Header image alt text

Naavi.org

Building a Responsible Cyber Society…Since 1998

During the discussion on the Data Protection white paper in Bangalore on 13th instant by three members of the Expert Committee led by the Chairman Justice B.N.Srikrishna, several interesting issues came up for discussion. While it is difficult to recall all the points discussed, I am trying to capture some of the interesting points raised along with my comments here.

The comments made here are not that of the expert committee members and should not be construed as views either accepted or rejected by the committee at this point of time. Justice Srikrishna was however a great listener and tried to probe the persons raising questions to understand the issue as much as possible. The ministry representatives have made suitable notes and they are likely to be discussed by the committee later and taken into account before a bill is recommended.

  1. One of the suggestions made was that the law should be people oriented and principle based.

Comment: In India, we still does not have a law on Privacy protection. Except for the fact that we know Supreme Court considers Privacy as a fundamental right of a person under Article 21 of our constitution under “Right to life and personal liberty”, we donot have a definition of what is “Privacy”.

The first question that the Indian Data Protection Act (IDPA) has to address therefore is whether we have one section in which we define what is Privacy. i.e. Do we incorporate a clause in the definitions, stating “Privacy means…..”.

The problem however is that the nine member bench of the Supreme Court itself did not take up the responsibility of defining what is “Privacy” and some of the judges in their respective individual orders (not forming part of the final signed collective operative order under the judgement of 24th August 2017 which we refer to today as the Puttawamy Privacy judgement) made different comments stating different aspects of our life as elements of “Privacy”.

This law therefore cannot take upon itself the responsibility of defining what is “Privacy”.

Currently, Information Technology Act 2000 (ITA 2000) has a definition of “Personal Information” and “Sensitive Personal Information” and has prescriptions of how it has to be protected by Body corporates,(under Section 43A) , how it has to be collected and protected by intermediaries (Section 79 of ITA 2000), what compensation may be available for wrongful loss arising therefrom (Section 43,66, 72A), how long the data has to be preserved (Section 67C), how the data can be intercepted and collected by Government agencies for national security reasons (Sections 69,79A, ,70B) etc,. All these are essential ingredients of a Data Protection Act in respect of “Data in electronic form”.

Will IDPA also address these issues?.. If so, will it be overlapping with ITA 2000/8 provisions? is one of the decisions that the committee needs to arrive at.

The IDPA as is being envisaged is addressing to what is referred to in the Puttaswamy judgement as “Information Privacy”. This definition is dependent on the definition of “Privacy” and a judgmental decision on “Which information addresses to Privacy”. For example, will an IMEI number be considered as “Personal Information”? if so, is it simply “Personal information” (PI) or is it “Sensitive personal Information” (SPI)? . Is an IP address a PI?, Is E Mail address a PI?. except for “Biometric” or “Password” there may not be a consensus of what is to be included or excluded from the definition of PI and where the line of demarcation has to be drawn between PI and SPI and whether the classification has to be even further refined as PI-Level I, PI-Level 11, SPI-Level I, SPI Level II etc needs to be decided.

In such an uncertain environment, the law cannot be “Prescriptive” at all. It has to be necessarily “Principle based”.

Now, if ITA 2000/8 already has a “Principle based”- “Due diligence” and “Reasonable Security Practice” already defined, what does the new IDPA do in repeating the same things in a different statute?

In this context, a question arises whether it is a good idea to simply make amendments to ITA 2008 to meet the objectives of the proposed IDPA.

If required, a new chapter can be added to ITA 2008 called “Chapter on Data Protection” and incorporate the requirements of registration of data controller etc., which are not adequately covered in ITA 2000/8.

