Naavi
IICA Qualified Independent Director
Net4India issue… ICANN Support for Registrants
After a long struggle, the registrants of domain names in Net4India.com are getting resolution from the problem created out of the insolvency proceedings.
During the pendency of the insolvency proceedings the activities of Net4India had been suspended. As a result domain names could not be renewed and services related to the modification of services with Net4India both for domain name related changes and hosting related issues had got stuck.
Naavi.org took up a fight against the problems of domain name registrants and first NIXI responded by making it possible for transfer of dot in domain names to other registrars. Now ICANN also has responded and has promised to provide direct assistance to affected registrants.
It is our sincere belief that this incident has to be taken up as a lesson by ICANN and NIXI to find an automatic solution to such problems in future.
In particular,
a) Registrars of Domain Names and Hosting Service Providers should be considered as “Critical Service Providers” and cannot be allowed to shut shop without a proper notice and winding down of operations. The least that can be done by ICANN/NIXI is to allow transfer of domain names forcibly to other operative service providers.
b) While insolvency proceedings are initiated on such critical service providers, Company Law Tribunal as well as Courts should recognize that they cannot allow critical services to be stopped.
c) The Finance Ministry, in consultation with the ICAI, should evolve a method by which “Data” is brought into the financial accounting system through a “Contra Accounting Method” so that third party rights on the data do not go unnoticed.
Naavi.org thanks Mr Samiran Gupta, representative of ICANN in India for following up with the problem to get the clarification from ICANN.
More discussions may follow.
Naavi
Posted in Cyber Law
Indian Data Protection Summit: IDPS 2020
FDPPI (Foundation of Data Protection Professionals in India) has embarked on a major project of conducting a virtual Data Protection Summit on November 19th, 20th and 21st of 2020.
The Summit will consist of six sessions of 90 minutes each, two on each of the three days.
Timings would be 11.00 am to 12.30 pm and 4.00 pm to 5.30 pm.
Meeting will be on Zoom and will be free.
The Summit will discuss different topics relevant to Indian Data Protection Domain.
The tentative program is as follows:
Session 1: Recent Data Breach Incidents and PDPA of India (Nov 19th 11.00 am)
Session 2: PDPA of India is not a clone of GDPR (Nov 19th 4.00 pm)
Session 3: The Challenge of being a DPO (Nov 20th 11.00 am)
Session 4: The enigma of cross border data transfer (Nov 20th 4.00 pm)
Session 5: Data Trust Score: the Indian innovation (Nov 20th 11.00 am)
Session 6: A Unified Framework for Data Protection Implementation (Nov 20th 4.00 pm)
The sessions will be conducted as Panel discussions with experts in the industry and will be anchored by Naavi.
Watch out for more information here.
Naavi
Posted in Cyber Law
Data Processing Companies in Pune need to exit Maharashtra
Since 16th July 2020, when the European Court of Justice (EUCJ) came up with its ruling in the Schrems II case and invalidated the US Privacy Shield, there has been a crisis in the Data Processing industry worldwide. The principles on which the EUCJ invalidated the US Privacy Shield were equally applicable to countries like India, and hence if personal data from the EU could not be transferred to the US, it was equally difficult for data to flow into India, either directly from the EU or through the US.
Subsequently, on 23rd July 2020, the EDPB (European Data Protection Board) came up with some clarifications of the judgement which also reiterated that personal data cannot be transferred from the EU to the US or any other country unless the requirements of Articles 46 or 47 of the GDPR are satisfied.
On 10th November 2020, EDPB has come up with two recommendations related to the Schrems II judgement as guidelines of how the industry can be compliant with the requirements.
The first document indicates the measures that supplement the transfer tools provided under GDPR. The second indicates the European Essential Guarantees for surveillance measures.
We need to explore whether these documents suggest any workable solution for Indian data processors who are processing or intend processing EU GDPR data.
Some of the essential aspects of these documents are as follows:
Recommendations 01/2020 on measures that supplement transfer tools
The Schrems II order mandates that the protection granted to personal data in the EEA must travel with the data wherever it goes. In other words, when data is sent out of the EU region and continues to be processed in other countries, the level of protection of the Privacy rights of EU GDPR data subjects should be the same as is available in the EU.
The US Privacy Shield was rejected because it was felt that the Ombudsman responsible for protecting the Right to Access of an EU data subject was an appointee of the Government and not an independent judicial authority. Secondly, it was felt that the data is not insulated from surveillance by intelligence agencies.
