Committee on Data Governance…: Does it relate to Anonymized Personal Data or Non Personal Data?

On September 13, the Government of India constituted a committee of Experts on Data Governance Framework under the chairmanship of Kris Gopalakrishna, Co-Founder Infosys.

Copy of the notification

Constitution of the Committee

The members of the Committee are

  1. Shri Kris Gopalakrishna, Co-Founder of Infosys
  2. Additional Secretary/Joint Secretary, DPIIT (Department of Promotion of Industry and Trade)
  3. Ms Debjani Ghosh, President, NASSCOM
  4. Dr Neeta Verma, DG, National Informatics Centre
  5. Shri Lalitesh Katragadda, CTO, Avanti Finance
  6. Dr Ponnurangam Kumaraguru, IIIT, Hyderabad (Ed: is it Delhi?)
  7. Shri Parminder Jeet Singh, IT for Change
  8. Shri Gopalakrishna S, Joint Secretary, MeitY

Terms of Reference

The terms of reference of the committee are

  1. To study various issues relating to Non Personal Data
  2. To make specific suggestions for consideration of the Central Government on regulation of Non Personal Data

Concept of Privacy of Community Data

The initial paragraphs of the notification recall the work of the Srikrishna Committee and refer to “Community Data”.

The Srikrishna Committee had commented:

“Community data relates to a group dimension of privacy and is a suggested extension of our data protection framework. It is a body of data that has been sourced from multiple individuals, over which a juristic entity may exercise rights. Such data is akin to a common natural resource, where ownership is difficult to ascertain due to its diffused nature across several individual entities. It is relevant for understanding public behaviour, preferences and making decisions for the benefit of the community”

The Committee had gone on to suggest that the Government may consider a law to recognize the phenomenon where personal data of individuals gets aggregated (e.g. Google Maps data) and becomes useful to the community, but is beyond the control of the individuals for regulation under the PDPA.

It had flagged the possibility that individuals may not be aware of what their data can disclose when aggregated with billions of other data points. This data is analysed by algorithms and produces reliable data, which in turn helps produce other indicators that are of help to the community.

However, the Committee noted that an individual’s sharing of data in some of these cases automatically shares the data of his/her spouse, friends and family without their consent. It also flagged the possibility that companies collecting such data can make use of it as “Big Data” and derive some pattern of behaviour of the community, and hence that “community privacy” was at risk.

The Committee noted:

“A suitable law will facilitate collective protection of privacy by including a principled basis for according protection to an identifiable community that has contributed to community data. This will take the form of class action remedies for certain kinds of data breaches involving community data with diffused social and systemic harm. Tools like group communication and sanction may be envisaged. Such protection will take into account any intellectual property ownership of the juristic entity.”

It therefore appears that the Government has now taken a follow-up action on the recommendations of the Srikrishna Committee by constituting the Kris Gopalakrishna Committee.

However, if we look at the “Terms of Reference”, the notification refers to “Non Personal Data” and not “Personal Data”.

We understand that “Personal Data” becomes “Non Personal Data” through a process of “Anonymization”. It is the aggregation of this anonymized data that creates the Big Data business of Google Maps et al.

What concerned the Srikrishna Committee was the “identifiable nature of the shared personal data which becomes the aggregated identifiable personal data of a group”, and it suggested that the “Privacy laws” should grow from protection of “Individually identifiable personal information” to “Individual group identifiable activity information”.

It appeared that the intention of Justice Srikrishna was that, just as we recognize the “Right of an Individual to Privacy”, we should recognize the “Right of the Family Group” or the “Larger community” to be able to protect “Community Privacy”.

This concept of “Community Privacy” is not something the current regulation of “Privacy” as a fundamental right of an individual can address. Hence a separate legislative framework was suggested.

It appears that the Terms of Reference do not capture this intention correctly.

Inadequacy of the Constitution of the Committee

It may be noted that the point raised by Justice Srikrishna is a complex legal issue which requires a careful accommodation of the Puttaswamy Judgement as well as the provisions of the PDPA. It is not simply a “Technology or Business Promotion Issue”, though the stake of business is involved.

Hence, constituting the committee as if the issue were one of the Big Data industry, by having only business interests represented therein, is not considered correct.

