Non Personal Data Governance Authority under the new recommendations should not interfere with DPA

The revised recommendations of the Kris Gopalakrishnan Committee on Non Personal Data reiterate the significant role of the Non Personal Data Authority.

It may be noted that the Committee has ab-initio been influenced by the industry to include a recommendation that it must be created with “Industry Participation”. This recommendation has to be taken with circumspection.

While NPDA has to consult industry and have persons with industry experience in its constitution, “Regulation” has to be segregated from the industry. If industry organizations become part of the regulatory agency, the regulatory functions will be corrupted.

Hence the committee’s suggestion “NPDA must be created with industry participation” needs to be rejected.

The NPDA’s  Enabling functions include

a) Ensuring unlocking of economic benefit from non-personal data

b) Creating a data sharing framework

c) Managing the meta data directory of data businesses in India

NPDA’s Enforcing functions include

a) Establishing rights over Indian Non-Personal data in the digital world

b) Address privacy, re-identification of anonymized personal data, prevent misuse of personal data

c) Adjudication when a data custodian refuses to share data with the data trustee.

In defining the enforcing functions, mention of “Privacy” indicates a deliberate attempt to create overlapping powers against the Data Protection Authority being created under PDPB 2019.

While the report says that the roles of NPDA should be harmonized with the CCI and DPA, there is an element of overlapping of regulatory functions which needs to be consciously avoided.

As regards “Privacy”, the DPA under PDPB 2019 should be given the unambiguous authority. When there is a doubt the NPDA should refer the Privacy issue including the re-identification of anonymized personal data or misuse of personal data to the DPA for necessary adjudication and corrective action as may be required. 

This has to be kept in mind when the new Non Personal Data Regulation Act is framed.

Naavi

High Value DataSets (HVD) a new concept under the Revised Kris Gopalakrishnan report

In the previous article, we discussed the “Consent for Anonymization” which has been recommended by the revised report submitted by the Kris Gopalakrishnan Committee.

One other concept which has been suggested by the committee which requires some detailed look is the definition of “High-Value Data Sets” (HVD).

The concept of HVD is a little confusing as it is used in reference to the “Role of an Organization”. As a general concept, however, it appears to be a “Special Category of Non Personal Data”, just like how “Sensitive Personal Data” is defined in the PDPB as different from Personal Data in general.

The report defines HVD as

-a “Data Set” that is “beneficial” to the community at large

-shared as a “public good” subject to certain guidelines

There are 15 different types of data sets which have been listed as HVDs plus “and others” whatever it means.

The 15 types of HVDs are the following

i. Useful for policy making and improving public service and citizen engagement
ii. Helps create new and high-quality jobs
iii. Helps create new businesses – startups and SMEs
iv. Helps in research and education
v. Helps in creating new innovations, newer value-added services / applications
vi. Helps in achieving a wide range of social and economic objectives including
vii. Poverty alleviation
viii. Financial inclusion
ix. Agriculture development
x. Skill-development
xi. Healthcare
xii. Urban planning
xiii. Environmental planning
xiv. Energy
xv. Diversity and Inclusion

The organization (either a Government or a non-profit organization) responsible for the creation, maintenance and data sharing of HVDs is called a “Data Trustee”.

It is envisaged that a community of people can come together to create a “Data Trustee” and host the HVD.

The Data Trustee will have a responsibility to ensure that HVDs are used only in the interest of the community. The data trustee will also ensure that the HVD is not re-identified and also maintain a “Grievance Redressal mechanism”.

Key Guidelines for HVD processing

The report suggests that for every HVD, there will be one Data Trustee but one data trustee may be responsible for more than one HVD. What appears to be the intention of the committee is that the organization that collects, processes or shares HVDs will be called a Data Trustee (like the Data Fiduciary in PDPB). But a single such Data Trustee may manage multiple HVDs.

The HVD will be maintained in a data infrastructure which corresponds to “Technical-material” elements like the actual data bases, APIs, organizational systems etc. This is similar to the concept of “Personal Data Processing Sub Units” which has been recommended under the PDPSI (Personal Data Protection Standard of India).