 (Will be continued)

Naavi

Links to all the three parts of this report of the consultation are available here

Part I

 Part II

Part III

Print Friendly, PDF & Email

The Four judges of Supreme Court who recently held a press conference appealed to the public through the media with a request ‘please take care of the institution and take care of the nation’. The judges namely Justices Chelamaeshwar, Rajan Gogoi, Madan B Lokur and Jurien Joseph were complaining that the Chief Justice as “Master of the Roaster” is actually behaving as a “Master” and he should not do so. They said that their efforts to make him allocate sensitive cases only amongst the top 5 judges were not being heeded and some cases are being allocated to the junior judges.

The revolting judges agreed that this was an unprecedented situation and they wanted to go through this exercise as otherwise history would accuse them of having sold their souls.

The conference itself was held very clumsily. The judges did not have the press release nor a proper statement to be handed out to the press. There were favoured lawyers who were in the crowd of the journalists and Mr Shekar Gupta a veteran journalist was even invited to sit on the dais.  Immediately after the press meeting, the CPI party leader Daniel Raja, a known opposition party leader was seen shaking hands with Justice Chelameshwar giving a political colour to the entire episode.

The judges came out as completely inexperienced in not only the manner in which they conducted the press conference but also the manner in which they were fumbling for words during the interaction.

Justice Chelameshwar said that what they wanted to share was a letter they had written to the CJI a copy of which would be shared and that is all they wanted to say. Gagoi confirmed that there is nothing more to say beyond the letter but inadvertently admitted that the admission of the case in the Justice Loya’s death was a reason for this press meet.

Mr Dushyant Dave has been the advocate strongly advocating that the Justice Loya case should not be heard by a specific judge and it should be heard only by one of these four judges as if they would give a decision in his favour only.

Another advocate Mrs Kamini Jaiswal who is bitterly against Mr Amit Shah indicated in her subsequent statements that the possibility of Mr Amit Shah not being convicted was the reason behind this revolt. It was as if Teesta Setlwad was speaking through Kamini Jaiswal.

Yet another advocate Indira Jaising has also been vocal with similar views indicating that the politics of “Anti Amit Shah” forces were truly pushing the judges into a corner with the press conference.

It appears that these three advocates are either directly or indirectly responsible for the current mess in the Judicial system and are unmindful of the damage that they have done to the Indian judiciary for their own personal gains.

It was not surprising that Congress followed up with its own Press Conference though it was also as indecisive as the Judges press conference. It appeared as if Mr K.S.Tulsi had strongly opposed Congress getting into this controversy but Kapil Sibal and P Chidambaram pushed through the conference.  Rahul Gandhi in his usual style spoke a rehearsed sentence and ran away without taking questions.

With the Meeting of D Raja with Chlemeshwar and the Congress press conference, it was clear that the Four Revolting Judges were playing the tune of the political parties. However much they may try to whitewash their intentions, the perception with the public is clear that this was a political agenda playing out through the four judges.

It appeared that these four judges wanted to say more but were restraining themselves. Finally the charges made by the four judges appeared hollow and self defeating. Had they been more forthright, they would have atleast sounded more convincing.

Since then, several legal luminaries are expressing their views on the points raised. A large number of advocates are on the side of the Four revolting Judges while a large number of past judges are holding  the view that conducting of the press conference was wrong.

If we ignore the perceptions and focus more on the problem they have highlighted, then solution is not difficult to find.

The accusation is that while the CJI is considered as having a discretion to constitute benches and allocate cases to any of them, he should do so only with the consultation of the 5 senior most judges who form the collegium.

While the Judges 2-5 in seniority who held the Press Conference hold that CJI is only the “First amongst equals ” and not more important than any of them, they consider that other judges of the supreme court who are 6-25 in seniority are lesser mortals who are not equal to the first five.

This does not seem to be a logical l argument and has to be rejected.

Either all the judges have the privileges attached to their seniority in which case the CJI as the senior most has higher privileges that includes the management of the roaster, or they should agree that all judges of the Supreme Court are equally competent to handle any legal matter before them without fear or favour and with the legal expertise required.

