Regulation of Non Personal Data.. Recommendations of the Kris Gopalakrishna Committee-1

The Kris Gopalakrishna Committee (KGC) has released its report on “Data Governance”, which is open for public comments till August 13. The report is a rich collection of thoughts that needs some churning before recommendations can be formulated.

Many legal experts have objected to Section 91 of the PDPB, which empowers the Government to frame any policy for the digital economy involving non personal data. Elaborate and erudite arguments have been made on why this is “unconstitutional”. However, these are not relevant, since Personal Data and Non Personal Data are two sides of the same coin: if one side is heads, the other is tails. Any regulation of, or exemption from, the Personal Data Protection Act automatically marks out what is non personal data, and hence the regulation of personal data is intertwined with the regulation of non personal data.

Personal data regulation through the PDPB tries to keep its distance from Non Personal Data by defining “Personal Data” and thereby, by exclusion, defining “Non Personal Data”. It also exempts “Anonymized Data” and “data that does not contain the identity of a natural person” from its regulations and leaves them open for further regulation.

Now that the regulation of Non Personal Data may come separately, as recommended by the KGC, with a new regulator, the new regulation also needs to keep its distance from the PDPB.

The KGC report is not law, but at some points it makes more than the necessary comments on the regulation of Personal Data, which needs to be avoided when the new law is drafted. If the legal experts objecting to Section 91 of the PDPB have any logical reason for their objections, they should have the same objections to the KGC report.

However, for practical reasons, we need to note that the KGC has made a distinct recommendation that there needs to be harmony not only between the Personal and Non Personal Data regulations but also with the Competition Act.

The PDPB has recognized the following categories of data:

  1. General Unclassified Data
  2. Personal Data (of Natural Persons)
  3. Sensitive Personal Data
  4. Critical Data and
  5. Minor’s Personal Data

Profiling data, which consists of interpretations of personal data, is also treated as equivalent to raw personal data for regulation.

General Unclassified Data, which is defined by what is not Personal Data, includes

a) Data of Companies and organizations which are not natural persons

b) May include personal data of deceased persons

c) Anonymized Personal Data

d) Aggregated data which may be classified as Community data

e) Observational data of a non personal nature, such as weather data.

Some types of data, such as “personal data generated between two individuals during a transaction” (a telephone conversation, for instance) or “Group Data” (a group photo, CCTV footage of a public space, etc.), present challenges in classification as “personal data” and may be controversial despite some interpretations available in the GDPR scenario.

For example, a telephone conversation raises the issue of who has the right to share the conversation, since both parties created it as a “Transaction”.

Similarly, a group photo is a “Group Transaction”, and the right to share may have to be recognized for all the group members.

In the case of CCTV footage, the camera captures the pictures but does not identify the people, and hence the footage is “unidentified to an individual”. However, at the back end the data can be processed to identify the persons using face recognition, or by the observer bringing his personal knowledge to the evaluation of what the data means. This means that the footage is essentially “anonymous” or “identity independent” and the identity gets added during the back end processing.

Some of these challenges were sought to be brought to better clarity when the undersigned proposed the “Theory of Data”, in which three hypotheses were postulated, namely

a) Data is created by technology but interpreted by humans

b) Data exists in different avatars as it passes through a “Reversible life cycle”

c) Data ownership is additive as data moves through the life cycle.

(See articles on the topic here)

A question had been raised at that time whether the Personal Data Protection Act and the definitions used therein would be compatible with this theory.

Now the KGC has come up with many more complex categorizations of data, and it is interesting to look at these and evaluate them against Naavi’s theory of data before we dive deeper into the recommendations of the KGC.

(To Be continued…)

Naavi

Posted in Cyber Law

Why the Standard Contractual Clauses of GDPR are disturbing

Consequent to the EU Court’s decision to reject the US Privacy Shield, the EU has expressed its lack of confidence in the ability of the US state to monitor the Privacy Shield without adversely affecting the privacy rights of EU citizens. It has also not allowed the US Government to specify the checks and balances it wants to establish to protect the privacy rights of EU citizens in good faith, nor entered into a negotiation on due process.

Instead, the EU Court has objected to the powers of the US intelligence agencies to demand personal data from US based Data Controllers or Data Processors having access to EU data subjects’ personal data. As a result, even if the US authorities want the data in connection with national security requirements, it would be considered unacceptable. The appointment of the Privacy Shield Ombudsperson and his/her reporting to the Secretary of State is also not acceptable to the EU.

It is ironic that in June 2019, when Mr Keith Krach was confirmed by the US Senate to become the first permanent Privacy Shield Ombudsperson, the EDPB had praised the appointment.

But the decision of the EU Court now means that this appointment cannot be trusted to protect EU citizens’ privacy. In other words, the Court is suggesting that the privacy of the EU citizen supersedes the power of the US President and the Senate and the responsibilities they can be trusted with.

It appears that the EU Court has, by this decision, gone beyond its jurisdictional limits by expressing a view on a sovereign foreign Government and its functioning. It is expressing distrust of the very Government machinery that the whole world has to trust with the nuclear button.

This decision means that EU businesses need to abide by this ruling and enforce the Standard Contractual Clauses.

I am reminded of the recent Chinese law on Hong Kong, which is reported to also state that “China has the power to prosecute non Hong Kong citizens”. Just as China is using Hong Kong as an excuse to establish its extraterritorial jurisdiction, the EU Court is trying to establish its hegemony over non EU sovereign states.

There is a need for other Governments, including India, to wake up to this development and protect their own rights.

In the light of this development, it is most unlikely that the Indian DPA will ever be acceptable to the EU, and “adequacy” status for India under GDPR is out of the question.

Standard Contractual Clauses are equally problematic

In the coming days, therefore, we will focus more on the Standard Contractual Clauses (SCC), and look at some of the provisions of the SCC which, to my mind, appear objectionable.

Following is an extract from one of the recommended SCC documents meant for the transfer of personal data to data processors. (This is a 2010 document which the EU has not updated for GDPR but has accepted as also applicable under GDPR.)

  1. Data Subject can enforce rights against the Data Importer

The Data Subject in this context is an EU citizen, and the Data Importer is a company or individual subject to the laws of a third country like India or the US, which are sovereign countries.

The SCC says

“The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.”

This means that when there is a default (read: fraudulent disappearance) by the EU Data Controller, the responsibility and liability shift to the citizen of the third country.

Obligations of the Data Importer

The obligations mentioned here as Clause 5(a) to (e) and (g) include not only the obligation to maintain technical and organisational security measures, but also cover data breach notifications, rights of access, disclosure of sub-processing contracts, disclosure to law enforcement authorities, etc.

It also provides an acceptance that the EU Data Subject can bring a claim for compensation in the EU country’s jurisdiction under the laws governing that country. This also has to be extended to the sub-processors.

It is clear that these SCC provisions do not respect the fact that the data importer is a citizen of another country and is bound to comply with the laws of that country. He does not have a right to abdicate his responsibility to the local Government and Constitution through a business contract, though the economic power of the data exporter may force the data importer to sign on the dotted line and use his own economic power to make his sub-processors also sign on the dotted line.

These contracts cannot be considered as contracts entered into through “Free Will”.

Indian PDPA

The Indian PDPA, as envisaged under the current Bill, has one provision that tries to keep the processing of personal data of foreign citizens under a data processing contract separate from the obligations of the Indian law (Section 37).

It appears that Section 37 of the Indian PDPB is a reminder to the EU, which perhaps presumes that it can lord over the world through the GDPR.

When India was discussing the framing of its law and the Justice Srikrishna Committee visited Bangalore, the undersigned had raised the need for the Indian law to protect the interests of Indian companies from the unreasonable demands of GDPR-like laws.

These were discussed in the article “Data Protection Law in India… Three Big Ideas… Data Trust, Jurisdictional Umbrella and Reciprocal Enforcement Rights”.

Out of these suggestions, the “Data Trust” was adopted in the concept of the “Consent Manager” under the PDPB, and may also be used in the Non Personal Data governance suggested by the Kris Gopalakrishna Committee report.

The other two ideas, namely the Jurisdictional Umbrella and Reciprocal Enforcement Rights, have not yet been included in our law and assume more relevance now, after seeing the attitude of the EU Court in respect of the Privacy Shield.

I had suggested

“….However, when it comes to enforcement of the rights of any foreign agency, including private citizens as well as GDPR authorities or even contractual beneficiaries abroad, on any Indian Citizen or Indian Data Controller or Data Processor, it should be mandatory that the dispute is resolved only with the involvement of the Indian Data Protection Authority.

Indian Data Protection Authority shall be the sole adjudicating authority for all disputes in which an Indian Citizen or an Indian Corporate or an Indian Government agency is a party.”

It had also been suggested that

“Recognition of any data protection law of any country outside India shall be only on a reciprocal basis where equal rights are available from the other country which may include

a) Enforcement of the privacy rights of an Indian Citizen or a Company in the foreign jurisdiction

b) Enforcement of penalty of any description on an Indian Citizen or a Company vis a vis similar rights for the Indian companies or individuals on the foreign citizens and companies.”

I wish the JPC on the Personal Data Protection Bill will keep these suggestions in mind so that the DPA is given enough powers to ensure that India can enforce its Data Protection Law for the protection of the privacy of its citizens in such a manner that the EU, or any other country using its economic clout, does not try to create a “Data Colony” in India.

Naavi

PS: All opinions expressed at Naavi.org are the personal opinions of Naavi

Posted in Cyber Law

Twitter Hack highlights the need for Indian PDPA Provision on Social Media Intermediary

The great Twitter hack is a serious development in the Cyber Security scenario with many implications.

It has highlighted

    • that the security of Twitter is not good enough for the level and sensitivity of its operations
    • the foolishness of many Indian Banks who had adopted “Twitter Banking”, using Twitter messages to trigger banking transactions
    • that Social Media is never to be trusted, with or without deep fakes
    • that Bitcoins continue to be the bane of civilized society as a tool of crime
    • that the Indian Personal Data Protection Bill was right in insisting that Social Media Intermediaries enable users to be identified on a voluntary basis

It is time for an Indian Twitter alternative, so that we can slowly shift to it with a new account, a new password and a new identity. But the Indian company should ensure that it goes much beyond the security that Twitter provided, where compromise of one administrator account could put global users at risk of not only an economic crime but a political controversy of large proportions.

In the period after the Chinese app bans, several alternatives have been announced, but most of them have failed to provide even the basic functionalities, let alone security.

It appears that the Indian IT and IS professionals have a long way to go to demonstrate their IT skills before the Indian Apps make a dent in the International scenario.

Let’s hope the opportunities beckon the really talented, who are presently working for most of the international brands, to turn their attention towards developing the Indian supplier market for Twitter-like services.

Naavi

Posted in Cyber Law

EU Judgement on US Privacy Shield…Is this an assault on US sovereignty?

Ever since GDPR became effective on 25th May 2018, there has been a debate as to whether the earlier arrangement between the US and the EU for “Adequacy” status, based on the 1995 Directive, would be considered “adequate” under GDPR for cross border transfer of EU personal data.

Under the Privacy Shield, self certifications were registered with the US Department of Commerce based on the Privacy Shield Framework, and the US Department of Commerce entered into a valid legal agreement with the EU.

On July 12, 2016, the European Commission deemed the EU-U.S. Privacy Shield Framework adequate to enable data transfers under EU law. It provided the legal basis for the transfer of personal data from the EU to participating US organizations. It replaced the Safe Harbor framework, which had earlier been struck down by the EU Court as inadequate.

Under the Privacy Shield, a set of information, as listed here, had to be submitted by the US entity to the Department as a “commitment”. A fee was charged for the self certification (e.g. $975 for a company with a turnover of $25 million). The organizations were required to put in place a grievance redressal mechanism (e.g. arbitration), free of charge to EU citizens, who would have recourse to raise their privacy related complaints for redressal.

The Privacy Shield requirements addressed the privacy concerns reasonably.

However, the decision of the EU Court of Justice on 16th July 2020, following a complaint raised by the Austrian activist Max Schrems, has now rejected the arrangement on adequacy considerations. But the Standard Contractual Clauses used for cross border transfer were held valid.

Hence US companies which were hitherto relying on Privacy Shield certification will have to rewrite their contracts with EU companies, incorporating the acceptable Standard Contractual Clauses, which may bring them under the jurisdiction of the EU courts directly, without the protection of the US judicial system.

However, the obligation to ensure that the SCCs are proper lies more on the EU entities, unless the US entities, by virtue of having business establishments in the EU, submit themselves to the jurisdiction of GDPR.

The principal reason why the Court held that the Privacy Shield certification is unacceptable to the EU is that the “Ombudsperson” under the Privacy Shield may not have the powers to prevent the US intelligence agencies from denying protection to EU citizens in the manner the EU desires. The Court opined that since the Ombudsperson reports directly to the Secretary of State, he cannot be considered “independent”.

It is the prerogative of the EU Court to provide whatever guidelines it wants to the GDPR authorities, including directions to accept or reject the agreement the EU entered into with the US in the interest of trade and commerce.

But if the EU Court considers the US Secretary of State, as the authority to whom the Privacy Shield Ombudsperson reports, unacceptable from the point of view of the privacy protection of an EU citizen, it is to be considered a rejection of the authority of the US Government to take such steps as may be required, at the level of the US Secretary of State, to protect their country.

In the current political scenario, where it appears that the EU is slowly being consumed by Islamic fundamentalism and there are demands in some EU states for the introduction of Sharia law, it is necessary for the global community to ensure their own protection. This includes the ability to retain their sovereign right to monitor data movements in the interest of national security. Hence it is to be considered the sovereign right of the US to have a due process of law that gives the Secretary of State some control over the Ombudsperson, rather than the total independence the EU desires.

The principle that the EU Court seems to propagate through this judgement can tomorrow also give it a reason to reject the authority of the DPA in India as well as in many other countries.

Hence the decision of the EU Court should be considered an affront to the global community, challenging the authority of the respective Governments to set up their own apex data protection authorities in good faith, with the necessary independence, but always subject to “national security considerations”.

This argument brings us back to the debate that “Privacy is a right which is not absolute” and has to be considered subject to “reasonable restrictions”.

Though many activists read “reasonable” as “total” and do not agree with any restrictions, it is the fundamental right of any citizen of a free country like the US, the UK or India to consider it the prime duty of the Government to protect its citizens from terrorism, international crime, etc.

If this requires surveillance of a certain order, subject to a reasonable “due process”, it is unacceptable for a foreign court to interfere.

The decision of the EU Court will now place the US on par with India, and hence, from a business perspective, Indian companies may now feel that they can compete for data processing contracts directly with the US, since both are subject to SCC obligations. To this extent, the development can be considered advantageous to India.

However, this is not the time to gloat over the new business opportunity, but to recognize and oppose the re-emergence of the age old colonial mindset in Europe, with the added danger that the current rulers of EU countries may function more under the influence of Islamic fundamentalism, posing a greater political risk to international business.

It would be interesting to see how the UK reacts to this development and how the US counters. The best option could be not to make a fuss about the decision, ignore it and let the businesses settle their commercial interests through the SCCs. It could be inconvenient in the short term but would be acceptable in the long run as a business process.

Naavi

Reference

EUCJ Judgement of 16th July 2020

EDPB clarifications dated 23rd July 2020

Standard Contractual Clauses

EU controller to non-EU or EEA controller

EU controller to non-EU or EEA processor

ICO UK Templates

Controller to controller template

Controller to processor template

Posted in Cyber Law

Banning of China Applications..Article on India Legal

Article that appeared in India Legal Print magazine


Posted in Cyber Law

Legacy Data is a problem in implementing the new Data protection laws

When countries move from “no data protection law” to a “strict data protection law”, one of the problems faced by companies is how to handle the legacy personal data already with them.

This data could have been collected earlier either without proper consent or without the consent record being available for reference now. Even if consent had been obtained earlier, it is unlikely that the information provided to the data principal would have met the current data protection requirements.

For example, the PDPA of India, when implemented, would require the notice for personal data collection to include the following points:

(a) the purposes for which the personal data is to be processed;
(b) the nature and categories of personal data being collected;
(c) the identity and contact details of the data fiduciary and the contact details of the data protection officer, if applicable;
(d) the right of the data principal to withdraw his consent, and the procedure for such withdrawal, if the personal data is intended to be processed on the basis of consent;
(e) the basis for such processing, and the consequences of the failure to provide such personal data, if the processing of the personal data is based on the grounds specified in sections 12 to 14;
(f) the source of such collection, if the personal data is not collected from the data principal;
(g) the individuals or entities including other data fiduciaries or data processors, with whom such personal data may be shared, if applicable;
(h) information regarding any cross-border transfer of the personal data that the data fiduciary intends to carry out, if applicable;
(i) the period for which the personal data shall be retained in terms of section 9 or where such period is not known, the criteria for determining such period;
(j) the existence of and procedure for the exercise of rights mentioned in Chapter V and any related contact details for the same;
(k) the procedure for grievance redressal under section 32;
(l) the existence of a right to file complaints to the Authority;
(m) where applicable, any rating in the form of a data trust score that may be assigned to the data fiduciary under sub-section (5) of section 29; and
(n) any other information as may be specified by the regulations.

In the current regulation, contained under Section 43A of ITA 2000/8, Rule 5(3) of the Reasonable Security Practices rules states

(3) While collecting information directly from the person concerned, the body corporate or any person on its behalf shall take such steps as are, in the circumstances, reasonable to ensure that the person concerned is having the knowledge of —

(a) the fact that the information is being collected;
(b) the purpose for which the information is being collected;
(c) the intended recipients of the information; and
(d) the name and address of —
(i) the agency that is collecting the information; and
(ii) the agency that will retain the information.

Additional requirements on minimal retention, purpose limitation, right to access and correction, opt out option, right to withdraw consent, grievance redressal, disclosure norms, security safeguards, etc. were to be followed by body corporates collecting sensitive personal information, but were not clearly mandated to be part of the published “Privacy Policy”, which was the “Notice” as we now refer to it.

The privacy policy was required to indicate the type of personal or sensitive personal data or information collected, purpose of collection, usage of such information, disclosure and reasonable security.

As we can see, though the intention of Section 43A was similar to that of the PDPA 2020, the details specified as requirements of the notice in the PDPA 2020 are far more than what was envisaged under Section 43A of ITA 2000.

It can safely be said that consents, if any, obtained in the pre-PDPA 2020 period would be insufficient to meet the requirements of PDPA 2020.

The Data Fiduciaries therefore have to obtain fresh consents by serving fresh notices to the Data Principals.

In the ITA 2000, there was no concept of a Data Fiduciary and a Data Processor, though in the clarifications provided by the Government it was indicated that the Data Processor was not responsible for the consent and only the body corporate which had a direct relationship with the data subject would be required to collect the consent.

If therefore we strictly interpret the emerging regulations, all legacy personal data with the body corporates will have to be forensically deleted as soon as the PDPA 2020 comes into effect, or new consents obtained.

Assuming that the organisations send out e-mail notifications to the data subjects and seek fresh consent, it can safely be assumed that a very large number of such data subjects would either not respond, or their e-mail addresses would no longer be correct and hence they would not be able to respond.

In such cases a large number of data sets have to be purged.

When GDPR came into effect, similar problems were faced by the Data Controllers, and while most of them might have purged the data, some archived it under legitimate interest claims and some might have taken no action other than sending a reminder for re-permission.

There were many instances where data subjects retorted to the re-permission request with questions such as “Where and when did you get my personal information? How are you processing it? Where is the past consent?” Unable to face such questions, some companies simply purged the data without attempting to renew the earlier consent, though this resulted in the loss of the earlier investment.

In the case of GDPR, since the EU Directive was already in force, perhaps it was not necessary to provide a transition option from the legacy system to the GDPR system. But in India, where the earlier system did not require consent of the type now required, it would be unfair to penalize those organizations which were in compliance with Section 43A but may fail the current requirements.

Hence there is a need to provide a smooth transition from Section 43A (ITA 2008) based personal data collection to Section 7 (PDPA 2020).

Such a transition has to provide relief to those organizations which

a) hold consents as per Section 43A of ITA 2008, and

b) send out opt-in requests with the new consent forms but do not receive confirmation,

so that such data can be phased out over a period of time relevant in the context of the legitimate interest of the organization.
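The transition described above amounts to a triage of the legacy inventory: a record whose original notice already covered every Section 7 element needs nothing; anything else needs a fresh opt-in request, and if no confirmation arrives within the phase-out window the record is purged. The following Python is an added illustration of that triage, not code from the original post or from any regulator. The letter codes for the notice elements, the mapping of the four Rule 5(3) items onto the nearest Section 7 items, the 180-day window and the record layout are all assumptions made for the example, and the sample inventory is constructed.

```python
"""Triage of legacy personal-data records during a transition from
Section 43A (ITA 2000/8) style notices to a PDPB Section 7 notice.

Added illustration; the codes, the 43A-to-Section-7 mapping, the grace
period and the record layout are assumptions, not anything prescribed
by the Bill or the Rules."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Section 7(1) notice items (a)-(n) as listed in the post, one letter each.
PDPB_NOTICE_ELEMENTS = frozenset("abcdefghijklmn")

# Rule 5(3) of the 43A rules required only four items. Mapped here (an
# assumption) onto the nearest Section 7 items:
#   fact of collection        -> (b) nature/categories of data
#   purpose of collection     -> (a) purposes of processing
#   intended recipients       -> (g) entities data may be shared with
#   name/address of agency    -> (c) identity and contact of fiduciary
SEC_43A_NOTICE_ELEMENTS = frozenset("abcg")

GRACE_DAYS = 180  # assumed legitimate-interest phase-out window


@dataclass
class LegacyRecord:
    record_id: str
    notice_elements: frozenset            # items the original notice covered
    optin_sent_on: Optional[date] = None  # date the re-permission request went out
    optin_confirmed: bool = False


def missing_notice_elements(rec: LegacyRecord) -> frozenset:
    """Section 7 items the original notice did not cover."""
    return PDPB_NOTICE_ELEMENTS - rec.notice_elements


def triage(rec: LegacyRecord, today: date, grace_days: int = GRACE_DAYS) -> str:
    """Classify one record as 'retain', 'send_optin', 'await_response' or 'purge'."""
    if rec.optin_confirmed or not missing_notice_elements(rec):
        return "retain"            # fresh consent, or notice already complete
    if rec.optin_sent_on is None:
        return "send_optin"        # legacy notice insufficient, nobody asked yet
    if today - rec.optin_sent_on <= timedelta(days=grace_days):
        return "await_response"    # inside the phase-out window
    return "purge"                 # silence past the window: forensic deletion


def triage_all(records, today: date, grace_days: int = GRACE_DAYS) -> dict:
    """Group record ids by the action the transition rule calls for."""
    out = {"retain": [], "send_optin": [], "await_response": [], "purge": []}
    for rec in records:
        out[triage(rec, today, grace_days)].append(rec.record_id)
    return out


# Constructed sample inventory (not real data).
SAMPLE = [
    LegacyRecord("r1", SEC_43A_NOTICE_ELEMENTS),                         # never asked
    LegacyRecord("r2", SEC_43A_NOTICE_ELEMENTS, date(2020, 8, 1)),        # asked recently
    LegacyRecord("r3", SEC_43A_NOTICE_ELEMENTS, date(2020, 1, 1)),        # asked, silence
    LegacyRecord("r4", SEC_43A_NOTICE_ELEMENTS, date(2020, 1, 1), True),  # confirmed
    LegacyRecord("r5", PDPB_NOTICE_ELEMENTS),                             # notice already complete
]


def triage_sample(iso_today: str) -> dict:
    """Run the sample inventory against a given date given as YYYY-MM-DD."""
    return triage_all(SAMPLE, date.fromisoformat(iso_today))


if __name__ == "__main__":
    for action, ids in triage_sample("2020-09-01").items():
        print(f"{action:15s} {ids}")
```

The point of the gap check is that a 43A-era notice can never satisfy Section 7 on its own, so every such record must either be re-consented or given a dated exit; the grace period is where the DPA notification proposed below would do its work.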

Though it would have been good if this had been covered under a clause enabling the DPA to provide a smooth transition from ITA 2000/8 to PDPA 2020, there is no reason to despair, since this provision can be covered under Section 14 by the DPA through an appropriate notification.

Hopefully, if this comes up during the discussions of the JPC and the vested interests who want to delay the passage of the Bill hold it out as one of the reasons why the Bill should be reconsidered, the Government would be able to provide an effective counter argument that it could be covered under notifications from the DPA.

Alternatively, a simple additional provision can be added to Section 14, “Processing of personal data for other reasonable purposes”, to the following effect.

Section 14 (4) : Where the Authority considers it necessary and expedient, it may through appropriate notification provide for necessary transition from the legacy laws to the provisions under this Act, through the legitimate interest declared in the “Privacy by design policy” as per section 22 of the Act.

Naavi


Posted in Cyber Law