Depending on the type of HVDs, the regulatory authority namely the Non Personal Data Governance Authority (NPDGA) will set the guidelines to determine appropriateness of the chosen HVD  such as the objectives, what is the public good involved  etc. It would be necessary for the Data Trustee to secure an “Expression of Interest” from a minimum number of community entities to be part of the HVD initiative.

It appears that the concept suggested here is like a “Trade Union” and if there is a difference of opinion among the community constituents, about the Data Trustee, there could be issues like in an industry with multiple trade unions.

However,  the committee envisages that there will be only one Data Trustee per HVD. The concept of “One Data Trustee” for “One HVD” appears to be short sighted and needs rethinking.

Otherwise the committee appears to think of the “Data Trustee” as similar to Significant Data Fiduciaries or Guardian Data Fiduciaries under PDPB 2019. There has to be a process of registration of an entity as Data Trustee at the NPDGA.

 

Naavi

Consent for Anonymization is a self contradiction and a potential violation of the fundamental right under Article 19(1)(g)

After the Kris Gopalakrishnan Committee on Non Personal Data Governance (KGC) submitted its first report, public comments had been invited. Now the Government has published a revised report after receiving the comments and requested a second round of public comments, to be submitted before 27th January 2021.

Comments can be submitted here

The revised report can be accessed here.

From the publication, it appears that this is a report revised by the Committee itself and not by the MeitY.

One of the major revisions appears to be in reiterating that in the Personal Data Protection Bill 2019, Sections 91(2) and 93(x) may be omitted.

Section 91(2) stated :

(2) The Central Government may, in consultation with the Authority, direct any data fiduciary or data processor to provide any personal data anonymised or other non-personal data to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government, in such manner as may be prescribed.

Explanation.—For the purposes of this sub-section, the expression “non-personal data” means the data other than personal data.

Section 93(x) stated:

(x) the manner in which the Central Government may issue a direction, including the specific purposes for which data is sought under sub-section (2) and the form of disclosure of such directions under sub-section (3) of section 91; or

This does not make any material difference to the Personal Data Protection Bill (PDPB) though it will satisfy the demands from some of the opponents of the Bill who had identified this as a point of contention.

The other major point that could impact the PDPB 2019 is the recommendation regarding Consent for Anonymized Data.

The revised report suggests that “Consent should be obtained from the data principal for anonymization of personal data”.

It may be observed that Naavi has suggested the inclusion of the consent for anonymization as part of the Notice/Consent format to be used under PDPSI (Personal Data Protection Standard of India) as a measure of compliance under the principle of “Abundant caution”.

However, personally, it is necessary to record that this proposition is not considered necessary and perhaps is self contradictory to the major objective of the Non Personal Data Governance (NPDG) regulation. It may also be not fully in conformity with the principle of “Right to Carry on Business of choice” in the constitution as per Article 19(1)(g).

According to Article 19(1)(g), it is a fundamental right guaranteed by the constitution to “practise any profession, or to carry on any occupation, trade or business”.

Why is this Provision Self Contradictory?

The revised KGC report states

“It is clear from industry feedback to the Committee and from its own research that large collections of anonymized data can be de-anonymized, especially when using multiple non-personal data sets”

Accordingly, it is suggested by the revised recommendations that “Data Collectors” at the time of collecting personal data should provide a notice and offer the data principal the option to opt out of the data anonymization.

This suggestion is considered as “Self Contradictory” since it directly negates the very definition of “Anonymization” as provided in the PDPB 2019.

According to Section 3(2) of the PDPB 2019, Anonymization is defined as follows.

(2) “anonymisation” in relation to personal data, means such irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified, which meets the standards of irreversibility specified by the Authority;

The Data Protection Authority is expected to provide the necessary technical guidelines as to determine what is the yellow line between “Identifiable Personal Data” and “Anonymized Personal Data”.

The new recommendations appear to express a lack of confidence in this definition and in the ability of the DPA to find an acceptable technology recommendation for determining what constitutes an “Irreversible process”.