Expecting that the rule of “First amongst Equals” applies only to the first five and not to all the 25 judges of the Court indicates a self serving argument.

If we admit that the roaster allocation had some “Motive” behind it as implied by these four judges, we can also imply a “Motive” behind the accusation of the four revolting judges. If CJI wants to avoid handing over some sensitive cases to any of these four and wants to give it some other judge down the line which is a departure from the procedure indicates a “Bad motive”, then the demand that such cases should be handed over only to them and not to anybody else also indicates a “Bad Motive” on the part of the four judges.

If we leave aside these perceptions since these judges are not transparent about their motives and want to hide behind the respect they enjoy as judges of the highest court of the land, let us accept that the only grievance is that the allocations are being done not in accordance with the established procedures of the past where all the five senior most judges worked together as a collegium and distributed sensitive cases only amongst themselves so that none was unhappy but the current CJI is trying to break this tradition.

Perhaps this is making these judges insecure and their friend lawyers also more insecure because they were perhaps existing in the system more by the strength of their relationship with the judges rather than their ability to fight a case on the merits.

The solution for this is not in asking the media and the public to adjudicate since what “We the people ” may say will not be palatable either to these judges nor to their favoured lawyers. Nevertheless since they have sought our advise, let us provide them the advise.

The problem is about allocation of cases to the 25 judges of the Supreme Court in an equitable manner that justice is done to the petitioners. The criteria of seniority is only relevant as a demonstration of the expertise of a judge and not otherwise. Each judge may however carry a badge of domain expertise based on the type of cases in the past where he would have examined a particular domain in depth and thereby gained an expertise. There cannot be any expertise based on qualifications since the College qualifications of all the judges are at least 3 decades old and has no relevance today. For example, Mr Chelameshwar being a student of Physics in his college does not make him a domain expert in a case involving Noise pollution or Electric outage etc.

Either the judges have to declare their top three areas of interest/specialization based on their own self introspection or based on the cases they might have handled in their career  and have to be tagged with the domain of expertise which were required to resolve them.

Assigning a “Domain Expertise Tag” to every judgement released by a judge in all the Courts is a process that has to be introduced now so that after a decade or so, it becomes a reliable barometer to tag a Judge with his area of domain expertise. Criteria for this needs to be developed and adopted.

In the meantime, an adhoc measure can be adopted where each judge of the Supreme Court is asked to declare three areas of interest that is used as his “Specialization Tag”.

Every judge will automatically have a seniority tag also. Using these two tags along with a “Random Allocation Tag”, it is possible for the Chief Justice to select a Judge or a Bench of multiple judges for assigning any case.

For this purpose, the CJI may categorize a case as “Requiring a specific domain expertise”. He can use is “First amongst equals” privilege to do so. Similarly, he can decide on whether the case requires a single judge or more judges to be in the bench.  Having decided these two parameters out of his privilege of being the CJI, he can proceed to allocate cases in the following manner. CJI can also determine the workload of a judge and determine if he has to be part of the selection for a given case or not.

a) In case of single member allocations, the choice can be completely randomized, such as picking up a judge out of the 25 (or lesser numbers if some is over burdened with cases at present). It is possible to do this by computerized allocation with priority criteria for domain expertise and seniority to be set to zero.

b) In cases where two  judges are there in a bench, one of the selections can be made on domain expertise criteria and the other on random basis.

c) In cases there there are three or more members in the bench, one member may be selected on seniority basis, second on domain expertise basis and the third randomly.

In larger benches the criteria can be repeated for the balance vacancies to be filled up.

This process leaves enough scope for the CJI to exercise his privilege and also provide opportunities for the senior members to be part of the important cases where there are at least 3 members. The single member benches which are prone to manipulation by friendly advocates would be randomized so that no advocate would gain an unfair advantage with a petitioner saying “I Know this Judge, Come to me”.