It must be noted that the PDPA had serious opposition from NASSCOM as regards the “Data Localization” aspect, and the objection was serious enough for its proxy member in the Srikrishna Committee (DSCI) to record a dissenting note in the report itself. NASSCOM will now have an influence on this committee’s report and will definitely reflect the business interests of MNCs.

The committee also includes the Secretary of DPIIT, another industry representative from Avanti Finance (the board of which consists of Ratan Tata and Nandan Nilekani), a representative from IT for Change, which is an NGO, Mr Kumaraguru, an academician, besides the representatives from NIC and MeitY.

The constitution of the committee therefore appears to be inadequate/inappropriate considering the legal issues upon which this new committee may trample. Considering the involvement of business interests, it would not be surprising if it reflected the Big Data industry view and ignored the conflicts with the Privacy and Data Protection requirements. There could therefore be conflicts with the PDPA.

Theory of Dynamic Personal Data

It should be pointed out that we at Naavi.org had flagged this issue in March 2018 when introducing the “Theory of Dynamic Personal Data”. There is a need for industry observers to take a second look at the idea that was discussed here, which was expanded in some of the later articles on GDPR. The theory as propounded may be raw, but it has an idea that is relevant to the “Community Privacy” issue that was raised by Justice Srikrishna.

We will highlight some of the issues in our subsequent articles in this series. Watch out for more on this topic here.

(Continued)

Naavi

Reference Articles:

Data Processors may be able to create a Diamond out of Charcoal..if Indian Data Protection Act is innovatively drafted


PubG deserves to be shut down

The gory incident of a boy in Belgaum, Karnataka, beheading his father for not allowing him to play PUBG Mobile has shocked all sane persons and brought the focus back on the ill effects of Mobile Game Addiction on the youth of the country.

While participating in a TV discussion today, I was surprised at the number of calls received from different parts of Karnataka pleading with the channel to do something to get PUBG banned to save the youngsters who have become addicted to the game.

In the past, we have discussed the adverse effect of Blue Whale and urged the Government to take suitable action including identification and removal of dangerous games like Blue Whale. It appears that PUBG (PlayerUnknown’s Battlegrounds) is far more dangerous than Blue Whale.

Blue Whale used a process of cyber hypnotizing the player and leading him to commit suicide. But it required a mentor to carry out its design and appears to have petered out after the arrest of the founder.

In the Belgaum incident, the boy planned out the murder of his father in a gory manner and locked up his mother first before assaulting the father and chopping off his head and hands. The anger that he displayed is surprising and indicates the profound impact the game has created on the boy.

Some of the other incidents reported include the following:

    1. A 20-year-old boy from Jagitial, Telangana died after playing PUBG Mobile for 45 days. After suffering intense neck pain, he was taken to the hospital where the doctors found the nerves in the neck were damaged. The boy died while undergoing treatment.
    2. In a recent report, a boy from Chhindwara in Madhya Pradesh accidentally drank acid mistaking it for water while playing PUBG. He was rushed to the hospital and doctors have now said that his condition is out of danger.
    3. Two persons who were busy playing PUBG on train tracks were knocked down by a train. The incident happened in Hingoli district in Maharashtra. They were run over by a Hyderabad-Ajmer train. An accidental death report was filed.
    4. A fitness trainer from Jammu allegedly started hitting himself after losing at PUBG. He was reportedly playing the battle royale game for 10 days. Doctors state that although he is recognising people, he is still not very conscious and still under the influence of the PUBG game.
    5. In another incident, a boy died of cardiac arrest after playing the game continuously for 6 hours.

There have been many more incidents reported where the adolescents have shown violent reactions when asked to stop playing the game. Many have dropped out of their colleges out of the addiction.

As the clamour for the game being banned grows, PUBG is preparing to release Mobile Season 9 on September 13. Before the launch of this new version, certain challenges have been thrown up to offer some freebies to the players, and this may be the cause of a rush to complete the assignments, leading to the violent behaviours we have seen.

The National Child Rights Commission has stated that the game should be banned because of its violent nature.

In some of the States, PUBG has already been banned. There have been as many as 10 arrests for people accused of playing an online game despite the ban being enforced.

However, the ban has not been effective partly because the game is a downloadable game and once downloaded, it stays in the mobile even if further downloads are prevented.