In the light of these developments, the US Privacy Shield was rejected as an instrument of “Adequacy”. On the other hand, the ruling held that Standard Contractual Clauses (SCC) can continue to be one of the acceptable instruments under which a Data Exporter from the EU can transfer GDPR data out of the EU.
While the SCC would be available as a tool for transfer as per Article 46 in the case of repetitive transfers, the derogations, which include explicit consent under Article 47, would be available for occasional transfers.
The guidelines of November 10, 2020 suggest a five step process to be followed by the Data Exporter before accepting the SCC which can be supplemented by appropriate additional clauses.
Step 1: Data Exporter should be aware of where the data is going and whether the transfer is relevant and limited.
Step 2: Data Exporter should identify the transfer tool being relied on: one of the tools suggested in Article 46, namely a legally binding and enforceable instrument between public authorities (e.g. bilateral treaty type documents), SCC, etc., or the applicable derogations.
Step 3: Data Exporter should make an assessment of the law or practice in the destination country that may impinge on the effectiveness of the appropriate safeguards being relied on.
Step 4: Data Exporter should identify and adopt such measures as are necessary to bring the level of protection of the data transferred up to the EU standard.
Step 5: Data Exporter should take such formal steps as may be required to adopt the supplementary measures.
Step 6: Data Exporter should undertake periodical review.
Recommendations 02/2020 on the European Essential Guarantees for surveillance measures
Additionally, the EDPB guidelines have set out four principles under which the EU would like to be guaranteed that the surveillance measures in the destination country are acceptable.
They are:
- Processing should be based on clear, precise and accessible rules
- Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated
- An independent oversight mechanism should exist
- Effective remedies need to be available to the individual
If, therefore, Indian data importers need to continue their data processing contracts, they need to satisfy the Data Exporter on the above principles and go through the five steps of evaluation. The findings should be documented as a “Due Diligence”.
As regards the situation in India, if a company is processing EU data and the EU data subject has to exercise the rights of Access, correction, portability and deletion (Forget), Indian laws should fall within the acceptable parameters set by the EUCJ.
In India, Section 69 of ITA 2000 is one law that supplements the Indian Telegraph Act and provides surveillance powers. When PDPA is enacted, Sections 35 and 36 of the Act will provide exemptions from the Indian law to the law enforcement agencies.
However, under Section 37 of the PDPA of India (as per the current Bill), any processing operation involving the processing of personal data of foreigners can be notified as exempt from PDPA. Hopefully every Indian company engaged in the processing of personal data from the EU will use this provision.
But Section 69 of ITA 2000 and the Indian Telegraph Act, as well as some other sectoral regulations, may have jurisdiction over all the data processing activities of a company, which includes local data and foreign data. In such cases, the possibility of surveillance measures could come in for dispute by the EU agencies.
It is in this context that a great disservice has been made by the Maharashtra Government and the Mumbai Police by their persistent harassment of Republic TV which required Supreme Court intervention for what appeared to be a clear violation of human rights. The political system failed to bring quick end to the problem and Judiciary took an unreasonably long time to resolve the issue. The lower courts including the Mumbai High Court did not appear to have covered themselves with glory and it was only the supreme court which came to the rescue of the human rights principles involved.
What this incident indicates is that if a company in Maharashtra is processing personal data of EU and it falls into the bad books of the local police supported by the local Government, there could be various forms of harassment including seizing of data centers, arrest of data center employees etc., which could halt the company’s operations.
Though one can argue that it is illegal, the local Police have proved that they are supreme and can even manipulate witnesses and evidence and carry their mission through. It is impossible for the Supreme Court to come to the rescue of the company in every case.
Hence the risk of surveillance by the local administration is a risk that every company functioning in the state of Maharashtra has to bear. Any true professional who is conducting a due diligence in India on a company in Maharashtra cannot therefore give a clean chit that the company is immune to a “Republic Attack”. Hence it is near impossible for Data Importers in Mumbai or Pune to convince their business partners in the EU region that they will meet the standards of surveillance mentioned in the November 10th document.
Sitting in a far away place, it is possible for Data Exporters to assume that what happened in Mumbai is a reflection of the situation in India as a whole, and if this perception is not removed the data processing business in India will be permanently affected. NASSCOM needs to give a thought to that possibility.
Naavi has been suggesting that the Karnataka Government initiate certain measures to counter such a perception, to say “Bengaluru is not Mumbai” and “Data Processing regulations in Bengaluru are compliant with the International expectations”. If the Government implements some of these suggestions, it may be possible for IT companies to shift their data processing activities from centers in Maharashtra to somewhere in Karnataka.