If the Supreme Court wants a software to be developed for the purpose, I am sure that there would be many software professionals who would be willing to develop it for free as their contribution to protect the institution which is the concern of these four revolting judges.

Naavi

Print Friendly, PDF & Email

Public Consultation on Data Protection Legislation

Posted by Vijayashankar Na on January 14, 2018
Posted in Cyber Law  | Tagged With: , , , | No Comments yet, please leave one

Yesterday, (13th January 2017), three members of the Judtice Srikrishna Committee on Data Protection Law participated in a public consultation program in Bangalore at the IISc auditorium.

Honourable Justice (Retd) B.N. Srikrishna, the Chairman of the committee was present along with two other members of the committee namely Mr Gopalakrishna and Rama Vedashree. A healthy discussion was held all through the day with around 100 participants which consisted of the elite Privacy practitioners in Bengaluru including IT professionals, Lawyers, Activists and some representatives from the academia. This was one of the four such meetings that are being held across the country while the option to submit the feedback continues on the website till January 31, 2018. The earlier meetings were held in Delhi and Hyderabad and the last meeting is being held at Mumbai.

Though this consultation was not directly related to a discussion on Aadhaar, there were many agitated Aadhaar critics in the meeting and raised their concerns. The Supreme Court which is resuming its hearing on Aadhaar on 17th January 2018 will take into account the efforts of the Government in improving the Privacy protection regime in the country both in its efforts to introduce the Virtual Aadhaar ID system as well as the introduction of a robust data protection law in India.  In that context, the efforts being taken by the committee to have a wide consultation across the country with experts from the field was important since one of the objections of the Anti-Aadhaar lobby has been that the Justice Srikrishna Committee itself did not have a proper representation of all stake holders. This consultation process therefore addresses this issue and takes the sting out of the criticism that the committee does not represent all the stakeholders.

Justice Srikrishna came through as a well informed person even in the field of Technology and gave confidence to the community that the Data Protection recommendations to be given by the committee would be fair and address most of the concerns. He was keen to listen to the views of everyone and responded where required with his own wit and humour, keeping the discussions lively throughout the day.

End of the day, the gathering was convinced that the job of framing the data protection law which has been pending since many years and passed through many versions would get another serious and fair try.

We urge professionals to take the time left to go through the white paper and submit their valuable views to the committee so that the opportunity to contribute to the law making in this important area is not missed.

Naavi.org hs been providing its views and will continue to do so in the next few days left.  So far some of the views have been expressed in the following articles.

1. Data Protection Law in India… Three Big Ideas …. Data Trust, Jurisdictional Umbrella and Reciprocal Enforcement Rights
2. Look beyond GDPR and Create Personal Data Trusts to manage Privacy of data subjects
3. “Compliance by Design” should be the motto of the Data Protection Act of India
4. We should forget the “Right to Forget” in Indian Data Protection Act
5. Personal Data should be considered a personal Property
6. Data Protection Act.. We should aim at Compliance with Pleasure not Compliance with Pain.
7. Right to Privacy should cease at death
8. Proposed Data Protection Legislation in India- White Paper released
9. All articles

Naavi

Print Friendly, PDF & Email

As the Government of India conducting nationwide public consultation programs on the Data Protection Law proposed to be drafted on the basis of the Justice Srikrishna Committee, I would like to place before the ministry, some of my key ideas.

Big Idea 1: Data Trusts

The global regime of data protection including the EU GDPR recognizes the role of

  1. a Data Protection Authority for the nation,
  2. Data Controllers who collect data from the subject and/or determine how the personal data is to be used,
  3. Data Processors who process personal data on the instructions of the Data Controller
  4. Data Protection officers at the industry level as compliance officers.

