The Joint Parliamentary Committee on PDPB 2019 needs to expedite passage of the Bill

The COVID-19 lockdown has delayed the meetings of the JPC on PDPB 2019, giving room to speculation about whether the Government of India is developing cold feet on the passage of the Bill, which would make it more accountable for some of its activities such as the use of the Aarogya Setu app.

We are aware that MeitY has been in discussion with many business organizations, most of them MNCs now exploiting the weak Indian data protection system, who do not want a law that could bring them into a greater legislative bind. From what has been seen in the submissions of NASSCOM and ASIFMA/SIFMA, there is a lobby working on dilution of the Bill. The Government has already given up on the Data Sovereignty concept by agreeing to allow free transfer of non-sensitive personal data across borders and conditional transfer of even sensitive personal information, despite the adverse impact of this move on law enforcement. Now, if the recommendations of NASSCOM and ASIFMA are taken seriously, the Government may have to re-draft the Bill again, which means another round of public consultation and further delay.

It would be a tragedy if the JPC is used as an excuse to delay or permanently avoid the passage of the bill in its present form.

It may be noted that the ASIFMA submission directly challenges the sovereignty principle by suggesting that if the MNCs are already in compliance with GDPR there should be no need for compliance with PDPA, as if to suggest that foreign laws still reign supreme in the Indian jurisdiction.

In the recent Kerala Government controversy involving the US company Sprinklr, the so-called GDPR-compliant Sprinklr did not bat an eyelid before accepting the sensitive personal data of Indian citizens and processing it in the USA, knowing full well that this was not ethical if GDPR was a best-practice standard. They did not bother to advise the Kerala Government, whose babus may not be aware of “Privacy Protection” and were under the pressure of the Corona crisis, that the information could easily be de-identified and pseudonymized before it was transferred to Sprinklr. They did not even bother to bring to the specific notice of the Kerala Government the fact that the jurisdiction clause of Sprinklr’s standard terms of service required the Kerala Government to seek remedy in a New York court.

Sprinklr was therefore irresponsible as a “Data Fiduciary” and only tried to take commercial advantage of the situation, either deliberately or because they were ignorant of the principles of Data Protection under GDPR, or even of their liabilities under Sections 79 and 43A of the Information Technology Act 2000 (as amended in 2008).

It is such organizations in the financial sector that ASIFMA is trying to represent when it argues for dilution of PDPA.

The JPC should therefore ignore such submissions and start finalizing the Act. If they still want to have meetings with experts, they should go for a virtual conference, for which Zoom as modified may itself be sufficient, or any other video conferencing tool which they consider more secure.

I therefore request the JPC to proceed with their discussions so that the final draft of the Bill is ready before the lifting of the lockdown in the next 14 days.

Naavi

Posted in Cyber Law

Comments on the suggestions made by ASIFMA and SIFMA on PDPB

The Personal Data Protection Bill 2019, presented in Parliament on 11th December 2019, is yet to be passed. It is presently with the Joint Parliamentary Committee but seems not to have progressed much due to the COVID-19 situation.

There is one section of stakeholders who are happy with the delay and another section who are unhappy.

The Government has been following a very cautious approach in finalizing the legislation, is listening to all vested interest groups and is allowing deferment under one pretext or the other. The PDPB 2018 had already gone through a public consultation, and the PDPB 2019 is again going through another public consultation.

It is ironic that the industry which embraced GDPR without a murmur suddenly has started raising objections to the Indian law as if India has no right to pass a law that could affect the freedom of the business entities to loot the personal data of Indians.

Several centuries ago, the conquerors of the Arab world and the sea pirates from the West plundered Indian wealth to the extent possible, and now the new business managers from the West are trying to exploit the data wealth in the country. Hence they are raising objection after objection to the passing of the Act.

This tendency is very much evident in the note submitted by the Asia Securities Industry & Financial Markets Association (ASIFMA) and the Securities Industry & Financial Markets Association (SIFMA), a copy of which is available here.

Despite the length of the note submitted, it appears that these organizations do not want to see India passing this legislation, and even if it is passed, it has to be completely in favour of the business organizations to help them continue the exploitation of the personal data of Indian citizens. NASSCOM has already submitted its comments, which are also in the same mould, in favour of the MNCs.

After perusing the unreasonable submission made by ASIFMA, Naavi.org has considered it necessary to make a point-by-point comment on the suggestions, which is enclosed here.

We hope the Joint Parliamentary Committee will take into account the comments made herein.

Naavi

Posted in Cyber Law

What is the nature of Data in property terms?

There was an interesting interview of Mr Mukesh Ambani by Mr Arnab Goswami in which Mr Mukesh Ambani spoke about “Data Ownership” and “Data Monetization”. He strongly advocated that “Data” belongs to an individual or corporate, and that no company should be able to make use of the data to make profits without sharing them with the data owner.

He used the analogy of property kept in a bank locker: the bank does not have the right to take it out and use it to make profits, even if the original property is returned to the property owner.

Just a few days back we had a webinar from Justice B N Srikrishna in which he highlighted his view on data ownership. He used the analogy of the terms “My House” and “My Wife” and said that we cannot apply the same principles of property ownership in both cases, since in the case of “My Wife” there is a personal “Relationship” involved, which is different from the relationship with a property like a house. He therefore said that the concept of “Property” cannot be applied directly to “Data”.

I agree with Justice Srikrishna and endorse his view that “Data”, whether “Personal” or “Corporate”, cannot be considered similar to other properties like movable or immovable property. It does not even bear exact similarities to intangible properties like goodwill or intellectual property like trademarks, patents or copyright.

The nature of data as a property could be closer to a property such as an “Enforceable Right” (Actionable Claim). But still, data is a type of commodity or right which does not fit squarely into any of the known types of property and hence requires to be treated as an exclusive kind of its own.

Data is an exclusive kind because it is not static in an organization and has a life cycle. It starts its life cycle as raw data, which is a set of zeros and ones in no specific form. Once some of these zeros and ones are grouped in a particular manner, some software-hardware combination may interpret them as an ASCII character, a number, or even as sound or image.

Whether the data is a Word file, a Notepad file or an mp4 file, it is still a series of binary representations, and the first few sets of binary digits (the header information) identify which software is compatible and is designated to read the body of the data. Accordingly, the header data invokes a specific software and we see the data as text, sound or image.

Further, data is always in binary form, and it is the person who is viewing it who renders a meaning to it. Hence the meaning of data is one that is ascribed by the viewer. If we remove the viewer and the tools of viewing, all data looks the same: a sequence of zeros and ones. To call something personal and something else non-personal, or something sensitive, is all an imagination in the eyes of different viewers using different viewing tools. (This concept has already been embedded into our legal system through Section 65B of the Indian Evidence Act.)
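To make the header point concrete, here is a small added Python example (written for this page, not code from the post or from Naavi.org) that does what a file viewer's first step does: it reads the first few bytes, decides which interpreter the rest of the bytes are meant for, and then shows the same bytes "seen" as bits, as a number and as text. The signatures are the well-known magic numbers of each format; the sample inputs are constructed inline. It goes slightly beyond the post by treating a Word .docx as what it is on disk, a ZIP container.

```python
# Added example, not from the original post: a header-based format detector.
# The first bytes select the "viewer"; only that viewer gives the body a meaning.

# Well-known file signatures: (offset, magic bytes, format name)
SIGNATURES = [
    (0, b"\x89PNG\r\n\x1a\n", "PNG image"),
    (0, b"%PDF-", "PDF document"),
    (0, b"PK\x03\x04", "ZIP archive (also the container for .docx/.xlsx)"),
    (0, b"GIF87a", "GIF image"),
    (0, b"GIF89a", "GIF image"),
    (0, b"\xff\xd8\xff", "JPEG image"),
    (4, b"ftyp", "ISO media file (MP4 family)"),   # 4-byte box size comes first
]


def detect_format(data: bytes) -> str:
    """Return the format implied by the header bytes, or a fallback class."""
    for offset, magic, name in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name
    # No signature matched: decide only whether it decodes as UTF-8 text.
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return "unknown binary"
    return "plain text"


def views_of(data: bytes) -> dict:
    """The same byte sequence as three different viewers would present it."""
    return {
        "bits": "".join(f"{b:08b}" for b in data),
        "unsigned_int_big_endian": int.from_bytes(data, "big"),
        "latin1_text": data.decode("latin-1"),
    }


# Constructed sample inputs (headers only; bodies are irrelevant to detection)
SAMPLES = {
    "png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    "pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "docx": b"PK\x03\x04" + b"\x14\x00\x06\x00",
    "mp4": b"\x00\x00\x00\x18ftypmp42",
    "note": b"Hello, data principal\n",
    "blob": b"\xde\xad\xbe\xef\x00\xff",
}


def classify_all(samples=SAMPLES) -> dict:
    """Map each constructed sample name to the format its header announces."""
    return {name: detect_format(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, kind in classify_all().items():
        print(f"{name:5s} -> {kind}")
    print(views_of(b"Hi"))
```

A practitioner applies this kind of check to uploaded content: the header, not the file extension or the sender's claim, decides which parser is handed the bytes, which is exactly the "viewer" the post says ascribes meaning to otherwise uniform zeros and ones.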

The detailed explanation of the above concepts in the Theory of Data is discussed elsewhere on this site.

Given this nature of data, dependent on the software, the hardware and the beholder for a meaning, it is not appropriate to ascribe an absolute value to the data and identify who owns this value.

Further, through aggregation or disaggregation, data becomes personal data, sensitive personal data, etc. Personal data can also become de-identified data, pseudonymized data or anonymized data.

To ascribe a property nature to this data is therefore complicated and has to factor in the changing nature of the data through the life cycle it goes through. Just as, in the case of a human, the law applicable to a child is different from the one applicable to an adult, a married adult, a senior citizen, etc., data laws are different for different types of data. These laws determine the rights associated with the data at different stages of its life cycle and also determine its value.

Personal data P may have a value X to a data fiduciary Y at a particular point of time. It may then be anonymized into P*. The value of P* may be zero to the same data fiduciary who was valuing it at X till now. At the same time, to another research entity Z, P* may have some value of its own. So when P is converted into P*, it reduces in value for Y but increases in value for Z. If Y is selling P as P* to Z, it is like the US selling crude oil at a negative price: difficult for economists to understand the valuation.
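As an added example (not part of this post or of Naavi's Theory of Data), the Python below walks one constructed set of crisis records, of the kind the Sprinklr post above says should have been de-identified before transfer, through the stages named in this post: P as collected, a pseudonymized form that only the key-holding fiduciary can link back to a person, and an anonymized P* that no key reverses. The records, the key, the field names and the `is_unlinkable` check are all assumptions made for the example; the only library calls are Python's standard `hmac` and `hashlib`.

```python
# Added example, not from the original post: P -> pseudonymized -> P*
import hashlib
import hmac

# Constructed sample records (not real people), as a health department
# might collect them during a crisis.
RECORDS = [
    {"name": "Asha Nair", "phone": "9876500001", "age": 34,
     "district": "Ernakulam", "symptom": "fever"},
    {"name": "Biju Thomas", "phone": "9876500002", "age": 67,
     "district": "Kozhikode", "symptom": "cough"},
    {"name": "Chitra Menon", "phone": "9876500003", "age": 29,
     "district": "Ernakulam", "symptom": "none"},
]

DIRECT_IDENTIFIERS = ("name", "phone")


def pseudonymize(records, key: bytes):
    """Replace direct identifiers with a keyed token (HMAC-SHA256).

    The fiduciary keeps `key` and the token->identity map; a processor
    receives only tokens, so it cannot link records to people, while the
    fiduciary still can. A keyed MAC is used rather than a plain hash:
    a bare SHA-256 of a 10-digit phone number is reversible by enumeration.
    """
    lookup = {}
    out = []
    for r in records:
        token = hmac.new(key, r["phone"].encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = {k: r[k] for k in DIRECT_IDENTIFIERS}
        body = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"token": token, **body})
    return out, lookup


def reidentify(pseudo_records, lookup):
    """What only the key holder (the fiduciary, Y) can do: restore identities."""
    return [{**lookup[r["token"]], **{k: v for k, v in r.items() if k != "token"}}
            for r in pseudo_records]


def age_band(age: int) -> str:
    """Generalize an exact age to a ten-year band, e.g. 67 -> '60-69'."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def anonymize(pseudo_records):
    """P -> P*: drop the token and generalize age. No key reverses this."""
    return [{"age_band": age_band(r["age"]), "district": r["district"],
             "symptom": r["symptom"]} for r in pseudo_records]


def is_unlinkable(records) -> bool:
    """Release gate before a transfer: no direct identifier and no token left."""
    forbidden = set(DIRECT_IDENTIFIERS) | {"token"}
    return all(not (forbidden & r.keys()) for r in records)


if __name__ == "__main__":
    key = b"fiduciary-secret-key"          # constructed; kept by Y, never sent to Z
    pseudo, table = pseudonymize(RECORDS, key)
    star = anonymize(pseudo)
    print("pseudonymized:", pseudo[0])
    print("P*:", star[0])
    print("safe to release P*:", is_unlinkable(star), "| pseudonymized:", is_unlinkable(pseudo))
```

The two forms map onto the valuation point in the post: the pseudonymized set still has value X to Y because Y can re-identify it with the key, while P* has value only to a party such as Z that wants aggregates. The age-band generalization is the minimum needed to show the P to P* step; a real release would also have to consider district and symptom as quasi-identifiers and apply a stronger guarantee (such as k-anonymity) over them before calling the set anonymized.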

If we try to recognize this kind of property as something like movable or immovable property or an actionable right, we would not be able to capture all the glory of personal data. It is like watching a pattern in a kaleidoscope by a person who is colour blind to multiple colours, or perhaps totally blind.

Hence we should stop looking at data as a normal property and understand that it is something different.

Also, the instrument that is used to transfer the right on this property is neither a mortgage deed nor a hypothecation deed, nor a contract as we know it in law. It is different.

What is this “Different” breed? Let us simply call it an entity described as “Data” as defined in ITA 2000 and “Personal Data” as defined in PDPA. There is a person recognized as the “Data Principal” who has certain rights over a certain set of data. He can hand it over to another person called the “Data Fiduciary” and give him some rights. The “Data Fiduciary” can further transfer it to another person called the “Data Processor” and give him some limited rights.

The parties, the Data Principal, the Data Fiduciary and the Data Processor, therefore handle the entity called “Personal Data” as per the provisions of PDPA. All rights on this “Personal Data” are determined by the law called PDPA. Just as the Transfer of Property Act defines what is an “Immovable Property”, PDPA defines what is the property called “Personal Data Property”. ITA 2000 defines what is a Data Property.

PDPA also defines the kind of rights that the Data Principal possesses and the rights that he can transfer. It also defines the rights of the Data Fiduciary and what he can transfer to a Data Processor. It also defines the rights of the Data Processor.

Hence the “Personal Data Property” is an exclusive kind of property and has to be viewed as such, without equating it to any other known form of property except to say that it is like this in one feature and like another in another feature. All laws related to “Personal Data Property” arise out of PDPA, and every other law is irrelevant.

When we talk of transferring the property, we should only talk of transferring the “Personal Data Right” in the “Personal Data Property”.

These discussions may be theoretical but are important for the purpose of developing jurisprudence in the data protection domain. I therefore place them before the public for debate as part of Naavi’s Theory of Data.

Naavi

Related Articles:

October 8, 2019: New Data Theory of Naavi built on three hypotheses

October 8, 2019: Theory of Data and Definition Hypothesis

October 10, 2019: Reversible Life Cycle hypothesis of the theory of Data

October 11, 2019: Additive value hypothesis of ownership of data

November 20, 2019: Will Personal Data Protection Act be compatible to the Theory of Data?

March 31, 2018: Theory of Dynamic Personal Data

Posted in Cyber Law

Belgian DPA finds conflict in CCO being designated as a DPO

In a decision that has somewhat shaken up the GDPR community, the Belgian DPA imposed a fine of Euro 50,000 on a Data Controller who had appointed the Chief of Legal Compliance as DPO. The DPA ruled that there was a conflict between the two roles. (Refer here)

The Compliance Officer is normally considered reliable for legal knowledge as well as for an attitude of compliance, more than some other designations such as the CTO, the CISO or even the CRO or the HR head. If the DPA considers that “Legal Compliance” is in conflict with “Data Protection Law Compliance”, there is an important message that we need to understand.

“Personal Data” is part of the “Total Data” that an organization manages; the CISO is in charge of protecting that “Total Data” and the Compliance official is in charge of complying with all laws that relate to the “Data”. However, this ruling appears to suggest that there could be a lack of focus if a legal professional embroiled in litigation, contract drafting, etc. is expected to be able to manage the complexities of Personal Data Protection.

The undersigned has often equated “Personal Data Management” with something similar to “Hazardous Inventory Management” and has always suggested that the skills and effort required to handle personal data are highly specialized.

To understand this further, we can also look at the role of the “Bomb Disposal Squad”, which is often called upon to remove and investigate any suspicious-looking bag in which there may be a round, heavy object or from which a ticking sound is coming.

In the normal course anybody can open the bag and check. But the sensitivity associated with the probability that the object may be a bomb requires that an ordinary person cannot be given the responsibility for clearing the suspicious object.

If an officer of the Corporation, knowing the circumstances, orders some garbage removal employee to dispose of the bag, then even if nothing untoward happens subsequently, the Corporation can take disciplinary action against the officer for endangering the community and the individual himself.

We should therefore understand that the DPA of Belgium perhaps had a reason to take what appears to be a harsh decision, and it has sent out a loud message to all organizations to consider both the knowledge and capability as well as the conflict situation before designating somebody as DPO in their organization.

The same is true for the Indian scenario also.

Naavi

Posted in Cyber Law

Justice B N Srikrishna on Personal Data Protection

An interesting webinar was organized today by a group of legal professionals from Mumbai in which Justice B N Srikrishna spoke about the Data Protection Act. As the architect of the Indian law on Data Protection which is presently before Parliament for passage, and since in some recent encounters with the press Justice Srikrishna had been critical of some of the changes made by the Government in the latest Bill as compared to the version which he had submitted along with his report in 2018, the webinar was keenly followed, and over 890 participants attended it at its peak.

Justice Srikrishna gave a good overview of the legislation, starting from the objectives, the Data Protection Principles, the Data Principal’s rights and other key provisions, on some of which he had been vocal even earlier.

During the webinar a few important observations were made by Justice Srikrishna which were illuminating and need to be taken note of. Also, due to the paucity of time, some questions from the audience went unanswered. The following report tries to record the essence of the discussions and goes on to provide our viewpoints on the questions that were raised during the webinar, for the general information of interested professionals.

Justice Srikrishna started with an explanation of the objectives for which the Personal Data Protection Act (PDPA) was drafted, bringing home the reference to the Aadhaar issue and the consequent debate in the Justice Puttaswamy case. He later went into a discussion of some of the key elements of the current Bill and areas where perhaps he had some disagreements.

On the most contentious issue, Section 35, which gives the Government the power to exempt the application of the Act in certain circumstances, he clarified that while he does concede that the Government has the power to infringe on Privacy under certain circumstances, he was highlighting the need for appropriate checks and balances, failing which a Government official could misuse the law to grossly violate the Privacy rights of individuals, making an “Orwellian State” a possibility.

He did not discuss the other controversial issue, that the constitution of the committee for the appointment of the DPA does not have judicial representation.

He did, however, justify the earlier provision regarding cross-border transfer restrictions, under which one active copy of all personal data transferred out of India had to be kept in India, and which has been diluted in the current version of the Bill. He highlighted the fact that a high-powered delegation from the US had met the Government to persuade them to dilute the provision, which the Government obliged, ignoring the requirements of the law enforcement agencies.

Another point on which he focused was that the current Bill does not set a deadline for the Government to implement the Act, and hence it could be endlessly delayed. In the earlier version there was an 18-month outer time limit within which the entire Act had to come into force, with various other provisions being implemented at different points of time indicated in the Act itself.

He was also unhappy with the reference to the power of the Government to demand the transfer of non-personal/anonymized data under certain circumstances under Section 91 of the Act, and expressed that he would have preferred a separate legislation for this purpose, as had been suggested by his committee.

There were a few other important points on which he shed some light from his perspective, namely:

a) Ownership of Personal Data

b) Definition of Critical data

c) The “Fiduciary” nature of the relationship of a Data Processor

d) Data Retention period

Data Ownership

As regards the ownership of “Personal Data”, he gave a jurisprudential view that not everything we call “Mine” can be equated to a “Proprietary Right”, and that there are “Relationships that need to be recognized” which are not subject to property rights. He therefore reiterated that though the Data Principal calls personal data “My Personal Data”, he may not have the right of disposal over the personal data in the same manner as he can dispose of movable or immovable property.

In this context he highlighted why the two parties who are in other countries referred to as “Data Controller” and “Data Subject” are in India called “Data Fiduciary” and “Data Principal”.

Definition of Critical Data

On the definition of “Critical Data”, Justice Srikrishna admitted that there is no definition of the term either in his version or in the current version. However, he expressed the opinion that the term can be used in the context of “whose Personal Data” is being considered and whether that data is of relevance to national security. As an example he referred to the data of the Prime Minister, the President or the Chief Justice.

The view of Mr Srikrishna is at variance with the general expectation that the distinction between Sensitive and Critical data would be based on the severity of the harm that may be caused to a data principal, irrespective of who the data principal is.

A distinction based on whether the data principal is a celebrity or a person of national importance would mix up the type of data with the identity of the person. This distinction may not be the best way to define the criticality of personal data.

Instead, some data such as fingerprints, iris scans, DNA profiles, skull X-rays, tooth X-rays, voice prints, or even photographs have the character of being inherently identifiable and not being amenable to being “Anonymized”.

Such data are better qualified to be categorized as critical data, since once lost they can never be recovered, unlike a password that can be changed.

Fiduciary Nature of Relationship

Justice Srikrishna reiterated the need to define the relationship between the Data Subject and the Data Controller as “Data Principal” and “Data Fiduciary”. The undersigned has discussed this several times earlier and has hailed it as the single most important contribution of Justice Srikrishna to Data Protection Jurisprudence, which would in due course be accepted worldwide. (See one of the earlier articles in this regard for more clarity.)

This elevation of the relationship of the Controller to that of a Fiduciary will solve many of the problems the world has seen in Data Protection regulation, such as “Consent Fatigue”, which is more accentuated in India because of the use of different languages by end users, lack of literacy and a reduced appreciation of the culture of “Privacy”, which is more an elite concept pushed down to the population than a felt need of the market.

Data Retention Period

While speaking on the limitation of the data retention period, Justice Srikrishna referred to the provisions of other laws that may require retention of data for a longer period. He mentioned that though normally data has to be retained as dictated by the purpose, in cases where other laws dictate otherwise it can be retained for a longer period.

Mr Srikrishna, however, failed to refer to the existence of legitimate interest and evidentiary requirements that may necessitate a distinction between the need to erase data after the purpose is completed and the need to retain it for a longer period, which the new law has tried to accommodate by creating a fine distinction between the right to erasure and the right to be forgotten as two different rights under Sections 18 and 20.

Though we do not agree with the contention of Justice Srikrishna that Section 35 of the new Act leads to the possibility of an Orwellian State, or with his omission to recognize some of the improvements that have been made in the Act, including the concepts of “Consent Manager”, “Sandbox”, “exemption of liability”, etc., the discussion was very useful in putting across a perspective of the law.

Towards the end of the session there was no time left for taking up some of the questions from the large number of participants.

In order to provide some clarity on some of the questions raised, I have picked up the questions and provided my views under the “Your Queries” section of the website of the Foundation of Data Protection Professionals in India (www.fdppi.in).

I request visitors to peruse the questions and answers provided.

Naavi

Posted in Cyber Law

How Politicians are conspiring indirectly to bring bad name to PDPB 2019

Yesterday we had the spectacle of Mr Arnab Goswami, the well-known journalist, being subjected to 12 hours of grilling by the Mumbai Police on an FIR over his utterances against Sonia Maino alias Sonia Gandhi, the leader of the Congress party.

What was noticeable in the day’s proceedings was that the two people who were arrested earlier for attacking Mr and Mrs Arnab Goswami were given bail by some Magistrate, probably because the Police chose to charge them on flimsy grounds. Mr Arnab Goswami’s complaint was about the lynching of two Hindu Sadhus in Palghar, the lack of investigation into the murder and the silence of the Congress leader.

Mr Arnab Goswami has developed his own brand of journalism, and his high-decibel complaining about the lynching in Palghar seems to have so rattled the Congress party that its supporters filed over 200 FIRs against Mr Arnab Goswami and ultimately took to attacking him in the dead of night when he was returning from his studios.

The incident deserves to be condemned by all supporters of democracy, including those who are opposed to Mr Arnab Goswami. But the politicians have been mostly silent on the attack, and the media also did not raise its voice.

At the same time, Mr Arnab got a stay on the FIRs from the Supreme Court except for one case in Nagpur, and the Mumbai Police are trying to use this FIR to teach him a lesson. The lesson he was required to be taught was not to raise his voice against Mrs Sonia Maino/Gandhi, and for that purpose he was subjected to a 12-hour interrogation.

While the Police may justify that they needed to show some video footage, etc. and obtain his views, there was no need for the interrogation to continue for 12 hours. It could have been broken up and continued the next day.

What this incident has shown is that the Police in India remain the faithful servants of the politicians and at their beckoning can be made to drop sections against the assaulters and at the same time grill a journalist until he is tired and loses mental balance. We are all aware how Mrs Indira Gandhi imposed press censorship during the 1975 Emergency. What Sonia is trying to do is perhaps to follow in the footsteps of her illustrious MIL.

This may not be something new in India, and we could have ignored it in the normal course. But the reason we need to highlight it here is that this kind of behaviour by the Police creates distrust in them when we try to justify the provision of some extra powers under law. Distrust of the police will translate itself into distrust of the Government.

We should therefore consider the impact of this incident on the discussions being held on the Personal Data Protection Bill (PDPB), where some exemptions related to the protection of Privacy are provided to the Government and law enforcement. The undersigned has on many occasions defended the right of the Police to surveillance through CCTV footage and other means, because the security of citizens is an uncompromisable responsibility.

On the other hand, there are people who are opposed to the PDPB, stating that it gives too much power to the Government and/or law enforcement. The current incident supports this viewpoint and shows how a State Government can make its Police dance to the tune of a party controlling indirect power in the State. If this can happen in an incident like this, we can imagine that if the same party is in power at the Centre, then laws like the Personal Data Protection Act and its objective of protecting the privacy of citizens would be kicked beyond the Hindu Maha Sagar into oblivion.

There are already many motivated articles appearing in pliable journals stating that PDPB will “Stifle the digital economy with overbearing regulations”. Today’s LiveMint carries one such article, which has made the following remarks.

1. The pivot of the framework appears to be a domineering mandate to be given to a data regulator, structurally geared to intervene rather than facilitate.
2. The Bill has broad-based restrictions on the transfer of data overseas from India, which could hive our market off from the global digital economy.
3. The Bill seeks to protect privacy by way of what looks like a regulatory sledgehammer that imposes extensive compliance requirements with little aid to data protection.
4. The Bill sets forth an inflexible framework that is bereft of any formal consultative rule-making process, which is likely to stifle innovation in the sector.
5. Substantial portions of the Bill are out of sync with international data protection practices, which could blunt India’s competitive advantage as a digital market.
6. The Bill also requires large players to have data protection officers physically located within India.
7. Instead of specifying broad legal standards, the proposed framework requires the Authority to lay down regulations of the one-size-fits-all kind.

(P.S.: We would not now like to comment specifically on the points raised above, as it is clear that the objections raised are not correct and the article is perhaps motivated by vested business interests, though it is the right of the author of the article to give out his views.)

Though this article does not mention the powers of the Government, the Arnab incident becomes a huge vindication of the fact that people with power are difficult to trust if there is a bad master and a pliable servant.

Before the opponents of the PDPB start citing the Arnab case and arguing for dilution of the powers of the State and law enforcement under PDPB, it is necessary for the Government of India to instil some confidence in the system.

This requires the Central Home Ministry under Mr Amit Shah to come up with a suitable statement that any excesses by the Police on political considerations will not be tolerated. If they remain quiet, then the “Chilling Effect” of the Arnab grilling will ensure that, at least in Maharashtra, there will be an emergency of the Sonia era. This could hurt the passage of the PDPB in its present form also.
Naavi

Related Article

Posted in Cyber Law