The argument that “Anonymized data can be de-anonymized” and its acceptance as a legal principle is a dangerous precedent. The same argument can be extended to “Encrypted Data can be Decrypted”.

If we presume that “Encrypted Data can be decrypted” then any data leak consisting of “Encrypted Data” has to be considered as a “Data Breach”. This goes against the accepted principles of Data Protection recognized even under laws such as HIPAA/HITECH Act and takes “Encryption” out of the equation constituting “Security of Information”.

If Anonymized data can be de-anonymized then we have to accept that encrypted data can be decrypted. It is only a question of “Technology used for breaking Anonymization or Encryption”, “Efforts applied” and “Intention”.

Accepting the suggestion therefore is a serious blow to the Information Security principle that “Encryption Secures Information”.

The more practical way of addressing the concern is to clarify that “Anonymization” is an “Irreversible process”, meeting the standards of “Reasonable irreversibility” to be notified by the Data Protection Authority.

If some Data Analytics company or a Data Analyst applies efforts which are large enough, any encrypted data can be de-crypted or any anonymized data can be identified. If such effort is being applied, it must be considered that the intention is “Malicious” and the identification should be considered as a contravention of Section 82 of PDPB 2019 and punished accordingly. It may also be considered as “Diminishing the value of information residing inside a computer or affecting it injuriously by any means” under Section 43-66 of ITA 2000 and punished accordingly.

Hence there is sufficient deterrence in the law to ensure that breaking the anonymization as per the standard prescribed cannot be “Presumed”. If this can be “Presumed”, then every regulatory feature prescribed in PDPB can be presumed as infeasible of being regulated and this would be self contradictory by itself.

Why the Provision is Unconstitutional

If Anonymization as per the standards set by the Data Protection Authority is followed, then the “Identifiable Personal Data” becomes “Non Personal Data” and becomes the subject matter of governance under the new law namely the Non Personal Data Governance Act (NPDGA). The objective of this NPDGA would be to unlock the value in the data which is considered “Non Personal”.

A substantial part of the Non Personal Data includes “Anonymized Personal Data”. If there is no freedom for the Personal Data Collector to use “Anonymized personal data” as “Non Personal data” and unlock the value, then the business arising thereof is being effectively killed. In such a case any personal data collected which is for a specific purpose and limited for usage to the time until the purpose is accomplished will have zero value after the purpose is completed since it has to be mandatorily extinguished.

If we consider “Profile” as also “Personal Data” then all the profiles also need to be extinguished after the purpose for which the profile data was collected. On the other hand, if the “Profile data” could be anonymized then it would be useful to the community without adversely affecting the privacy interest of the individual.

It is to ensure that personal data collected should be useful to the community that the principle of “Permitted Data Processing and Disclosure” allows exceptions to some of the restrictions on personal data processing for Public Interest, Emergent requirements of the data principals and others, as well as the law enforcement.

Along with these rights of the society in public interest, safety and law enforcement, the right of a business to carry on business with anonymized data in a manner that does not adversely affect the privacy of the erstwhile identifiable personal data must be considered as “Legitimate Interest” of the business and protected under Article 19(1)(g).

Hence the proposition is considered unsustainable from the point of view of fundamental rights.

Rights Cannot be recognized in “Re-birth”

In India we believe that individuals go through cycles of birth and death and all of us have a history of previous births. There have been many instances where hypnotists have claimed that through “Age Regression” they can extract the previous birth information of an individual.  Some studies appear to suggest that some past birth experiences are also proved correct. The Nadi Astrology system also supports the views of “Karma” from “Previous birth” having an impact on the present life of an individual.

Without going into the details of a discussion on this subject of Re-births, I would like to point out the similarity of the individual’s re-birth to the re-identification of an anonymized personal data.

Once personal data is anonymized (as per standards prescribed in law), then it must be considered as “Dead”. Just as we cannot recognize the legal rights of property or family relations of a previous birth because a hypnotist can extract what appears to be an “Evidence” of previous birth,  we cannot provide rights to the data principals whose private data has been anonymized and a criminal data scientist de-anonymizes it for  commercial benefit.

