Belgian DPA finds conflict in CCO being designated as a DPO

In a decision that has somewhat shaken up the GDPR community, the Belgian DPA imposed a fine of Euro 50000/- on a Data Controller who had appointed its Chief of Legal Compliance as the DPO. The DPA ruled that there was a conflict between the two roles. (Refer here)

The Compliance officer is normally considered reliable for legal knowledge as well as an attitude of compliance, more so than some other designations such as the CTO, CISO, or even the CRO or HR head. If the DPA considers that “Legal Compliance” is in conflict with “Data Protection Law Compliance”, there is an important message that we need to understand.

“Personal Data” is part of the “Total Data” that an organization manages; the CISO is in charge of protecting that “Total Data” and the Compliance official is in charge of complying with all laws that relate to the “Data”. However, this ruling appears to suggest that there could be a lack of focus if a legal professional embroiled in litigation or contract drafting etc. is expected to manage the complexities of Personal Data Protection.

The undersigned has often equated “Personal Data Management” to something similar to “Hazardous Inventory management” and has always suggested that the skills and effort required to handle personal data are highly specialized.

To understand this further, we can also look at the role of the “Bomb Disposal Squad”, which is often called upon to remove and investigate any suspicious-looking bag in which there may be a round, heavy object or from which a ticking sound is coming.

In the normal course anybody can open the bag and check. But the sensitivity associated with the probability that the object may be a bomb requires that an ordinary person cannot be given the responsibility for clearing the suspicious object.

If an officer of the Corporation, knowing the circumstances, orders some garbage removal employee to dispose of the bag, then even if nothing untoward happens subsequently, the Corporation can take disciplinary action against the Officer for endangering the community and the individual himself.

We should therefore understand that the DPA of Belgium perhaps had a reason to take what appears to be a harsh decision, and has sent out a loud message to all organizations to consider both the knowledge and capability of the person and the conflict situation before designating somebody as a DPO in their organization.

The same is true for the Indian scenario also.

Naavi

Posted in Cyber Law

Justice B N Srikrishna on Personal Data Protection

An interesting webinar was organized today by a group of legal professionals from Mumbai in which Justice B N Srikrishna spoke about the Data Protection Act. He is the architect of the Indian law on Data Protection, which is presently before Parliament for passage, and in some recent encounters with the Press he had been critical of some of the changes the Government made in the latest bill as compared to the version he had submitted along with his report in 2018. The webinar was therefore keenly followed, and over 890 participants attended at its peak.

Justice Srikrishna gave a good overview of the legislation, starting from the objectives and moving on to the Data Protection Principles, the Data Principal’s Rights and other key provisions, on some of which he has been vocal even earlier.

During the webinar Justice Srikrishna made a few important observations which were illuminating and need to be noted. Also, due to the paucity of time, some questions from the audience went unanswered. The following report tries to record the essence of the discussions and also provides our viewpoints on the questions that were raised during the webinar, for the general information of interested professionals.

Justice Srikrishna started with an explanation of the objectives for which the Personal Data Protection Act (PDPA) was drafted, bringing home the reference to the Aadhaar issue and the consequent debate in the Justice Puttaswamy case. He later went into a discussion of some of the key elements of the current bill and the areas where perhaps he had some disagreements.

On the most contentious issue, Section 35, which gives the Government the power to exempt the application of the Act in certain circumstances, he clarified that while he concedes that the Government has the power to infringe on Privacy under certain circumstances, he was highlighting the need for appropriate checks and balances. Without them, a Government official could misuse the law to grossly violate the Privacy rights of individuals, and the reference to an “Orwellian State” could become a reality.

He did not discuss the other controversial issue about the Constitution of the Committee for appointment of the DPA not having Judicial representation.

He however justified the earlier provision regarding cross-border transfer restrictions, under which one active copy of all personal data transferred out of India had to be kept in India, which has been diluted in the current version of the bill. He highlighted the fact that a high-powered delegation from the US had met the Government to persuade them to dilute the provisions, which the Government obliged, ignoring the requirements of the law enforcement agencies.

Another point on which he did focus was that the current bill does not set a deadline for the Government to implement the Act, and hence implementation could be endlessly delayed. In the earlier version, there was an 18-month outer time limit within which the entire Act had to come into force, with various other provisions being implemented at different points of time indicated in the Act itself.

He was also unhappy with the reference made to the power of the Government to demand the transfer of non-personal data/anonymized data to the Government under certain circumstances under Section 91 of the Act, and expressed that he would have preferred a separate legislation for this purpose, as had been suggested by his committee.

There were a few other important points on which he shed some light from his perspective, namely:

a) Ownership of Personal Data

b) Definition of Critical data

c) The “Fiduciary” nature of the relationship of a Data Processor

d) Data Retention period

Data Ownership

As regards the ownership of “Personal Data”, he gave a jurisprudential view that not everything we can call “Mine” can be equated to a “Proprietary Right”, and that there are “Relationships that need to be recognized” which are not subject to property rights. He therefore reiterated that though the Data Principal calls personal data “My Personal Data”, he may not have the rights of disposal over the personal data in the same manner as he can dispose of movable or immovable property.

In this context he highlighted why the two parties who are in other countries referred to as “Data Controller” and “Data Subject” are in India called “Data Fiduciary” and “Data Principal”.

Definition of Critical Data

On the definition of “Critical Data”, Justice Srikrishna admitted that there is no definition of the term either in his version or in the current version. However, he expressed an opinion that the term can be used in the context of “whose Personal Data” is being considered and whether that data is of relevance to national security. As an example he referred to the data of the Prime Minister, the President or the Chief Justice.

The view of Mr Srikrishna is at variance with the general expectation that the distinction between Sensitive and Critical data would be based on the severity of the harm that may be caused to a data principal irrespective of who the data principal is.

A distinction based on whether the data principal is a celebrity or a person of national importance will result in mixing up the type of data with the identity of the person. This may not be the best way to define the criticality of personal data.

Instead, some data such as a fingerprint, iris scan, DNA profile, skull X-ray, tooth X-ray, voice print, or even a photograph have the character of being inherently identifiable and not being amenable to being “Anonymized”.

Such data are better qualified to be categorized as critical data, since once lost they can never be recovered, unlike a password that can be changed.

Fiduciary Nature of Relationship

Justice Srikrishna reiterated the need to define the relationship between the Data Subject and the Data Controller as that of “Data Principal” and “Data Fiduciary”. The undersigned has discussed this several times earlier and has hailed it as the single most important contribution of Justice Srikrishna to Data Protection Jurisprudence, one which would in due course be accepted worldwide. (See one of the earlier articles in this regard for more clarity)

This elevation of the relationship of the Controller to that of a Fiduciary will solve many of the problems the world has seen in Data Protection regulation, such as “Consent Fatigue”, which is more accentuated in India because of the use of different languages by end users, lack of literacy, and a reduced appreciation of the culture of “Privacy”, which is more an elite concept pushed down to the population than a felt need of the market.

Data Retention Period

While speaking on the limitation of the data retention period, Justice Srikrishna referred to the provisions of other laws that may require retention of data for a longer period. He mentioned that though normally data has to be retained only as dictated by the purpose, in cases where other laws dictate otherwise, it can be retained for a longer period.

Mr Srikrishna however failed to refer to the existence of legitimate interest and evidentiary requirements that may necessitate a distinction between the need to erase data after the purpose is completed and the need to retain it for a longer period, which the new law has tried to accommodate by creating a fine distinction between the right to erasure and the right to forget as two different rights under Sections 18 and 20.

Though we do not agree with the contention of Justice Srikrishna that Section 35 of the new Act leads to the possibility of an Orwellian State, nor with his omission to recognize some of the improvements that have been made in the Act, including the concepts of “Consent Manager”, “Sandbox”, “exemption of liability” etc., the discussion was very useful in putting across a perspective on the law.

Towards the end of the session, there was no time left for taking up some of the questions from the large number of participants.

In order to provide some clarity on some of the questions raised, I have picked up the questions and provided my views under the “Your Queries” section of the website of the Foundation of Data Protection Professionals in India (www.fdppi.in).

I request visitors to peruse the questions and answers provided.

Naavi

Posted in Cyber Law | 4 Comments

How Politicians are conspiring indirectly to bring a bad name to PDPB 2019

Yesterday we had the spectacle of Mr Arnab Goswami, the well-known journalist, being subjected to 12 hours of grilling by the Mumbai Police on an FIR against his utterances against Sonia Maino alias Sonia Gandhi, the leader of the Congress party.

What was noticeable in the day’s proceedings was that the two people who were arrested earlier for attacking Mr and Mrs Arnab Goswami were given bail by some Magistrate, probably because the Police chose to charge them on flimsy grounds. Mr Arnab Goswami’s complaint was about the lynching of two Hindu Sadhus in Palghar, the lack of investigation into the murder, and the silence of the Congress leader.

Mr Arnab Goswami has developed his own brand of journalism, and his high-decibel complaining about the lynching in Palghar seems to have so rattled the Congress party that its supporters filed over 200 FIRs against Mr Arnab Goswami and ultimately took to attacking him in the dead of the night when he was returning from his studios.

The incident needed to be condemned by all supporters of democracy, including those who are opposed to Mr Arnab Goswami. But the politicians have been mostly silent on the attack, and the media also did not raise its voice.

At the same time, Mr Arnab got a stay on the FIRs from the Supreme Court except for one case in Nagpur, and the Mumbai Police are trying to use this FIR to teach him a lesson. The lesson he was required to be taught was not to raise his voice against Mrs Sonia Maino/Gandhi, and for that purpose he was subjected to a 12-hour interrogation.

While the Police may justify that they needed to show some video footage etc. and obtain his views, there was no need for the interrogation to continue for 12 hours. It could have been broken up and continued on the next day.

What this incident has shown is that the Police in India remain the faithful servants of the politicians and at their beck and call can be made to drop sections against the assaulters and at the same time grill the journalist until he is tired and loses mental balance. We are all aware of how Mrs Indira Gandhi imposed Press Censorship during the 1975 emergency. What Sonia is trying to do is perhaps to follow in the footsteps of her illustrious MIL.

This may not be something new in India, and we could have ignored it in the normal course. But the reason why we need to highlight it here is that this kind of behaviour by the Police creates distrust in them when we try to justify the provision of some extra powers under law. Distrust of the police will translate itself into distrust of the Government.

We should therefore consider the impact of this incident on the discussions that are being held on the Personal Data Protection Bill (PDPB), where there are some exemptions provided to the Government and Law Enforcement relating to the protection of Privacy. The undersigned has on many occasions defended the right of the Police to surveillance through CCTV footage and other means, because the security of citizens is an uncompromisable responsibility.

On the other hand, there are people who are opposed to the PDPB, stating that it gives too much power to the Government and/or Law Enforcement. The current incident supports this viewpoint and shows how a State Government can make its Police dance to the tune of a party controlling indirect power in the State. If this can happen in an incident like this, we can imagine that if the same party were in power at the Centre, laws like the Personal Data Protection Act and their objective of protecting the privacy of citizens would be kicked beyond the Hindu Maha Sagar into oblivion.

There are already many motivated articles appearing in pliable journals stating that the PDPB will “Stifle the digital economy with overbearing regulations”. Today’s LiveMint reports one such article. This article has made the following remarks.

1. The pivot of the framework appears to be a domineering mandate to be given to a data regulator, structurally geared to intervene rather than facilitate.
2. The Bill has broad-based restrictions on the transfer of data overseas from India, which could hive our market off from the global digital economy.
3. The Bill seeks to protect privacy by way of what looks like a regulatory sledgehammer that imposes extensive compliance requirements with little aid to data protection.
4. The Bill sets forth an inflexible framework that is bereft of any formal consultative rule-making process, which is likely to stifle innovation in the sector.
5. Substantial portions of the Bill are out of sync with international data protection practices, which could blunt India’s competitive advantage as a digital market.
6. The Bill also requires large players to have data protection officers physically located within India.
7. Instead of specifying broad legal standards, the proposed framework requires the Authority to lay down regulations of the one-size-fits-all kind.

(P.S: We would not now like to comment specifically on the points raised above, as it is clear that the objections raised are not correct and the article is perhaps motivated by vested business interests, though it is the right of the author of the article to give out his views.)
Though this article does not mention the powers of the Government, the Arnab incident becomes a huge vindication of the fact that people with power are difficult to trust if there is a bad master and a pliable servant.

Before the opponents of the PDPB start citing the Arnab case and arguing for a dilution of the powers of the State and Law Enforcement under the PDPB, it is necessary for the Government of India to instill some confidence in the system.

This requires the Central Home Ministry under Mr Amit Shah to come up with a suitable statement that any excesses of the Police on political considerations will not be tolerated. If they remain quiet, then the “Chilling Effect” of the Arnab grilling will ensure that, at least in Maharashtra, there will be an emergency of the Sonia era. This could also hurt the passage of the PDPB in its present form.

Naavi

Posted in Cyber Law

YouTube... hypocrisy when it comes to Freedom of Speech?

The above face is familiar to many on YouTube. This person has been posting many interesting videos, particularly of ancient archaeological sites in India, Cambodia and many other places, focussing on many interesting points which nobody else seems to observe.

He has a very discerning eye for spotting peculiarities in the construction of ancient temples, many of which, like Hampi and Mahabalipuram, are well known to many tourists. But nobody else has found certain points such as the possibility of ancient builders having used technology for rock processing, the use of lathe-type machines a long time ago, the possibility of aliens being depicted in the sculptures, etc.

There is no doubt that some of his findings are very significant, and the scientific community could very well do research of its own either to prove or disprove his views.

It is also an observation that when he talks of many ancient Shiva temples and interprets the Shiva Lingam and the Gopuram of temples as depictions of energy transmitters or communicators to the alien world, he speaks of Hindu tradition. Possibly, thousands of years back only Hinduism was prevalent in these countries, and hence only references to Hindu culture can be seen in these ancient temples.

I have viewed many of his videos and have not found any racist or communal thoughts in his publications.

But very recently, he published a video which he has called probably his last video, a link to which is presently available here.

In this video he has pointed out that many of his videos have been subjected to moderation and some have even been removed by YouTube for no discernible reason.

We have seen Twitter always supporting Pakistani and anti-Modi subscribers and allowing fake news to be promoted against India. Now a suspicion arises whether Mr Praveen Mohan is being blacklisted because he takes the name of Shiva in many of his recent postings. One of the recent postings highlighted a structure in Mahabalipuram which he has called the “Olakkaneshwara temple” and discussed how it could be a lighthouse built to guide ships approaching the coast.

He has indicated that this video was taken off by YouTube. It appears that it has been restored, but it is not clear if the other videos which he has referred to in his disclosure have also been restored.

But the incident indicates that there could be an anti-India bias in the actions of YouTube, and perhaps they do not want thoughts which could rewrite some of the historical concepts that ignore the developments in countries like India in ancient times and assume that all scientific developments originated only in the West.

It is time we Indians bring it to the notice of YouTube that its actions are being watched. If it thinks that it can misuse its popularity to prevent content that supports Indian culture and heritage, then its credentials as a company from the US which champions free speech will be severely dented.

The Indian Government has to take note of this development and seek an explanation from YouTube as to its commitment to free speech.

A similar question has also to be raised about GMail, which continues to hide the “originating IP address of email senders” in e-mails received by GMail account holders, ignoring the right of an e-mail account holder to know from which IP address he has received an e-mail. The e-mail is a transaction between the sender and the receiver; GMail is only an intermediary under ITA 2000.

If this status of an intermediary is to be retained, GMail should not interfere with the communication that emanates from the sender’s computer and reaches the receiver’s computer. By changing the header information that starts its journey from the sender’s personal computing device, GMail is processing the information and not acting purely as an Intermediary. Hence it should lose whatever protection the law normally provides to intermediaries.
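The point above turns on what a receiver can learn from the message headers. Each mail server that handles a message prepends its own Received: line, so the chain reads newest-first and the earliest line is the closest the receiver gets to the sender's machine. The following added example (not from the original post) walks that chain over two constructed messages: in the first, the sender's client address survives at the earliest hop; in the second, the earliest hop is a webmail front end with no client address at all, which is the situation the post describes. All hostnames and addresses are placeholders from the documentation ranges, not real infrastructure.

```python
"""Walk the Received: chain of a raw e-mail to find the earliest visible hop.

Added example, not code from the original post. The two messages below are
constructed; hostnames and addresses are placeholders, not real systems.
"""
import email
import re

# Constructed sample 1: the sender's mail client submitted to smtp.sender.example
# (ESMTPSA = authenticated submission), which relayed via mx.example.net to the
# receiving server. Three Received: lines, newest at the top.
RAW_MESSAGE = b"""Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby inbox.example.org with ESMTPS id abc123;
\tTue, 28 Apr 2020 10:00:03 +0000
Received: from smtp.sender.example (smtp.sender.example [198.51.100.5])
\tby mx.example.net with ESMTPS;
\tTue, 28 Apr 2020 10:00:02 +0000
Received: from [203.0.113.77] (client.isp.example [203.0.113.77])
\tby smtp.sender.example with ESMTPSA;
\tTue, 28 Apr 2020 10:00:01 +0000
From: alice@sender.example
To: bob@example.org
Subject: constructed sample 1

body
"""

# Constructed sample 2: the message was composed in a browser. The earliest
# Received: line is written by the webmail server itself ("by ... with HTTP")
# and carries no "from" clause, so no client address is visible downstream.
WEBMAIL_MESSAGE = b"""Received: from mail.webmail.example (mail.webmail.example [198.51.100.9])
\tby inbox.example.org with ESMTPS id def456;
\tTue, 28 Apr 2020 11:00:02 +0000
Received: by mail.webmail.example with HTTP;
\tTue, 28 Apr 2020 11:00:01 +0000
From: carol@webmail.example
To: bob@example.org
Subject: constructed sample 2

body
"""

# "from <host> ... [<ip>] ... by <host>": the bracketed literal is the address
# the receiving server actually saw the connection come from.
HOP_RE = re.compile(r"from\s+(?P<from>\S+).*?\[(?P<ip>[0-9a-fA-F:.]+)\].*?by\s+(?P<by>\S+)", re.S)
BY_ONLY_RE = re.compile(r"by\s+(?P<by>\S+)")


def received_hops(raw: bytes):
    """Return the hops oldest-first as (from_host, ip, by_host).

    from_host and ip are None for a hop that recorded no connecting peer,
    e.g. a webmail server that generated the message itself.
    """
    msg = email.message_from_bytes(raw)
    hops = []
    # Headers are prepended as the message travels, so reverse to get chronology.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(flat)
        if m:
            hops.append((m["from"], m["ip"], m["by"]))
        else:
            b = BY_ONLY_RE.search(flat)
            hops.append((None, None, b["by"] if b else None))
    return hops


def originating_ip(raw: bytes):
    """The address seen at the earliest hop, or None if that hop recorded no peer."""
    hops = received_hops(raw)
    return hops[0][1] if hops else None


if __name__ == "__main__":
    for name, raw in (("sample 1", RAW_MESSAGE), ("sample 2", WEBMAIL_MESSAGE)):
        print(name, "hops:", received_hops(raw))
        print(name, "originating ip:", originating_ip(raw))
```

Only the hops a relay itself wrote can be trusted; an earlier "Received" line is whatever the previous server chose to include, so the chain is best read from the receiver's own server backwards until the first hop that is not under a trusted operator. That is also why the absence of a client address at the earliest hop, as in the second sample, cannot be filled in later by anyone downstream.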

Unfortunately, in India our CERT-IN or MeitY does not pull up companies when they behave illegally and irrationally, and we tend to accept their actions as unquestionable.

I hope MeitY takes note of Mr Praveen Mohan’s complaint and, just as they reacted to Zoom with a project to develop an Indian counterpart, looks for an Indian counterpart of YouTube.

Naavi

Posted in Cyber Law | 6 Comments

Changing Face of Cyber Threats to corporate entities

As the country has moved to the digital way of doing business, governance and conducting personal life, threats of various kinds arising from the use of computers, mobiles and other devices that work on “Data” have only increased.

Technology people often pursue their creative goals unmindful of the impact they cause on society. Hence they often talk of “Disruption”. We as corporate managers and as users of technology therefore often confront the so-called “Zero-day vulnerabilities” that are exploited by hackers around the world to make money and commit all sorts of offences.

As a result, today we often find it difficult to trust content on a website, a message that comes on WhatsApp or Twitter, or even an email that lands directly with us. Nowadays, if I get a phone call which says “I am calling from the Bank”, instead of listening to it we are more concerned with ending the call, because we do not know if even picking up a call will let some virus in.

The biggest threat that we face today is therefore a “Lack of trust” in anything that comes to us as “Data”. So it may not be “Data which is on the run”; sometimes we have to run away from data.

Recently we came to know that the “Data” of one big company was attacked by a hacker group who first encrypted the data and made it unusable, and further threatened to release confidential data to the public. They wanted payment of a big sum as ransom, and that too in the currency of the criminals, Bitcoin.

“Phishing” continues to affect us, particularly importers and exporters who face impersonated messages such as “we have changed our Bank account; please remit the invoice payment to this other account instead of the regular one”. In one such case a big company in Saudi Arabia paid out Rs 190 crore to the fraudsters instead of to ONGC. We are also aware that many times money has been taken out of Banks through the SWIFT messaging system.

Every day we also hear about the losses common people face through GPay or other mobile payment systems.

These kinds of frauds appear simplistic and not as sophisticated as the Stuxnet attack on the Iranian nuclear system, the North Korean attack on Sony’s corporate network, DDoS attacks launched from CCTV cameras, robots made to drop material on the shop floor to murder workers, automated cars being hacked to cause accidents, or drones trying to hack into your systems by hovering around your wifi devices.

While we are struggling to tackle such technology-related attacks, the advent of a new law in India, the Personal Data Protection law, is making the life of the corporate manager more complicated, because the law expects you to take pro-active steps to prevent frauds, failing which hefty fines may be imposed on the corporate even when there has been no attack.

This new development comes in the form of “Personal Data”, which is a subset of “Data” and is like the “Hazardous inventory” you may have in your godown. It may look small in quantity, but the drums of explosive chemicals require greater attention than the tonnes of steel which you can leave in the open without much of a security risk.

Cyber threats like ransomware have moved from “Encryption” to “Threat to release the information”, because the release of personal information could be more damaging to a company than not being able to decrypt the information that is locked up.

The threats are therefore changing their nature, and companies have to ensure that, apart from protecting data from being accessed, modified or denied without authorization, they also address threats such as “Non-availability of Consent”, “Use of data for purposes other than those for which it was collected”, “Retention of personal data beyond the expiry date” etc., which can be more damaging.

Hence organizations need to change their outlook on defining what a “Cyber Incident” is and on how they have to respond to a cyber incident involving potential personal data loss.
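The three threats named above (missing consent, use beyond the collected purpose, retention past expiry) are conditions of the data inventory rather than of the network, so a conventional intrusion alert will never raise them. The following added example (not code from the original post) shows what a "personal data incident" check looks like when it runs over the inventory itself: a small constructed register of personal data records, each carrying the purpose it was collected for, the purposes it has actually been used for, whether consent is on file, and a retention period. The record fields, the issue labels and the sample records are all assumptions made for this illustration, including the retention period on one record being set longer than the purpose alone would justify because another statute requires it, as the post on Justice Srikrishna's webinar discusses.

```python
"""Find personal-data incidents in a data inventory rather than in network traffic.

Added example, not from the original post. Record layout, issue labels and the
sample register below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Issue labels follow the three threats named in the post.
NO_CONSENT = "non-availability of consent"
PURPOSE_DRIFT = "use for purpose other than collected"
RETENTION_EXCEEDED = "retention beyond expiry date"


@dataclass(frozen=True)
class PersonalDataRecord:
    record_id: str
    category: str            # e.g. "contact", "biometric" (biometric is inherently identifiable)
    purpose_collected: str   # the single purpose disclosed at collection
    purposes_used: tuple     # every purpose the record has actually served
    consent_given: bool      # consent on file for purpose_collected
    collected_on: date
    retention_days: int      # dictated by the purpose, or longer where another law requires it


# Constructed register. R2 has drifted into marketing and is past its one-year
# retention; R3 is biometric data collected without consent; R4 is kept past the
# purpose-based period because an assumed statute mandates 7 years (2555 days).
SAMPLE_INVENTORY = (
    PersonalDataRecord("R1", "contact", "order delivery", ("order delivery",), True, date(2020, 1, 10), 365),
    PersonalDataRecord("R2", "contact", "order delivery", ("order delivery", "marketing"), True, date(2019, 1, 10), 365),
    PersonalDataRecord("R3", "biometric", "attendance", ("attendance",), False, date(2020, 4, 1), 30),
    PersonalDataRecord("R4", "financial", "invoicing", ("invoicing",), True, date(2014, 6, 1), 2555),
)
TODAY = date(2020, 5, 1)  # constructed "today" so the example is deterministic


def expiry_date(record: PersonalDataRecord) -> date:
    """Last day the record may be held under its own retention period."""
    return record.collected_on + timedelta(days=record.retention_days)


def find_incidents(records, today):
    """Return (record_id, issue) pairs, one per violated condition, in register order."""
    incidents = []
    for r in records:
        if not r.consent_given:
            incidents.append((r.record_id, NO_CONSENT))
        # Any purpose served that was not the disclosed one is drift; report each.
        for extra in sorted(set(r.purposes_used) - {r.purpose_collected}):
            incidents.append((r.record_id, f"{PURPOSE_DRIFT}: {extra}"))
        # Holding the record on the expiry date itself is still within period.
        if today > expiry_date(r):
            incidents.append((r.record_id, RETENTION_EXCEEDED))
    return incidents


def records_needing_response(records, today):
    """Distinct record ids that should enter the incident-response process."""
    return sorted({rid for rid, _ in find_incidents(records, today)})


if __name__ == "__main__":
    for rid, issue in find_incidents(SAMPLE_INVENTORY, TODAY):
        print(f"{rid}: {issue}")
    print("respond to:", records_needing_response(SAMPLE_INVENTORY, TODAY))
```

Note the boundary handling: R3 was collected 30 days before the constructed "today", so it is flagged only for missing consent and not yet for retention, while R4 is not flagged at all because its longer statutory retention is recorded on the record rather than applied as an exception afterwards. Keeping the legal basis for a longer period on the record itself is what lets the same check answer both the erasure and the retention questions without a manual override.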

The advent of the new law also means new responsibility centres in the organization, along with conflicts between the senior executives whose areas of influence are getting disrupted.

CEOs therefore have the challenge both of shielding against the known cyber threats and of bringing about a transition of the organization to recognize the need to change the focus of security from “Protecting Data” to “Protecting the so-called privacy rights of an individual”, which may require a complete overhaul of the business architecture.

The days ahead for business managers are therefore challenging and exciting.

Naavi

Posted in Cyber Law | 2 Comments

Data On the Run… Panel Discussion at MMA Chennai

www.liveibc.com/mmalive

www.facebook.com/mmachennai
www.youtube.com/madrasmanagementassociationchennai

In case you need any further assistance contact MMA Chennai:

Posted in Cyber Law