The time has come for MeitY to recognize that this game deserves to be banned completely to protect the youth.

Some may wonder, what is the use of banning a game when many more similar games may sprout up. Some want to blame the parents of these players (most of them are boys in the 17-19 years of age) for their failure to stop the addiction without understanding that parents are not expert psychological counsellors and if they attempt to correct the behaviour of these addicted kids, more violent backlashes will happen.

In the case of Blue Whale the affected kids were of lesser age and some corrective action could be taken by schools. But PUBG addiction appears to be more among young adults who are out of school, and therefore it is difficult to counsel them in the schools or colleges, though an effort can be made.

One of the features of the game reported by a person was that the game gives an option to name the enemies after real-world persons before killing them in the battles. This feature of the game makes it possible for the gamer to name the characters after people around him, like his parents or friends or teachers, and go about killing them in the virtual game to derive satisfaction. The problem, however, is that this may incite them, as in the case of the Belgaum incident, to commit the killing in the real world instead of the Cyber world.

This feature of the game may therefore be considered as “Inciting Violence against living persons” and could be a valid reason to ban the game.

It is reported that the Jordan Government has already banned the game in their country.

We urge the ministry to immediately issue an order under Section 79 of ITA 2000 to declare this game as harmful to society and bring it down from the Play Store. Simultaneously, all MSPs should be ordered to kill the game in any of the mobiles where it has already been downloaded. This of course needs to be through an order of the Government in the interest of the community.

We therefore appeal to Mr Ravi Shankar Prasad, the honourable minister of IT in the Central Government to take immediate action in this regard to get the game banned.

To prevent sprouting of similar games, the Government should set up a “Controller of Online Games” and monitor such dangerous games and take immediate action to get them removed.

We also urge the responsible people in the community like the parents, teachers, and child rights activists to approach their respective MPs to take up the request with Mr R S Prasad and push for action.

We also urge the media to take up a sustained campaign on an all India level to ensure that the issue gets the attention of the Government of India immediately.

Naavi


PDPSI Vs ISO 27701 Vs BS 10012

PIMS (Personal Information Management System) is the next buzzword in the Information Security domain that will be discussed by the Data Protection professionals.

Presently, two international frameworks, namely BS 10012 and ISO 27701, are available for us to follow. The undersigned has, however, developed a separate framework titled the Personal Data Protection Standard of India (PDPSI), which has been developed with the exclusive idea of assisting Indian organizations and more particularly the SMEs and MSMEs.

It is our belief that an Information Security Framework is developed by experts in order to guide the community in adopting it as a business practice that benefits the organization. When multiple organizations adopt a good framework of information security, the community would benefit.

Such a framework should be “Open Source” and not looked upon as a Cash Cow by charging exorbitant fees for the community members to know what the best practice to follow is.

Whether it is BS 10012 or ISO 27701, it costs around Rs 13000/- each to acquire and read. ISO 27701 makes normative reference to four other standards, namely ISO 27000, ISO 27001, ISO 27002 and ISO 29100. To understand ISO 27701 we therefore need to acquire and study all these collateral documents. Fortunately BS 10012 does not have any normative references.

Those organizations which are considering a PIMS now and do not have earlier ISO implementations need to therefore spend significant money just to acquire a document that lists out the suggested practices. The interpretation and implementation through a consultant are additional expenses.

Basically these frameworks list out the broad outlines of compliance requirements as follows:

1. Leadership
2. Planning
3. Support
4. Operation
5. Performance evaluation
6. Improvement

ISO 27001 continues with specific guidance related to ISO 27001 and ISO 27002, as also guidance directed to Controllers and Processors.

The PDPSI incorporates all these principles though the document is under development. In principle, PDPSI focuses on five foundation principles represented by the following diagram.

This model compresses the normal technical controls into one segment and all policy controls into a second segment. The need to manage the human elements is packed into the third segment. Leadership, commitment, etc. are clubbed under Responsibilities. The classification of data is considered a separate foundation requirement, which also defines the scope of the implementation.

PDPSI recommends a “Distributed Implementation Leadership with a Top level policy leadership along with a designated person for accountability”.

