryptos in India”

Economic Times says: “Crypto Disclosures to protect Investors; MCA”

A statement attributed to an official states: “The move would bring in greater transparency in the activities of companies engaging in trading of cryptocurrencies, which are not legal tender in India”.

We are aware that the media particularly the above two publications hold an editorial policy in support of the legalization of the Digital Black Currency in the name of Bitcoin and its various avatars.

We are also aware that there are many in the Government, particularly in the Finance Ministry, who are sympathetic to Bitcoins. So also many judges in the Supreme Court.

We have been demanding that the Government officials, Judges and also businessmen should declare their holdings of Bitcoin and all related “Private Cryptos”.

In the light of the above demand, if we look at the MCA notification, it is clear that MCA has thrown down the gauntlet to the Digital Black Money holders. It could be considered a clever move to trap the holders of Digital Black wealth.

We are aware that many corporates who were attacked with ransomware demands did pay out using Bitcoins. Obviously, they would have diverted their white money into buying Bitcoins, and it would not have been reflected in the balance sheet. Now they need to disclose the transaction along with the source of payment, details of the seller and the exchange through which they bought.

If they have used their personal black money, then they cannot disclose the transaction. If the seller has sold it from his black wealth, he will need to explain. If the Exchanges claim that they are doing KYC, they need to declare the identity of the people involved. If the transaction has gone through a Bitcoin wallet held abroad, there is a possibility of a hawala transaction.

If the companies do not declare their Bitcoin holdings, then if and when the Government bans Crypto and gives a window for existing investors, the companies who have hidden the transaction now cannot declare it later.

The same argument applies to individuals. They now need to declare their crypto assets in this year’s tax return, and if they do, they have to explain the source. If they do not, then they permanently remain black money holders and, in the eyes of Indian law, remain tax evaders.

Damned if you do and Damned if you don’t.

I am sure that the same publications which are today welcoming the MCA move will tomorrow ask for more concessions to ensure that the current holders are given immunity. Then the same people who were opposing the Electoral Bonds, Bearer Bonds and the schemes for regularization of previous tax defaults will have to eat their words.

Let us observe how things develop….

Naavi


Supreme Court needs to introspect

It is sad to see that Twitter is full of ridicule for the Supreme Court of India following its intervention in the Oxygen supply issues.

The formation of a National Task Force to streamline Oxygen supply by the Supreme Court, however well-intentioned it may be, is an overreach by the Supreme Court into the executive functions of the Government. This is a constitutional misadventure which should have been avoided.

The Court could have urged the Government to act and could have engaged in an off-judgement conversation to hasten action.

If the shortage of oxygen is due to black marketing and hoarding, the culprits are to be identified and punished. If it is due to the inefficiency of the Government machinery, the reasons why Government Jobs have become the preserve of the inefficient and the root cause such as “Reservation” should be explored.

The task of allocating a life saving commodity equitably to thousands of locations in India is a logistics issue. It cannot be solved by diverting oxygen from a less privileged state to Delhi or more privileged states or to protect the Judges in a specially created five star hospital.

The Supreme Court could have asked for advice from some companies in logistics business or IIMs to work out a more efficient method of managing the Oxygen supply. IT Companies could have helped in the rolling out of the software if required.

Instead, the Supreme Court has created a committee of a different kind of professionals, which will only result in one more paper and no action. All the committee members are medical experts and have no direct experience or knowledge of Oxygen production and supply in the world, or of the logistics of distributing it across the nation without any patient feeling that his oxygen was snatched away by another patient. They cannot say why Delhi Judges need more oxygen than Chamarajanagar villagers, or why West Bengal needs more Oxygen than Uttar Pradesh.

Dr Devi Shetty has given valuable suggestions on how to control the next shortage, that of medical professionals, and this committee is more suited to that decision than to streamlining the Oxygen supply. The judgement indicates that the Court has neither the expertise to identify the root cause of the problem nor a possible solution, and has just reflected the combined views of a few gentlemen with some life experience, based on what the lawyers put before them in terms of evidence and arguments.

Creation of such task forces can only frustrate the executive and make them less accountable. Now all initiatives of the executive would stop and the IAS officers will look up to the committee for directions. This may create more harm in the days to come.

Most of the citizens today are questioning the Supreme Court as to why it is not addressing the issue of pending cases. Naavi.org has repeatedly asked for the rationale of the “Bollywood Judgement” which allowed Bitcoin trading in India against the wishes of RBI, the designated regulator. The Judges of the Court have still not come out with a declaration of their Bitcoin/Crypto asset holdings to clear themselves of the suspicion of being irrationally biased.

The Supreme Court did not intervene when Net4India customers were suffering and feeling digitally choked because of the mis-handling by NCLT.

The Supreme Court has not been able to stop the political violence in West Bengal leading to hundreds of BJP workers being killed by their political opponents. It has turned a blind eye to the DMK workers in Tamil Nadu turning violent against their political opponents. The Court did not act when the farmers’ agitations needed to be curbed.

These inefficiencies and biased functioning of the Supreme Court, not to speak of the charge of nepotism and corruption, have turned the Supreme Court’s action in setting up the task force in the current Oxygen shortage context into an object of ridicule.

The selective action of the Supreme Court in indulging in such executive activism is a dangerous tendency and should be curbed at the earliest.

I therefore urge the CJI to call for a full bench meeting of the Supreme Court and draw up some ethical standard operational procedure for the functioning of the Court when such public interest issues need to be adjudicated.

If possible, the Supreme Court should consider setting up a task force of respected citizens to help the judges draw up a plan of action to ensure that the Judiciary remains within its boundaries and lets the Executive function on its own.

