Welcome to IDPS 2024

Posted in Cyber Law | Leave a comment

The Lawyers' perspective of DPDPA and the Nachiketa Debate

Yesterday, I had an opportunity to experience the perspective of Law Students on the DPDPA in the Moot Court Competition held by KLE Law College, which discussed the issues of a data breach, how the lawyers could argue the incident in the Court in days to come and how the Judges may react.

I am not fully aware of the problem statement but it was clear that the problem was that there was a website providing medical services belonging to the Government sector where a breach of the personal data of customers was observed through an AI algorithm used by the payment gateway. The arguments centred around the compensation payable to the individuals whose personal data was lost and the liability of the website.

It was good to see many interpretations of the provisions of the Act presented by the students which represented the investment they have made in understanding this new law.

However, many of these interpretations appeared to need correction as otherwise the data protection Jurisprudence may get corrupted in the near future.

In particular, it was amusing to see the tendency of the community to use Section 35 exemption from personal prosecution of Government officials as a ground to ask for scrapping of the section like the scrapping of Section 66A of ITA 2000.

We have repeatedly pointed out that this decision of the Supreme Court arose because of a misinterpretation of the term “Transmission” of electronic information as “Publishing” of electronic information and a desire of the Supreme Court to show its power by scrapping a provision instead of helping in clarification through a “Reading down” of the provision.

Law students should realize that their glory is not in scrapping a law enacted by the Parliament but in bringing clarity to the law. Even the prayer to the Courts in such cases should be for improving the system rather than bringing down the system. Perhaps even the Courts need to appreciate this.

The community appears to be misinterpreting DPDPA and focussing on being critical of the administrative powers of the DPB rather than focussing on the basic objective of the Act. It was also seen that some students were drawing the objectives of GDPR into interpretation of the Act without understanding the applicability. The community appeared to be unable to appreciate that DPDPA is a compliance related law and has to work with ITA 2000 for personal remedy. It was surprising that in the discussions nobody remembered the remedy available under Section 46 of ITA 2000 for the victims of a data breach while the power of the court to grant compensation in such cases was remembered from the Bhopal Gas tragedy.

It is interesting to note that during the next week’s IDPS 2024, we will be discussing “Adjudication as a remedy for Data Breach Compensation” in a Key Note as well as the “Grievance redressal mechanism” in the focussed group discussion. Hope the legal community would benefit from these discussions.

We need a “Nachiketa debate” on DPDPA with the Judiciary to ensure that DPDPA or any of its provisions does not get scrapped but the Judiciary assists in improving the interpretation of the Act.

Naavi

Transform Privacy Policy Disclosure to Offer Format

DPDPA 2023 expects that “Consent” is the legal basis for processing of personal data. Consent requires a contract between the data principal and the data fiduciary. A Contract is a combination of an “Offer” and an “Acceptance”.

What we normally find on websites today is a “Privacy Policy”, which is a declaration by the organization that this is what we do to protect your privacy. This is in the form of a “Disclosure”.

When the disclosure is presented as an “Offer” and is confirmed as “Accepted”, the “Consent” is actualized. This leads to the action of the data principal in providing the necessary information, for the data processor to process the data as per the consent.

Perhaps to put the DPDPA 2023 into proper compliance framework, we need to change the “Disclosure Format” of Privacy policy to an “Offer” format of a Notice.

One of the implementation challenges is to make the consent contract non-repudiable with proper authentication. The ITA 2000 indicates that the authentication of an electronic document is valid only if it is supported by a digital/electronic signature. As a result, to enable a “Perfect Consent”, the Privacy Notice has to be accepted with an electronic signature. Since all data principals do not have a digital signature, the Aadhaar based E-Sign is an option to explore. If, however, e-sign has to be used for every consent, withdrawal of consent, modification of consent etc., it will be an expensive proposition for the data fiduciary.

How does DGPSI try to address this? Or how should MeitY facilitate this? This is a point of debate…

….Let us discuss your views on this in IDPS 2024 at Bengaluru, on November 30 and December 1…

Register today at www.idps2024.in

The two eyes of DPDPA Compliance

DPDPA envisages two key professional roles for driving compliance.

The DPO is responsible for DPDPA compliance within the organization while the Data Auditor is an independent auditor who checks the implementation.

FDPPI has recognized these roles and created the C.DPO.DA., or Certified Data Protection officer and Data Auditor as a Certification program.

In the upcoming IDPS 2024 on November 30 and December 1 at KLE Law College Auditorium in Bangalore (also available virtually), you can discuss the impact of DPDPA on the professions of DPO and Data Auditor.

Be there, participate and contribute. Register today at www.idps2024.in

Naavi

Credentials of DPOs….. Be a Guardian of Privacy

As India moves ahead into the era of DPDPA, there is a rush for professionals to occupy the role of “DPO” in an organization. It is sometimes easy to grab a title but difficult to retain it and feel deserving to hold it. Hence those who aspire to be DPOs need to have and develop the credentials necessary to be a DPO.

When FDPPI was formed in 2018, one of the first objectives set for itself was to build an “Empowered” community of “Knowledgeable”, “Efficient” and “Ethical” Data Protection Professionals who contribute to the development of a “Secure Information Society” by lawful means.

The “Empowerment” comes from the “Ethical Attitude” which is often absent in our approach to modern life. The knowledge we have and the skills we possess are meaningful only when they are applied with a noble objective. It is not enough if as a DPO we guide our organizations to be law abiding and meticulously follow the “Rules” when published. We need to be also “Ethical” in our approach and fulfil our duties as a “Guardian of Privacy” of the “Data Principal”. A DPO is himself/herself a “Fiduciary” and needs to be guided by the needs of the “Data Principal” when designing the compliance in an organization.

DGPSI as a framework of DPDPA Compliance recognizes this role of a DPO. As a guardian of Privacy of the Data Principal, the DPO is responsible to identify the Privacy Risks of the Data Principal and ensure that the risk is mitigated to the extent feasible, informed to the data principal and consent recorded.

In fulfilling this role, the DPO will have a natural conflict with the business objectives of the organization which he has to navigate through. This requires leadership skills, persuasive communication skills and also empathy with the Data Principal. The DPO, also being a first respondent to the Data Principal, needs the skill to negotiate and resolve disputes. Interpersonal skills to work harmoniously with the peers, superiors and regulators are also a desirable credential of the DPO.

Want to know more about the credentials of a DPO?….

Attend IDPS 2024…Details at www.idps2024.in …Register today.

NEGD starts DPDPA Awareness Campaign

It appears that on behalf of MeitY, National E Governance Department (NEGD) has started an awareness campaign on DPDPA to the industry professionals.

A few days back NEGD conducted a physical conference in Delhi and today they hosted a one hour webinar from Advocate Supratim Chakraborthy of Khaitan Associates.

It was a well conducted webinar and useful to the industry professionals.

Hope many more such discussions will be conducted by NEGD.

In the meantime, FDPPI will conduct about 20 hours of discussion on DPDPA and other global Data protection laws and the interaction with the recent developments in technology in the two day conference in Bangalore on November 30 and December 1, under the Indian Data Protection Summit 2024 (IDPS 2024).

Check for details on www.idps2024.in and be there physically or virtually.

Naavi