For those who are accustomed to the specific format of the ISO/BS standards, PDPSI appears as a raw document. Salient features of PDPSI are explained under www.pdpsi.in

The normative references (to keep to the familiar term) are made to IISF 309 (Indian Information Security Framework), Theory of Information Security Motivation, Naavi’s pyramid model of Prioritization of Information security objectives.

The Classification model is depicted in the following diagram.

The classification of the data incorporates the “Subject Laws” so that PI-GDPR is classified differently from PI-PDPA.

The measurability aspect will point to a “Data Trust Score”, for which one of the recommended approaches is Naavi’s 5x5 DTS system indicated below.

The distributed model of responsibility sharing is reflected in the Governance model indicated below. (Explained in greater detail on www.pdpsi.in) 

Overall, PDPSI attempts to cover the principles inherent in both ISO 27701 and BS 10012 and provides a greater focus for an Indian organization, with a few innovations thrown in.

Once PDPSI is fully developed with the assistance of other professionals who are well versed in ISO/BS but are mentally free to pursue a more “Made in India” framework, it could be adopted widely.

In the meantime, some of the principles enunciated in PDPSI are expected to become part of the ISO/BS standards in their revised versions. Also, the Data Protection Authority of India, which is likely to come up in 2020, may adopt most of the principles under PDPSI as the suggested framework under the PDPA.

In the meantime, Naavi.org will continue to develop this concept, which is already being applied by Naavi wherever it is relevant.

Naavi


We need Insurance against Traffic Fines…Mr Gadkari, are you listening?

Mr Nitin Gadkari is set to lose all the popularity he had gained in the last few years for his work as a minister over his quixotic decision of raising traffic fines to astronomical levels.

While creating deterrence against drunken driving, rash driving etc. is necessary, an across-the-board increase of fines, such as for not wearing a helmet or not wearing seat belts, was unwarranted.

Traffic offences ideally have to be classified into two important categories: offences that endanger third parties, and offences which affect only the individual vehicle user’s own safety. Helmets and seat belts fall in the second category. Penalties have to be less for the second category since it is only to promote one’s own safety and has no impact on others.

The non-maintenance of roads leading to potholes and consequential accidents should be held as traffic offences committed by the civic bodies, and they should be fined at a larger level because their negligence affects the community as a whole. Similarly, invisible no-parking signs, non-working traffic lights etc. also cause problems to those who are essentially followers of the law.

In the last two days there are reports of one fine of Rs 87500/- on a truck driver and Rs 47500/- on an auto driver. Notwithstanding the offence, these fines are insane. Mr Gadkari should bear the direct responsibility for such a situation and be answerable to the voters in Maharashtra. Shiv Sena should have a cakewalk in the elections if they make this MV Act an election issue.

I have always held that such crazy levels of fines will only increase the corruption level in the Police. It is early days and the Police may now be accounting for the fines, and the department is increasing its revenue by a few lakhs each day in major towns. Soon the fine collection will start stagnating and getting converted into bribes to the Police. The Police will pass on a part of their loot to the politicians also, and therefore the corrupt system will grow with political patronage.

Instead of targeting the consumers by increasing the fines, I want Mr Nitin Gadkari to do something that is beneficial to the road users. One such requirement is to check the toll booth contracts, many of which should have ended over time but are continuing without any maintenance of the roads. Recently, I had an occasion to travel on the NICE Road in Bangalore towards Magadi and found the road full of potholes just like the city roads. One wonders why we need to pay any fees for such roads. Is the Transport ministry not responsible for these?

Some time back some ill informed politicians in Karnataka went against Uber and Ola and taxed them as Taxi operators, which resulted in increase of the rentals for the consumer. Similarly these fines will also increase the Uber/Ola rates since the companies have to factor this fine as part of the regular expense. The truck operators would also factor some fines in their cost and the cost of goods transport will also go up.

Mr Nitin Gadkari will be solely responsible for this increase in transport related costs.

Vehicle Insurance should include Traffic Fines

While these criticisms are well known and understood by all except the egoistic politicians who do not want to correct their mistakes, the main purpose of writing this article is to bring to the notice of Mr Gadkari and others, including Mr Modi, that there is an urgent need to introduce a component of “Insurance against Traffic Fines” as part of vehicle insurance.

Since the new fines have the effect of “Deterrence”, accidents will come down (Should come down). This should reduce vehicle insurance claims. Insurance companies should be therefore persuaded to reduce the insurance premium on all  existing policies.