Hopefully the Government of Karnataka will come up with appropriate strategies in this regard.
Naavi
Posted in Cyber Law
Will NPCI indulge in Data Laundering like CIBIL?
Naavi.org had earlier pointed out how CIBIL which was once owned by Indian Banks was quietly transferred to a foreign company for undisclosed consideration by a number of Indian public sector Banks in a concerted move.
In the process, more than 500 million sensitive personal data sets of Indian Citizens were acquired by the foreign company, along with the revenue benefits flowing out of the profits.
See the details here:
CBI Enquiry is required for finding the truth behind TransUnion taking over CIBIL
Is TransUnion-CIBIL guilty of Accessing Critical Personal Data through surreptitious means?
Data Laundering ..is it covered under PDPA?
Now there is a report that NPCI is all set to sell its equity to 131 companies including Banks, PSOs, etc., in what is said to be an attempt to create “Distributed Ownership”.
According to the report, invited companies include the likes of JP Morgan Chase, DMRC, Western Union, Airtel, Jio, Paytm, Bank of America, etc.
It may be noted that presently NPCI is owned to the extent of 82% by 12 domestic Banks while the remaining is held by 40 smaller Banks and select cooperative, rural and foreign banks.
At present it is stated that only 4.6% of equity would be diluted for about 1800 crores. However, we cannot forget that CIBIL similarly started a dilution program which eventually meant that the company which was owned by the Indian Banks later went completely into the control of TransUnion.
We should remember that the NPCI also holds highly valuable sensitive personal data which is in fact “Critical”, since the UPI IDs are unique and link to the financial assets of millions of Indians. An attack on NPCI would debilitate the country to the extent that it would be of interest to national enemies engaged in cyber terrorism and cyber war.
What may start as a 4.6% dilution at Rs 1800 crores may firstly be valued at much more than Rs 1800 crores and secondly, it may not stop at 4.6% and may go much higher. In the case of CIBIL, the dilution started at 10% and reached 92%. Similarly NPCI may soon be sold out completely to foreign hands.
I call upon the Finance Ministry to withdraw this proposal forthwith as it will not be possible to guarantee that NPCI will not be sold off to foreign interests just as CIBIL was sold in a scam.
This sort of dilution may be considered “Data Laundering”, and the forthcoming PDPA has to question such ownership transfer of companies holding critical personal data since it is a data sovereignty issue.
Naavi
Posted in Cyber Law
EDPB adopts Supplementary transfer tools following Schrems II ruling
EDPB published the following press release today:
During its 41st plenary session, the EDPB adopted recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, as well as recommendations on the European Essential Guarantees for surveillance measures.
Both documents were adopted as a follow-up to the CJEU’s ‘Schrems II’ ruling.
As a result of the ruling on July 16th, controllers relying on Standard Contractual Clauses (SCCs) are required to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data in the third country, if the law of the third country ensures a level of protection of the personal data transferred that is essentially equivalent to that guaranteed in the European Economic Area (EEA).
The CJEU allowed exporters to add measures that are supplementary to the SCCs to ensure effective compliance with that level of protection where the safeguards contained in SCCs are not sufficient.
The recommendations aim to assist controllers and processors acting as data exporters with their duty to identify and implement appropriate supplementary measures where they are needed to ensure an essentially equivalent level of protection to the data they transfer to third countries. In doing so, the EDPB seeks a consistent application of the GDPR and the Court’s ruling across the EEA.
The recommendations contain a roadmap of the steps data exporters must take to find out if they need to put in place supplementary measures to be able to transfer data outside the EEA in accordance with EU law, and help them identify those that could be effective.
The recommendations on the supplementary measures will be submitted to public consultation. They will be applicable immediately following their publication.
In addition, the EDPB adopted recommendations on the European Essential Guarantees for surveillance measures. The recommendations on the European Essential Guarantees are complementary to the recommendations on supplementary measures.
The European Essential Guarantees recommendations provide data exporters with elements to determine if the legal framework governing public authorities’ access to data for surveillance purposes in third countries can be regarded as a justifiable interference with the rights to privacy and the protection of personal data, and therefore as not impinging on the commitments of the Article 46 GDPR transfer tool the data exporter and importer rely on.
Reference:
Recommendations 02/2020 on the European Essential Guarantees for surveillance measures
Posted in Cyber Law