Hence the concept of “Data, Re-born” should not be provided sanctity under law as much as the rights of a person on his previous birth cannot be recognized under law. It would be like recognizing the right of a person to write a will that if he returns in his next life, the property should be restored to him in the new birth.

Suggestion

It is therefore suggested that the recommendation of the “Revised Kris Gopalakrishnan Committee report” regarding the “Consent for Anonymization” be rejected.

However the definition of “Anonymization” under Section 3(2) of PDPB 2019 can be modified as under.

(2) “anonymisation” in relation to personal data, means such irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified, which meets the standards of irreversibility specified by the Authority, by reasonable, non malicious efforts.

It can also be suggested that a definition of “De-Anonymization” can be added to the PDPB as

3(..) De-anonymization means converting “anonymized personal data” which has been subjected to a standard irreversible anonymization process as per Section 3(2), to a state where it can be identified as personal data either partially or fully, whether accurately or not.

Inclusion of the above definition of “De-anonymization” would meet all the concerns that the revised Kris Gopalakrishnan Committee report expresses.

 

Naavi

Training and Accreditation of PDPSI Consultants and Auditors

Cyber Law College in association with FDPPI has earlier launched two programs related to building legal awareness on Data Protection Laws connected with the “Certified Data Protection Professional” (CDPP) course. These were part of the larger 5 Module course to build 360 degree skilled Data Protection Professionals in India. The remaining three modules were one each on Technology, Audit and Behavioural skills.

The training for Module-I covered Indian Data Protection laws and training on Module G covered the global data protection laws.

Now FDPPI and Cyber Law College are launching the course on the Audit Module, namely Module-A.

During this program,  scheduled as a 12 hour online program, the Art and Science of Data Audit would be discussed. Since this is the first such program which is being conducted and introduces many new concepts including Valuation of Data in a Balance Sheet, Distributed Responsibility for implementation, etc., there is a possibility that the program may be extended beyond 12 hours if required.

The discussions will cover the conceptual difference between an “Assessment” and “Audit”, different types of audits that one encounters in the Data Protection profession , the objectives of each of these audits, the modalities of how a practitioner may conduct such audits etc.

The Data Protection Impact Assessment (DPIA), Harm Audit, Data Breach Audit and Data Protection compliance audits will be discussed separately.

The Data Trust Score (DTS) Assessment which is a part of the Indian data protection regulation will also be discussed in detail.

The Data Protection Compliance audit will be explored in detail using the PDPSI (Personal Data Protection Standard of India) framework .

PDPSI is a framework for implementation and is also a Certifiable Standard of compliance. PDPSI is also a DTS assessment framework during the Audit process.

Foundation of Data Protection Professionals in India (FDPPI) is sponsoring the Data Protection Compliance audit under the PDPSI framework and this training is considered part of the accreditation of PDPSI Consultants and PDPSI Auditors who can provide consultancy to organizations on designing and implementation of Data Protection compliance programs as also to conduct Audits of such programs.

Consultation for implementation and Audit of the implementation will be undertaken by two different individuals.

While this Data Audit training may be considered mandatory for the Audit, implementation may be guided by the consultants. Organizations are open to implement the guidelines on their own and directly approach an auditor for Certification or take the assistance of consultants before approaching the auditors.

FDPPI may have additional criteria for accrediting auditors under their approved audit process for certification.

This Module-A training would be followed by an “Online Examination” and “Submission of Assignments”. 50% of the marks would be allocated for each of these two evaluation segments.

There will be three grades namely A, B and C.

Grade A: represents Ready for Audit

Grade B: represents Ready for Consultancy

Grade C: represents requirement of improvement

One Improvement re-examination will be permitted for upgradation of Grade C to Grade B.

According to the present scheme for accreditation of PDPSI Auditors,

FDPPI may accredit their members who pass out of this training with Grade A and have also passed out of the Module I and Module G program, as “Provisionally Accredited PDPSI Auditors”.

They may be upgraded into fully “Accredited PDPSI Auditors” after they complete the two other modules of the larger training program which includes the modules on Technology and Behavioural Skills.