Additionally the Traffic Fine endorsement should be provided at an extra premium.

Insurance companies today provide such covers for administrative fines under, say, GDPR, or even for extortion under ransomware. If these are acceptable as insurable risks, why not traffic fines?

I would like IRDAI to engage in discussions with the Insurance companies to quickly introduce the coverage on such fines.

If Mr Gadkari is still walking on the ground, he should push the insurance companies into providing such insurance coverage besides reducing the fines on “Non Third Party Risk Creating offences” to a reasonable level.

I wish a petition would be raised in this regard by some public-spirited person.

Naavi


List of Nodal Officer Contacts

Many times disputes that arise with service providers of various agencies are resolved easily when we are able to reach out to the right persons in the organization.

ITA 2000/8 mandates that every online service organization (who is an intermediary) needs to mandatorily provide the name and contact details of the Grievance Redressal officer on their website.

Unfortunately, most websites not only hide their contacts for receiving complaints but also hide their physical address to which any notice can be sent by a consumer.

Though this is a violation in itself that can be penalized by either an Adjudicator or perhaps by a criminal Court too, most organizations, out of ignorance, do not provide the contact details.

I am happy to provide a compilation of nodal officer’s contacts which have been compiled by one diligent law enforcement professional. While care has been taken to update the list, errors and omissions could be present. I hope the public will consider this useful.

List of Nodal Officers of different e commerce agencies in India.

I request these and other organizations to point out if any corrections are required. We welcome other intermediaries to share their contact addresses.

We may also bring to the attention of readers that our Associate service center at ODRGLOBAL.IN provides an online dispute resolution service which can be effectively used to resolve consumer disputes. We invite these agencies to use the services of ODR Global. It should be economical and also convenient.

CDMAC (Cyber Disputes Mediation and Arbitration Center) is one ADR center whose services may be invoked if a more serious arbitration of a dispute is required. First level disputes can be mediated by Naavi. For the time being, in the interest of the e-Consumers, such mediation would be provided free of charge.

Any collaboration in developing the ODR platform and CDMAC is welcome.

Any enquiries in this regard may be sent to Naavi.

Naavi

P.S: The following address in the list was corrected on 8th September 2019:

Yahoo India Pvt Ltd, Unit No 304, A wing, 3rd Floor, Satellite Gazebo East Wing, Guru Hargobindji Marg, Andheri (East),Mumbai 400093.
E Mail: in-legalpoc@verizonmedia.com


New Cyber Crime Act on the anvil?

Recently, Mr Amit Shah, the honourable Home Minister of India, collected information from across the country on the amendments that are required to the law to effectively counter Cyber crimes. Information coming out of the ministry seems to suggest that a new “Cyber Crime Act” may be on the anvil to supplement and partially replace the provisions of the Information Technology Act 2000 as amended in 2008 (ITA 2000/8).

According to this report in the Times of India, the new approach would be to amend ITA 2000/8 to keep most of the civil offences under the present act and create a new Cyber Crime Act to address the issue of Cyber Crimes.

One of the features being considered is to ensure that there will be no inter-state jurisdictional barrier for Cyber Crime investigations. This would be a good move if it is extended to the full extent, including the creation of a National Cyber Crime Police cadre, which is a long-term necessity in India.

Other than this, the provisions of Chapter XI of ITA 2000/8 may be shifted into the new Act. In the earlier act there was no recognition of “Cyber Squatting” as an offence, and this is due. Section 66A, which covered Cyber harassment, was wrongly scrapped by the Supreme Court and requires to be reinstated in some form.

The Intermediary guidelines which were sought to be amended and were opposed by some activists may now find a place in the new Act.

Hopefully some of the evidentiary issues, including Section 65B of the IEA, that affect prosecution may get addressed.

Let us wait and watch what more changes are going to be proposed. We hope the law will be stringent and at the same time fairly implemented, with checks and balances to prevent misuse by the Police and clever criminals and harassment of honest Netizens.

We need to watch out especially for lobbyists, particularly from the Banking sector, who will try to influence the changes in their favour.

Hopefully the draft would be available for public comments during the winter session along with the revised Data Protection Bill.

Naavi