Naavi


Watching the NPCI…Let NPCI not become a Crypto Exchange mechanism

We have pointed out several times how NPCI needs to take more responsibility for securing financial transactions in India.

Besides yesterday’s article (NPCI needs to be watched), some of the earlier articles in this regard are given below.

The Cosmos Bank fraud.. Could better security at NPCI have prevented it?

Software Application is not a mere piece of coding…There is business behind it

NPCI and RBI cannot absolve themselves of responsibility in UPI Fraud

4-D Secure protocol for Online security… Attention NPCI

Will NPCI indulge in Data Laundering like CIBIL?

Tweaking the MDR charges …Watal Committee recommendations…3

RBI cannot remain silent.. and so also NPCI, CERT and Ministers of Home, IT and Finance

The Unification of Fraud possibilities through UPI

Presently, NPCI is showing its affinity towards Bitcoins and is supporting Crypto Exchanges. We have a strong feeling that NPCI is getting ready to give a back office support to Crypto Exchanges to defeat any designs of RBI to bring a ban on Crypto currencies.

If RBI comes up with an official Crypto currency, NPCI may provide simultaneous support for all Crypto Assets as a category and enable Bitcoins to continue to be used in our economy.

We have brought this possibility to the notice of all regulatory agencies, but all regulators, including the ministers in the Modi Cabinet, are silent. The power of corruption can silence anybody, and it is showing its power by supporting the Bitcoin lobby. Honest citizens of India have no faith in the Judiciary and the Government and are getting ready to succumb to the powers of corruption. Politicians take taxpayers’ money and distribute it before and after elections to their supporters, and the taxpayers look like fools who do not know how to live in this society.

Leaving this philosophical thought aside for a day when Mr Narendra Modi has a day of enlightenment like the Buddha, let us turn our attention to some academic debate on NPCI’s handling of the personal data of millions of Indians, and whether this data is safe in their hands, in the light of the CIBIL incident discussed earlier.

Status of NPCI

NPCI acts as a clearing house for all financial transactions using the UPI ID. All banks have registered the mobile numbers of account holders against their accounts, which are also linked to Aadhaar, PAN etc. When a UPI ID connects to a bank account, it carries with it the payload of all personally identifiable sensitive data.

NPCI acts as an intermediary transmitting requests from one UPI ID to another UPI ID. Hopefully, the personal data behind the UPI IDs need not come into the hands of NPCI and remains with the respective banks.

However, NPCI maintains a database of financial transactions of various kinds which are linked to inter-bank transfers of money, credit card payments, payments from Google Pay, Amazon Pay, PhonePe, Paytm etc. It must be holding the mobile number to bank account links of the public.

However, NPCI does not directly deal with individuals and is not visible as a “Data Fiduciary” to a data principal. It collects all the data from the participating institutions under data processing contracts not visible to the public.

It has 221 institutions registered for UPI transactions, including many cooperative banks. As of April 2021 it handled 447.343 crore transactions valued at Rs 1692.974 crore. This included Aadhaar-related transactions, bill pay transactions, eKYC transactions etc.

It is clear that NPCI should have an enormous amount of personal data in its possession and under its accessible control.

However, the Privacy Policy of NPCI, available here and archived as on date here, provides very sketchy information about the personal data collected by NPCI and how it is used or shared.

There is a single Privacy Policy, which addresses website visitors and makes no mention of the indirect data principals to whom NPCI is a “Joint Data Fiduciary”.

Para 2 of the policy states:

“NPCI, in its role as a retail payment system service provider and a payment gateway, may receive financial information of a person which may include name of bank, account number, withdrawal amount, cheque number, payee details etc. Collection of such information by NPCI is in consonance with statutory and regulatory requirements and internal procedural and operating guidelines and byelaws. The internal procedural, operating guidelines and bye-laws of NPCI are duly documented.”

Para 3 appears incomplete and states as under:

STORAGE OF INFORMATION

NPCI collects personal information online primarily to provide our visitors with a more relevant experience on this web site. When doing so, NPCI takes every reasonable effort to avoid excessive or irrelevant collection of data. As a corporate body and payment system service provider, NPCI maintains the records and information in a safe and secured manner as per its policy and in compliance with the statutory provisions and directions for the period required by it and as prescribed by laws and rules etc. We collect personal information only to the extent that it is necessary for the purposes set out below:

a. ———-

b. ———-

Personal information, if captured, is stored in paper and electronic files within NPCI’s premises, and approved archives. NPCI does not allow any unauthorized access to the information stored by it in any form whatsoever. The information is securely stored and access is restricted to authorised personnel only. NPCI incorporates confidentiality clause in non-disclosure agreement with entities having business with NPCI to keep personal information secure and confidential and not to disclose the personal information to others, unless required by law or by an order of a court or by written instruction by NPCI. Such non-disclosure agreements stipulate that all personal information obtained by other party from the arrangement with NPCI will be returned or destroyed on termination/expiry of the non-disclosure agreement.

Further, anytime you visit this web site, NPCI may gather certain non-personally identifiable information regarding the means you use to access our site. This information may include the type and version of your browser, your service provider, your IP address and any search engine you may have used to locate the website. We use this information to help diagnose problems with our server, administer the web site, and compile broad statistical data.

The purposes for which information is collected are left blank.

It is surprising that an organization of global reputation has such a shabby privacy policy, one that is not even complete.

If such an organization starts supporting the Digital Black Money exchange in India, then we can expect that the future of Indian economy is endangered.

Naavi.org has sought some clarifications from NPCI regarding the above and is awaiting a response.

Naavi