FDPPI may also upgrade persons who pass out of the program in Grade B to “Provisionally Accredited PDPSI Auditors” based on their consultancy experience.

For registration for the program, kindly proceed to “CDPP-Module-Audit”.

The Date and time Schedule for the program is yet to be finalized. Tentatively the course should commence towards the end of January 2021 after the registrations close on 18th January 2021.

P.S: Though the training program is driven by the needs of the  emerging Indian data protection law, the concepts discussed are universal and will apply even for compliance of GDPR and other Data Protection laws.

Naavi

Data Protection Compliance in India enters a new era

When the Personal Data Protection Bill 2019 (PDPB 2019) gets passed in the Parliament, companies will be scrambling to get on to the compliance bandwagon.

While there will be many job opportunities for Data Protection Officers (DPO) trained in data protection, there will be many SMEs/MSMEs, who will not be able to hire trained DPOs since there will be a great shortage of qualified persons who are aware of the Indian Data Protection Laws and are capable of converting it into implementation plans for the organization.

Naavi has already started Certification training trying to make people understand the Personal Data Protection Bill 2019 and how it may translate into an Act. With Foundation of Data Protection Professionals in India (FDPPI), a not for profit company, Naavi has already launched a program for “Certified Data Protection Professionals”  in two modules namely a module on Indian laws and module on Global laws.  Naavi has also released a book which explains the Indian law as it is emerging.

Now Naavi has moved onto the next level of assisting the organizations on how they can go about compliance of the Data Protection Regulations through a framework that guides them through to compliance and prepares them to be certified as follows:

“Certified that ………………………….. (Name of the organization) has satisfactorily implemented policies, procedures and other measures to be considered compliant with the provisions of ………… (Name of the data protection act such as GDPR, PDPA etc), with a Data Trust Score of …….. (Assessment score)”

Naavi has been discussing the PDPSI (Personal data protection standard of India) over the last two years in this website and other conferences. Now the concept is explained in greater detail in an E Book. This contains the comprehensive standard for compliance of data protection laws which can be implemented by any Personal Data Processing organization by themselves with a reasonable assistance from their in-house information security or privacy aware professionals.

FDPPI which is the Certifying Agency under the standard is  shortly  conducting “PDPSI Consultant Accreditation Training” to equip data protection professionals to be fully conversant with the provisions of PDPSI and assist organizations that may need their help.

Consultants  may also conduct the audit on implementation already done by organizations with or without the help of other consultants and  issue Certificates of compliance if the implementation is found satisfactory.

These initiatives help companies to get ready for compliance as soon as the law gets passed.

The E Book above contains the 12 standards and 50 implementation specifications that constitute the standard along with details of the certification system and DTS assessment system. (P.S: The book does not contain templates of policies which are to be developed by consultants based on different implementation contexts).

The framework under PDPSI incorporates the best practices and includes the controls normally suggested under internationally used standards and makes several innovative improvements.

Organizations interested in using the PDPSI framework may contact Naavi through e-mail.

(P.S: Kindly note that this is an initiative of Naavi and FDPPI and does not have prior consultation with or accreditation from any Government agency. After the Personal Data Protection Act comes into being, the Data Protection Authority is expected to publish norms for certification separately and this certification is expected to prepare the organization for the formal certification system that may be introduced by the Data Protection Authority in due course… Naavi)

Naavi

Conflicts in Personal Data Disclosures

Data in a company is an asset which creates value for the company. The business model of many companies is built on the concept of “Data as Raw Material” and “Processed data as finished product”. In between, there is “Data Under Process which is work in progress”, “Data Discarded as process waste or an effluent”.  Hence “Data” is often seen as a valuable industrial asset by itself.

Just as a machine in the machine manufacturing company is a finished good and is a capital asset in the company where it is used for production, Data in a data processing company is a raw material or a finished good and in another company where it is used as a software or production meta data, it is a “tool of production”. In a manufacturing company where data is generated under the automated machine environment, data is a “Catalyst” or an activity record.

Additionally, “Data” is often used as an “Object of Crime” or a “Tool of Crime” when it becomes the subject matter of criminal laws of the jurisdiction in which the victim of a cyber crime may reside.

Data Processing companies and data protection professionals are often confronted with the conflict between two individuals where one is demanding information and another is resisting disclosure because of a possible violation of his privacy. In such cases, there is a conflict between “Right to information” and “Right to Privacy” both of which are individual constitutionally protected rights. In any practical situation, it may not be easy to decide whose right is legally more acceptable.

One way to resolve such conflicts is to create a documentation of a “Harm Audit” where an expert will document the pros and cons of the requested disclosure and give a value judgement on whether the disclosure should be permitted or not.

Similar conflicts may also arise between the “Right of the Data Principal/subject” and the “Legitimate interests” of the organization.

Here again there is a need to conduct a “Harm audit” and document the findings. But a harm audit conducted when there is a reported conflict between the organization and a data subject will involve a “Conflict of interest” when the audit is conducted by an employee of the same organization. Such conflict is found in many activities of the Data Protection Officer and often the resolution in favour of the organization would not be acceptable to the data subject and the matter may end up in a grievance redressal muddle including courts.

In the third kind of conflict, where there is a need for disclosure to a law enforcement authority for investigation and subsequent prosecution of a crime, the organization is in a more difficult situation as any refusal could lead to the organization itself being charged with “withholding of evidence” or “Non Cooperation with a law enforcement authority” which may be offences by themselves.

When an organization is confronted with such requests from the law enforcement authority, it is essential to recognize that non compliance of the demand is not an option under the law of the land.

What is required under these situations is to first examine whether the demand has come from the right authority and after due process. If so, the demand should be honoured. However if the demand could be honoured with the use of disclosure of pseudonymous information (which may not be acceptable when the request is for identification of a potential criminal himself), only pseudonymous information may be disclosed.

Where the personal data to be released is part of the protected Personal Data under a law (e.g. personal data of an EU citizen protected under GDPR), then there is a possibility that the action of disclosure may come under the scrutiny of the EU regulatory authority.

While all data protection laws recognize the sovereign rights of the country where processing takes place and provide for exemption, there could be a need for the data importer-processor who has received the law enforcement demand to inform the data exporter.

While sending such requests either before or after the disclosure to the law enforcement agency, it would be better for the Data Importer to document a “Disclosure Approval” by recording a legitimate interest  indicating the compelling need for disclosure arising out of the demand from a verified law enforcement agency and documenting also the harm that may be caused if any to one or more data subjects.

It must be remembered that the obligation to be compliant with local laws arises out of the law enforcement jurisdiction while the perceived conflict indicating the violation of GDPR compliance could arise out of a contractual commitment. In order to safeguard the company both ways, it is necessary to incorporate suitable provisions in all data processing agreements that demands from the local law enforcement agencies resulting in disclosure of personal data shall be permitted disclosures under the contract.

The organization shall however ensure that the principle of “Data Minimization” meaning only the data required and justified by the investigating agency shall be disclosed with an undertaking from the recipient that it shall be used only for the purpose for which it is requested and secured while in the custody of the recipient as required under law.

While disclosures under Section 69/69A/69B of ITA 2000 are reasonably protected through a process, the CrPC provisions exercised by the local police often do not have similar safeguards.

There is a need for the police to ensure that any CrPC request for data is issued in accordance with the procedure enumerated in the rules associated with Section 69/69A/69B of ITA 2000.

If the police do not include the ITA sections in the CrPC 91 notice, which is more likely, the organization releasing the data should not forget to mention this in their data release note.

Where there is any disagreement between the law enforcement and the Police such as when the Police want a “Roving investigation”, the only remedy available for the organization is to get a Court order restraining the “Roving Investigation” but providing all the investigation that may be otherwise required for a specific investigation for which a valid authority is available with an investigating officer.

Any information released by an organization in such cases to Indian police authorities shall be accompanied by an appropriate Section 65B (IEA) certificate. Further, the data as well as the relevant associated data (even if not disclosed immediately) should be archived and held as “Data Related to Evidence and Potential Evidence”.

Naavi