I propose a new category of agency called “Data Trust” which operates between the Data Subject and the Data Collector and works as an escrow agent for the personal data of the individual. It will be a specialised institution which

  1. has the necessary wherewithal to secure the data entrusted to it by the public
  2. has the ability to classify the personal data entrusted to it by the public into different data category packages such as “Basic”, “Basic-identity”,”Sensitive identity”, “Confidential” \or such other categories as they may chose to logically group
  3. has the ability to decode the consent forms and privacy notices of data collectors and grade the data controllers
  4. has the ability to determine which category of data is required to be supplied to which category of data controller
  5. has the ability to process a realtime request from the data subject to supply appropriate data to the data collector during a service registration process
  6. is registered with the Data protection authority
  7. is subject to being reviewed both by the strength of their performance and an audit by the authority
  8. is able to keep an arms length relationship with the Data collectors
  9. is able to monetize the data for the benefit of the data subject
  10. is able to issue a pseudonomization Id to its members which can be used instead of the real information when personal data is to be provided to data collectors.

The creation of this intermediary would be a unique suggestion that will make Indian law different from the rest of the world and meet the requirements of our country where there are a large number of less literate persons operating mobiles.

Big Idea 2: Jurisdictional Umbrella

Since Data Protection is a global concept and just as India is imposing responsibilities under Indian law, many of the Indian processors are already under obligation to international data protection agencies including GDPR authorities where huge penalties are likely to be imposed on the Indian companies through contractual obligations.

Indian law therefore has to also decide on the jurisdiction of the proposed law and how it will handle the disputes arising between Indian processors (or controllers) with the GDPR counterparts.

It is proposed that Indian law is made primarily applicable to the Indian Citizens for the protection of their rights on personal information privacy.

Impact of this law on non citizens arising due to the collection of their personal data during their activities which come under the Indian legal jurisdiction is not an obligation of the country but could be accepted in the interest of projecting India as a country that can be trusted for data protection for cross border transactions.

However, when it comes to enforcement of the rights of any foreign agency including private citizens as well as GDPR authorities or even the Contractual beneficiaries aborad, on any Indian Citizen or Indian Data Controller or Data Processor, it should be mandatory that the dispute is resolved only with the involvement of the Indian Data Protection Authority.

Indian Data Protection Authority shall be the sole adjudicating authority for all disputes in which an Indian Citizen or an Indian Corporate or an Indian Government agency is a party.

Big Idea 3: Reciprocal Enforcement Rights

Recognition of any data protection law of any country outside India shall be only on a reciprocal basis where equal rights are available from the other country which may include

a) Enforcement of the privacy rights of an Indian Citizen or a Company in the foreign jurisdiction

b) Enforcement of penalty of any description on an Indian Citizen or a Company vis a vis similar rights for the Indian companies or individuals on the foreign citizens and companies.

I urge the Ministry to incorporate the above three ideas into the proposed law in appropriate terms.

Naavi

Print Friendly, PDF & Email

It appears as if the Anti Aadhaar lobby in India has just been outsmarted by the UIDAI with its proposition of the “Virtual Aadhaar ID” as a response to the many complaints about the leakage of Aadhaar information.

The Supreme Court is waiting to complete its hearing which potentially could hold that the linking of Aadhaar to Bank and Mobile accounts was in violation of the Constitutional Right to Privacy of an individual. In the process, the entire Aadhaar scheme’s future hangs in balance.

The ground had been well prepared for scrapping the Aadhaar with the hurriedly issued 9 member judgement in the Puttaswamy case declaring Privacy as a fundamental right giving a very strong weapon with which any action of the Modi Government related to Aadhaar could be struck down.

Since the Supreme Court cleverly avoided defining what is Privacy even while holding that it is a Fundamental right, it left the doors wide open to intervene on any thing that Aadhaar was supposed to be linked with. The recent sting operation of Tribune alleging that the entire Aadhaar data base access could be purchased for Rs 500/- in 10 minutes had primed up the argument for striking down the Aadhaar linkage. Aadhaar linkage appeared to be a lost cause after this Tribune revelation.

