Sprinklr Privacy Policy may be inadequate for data protection

The PIL filed against the Kerala Government and Sprinklr in the Covid patient data processing contract has brought before the Kerala High Court one of the first real tests of the privacy protection principle in India.

The Court has in its preliminary hearing passed several injunctions against the US company Sprinklr, raising questions on the privacy protection of the patients. The Court has set the next hearing for 18th May 2020.

We need to note that India is on the threshold of passing its own privacy protection law, and soon thereafter there will be discussions with the GDPR authorities and other international regulators about the “Adequacy” of the Indian privacy protection regime. For this consideration, apart from the law as passed, the attitude of the Courts will be an important factor. Hence the way the Kerala High Court decides this case will determine whether the Indian judicial system respects privacy adequately or not.

The order therefore deserves to be studied on some of the academic points that it raises.

Copy of the order

This case has arisen because the Kerala Government entered into a contract with Sprinklr, an online data processing company, to process Covid patients’ data. The contract has been challenged on several grounds; what interests us here are the privacy issues that have come up for discussion.

The issue here is that the data sought to be processed by Sprinklr is “Sensitive Personal Data”, which raises the questions of “Reasonable Security Practice” and “Due Diligence” under ITA 2000 (Section 43A). Since the Personal Data Protection Bill 2019 (PDPB 2019) is intended to be a direct replacement of Section 43A, the reasonable security practice may currently be taken to be the compliance requirements stated in PDPB 2019. Hence we need to evaluate, with reference to PDPB 2019, whether privacy protection is adversely affected by the contractual arrangement.

In this connection, the data protection obligations, the rights of the Data Principal, the mandatory explicit consent, the restrictions on transfer of personal data outside India, the security requirements etc. become relevant.

At the outset we need to recognise that information on Covid is “Sensitive Personal Information” and hence requires “Explicit Consent” for processing and for transfer out of India.

The Court has spoken of the need for “Confidentiality” and “Anonymization” that also need to be discussed.

According to the defense of Sprinklr,

a) The confidentiality of the data of the citizens is guaranteed as per the terms of the contract.

b) The State Government has undertaken to take full responsibility for its protection.

c) The protection systems available on the Amazon cloud service make it impossible for Sprinklr or anyone else to breach confidentiality or to deal with the data surreptitiously or maliciously.

d) Sprinklr does not hold any data at present and has transferred all such data back to the Kerala Government.

e) The data resides in India, and hence any breach of its confidentiality will expose Sprinklr to action in India; the standard form clause of jurisdiction in the USA should therefore not be objected to.

MeitY has argued that sensitive personal data should always remain in India and also that the data should be anonymized before it is handed over to processors. It has also rightly insisted that the company should confirm that the data transferred earlier has been purged.

Considering the current situation, where the Court does not want to adversely affect the Government’s efforts in controlling Covid, the Court has decided to take an interim view only on ensuring the confidentiality of the data and to take up a detailed hearing later.

The injunctive relief granted by the Court is therefore premised on the consideration that the confidentiality of the data has to be maintained.

The approach of the Court is to be appreciated: it has tried to take a balanced view and rejected most of the contentions of Sprinklr without taking any drastic step that could adversely affect the Covid prevention efforts of the Government.

But when the case is heard in detail, the defense provided by Sprinklr will come under detailed scrutiny. Its Privacy Policy, Terms and Conditions, Data Protection Addendum and GDPR Privacy by Design policy will all be examined.

There is a possibility that between now and the next hearing Sprinklr may make changes to its website policies, which would amount to tampering with evidence. Hence all these documents have been archived by CEAC, and any changes, if attempted, will be provable as tampering with evidence.

From a first glance at these documents, it appears that the company’s defense that it follows international standards of data protection and hence nothing can go wrong may not be a tenable argument. There is enough indication that the documents are only statements of intent that do not seem to be reflected in the actual implementation. The information so far available in the news reports is sketchy, and if the company is subjected to intense cross examination it may be possible to bring out more inconsistencies showing that they do not have any credible evidence to substantiate their defense.

It will be interesting to observe how both sides take the case from here. We would refrain from more discussions at this stage for reasons of propriety. If however a need arises in the coming days, more points may be taken up for discussion.

What we are interested in is observing whether the Court will impose a heavy penalty as envisaged in PDPB 2019, which is also consistent with the GDPR that the Company swears by. The penalty to be imposed has no relation to the fact that the sensitive personal data has now been returned or that the Company has deferred the receipt of remuneration by 6 months. We know that “Data” has value, and just as crude oil can be sold at $-37 per barrel, it is not impossible to think that “Data” can be bought at “Zero” value for the hidden benefit it represents.

Also, the attempt to justify the jurisdiction clause, which requires the Kerala Government to raise its disputes, if any, in New York, is laughable to say the least. If a dispute arises, the company would definitely invoke the jurisdiction clause and stall any proceedings in India.

I wish the company were more straightforward than to claim that the jurisdiction clause does not matter. If so, it will be a great precedent for all other customers of Sprinklr and other service providers to simply ignore the jurisdiction clause and proceed in India.

It is open to the Court, however, to accept the admission of the company that since the data is stored in India, the company can be sued here. The Court can confirm that since the contract is a standard form contract and is not supported by authentication by digital/electronic signature, it has only the status of an implied dotted-line contract, and hence the jurisdiction clause deserves to be rejected as an “unconscionable clause”.

This will help many others and also provide a new reason for imposing data localization in PDPB 2019, since it helps in overcoming the inconvenient jurisdiction clause. If the company retracts this argument, as it is likely to do, then the current argument will be considered an attempt to mislead the Court.

It is also strange that the Company is arguing that the State Government is indemnifying the Company by taking “full responsibility”. If so, it is another point that proves that the contract is unfair to the Kerala Government.

Another point which the Company seems to forget is that in “Personal Data Protection”, ensuring “Confidentiality” is only one aspect. It is an information security issue and is a necessary but not sufficient condition of the data protection obligation.

What is more relevant in data protection is that beyond securing the confidentiality, integrity and availability of personal data there are other aspects of consent, rights, the lawfulness of the processing etc.

Hence just because the data is protected (we are not aware whether the data on the Amazon cloud was actually encrypted), it does not mean that all obligations of data protection are fulfilled. Also, just because no data breach has occurred so far, we cannot say that a contravention of the privacy right cannot be recognized.

Hence the last word has not been said in this case. We hope that the High Court stands up to the principles and comes to a good conclusion without succumbing to the defense of “urgency” etc.

Naavi

Posted in Cyber Law

Sprinklr Kerala Government contract: Personal Data Protection under test

It is reported today that the Kerala High Court has ordered that the Kerala Government was wrong in getting the personal data of Covid patients processed by Sprinklr without de-identifying the personal data. It has also ordered that the patients are to be notified by the Government.

The Kerala Government had appointed the US based service provider for analysis of Covid patients’ data, which led to a political debate about nepotism as well as a debate on the infringement of privacy of citizens. We can leave the political controversy aside and focus only on the issue related to the privacy of the patients.

In this case, the Kerala Government was a customer of Sprinklr and used its Software as a Service (SaaS). Data was provided to Sprinklr initially directly on their website and later by the Kerala Government from its website. Processing was done by the Sprinklr engine, which must have worked from the US, and the processed information was then stored either in the US or on other servers.

The highlights of the order passed today by the Kerala High Court include the following:

    • Kerala Government should anonymise all data collected from citizens with respect to COVID-19 before allowing Sprinklr access to the same. This must be done with respect to all data collected in future. Sprinklr should be given access only after the data is so anonymised.
    • Sprinklr has been injuncted from committing any act which will be directly or indirectly in breach of the data confidentiality entrusted to them under the contract with the Kerala Government. They shall not disclose/part with the entrusted data to any third party entity anywhere in the world.
    • Sprinklr should not deal with the data entrusted to it in conflict with the various confidentiality clauses/caveats. They will forthwith entrust back all such data to the Government of Kerala as soon as the contract is completed.
    • As per the Kerala Government’s submissions, the Court was informed that no data is presently remaining with Sprinklr. In view of the same, the Kerala High Court ordered that any secondary data lying with Sprinklr is to be entrusted back to the Government of Kerala and that this shall be treated as a peremptory direction.
    • Sprinklr has been injuncted from advertising or representing to any third party that they have access to any data relating to COVID 19 patients or persons vulnerable/susceptible to the disease.
    • Sprinklr has been ordered not to use or exploit any such data for any commercial benefit. Sprinklr shall deal with such information maintaining full confidentiality of the Kerala citizens whose data is collected.
    • Sprinklr is not to use the data collected and not to use the name or official logo of the Government of Kerala.
    • The Kerala Government has been directed to inform every citizen from whom data is taken that such COVID-19 data is likely to be accessed by Sprinklr or a third party. Their specific consent for the same should be obtained in the necessary form before data collection.

While issuing these directions today, the Court emphasised that it was doing so with the singular intent of “ensuring that there is no data epidemic after the COVID-19 epidemic is controlled”.

The service involved sharing of Covid patients’ data, which is “Sensitive personal data” under ITA 2000 (amended in 2008) as well as under any norms that can be traced to the forthcoming Personal Data Protection Act in India or the prevailing global norms of GDPR.

Though the Company is a US company, it is bound to follow the principles of “Reasonable Security Practices” under Section 43A of ITA 2000/8. The Company is also expected to follow “Due Diligence”, which is “following such practices as a prudent person would follow under similar circumstances”.

As of 25th April 2020, a prudent organization in India dealing with “Sensitive personal information” would consider the provisions of the Personal Data Protection Bill 2019 as the guidelines of privacy to be followed as due diligence.

The Kerala Government is also obliged to consider the Justice Puttaswamy judgement declaring Protection of Privacy to be a fundamental right of an Indian citizen.

More importantly, the Kerala High Court itself in the Oommen Chandy case (WP(c) No 40775 of 2017) has said:

“The newly recognized fundamental right to privacy, which takes within its fold the right to protect one’s reputation as well, would merit classification as a fundamental right that protects an individual, not (only) against the arbitrary State action, but also from the actions of other private citizens, such as the press or media.”

Hence both the Kerala Government and Sprinklr were bound to recognize the privacy protection guaranteed under the Puttaswamy judgement and to initiate privacy protection measures in the collection, processing, storing and disposal of the sensitive personal information.

In the Indian context, the privacy law may be new to the Kerala Government, but Sprinklr claims that its services are “GDPR Compliant”. Hence Sprinklr was fully aware of the sensitivity of the information being processed and, even if the Kerala Government was not conversant with privacy laws in general, should have cautioned the Government on how to address the issue.

The first thing that comes to everyone’s mind is the “Consent” from the patients. There is also the question of possible transfer of data out of India, either for storage or for processing, for which an “Explicit Consent” was required to be obtained by Sprinklr even if the Kerala Government was not aware of it.

Further, though the Government can claim exemption for “Medical Emergency”, the exception under the PDPA applies only to an entity such as a hospital transferring patient data for the purpose of medical treatment etc., and not for Big Data analytics, which can be done by many Indian companies.

Further, the Indian PDPA goes beyond the “Consent” related constraints and holds the person who collects and processes the personal data in the capacity of a “Data Fiduciary”, meaning a “Trustee” who has to protect the privacy of the data principal as per the Puttaswamy judgement principle. Hence no implied consent with concessions for transfer of data to a US entity can be presumed as “Due Diligence”.

In the instant case, both the Kerala Government and Sprinklr are “Data Fiduciaries”, since the purpose and means of processing are determined more by the SaaS company than by the Kerala Government, which is the user of the service under the terms and conditions on which the Sprinklr service is offered. (The Data Protection Addendum on the website, though, makes the Kerala Government the Controller and Sprinklr the Processor. In that case the data protection clause should have been directed by the Kerala Government to Sprinklr, which certainly is not the case here.)

As per the statement of one of the advocates representing the Kerala Government, it is claimed that the Company has a privacy policy and follows international data protection norms ensuring a high level of confidentiality of data. It is stated that the data was stored in encrypted form in the Amazon cloud in Mumbai. If this contention is proved by evidence, it would show that one copy of the data was perhaps stored in India. While the information might have been secured against further breach because of encryption, the disclosure of the data to the service provider is still outside the consent mechanism.

The High Court has taken note of this in its order and come to an opinion that it was wrong for the Kerala Government to have shared the information with the SaaS provider without “Anonymization”. (We presume the Court was referring here to Pseudonymization or de-identification).

A quick glance at the website of Sprinklr.com indicates that it uses several sub-processors for processing work and makes a mention of GDPR and CCPA. However, it does not mention compliance with ITA 2000/8 or any Indian privacy laws.

Whether the policies declared on the website are operative or not can only be tested if data principals in India send requests for the personal data processed, seeking portability of the data or the right to be forgotten. The company will most probably reject any such requests under some excuse.

As regards cross border transfer, the policy does not even recognize that it is in operation in India, and hence the possibility of its compliance with Indian laws is clearly absent. It clearly says that it offers its clients the option to host the data in the USA and Europe, and there is no mention of storage in Mumbai.

Without going too deep into an analysis, it can be considered that Sprinklr is not in compliance with Section 43A of ITA 2000/8 and that it rushed into the processing because the business opportunity fell into its lap.

Now that the Kerala High Court has caught the privacy related shortcomings in the process, it is necessary for Sprinklr to immediately stop receiving identified personal data of the patients, which is anyway not required for the purpose for which the data is being shared with them. The analytics that they may do has no relation to the identity of the person by name, and hence it should immediately agree to an intermediary like NIC conducting a “De-identification” process before the data is handed over to Sprinklr.

Simultaneously, Sprinklr should transfer the processed data to date to a custodian like NIC, purge all related data on all its servers and provide appropriate evidence of the erasure.

There is therefore no logic for the Kerala Government or Sprinklr to take any excuse to process the identified data. They need to immediately engage the services of another intermediary trusted in the Indian environment, such as NIC or CDAC, to put together a de-identification/re-identification framework to continue further processing.

NIC should be more than capable of this exercise, and if not, there are a number of software companies in India who can do it.
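As an added illustration of the de-identification/re-identification split proposed above (constructed for this post, not code from NIC, CDAC, Sprinklr or the Kerala Government), the following Python sketch assumes a custodian holding an HMAC key and an identity vault, hands the processor only linkage tokens and generalised age bands, and keeps re-identification and purge with the custodian. Because the key holder can reverse the mapping, this is pseudonymisation rather than true anonymisation, which is the distinction noted earlier about the Court's order.

```python
"""De-identification / re-identification split between a custodian and a processor.

Constructed example. The roles (a trusted custodian such as NIC or CDAC holding
the key, an analytics processor seeing only tokens) are the ones the post
proposes; nothing here is code from any party to the case.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Fields that identify a patient directly; they never reach the processor.
DIRECT_IDENTIFIERS = ("name", "phone", "address")


def age_band(age: int) -> str:
    """Generalise an exact age into a 10-year band (80+ is capped)."""
    if age >= 80:
        return "80+"
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"


@dataclass
class Custodian:
    """Holds the pseudonymisation key and the token -> identity vault."""

    # Fresh random key per deployment; it never leaves the custodian.
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    vault: dict = field(default_factory=dict)

    def _token(self, phone: str) -> str:
        # Keyed HMAC rather than a bare hash: the same patient always gets the
        # same token (follow-up records still link), but a 10-digit phone
        # number cannot be recovered by hashing every candidate, because the
        # processor does not hold the key.
        mac = hmac.new(self.key, phone.encode(), hashlib.sha256)
        return mac.hexdigest()[:16]

    def deidentify(self, record: dict) -> dict:
        """Return the record the processor may receive; store the identity."""
        token = self._token(record["phone"])
        self.vault[token] = {k: record[k] for k in DIRECT_IDENTIFIERS}
        out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        out["token"] = token
        out["age_band"] = age_band(out.pop("age"))  # exact age is a quasi-identifier
        return out

    def reidentify(self, token: str) -> dict:
        """Only the custodian can map a token back, e.g. for patient follow-up."""
        return self.vault[token]

    def purge(self) -> int:
        """Erase the vault (the 'evidence of erasure' step); returns entries removed."""
        count = len(self.vault)
        self.vault.clear()
        return count


def processor_accepts(record: dict) -> bool:
    """Gate on the processor side: refuse any record that still carries a
    direct identifier or an exact age, or that lacks the linkage token."""
    leaked = set(record) & set(DIRECT_IDENTIFIERS)
    return not leaked and "age" not in record and "token" in record


# Constructed sample records; the names, numbers and addresses are fictitious.
SAMPLE_RECORDS = [
    {"name": "Patient A", "phone": "9000000001", "address": "House 1, Example Lane",
     "district": "Ernakulam", "age": 43, "status": "home quarantine"},
    {"name": "Patient B", "phone": "9000000002", "address": "House 2, Example Lane",
     "district": "Kasaragod", "age": 67, "status": "hospitalised"},
    # Follow-up for Patient A: must receive the same token as the first record.
    {"name": "Patient A", "phone": "9000000001", "address": "House 1, Example Lane",
     "district": "Ernakulam", "age": 43, "status": "recovered"},
]


def run_pipeline(custodian: Custodian, records: list) -> list:
    """De-identify every record and confirm each one passes the processor gate."""
    out = [custodian.deidentify(r) for r in records]
    if not all(processor_accepts(r) for r in out):
        raise ValueError("direct identifier reached the processor side")
    return out


if __name__ == "__main__":
    custodian = Custodian()
    rows = run_pipeline(custodian, SAMPLE_RECORDS)
    for row in rows:
        print(row)  # what the processor would see
    # Custodian-only step: who is the patient behind the first token?
    print(custodian.reidentify(rows[0]["token"]))
    print("vault entries purged:", custodian.purge())
```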

It would be interesting to see how the case develops further and whether the Court takes cognizance of the principles of privacy protection that have been included in the upcoming privacy act.

In the next hearing we hope that the Court will place a substantial fine on both the Kerala Government and Sprinklr on the lines suggested in the PDPA Bill 2019, which is Rs 5 crores for the Kerala Government and up to 4% of the global turnover of Sprinklr. This will be in addition to the personal relief that can be claimed collectively by the data principals.

Naavi

(P.S: This is a quick comment based on the news reports that have just appeared. More may follow)

Posted in Cyber Law

The Cognizant Data breach Incident and the need for immediate ban on Bitcoins

It has been observed that cyber criminals target destinations where the possibility of reward is high. The recent attack on Cognizant through a ransomware called Maze indicates that despite the Company being well informed about cyber threats, and probably well equipped with experts to guide information security in the Company, it could be successfully compromised by the attackers. The attack was probably made possible by persistent phishing e-mails aimed at a large number of employees and by the Work From Home situation, which could have diluted the security measures.

It is understood that the Maze operators have a history of demanding ransoms of up to US $6 million (Rs 42 crores) and have in the past disclosed up to 700 MB of a company’s confidential data. So Cognizant would not escape easily if it chose to pay a ransom, which could be of the order of US $10 million (Rs 70 crores). And this has to be paid in the form of Bitcoins, which means that Cognizant has to invest in black money to the extent of Rs 70 crores. The shareholders of Cognizant can object to the use of company resources for this purpose. It is possible that Cognizant may have some cyber insurance coverage, but whether it will apply to the payment of extortion arising from the negligence of the company, and if so to what extent, is not known.

Further, if the data that has been lost relates to personal data of EU countries, the company also has to face GDPR fines, which could also be debilitating. If the personal data lost includes that of Indian citizens or Indian companies, there could be action against the company through local courts. The company is fortunate that the Personal Data Protection Act is still not in place and, like the Breach Candy hospital case, this major data breach will go unpunished under Indian law. Though CERT-In may send a notice, it is unlikely to take any action, and the company may face relatively less trouble from Indian regulators than from the EU GDPR authorities of multiple countries.

It is regrettable that a large company like Cognizant should have fallen to the malware, and it will take some time to understand what really went wrong.

For the time being we would like to look at another dimension of the fraud, and in particular how the inaction of the Union Home Ministry under Mr Amit Shah has contributed to this attack and will continue to encourage more such attacks.

Recently the MHA stepped into the shoes of MeitY and gave a security advisory on the use of the Zoom video conferencing software. Though the advisory was meant for Government departments, it was released as a PIB press note, giving ignorant media persons an opportunity to shout that “MHA had declared Zoom as Unsafe”. As a result many members of the public, including companies, might have dropped Zoom and moved to more vulnerable tools.

However, MHA has so far not opened its mouth on the issue of “Bitcoins”, and when a strange Supreme Court judgement came out indicating the restoration of Bitcoin exchanges, neither the Finance Ministry under Mrs Nirmala Sitharaman, nor the Home Ministry under Mr Amit Shah, nor MeitY under Mr Ravishankar Prasad took interest in filing a review of the faulty decision.

Everybody seems to be happy that the Supreme Court has taken on its shoulders the responsibility of giving a sense of approval to Bitcoins, and the industry can make hay while the sun shines by converting the legitimate white money in the country into digital black wealth in the form of Bitcoins and other crypto currencies.

So far we were considering that Mr Amit Shah could be relied upon when national security is at stake and that, since Bitcoin is the currency of criminals and terrorists, he would take steps to ensure that its acceptability as a currency for the settlement of financial transactions would be recognized as a national security risk. This hope has been belied. Unfortunately he and his department have displayed no urgency in this matter, while they rushed to give a premature advisory in the case of Zoom.

It is well known that to prevent a crime, the ability of the criminals to benefit from the crime has to be stopped. So if crimes like the Cognizant attack are to be reduced, it should be made difficult for the criminals to benefit by collecting the ransom in Bitcoins.

The first step for the MHA is therefore to bring out an ordinance to ban crypto currencies forthwith, so that ransomware distributors are choked off from reaping the financial rewards of their crime.

Secondly, MHA should issue a notice to Cognizant not to pay the ransom since it would encourage similar attacks on Indian companies and also result in a Black Money transaction of an amount equal to the ransom.

I hope Mr Amit Shah is able to understand the long term damage that is being made to the Indian national fabric by allowing Bitcoins to continue to exist.

I request Mr Shah not to accept any view from his department that suggests that “Supreme Court has held Bitcoin as Valid”. The Supreme Court has actually not validated Bitcoin or Crypto Currency. On the other hand, the three judges have delivered a cleverly constructed judgement like a Bollywood story so that, without saying that Crypto Currency is a valid currency in India, they have created a false impression to let the industry benefit fraudulently.

The RBI and the Finance Ministry should have come up with an amended circular to reintroduce the ban on crypto exchanges, and MeitY should have come up with the law banning crypto currency, which is already in draft stage. But all three wings of administration have remained silent or have been silenced by the power of crypto currency corruption.

If Mr Amit Shah along with Mr Narendra Modi are the last repositories of honesty and lack of corruption in India, they should make moves to bring a ban on Crypto currencies immediately.

There is no need for the Government to wait for the current Covid 19 crisis to be over before taking action in this regard, since this is the time when more such attacks will happen on other organizations: the “Work From Home” situation has exposed most companies to the risk of malware from the home environment jumping into corporate networks.

Stopping ransomware attacks is therefore a Covid priority. If stopping Bitcoin circulation as a currency relied upon by criminals is a step in this direction, this is also a Covid priority.

If the MHA, MeitY, MoF and RBI are not collectively deaf, I suppose they will listen to this appeal for a ban on crypto currency.

Naavi

Posted in Cyber Law

Time to be Accountable… India Legal

[This is an article first published in India Legal magazine]

In December 2018, the central government proposed to issue an amendment to the Intermediary Guidelines under Section 79 of the Information Technology Act, 2000 (ITA 2000). This was neither a new Act nor a new rule. It was only a proposed amendment to a rule placed for public comments.

However, it was challenged as unconstitutional by some activists and referred to the Supreme Court. The government is now expected to present a new version of the rule in the Supreme Court and the industry lobby is already mounting pressure on the centre to bend the rules to their advantage.

Section 79 and the rules therein are meant to bring accountability to intermediaries to prevent certain crimes such as defamation, spreading of hatred and disharmony, inciting violence and such through information posted on websites, blogs and messaging platforms. The role of intermediaries in fuelling such crimes and assisting law enforcement agencies in detecting and bringing to book the perpetrators is undisputed. However, these business entities are averse to accepting any responsibility for preventing their platforms from being used for fake news to disturb the community and as a tool for anti-social elements.

An internet intermediary, incidentally, provides services that enable people to use the internet. They include network operators; network infrastructure providers such as Cisco, Huawei and Ericsson, internet access providers, internet service providers, hosting providers and social networks such as Facebook, Twitter, Linkedin, etc.

The use of fake videos and Artificial Intelligence (AI)-based content for posting malicious material has made the problem more acute since the amendment was first proposed. Two of the most contentious aspects of the proposed amendments are that the intermediary is required to trace the originator of a message that flows through his platform and that he should deploy technology-based automated tools for proactively identifying, removing or disabling public access to unlawful information.

Objections have been raised on the ground that the intended measures are “technically infeasible”, infringe on “privacy” and put restrictions on “freedom of expression”. Given the propensity of courts to react favourably whenever activists quote Articles 21 and 19 of the Constitution, the industry lobby expects a climbdown from the government. After all, the government had buckled under their pressure when it diluted data sovereignty principles in the personal data protection act by dropping “data localization”.

The challenge before the Court is now two-fold. The first is to realise that excuses based on technical infeasibility are false and such measures are already being used by the industry for compliance with other international laws such as General Data Protection Regulation (GDPR). The second is that “national security” is as much the duty of the government and a fundamental right of citizens as the protection of privacy or freedom of expression of certain other individuals. The law should not allow disruption in the lives of innocent persons while protecting the rights to privacy and freedom of expression of some activists.

At present, most large intermediaries do scan the messages that pass through their services to identify the nature of content so that appropriate advertisements can be displayed when the receiver of the message reads them. Most leading companies, including Facebook, also use AI to read the messages and profile the users. Hosted content is also moderated and scanned for malicious codes as part of information security measures. Hence, the claim that it is impossible to make a reasonably effective check and flag objectionable content is not acceptable, particularly in the case of large intermediaries like Google and Facebook. As regards the proactive removal of content which is “unlawful”, this involves the judgment of intermediaries. However, if they are ready to proactively identify potentially objectionable content, the government can always suggest a mechanism for reviewing the tagged content and get it moderated.

Most data managing companies undertake a similar “discovery” exercise when it comes to complying with laws such as GDPR. There is no reason why they should not apply similar “data discovery” tools to identify offensive content and flag it for manual supervision. The technology is available and being used by the same companies who are resisting the request of the government. The Court should reject such claims. Their bluff needs to be called out.

We may also note that the Personal Data Protection Act, which is expected to be a law soon, has also brought in a provision whereby social media intermediaries have to provide an option to users to get them “verified” and the “verification” should be visibly presented with the account.

In other words, it will be mandatory for social media companies to identify the owner of a message and therefore make him accountable. In the case of WhatsApp, it must be mentioned that what is required is not “reading of the message” which is objected to from the “privacy” angle as the information may be encrypted, but only to identify the origin of a message. This can be technically achieved by tweaking the header information of the message and incorporating a checksum identity of the message. This can be identified at the server whenever it is forwarded.

In view of the above, the technical infeasibility objections to tracing the origin of a message are unsustainable in the current age of technology using AI. These are false excuses.

However, while issuing the new guidelines, the government may have to recognise that some views on Section 79 have been expressed by the Supreme Court in Google India Private Limited vs Visakha Industries and the proposed amendment has to be compatible with the views expressed therein. This case involved a complaint of defamation and the non-removal of the content by Google when demanded. It also opened a discussion on the concept of “due diligence” as per the version of Section 79 in ITA 2000 and an amendment made in 2008 which became effective from October 27, 2009.

The final outcome of the judgment turned more on which version of the law applied, given the date of the incident. But in the course of the judgment, some important principles on international jurisdiction and the scope of "due diligence" emerged, and these are relevant in analysing the proposed intermediary guidelines. It may be noted that the original version of Section 79 required "due diligence" to be exercised to "prevent the commission of offence". That due diligence had never been elaborated by any notified rules and was therefore an open-ended responsibility.

Under the amended Section 79, which applies now, the law requires that "the intermediary observes due diligence while discharging his duties under this Act and also observes such other guidelines as the Central Government may prescribe in this behalf". The obligation therefore extends beyond "prevention" at the point the data enters the intermediary's control, to monitoring throughout its lifecycle.

Additionally, the concept of "due diligence" was detailed in the intermediary guidelines of April 11, 2011, which are now proposed to be replaced with an amended version. The Court recognised that the amended Section 79 provides protection from liability not only in respect of offences under ITA 2000 but under other laws as well, which the industry welcomed as an expansion of the safe-harbour provision.

At the same time, we need to observe that the scope of Section 79 has expanded significantly, both in how the government may exercise its regulatory powers and in the level of control the intermediary is expected to implement as part of its compliance requirements.

In view of the vindication of the current version of Section 79 in the Visakha judgment, and the unsustainability of the technical-infeasibility objections raised by the intermediaries, they seem to have no option but to accept the accountability that the amended guidelines prescribe. The challenge mounted in the Supreme Court may therefore end only in a clarification of the procedures for content removal.

However, the Court could suggest a standard measure to ensure that, in the period between the victim noticing the harm and bringing it to the intermediary's knowledge and a Court reaching a decision, the victim gets some interim relief that is fair to both parties. Hence, if an intermediary receives a notice for removal, it should, pending a Court order, exercise caution to prevent the continuation of the alleged damage. Ignoring knowledge of alleged damage would be neither legally wise nor ethically justifiable.

In such cases the content may continue to be displayed, but it should be flagged as "reported objectionable vide notice received from ….", with a hyperlink to a copy of the notice. The flag may be removed after a reasonable period, such as 90 days, if no Court order is received.

This measure will ensure that the delay in obtaining court orders does not continue to harm the victim to the same extent as it otherwise would. If such a measure is not available, every complainant will seek relief in the form of an interim order to block the content.

If the trial court agrees to such a request, the content remains blocked until the case is decided, which may take years. It would be good if the suggested dispute-management procedure were included as part of the intermediary guidelines.

Lead Illustration: Anthony Lawrence

The writer is a cyber law and techno-legal information security consultant based in Bengaluru


Course on PDPA…from Naavi


Crash Course on PDPA

Based on specific requests, Naavi/Cyber Law is conducting a crash course on the Personal Data Protection Act of India from 20th April 2020 to 25th April 2020 through virtual training, for 2 hours on each day.

The program will be held between 8.30 am to 10.30 am.(IST)

The coverage would be as follows:

1. Evolution of Privacy Law in India (ITA 2000, ITA 2008, Puttaswamy judgement, etc.), and understanding the concept of Privacy and its relation to Data Protection

2. Applicability, Exemptions, Data Protection Obligations and Data Principal's Rights

3. Grounds of Processing without Consent, Restrictions on Transfer of Personal Data outside India

4. DPA, Adjudication and Appellate Tribunal, Penalties and Offences and Grievance Redressal mechanism

5. Compliance Obligations (Transparency and Accountability Measures), Data Audits and DPO

6. Data Protection Challenges under New Technologies, Data Governance Framework, Interactive discussion and Review

The participation fee is Rs 3000/- per participant. Registration can be done by making the payment below:
