Indian Data Protection Summit 2020: Day 1 of 3

Participation is free. Join in the above meeting room on the Zoom platform or watch on the YouTube channel.

The complete program is as follows:

The speakers conducting panel discussions are as follows:

Naavi

 

 


“Next Now” Summit to be inaugurated by Mr Narendra Modi tomorrow

The Karnataka Government is conducting its flagship annual IT BT conference as a virtual conference this year. The conference is titled Bengaluru Tech Summit 2020 (BTS 2020) and will be held between 19th and 21st November. The theme of the summit is “Next Now”.

Honourable Prime Minister of India, Mr Narendra Modi would be inaugurating the Bengaluru Tech Summit 2020 set to open tomorrow.

FDPPI has taken a stall and will be interacting with the participants.

The stall will display the activities of FDPPI and distribute material relevant to the activities.

Concurrently with BTS 2020, FDPPI is also conducting the Indian Data Protection Summit (IDPS 2020). This summit will also be virtual and will be available both on the Zoom platform and as a YouTube webcast.

There will be six panel discussions covering different topics of interest.

Participation in IDPS 2020 is free. Registrants on the FDPPI website have been sent the Zoom link. The sessions will be webcast on YouTube simultaneously.

The link to the Zoom sessions has already been distributed through the social media contacts of the members of FDPPI.

The webcast will be available on the YouTube channel here:

https://www.youtube.com/naavi9

The six sessions will be managed by experienced professionals and members of FDPPI.

Naavi would anchor the sessions.

The event is sponsored by Ujvala Consultants and co-sponsored by Redwood Learning and Sysman Computers.

The CIO Association of India is also supporting the event.

We wish that the public attend IDPS 2020 in large numbers and make this event a success.

Naavi

 

 


Gearing up for the First Indian Data Protection Summit

For more information, visit www.fdppi.in


Net4India issue… ICANN Support for Registrants

After a long struggle, the registrants of domain names with Net4India.com are getting a resolution to the problem created by the insolvency proceedings.

During the pendency of the insolvency proceedings, the activities of Net4India had been suspended. As a result, domain names could not be renewed, and requests to modify services with Net4India, both for domain name related changes and for hosting related issues, had got stuck.

Naavi.org took up a fight against the problems of domain name registrants, and NIXI responded first by making it possible to transfer dot in domain names to other registrars. Now ICANN has also responded and has promised to provide direct assistance to affected registrants.

Details are available here

It is our sincere belief that this incident has to be taken up as a lesson by ICANN and NIXI to find an automatic solution to such problems in future.

In particular,

a) Registrars of Domain Names and Hosting Service Providers should be considered as “Critical Service Providers” and cannot be allowed to shut shop without a proper notice and winding down of operations. The least that can be done by ICANN/NIXI is to allow transfer of domain names forcibly to other operative service providers.

b) While insolvency proceedings are initiated on such critical service providers, Company Law Tribunal as well as Courts should recognize that they cannot allow critical services to be stopped.

c) The Finance Ministry in consultation with the ICAI should evolve a method by which “Data” is brought into the financial accounting system through a “Contra Accounting Method” so that third party rights on the data do not go unnoticed.

Naavi.org thanks Mr Samiran Gupta, representative of ICANN in India for following up with the problem to get the clarification from ICANN.

More discussions may follow.

Naavi


Indian Data Protection Summit: IDPS 2020

FDPPI (Foundation of Data Protection Professionals in India) has embarked on a major project of conducting a virtual Data Protection Summit on November 19th, 20th and 21st of 2020.

The Summit will consist of six sessions, two on each of the three days, each of 90 minutes.

Time would be 11.00 am to 12.30 pm and 4.00 pm to 5.30 pm.

Meeting will be on Zoom and will be free.

The Summit will discuss different topics relevant to Indian Data Protection Domain.

The tentative program is as follows:

Session 1: Recent Data Breach Incidents and PDPA of India (Nov 19th 11.00 am)

Session 2: PDPA of India is not a clone of GDPR (Nov 19th 4.00 pm)

Session 3: The Challenge of being a DPO (Nov 20th 11.00 am)

Session 4: The enigma of cross border data transfer (Nov 20th 4.00 pm)

Session 5: Data Trust Score the Indian innovation (Nov 20th 11.00 am)

Session 6: A Unified Framework for Data Protection Implementation (Nov 20th 4.00 pm)

The sessions will be conducted as Panel discussions with experts in the industry and will be anchored by Naavi.

Watch out for more information here.

Naavi


Data Processing Companies in Pune need to exit Maharashtra

Since 16th July 2020, when the European Court of Justice (EUCJ) came up with its ruling in the Schrems II case and invalidated the US Privacy Shield, there has been a crisis in the data processing industry worldwide. The principles on which the EUCJ invalidated the US Privacy Shield were equally applicable to countries like India, and hence if personal data from the EU could not be transferred to the US, it was equally difficult for data to flow into India either directly from the EU or through the US.

Subsequently, on 23rd July 2020, the EDPB (European Data Protection Board) came up with some clarifications of the judgement which also reiterated that personal data cannot be transferred from the EU to the US or any other country unless the requirements of Articles 46 or 47 of the GDPR are satisfied.

On 10th November 2020, the EDPB came up with two recommendations related to the Schrems II judgement as guidelines on how the industry can be compliant with the requirements.

The first document indicates the measures that supplement transfer tools provided under GDPR. The second indicates the European essential guarantees for surveillance measures.

We need to explore whether these documents suggest any workable solution for Indian data processors who are processing or intend to process EU GDPR data.

Some of the essential aspects of these documents are as follows:

Recommendations 01/2020 on measures that supplement transfer tools

The Schrems II order mandates that the protection granted to personal data in the EEA must travel with the data wherever it goes. In other words, when data is sent out of the EU region and continues to be processed in other countries, the level of protection of the privacy rights of the EU GDPR subjects should be the same as is available in the EU.

The US Privacy Shield was rejected because it was felt that the Ombudsman responsible for protecting the Right to Access of an EU data subject was an appointee of the Government and not an independent judicial authority. Secondly, it was felt that the data is not insulated from surveillance by intelligence agencies.

In the light of these developments, the US Privacy Shield was rejected as an instrument of “Adequacy”. On the other hand, the ruling held that Standard Contractual Clauses (SCC) can continue to be one of the acceptable instruments under which a Data Exporter from the EU can transfer GDPR data out of the EU.

While the SCC would be available as a tool for transfer as per Article 46 in case of repetitive transfers, the derogations, which include the explicit consent under Article 47, would be available for occasional transfers.

The guidelines of November 10, 2020 suggest a five-step process to be followed by the Data Exporter before accepting the SCC, which can be supplemented by appropriate additional clauses.

Step 1: Data Exporter should be aware of where the data is going and whether it is relevant and limited.

Step 2: One of the transfer tools suggested in Article 46, namely a legally binding and enforceable instrument between public authorities (e.g. bilateral treaty type documents), SCC, etc., or the applicable derogations.

Step 3: Data Exporter should make an assessment of the law or practice in the destination country that may impinge on the effectiveness of the appropriate safeguards being relied on.

Step 4: Data Exporter should identify and adopt such measures as are necessary to bring the level of protection of the data transferred up to the EU standard.

Step 5: Data Exporter should take formal steps as may be required to adopt the supplementary measures.

Step 6: Data Exporter should undertake periodical review.

Recommendations 02/2020 on the European Essential Guarantees for surveillance measures

Additionally, the EDPB guidelines have set out four principles under which the EU would like to be guaranteed that the surveillance measures in the destination country are acceptable.

They are:

1. Processing should be based on clear, precise and accessible rules
2. Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated
3. An independent oversight mechanism should exist
4. Effective remedies need to be available to the individual

If, therefore, Indian data importers need to continue their data processing contracts, they need to satisfy the Data Exporter on the above principles and go through the five steps of evaluation. The findings should be documented as a “Due Diligence”.

As regards the situation in India, if a company is processing EU data and the EU data subject has to exercise the right of Access, correction, portability and deletion (Forget), Indian laws should fall within the acceptable parameters set by the EUCJ.

In India, Section 69 of ITA 2000 is one law that supplements the Indian Telegraph Act and provides surveillance rights. When PDPA is enacted, there will be Sections 35 and 36 of the Act that will provide exemptions from the Indian law to the law enforcement agencies.

However, under Section 37 of the PDPA of India (as per current Bill) any processing operation involving the processing of personal data of foreigners can be notified as exempt from PDPA. Hopefully every Indian company engaged in the processing of personal data from EU will use this provision.

But Section 69 of ITA 2000 and the Indian Telegraph Act, as well as some other sectoral regulations, may have jurisdiction over all the data processing activities of a company, which include local data and foreign data. In such cases, the possibility of surveillance measures could come in for dispute by the EU agencies.

It is in this context that a great disservice has been done by the Maharashtra Government and the Mumbai Police by their persistent harassment of Republic TV, which required Supreme Court intervention for what appeared to be a clear violation of human rights. The political system failed to bring a quick end to the problem and the Judiciary took an unreasonably long time to resolve the issue. The lower courts including the Mumbai High Court did not appear to have covered themselves with glory, and it was only the Supreme Court which came to the rescue of the human rights principles involved.

What this incident indicates is that if a company in Maharashtra is processing personal data of EU and it falls into the bad books of the local police supported by the local Government, there could be various forms of harassment including seizing of data centers, arrest of data center employees etc., which could halt the company’s operations.

Though one can justify that it is illegal, the local Police have proved that they are supreme and can even manipulate witnesses and evidence and carry their mission through. It is impossible for the Supreme Court to come to the rescue of the company in every case.

Hence the risk of surveillance by the local administration is a risk that every company functioning in the state of Maharashtra has to bear. Any true professional who is conducting a due diligence in India on a company in Maharashtra cannot therefore give a clean chit that the company is immune to “Republic Attack”. Hence it is near impossible for Data Importers in Mumbai or Pune to convince their business partners in the EU region that they will meet the standards of surveillance mentioned in the November 10th document.

Sitting in a far away place, it is possible for Data Exporters to perceive that what happened in Mumbai is a reflection of the situation in India as a whole, and if this perception is not removed, the data processing business in India will be permanently affected. NASSCOM needs to give a thought to that possibility.

Naavi has been suggesting to the Karnataka Government that it initiate certain measures to counter such a perception, to say “Bengaluru is not Mumbai” and “Data Processing regulations in Bengaluru are compliant with the International expectations”. If the Government implements some of these suggestions, it may be possible for IT companies to shift their data processing activities from centers in Maharashtra to somewhere in Karnataka.

Hopefully the Government of Karnataka will come up with appropriate strategies in this regard.

Naavi