But suddenly the “Virtual ID” option floated by UIDAI has frustrated the anti Aadhaar lobby and given a strong argument for UIDAI that it is responding to the security vulnerabilities and taking mitigation steps.

The plight of the Anti Aadhaar lobby is  like the plight of a batsman in a Cricket game who has happily jumped forward to a flighted delivery hoping to hit a six,  only to find that he has  missed the ball and is now praying that the Wicket Keeper does not stump him out.

We hope that the Wicket Keeper completes his expected duty and the Umpire does not call a no-ball.

There is no doubt that the Aadhaar authorities have been in the past behaving with an air of arrogance that reminded me of the “Indira Gandhi of Emergency Days” . But the intention of the Government to use Aadhaar as a unique identifier to root out benami asset holding and black money cannot be faulted. All those who wanted to  protect their black money were using the “Privacy” argument to oppose Aadhaar. The UIDAI was playing into their hands so far by its own negligence, ignorance and arrogance.

Hence there is a need to address the security concerns and meet them adequately rather than blaming the system itself and fight for its scrapping.

The Virtual ID concept is some thing which should be appreciated as a step in the right direction. It is true that it has come late and should have been in place from the day Aadhaar was intended to be used for KYC purposes widely. We have repeatedly advocated what we have called  “Regulated Anonymity” and the Virtual Aadhaar ID is close in its concept to part this concept which is the principle of “De-Identification” or “Pseudonomization”.

Under the proposed system, UIDAI will stop allowing direct access to its core CIDR server system which houses the data of the citizens collected for issue of Aadhaar. Instead there will be a gateway server which faces the down stream service providers which is linked in the back end with the core CIDR server. Public will be able to obtain a “Virtual Aadhaar ID” which is a 16 digit temporary random number mapped to the Aadhaar number of the user, through the website. This 16 digit number may be used as an ID to be provided to service providers like Banks and Mobile companies. When these users want to check the Aadhaar identity against either the OTP or biometric of the Aadhaar holder, the query will be processed by the secondary server which in turn will query the Core CIDR server and process the request.

The exact architecture that UIDAI may use is not known. It is however clear that the Core CIDR server has to be kept insulated from the public including the agencies such as AUA/KUA with a strong Firewall that separates the Core CIDR system from any communication from outside. The mapping of the Virtual ID issued and the true ID has to be maintained some where and that becomes a critical component of the process. How this is secured determines the security of the system as a whole.

If UIDAI again makes mistakes in managing the security of this “Mapping Server”, then the problem will continue.

The architecture should therefore include a “Virtual ID issuing server”, “Virtual ID-True ID mapping Server” in addition to the current “Core CIDR Server”. In the Regulated Anonymity system that we had discussed in the past, a system was discussed for such requirements and hopefully some of those principles would be used and improved upon in the UIDAI new system. (The Regulated Anonymity system is discussed here). The concept was discussed in 2013 and could be considered as raw and amenable to many improvements.

If UIDAI does not secure access to the “Mapping Server”, the data will be only be marginally more secure as it introduces one additional step for the hackers to break.

If UIDAI sheds it’s “I Know Everything” attitude and is humble in listening to the experts in the field, it may perhaps be able to secure the system at least in future. Whether it is too late?… is difficult to answer.

The Y2K Moment again

Keeping the arguments of how the security of the Virtual ID would be implemented, we can now address the industry issue that the proposed system has introduced. UIDAI has announced that the UIDAI will start accepting VID from March 1, 2018. From June 1, 2018 it will be compulsory for all agencies that undertake authentication to accept Virtual ID from their users.

This means that all the agencies who are using Aadhaar now, (Should be thousands of companies) will all have to tweak their codes to accommodate a 16 number system in the place of a 12 number system for its services. For some time, they need to maintain both systems working and later remove the earlier 12 digit number acceptance.

Additionally it may be necessary for them to covert all existing storage of True Aadhaar Id with a Pseudo Aadhaar Id or atleast remove the True Aadhaar Id from their system.

This will be like implementing the “Right to Forget” which is a tough task since most of these companies will not know where all they have stored the Aadhaar numbers in their systems. It could be on web servers, on cloud storage systems, on e-mail servers etc and all of these have to be erased. (If such a requirement is made).

It is possible that the Supreme Court may impose the above condition for allowing the use of Virtual ID in future and not scrap the system. But it is not known when they will give their view on it. The user companies have to therefore keep their fingers crossed and wait if the 16 number field has to be used in future or they should keep both options in place for some time.

The software developers therefore have their hands full only to implement the changes as the Supreme Court may decide. In this respect we will be re-living the days of Y2K implementation when globally codes were changed to accommodate a four digit field for the year component of a date instead of the 2 fields which were provided.

Good for many… but costs for the companies….Perhaps it is the price to be paid for the development amidst a hostile political environment.

Waiting to see what the Supreme Court will do now….

Naavi

Related Articles:

Aadhaar Authentication: How To Use Virtual ID (VID)

Virtual ID is Aadhaar 2.0, It Can be Changed Any Number of Times: UIDAI Chairman

Aadhaar Virtual ID “Unworkable”, Will Oppose Tooth-And-Nail: Petitioners

There’s no consensus over Aadhaar number or 16-digit virtual ID

Old Articles of naavi

Reasonable Security Practices For UID Project..in India..A Draft for Debate

The Unique ID Project.. What should be Unique?

The National ID Card Challenge for Nandan Nilekani.. Part I

The National ID Card Challenge for Nandan Nilekani.. Part II

Print Friendly, PDF & Email

As the extended date (31st January 2018) for submission of feedback on the whitepaper on Data Protection law approaches, there is increased activity in the industry circles to submit the recommendations.

It is obvious that there will be two distinct sets of recommendations that will be reaching the Government. One would be from the industry side where the concern is on the role of Data Controllers, Data Processors, the Cross border data flow restrictions, Data Localization, impositions such as Privacy by design and Right to be forgotten, Right to access and correction etc. On the other hand the Privacy Rights activists would be focusing more on the rights protection through increased participation of the data subject in the management of personal data, increased penalty, better data breach notification, proper consent management etc.

The law makers need to ensure that there is a balance in meeting the conflicting demands of the two stakeholders.

The Justice Srikrishna Panel has been heavily influenced by the GDPR in the draft of the white paper and it is likely that even the final law may borrow a lot of ideas directly from GDPR.

One of the key suggestions which Naavi.org would like to put out is to look beyond the concepts of Data Controller and Data Processor which form the backbone of GDPR and look at a new dimension of control by creating a third entity which we may call “Data Trusts” or “Data Managers”.

The “Data Trust” is envisaged an intermediary between the data subject and the Data Controller and would address most of the regulatory concerns where there are likely to be conflicts between the Privacy activists and Data Industry.

We all accept that “Data” is the new oil and there is a huge  business interest driving data analytics which will be seriously affected by the Privacy regulations. If the regulations are too strict, the business interests will find ways to overcome the law and do what they would do for the commercial gains.

For example, “Informed Consent” coupled with “Notice” can be the basis on which any data controller could gather personal information for further processing. Even if these are mandated by legislation and supported by audit, penalty etc, it is unlikely that this would be anything beyond formalities. In the mobile world which is the biggest concern, consumers of service can hardly be expected to study the Privacy Notice and provide Informed Consent all the time. The Consent may be so complicated and long winding that “Consent Fatigue” may make it useless. Further it is possible that the coding of the Apps or software may include data mining though the notice may say otherwise.

Hence “Notice+Informed Consent” principle though is essential would not work in practice to the extent it should.

I therefore propose that a system should be introduced where data subjects are provided assistance by professionals in managing their “Data” and ensuring that it is not misused and where it is used with consent for financial gain, a part of the reward goes to the data subject.

For this,  I propose the following infrastructure.

  1. Declare “Personal Data” as the property of the data subject which he has right to license for a commercial consideration.
  2. Any Data Controller who wants to use personal data must be prepared to purchase the rights from the data subject through a “License”.
  3. The “Personal Data License” will be bound by a contract (like the consent) which will determine the purpose for which the data use is licensed, the period etc along with a measurable financial benefit in case the data is used for marketing and financial gain.
  4. Since it is difficult for the data subject to negotiate a proper value for the personal data, there is a need for “Personal Data Managers” as professional advisers to the data subjects or a more institutional form of “Data Trusts” which could be organizations who will offer the service of “Personal Data Management”. They will function like “Portfolio management advisers” and  “Mutual Fund” organizations in the investment circles.
  5. Personal Data Managers and Data Trusts may offer their services under a “Self Declared Data Management Practice Statement” which is registered with and approved by the National Data Management Authority.
  6. The National Data Management Authority will provide the Approval rating of such individual Personal Data Managers and Institutional Data Trusts in a National Registry and through periodical public feedback and its own research make necessary changes as and when required.
  7. The data subject will be free to chose any Personal Data Manager or Data Trust and deposit their personal data with them with option to “Port data” to other data managers/trusts.
  8. The Data Controllers will be mandatorily required to  obtain the data from these data managers and trusts who will be responsible for vetting the “Notice” and “Consent” in a professional manner.
  9. In order to enable a data subject to encapsulate his personal data into a package that can be managed, the Data Trust will receive the data and issue a “Personal Data Management ID”. This could be issued in multiple layers such as “Basic Data ID”, “Medical Data ID”, “Financial Data ID”, “Biometric Data ID” etc.
  10. When a data subject needs to provide his personal data for availing any service, he may simply provide the appropriate ID and the service provider has to extract the details from the designated data trust/manager who is expected to apply due diligence in the interest of protecting the interests of the data subject.

Advantages 

Apart from the benefits of this system to assist the data subject surf through the maze of complicated Privacy Notices, and Consent forms multiple times and understanding them befor approval, the system will make it easy for the regulator to regulate the industry since instead of regulating hundreds of data controllers and processors, they can focus on regulating the Data Trusts and Data Managers as an intermediary industry. This will reduce the number of players to be monitored.

At the same time, the Data Management industry will be able to develop expertise in data protection and management which is absent today even with regulatory authorities.

Since this scheme envisages that there would be a proxy ID for the data, it will enable confidentiality and data security by not exposing the primary data in multiple collection points.

Each data trust will be like the UIDAI or even better in terms of data security and they should compete on the basis of their security principles and ability to pay a license fee to the data subject members.

We donot envisage that members will pay for this service. They will license their personal data to the Data Trust agency either for free or for a fee payable. It may take some time for the economic model here to develop and for the Data Trusts to provide a commercial benefit to the members. But initially, their ability to provide data protection by pseudonomization of the personal ID or through complete encapsulation with the proxy ID will be a sufficient reward to the data subjects.

If Data is really the new Oil and the Data industry makes money out of the data subject’s data, then they may pass on part of the benefits to the data subjects. For this purpose they may offer a small percentage, even if it is one part in a lakh of a rupee of their profits from the data management business either in cash or in the form of “Loyalty Coupons” that can be exchanged elsewhere, it would provide some kind of “Return” to the data subject to compensate for his loss of privacy.

I believe that the above proposal is even a solution for the inadequacy of UIDAI to secure the Aadhaar data.

P.S: These are my preliminary ideas which can be refined further into a commercial service if any organization is interested. I trust the Data Protection Law recommended by Justice Srikrishna Committee makes such service feasible through appropriate enabling provisions.

Naavi

Earlier Articles related to the above may be available here: 

Print Friendly, PDF & Email