Has the Bitcoin lobby put pressure on MeitY?

[This is in continuation of the previous article]

At a time when the “Personal Data Protection Bill 2019” needs to be passed into an Act and at least 2 or 3 meetings of the JPC have to be completed before the next Parliamentary session, it is beyond our comprehension that MeitY is opening up the issue of amendment of the ITA 2000/8.

If MeitY was really interested, it could have issued the Section 69 and Section 79 notifications which are not amendments to the Act but are only notifications to be issued by the Ministry and later placed before the Parliament. MeitY could have also acted upon whatever suggestions were made by the T K Vishwanathan Committee. 

With the PDPA needing attention at this point of time, there was no need to hurry a discussion on amendment of ITA 2000/8.

The only reason which comes to our mind to justify this eagerness could be pressure from the Bitcoin lobby to legitimize the Bitcoin and other Crypto Currencies.

This lobby was successful in getting a Bollywood story line judgement from the Supreme Court which effectively indicated the view “RBI has the power to regulate Bit coin but the circular they have issued is struck down for reasons of lack of proportionality”.

If RBI comes up with another circular, the Supreme Court will again go into an examination, perhaps stay the circular, and after two years again come up with the “Proportionality excuse” to strike it down. The lobby knows that they are standing on very tenuous ground and if the matter goes before any other bench the decision could be different. Hence they appear to be now moving with the MeitY to bring in an amendment to the ITA 2000 which could help them to declare Bitcoin as legal.

Mr Nayonika Dutta, Deputy Director, e-Commerce Policy at DPIIT, has been quoted in the article in ET as follows.

“though the Act was last amended in 2008, recent technological innovations such as social media, digital services, ecommerce services, artificial intelligence, machine learning, smart devices, Internet of Things and blockchain have changed the digital ecosystem significantly. While on the one hand, these innovations have provided opportunities for growth and efficiency gains, on the other, they also pose significant challenge ..”

Note the inclusion of the “Blockchain” in the list of technological developments mentioned here. The timing of the MeitY circular was almost immediately after the Supreme Court judgement and there appears to be a nexus between the Bitcoin lobby and the issue of this “Amend ITA 2000” demand.

Naavi has in the past pointed out that the best way to ban Bitcoin is through ITA 2000 where we can add one more item under the Schedule I under “Excluded Instruments”.

Presently Section 1(4) and the associated Schedule I states as follows:

“Nothing in this Act shall apply to documents or transactions specified in the First Schedule by way of addition or deletion of entries thereto.”

1. A Negotiable Instrument (other than a cheque) as defined in Section 13 of the Negotiable Instruments Act 1881 (26 of 1881)
2. A Power of Attorney as defined in section 1A of the Power of Attorney Act 1882 (7 of 1882)
3. A trust as defined in section 3 of the Indian Trusts Act, 1882 (2 of 1882)
4. A will as defined in clause (h) of section 2 of the Indian Succession Act, 1925 (39 of 1925) including any testamentary disposition by whatever name called
5. Any contract for the sale or conveyance of immovable property or any interest in such property

Because an electronic document that represents the Bitcoin is not in the excluded list, it is recognized as an “Electronic Document”.

The RBI Act Section 22 states that “The Bank shall have the sole right to issue bank notes in .. and the provisions of this Act applicable to bank notes shall, unless a contrary intention appears, apply to all currency notes of the Government of India issued either by the or by the Bank in like manner as if such currency notes were bank notes, and references in this Act to bank notes shall be construed accordingly”. Hence any document which is recognized in law.

The “Sole Right” indicated here has to be interpreted as a “Prohibition” for any private party to issue a “Currency Note like” instrument including a “Promissory Note payable to a bearer on demand”.

The Bitcoin is an electronic document recognized as such by ITA 2000. But in the representation as “Crypto Currency”, the Bitcoin electronic document is used as a substitute for the “Bank Note” or “Currency Note”. The frequent pictorial representation of the Bitcoin as a “Coin” is also an attempt to confuse consumers into believing that it is a substitute for the legacy currency notes and coins.

When a bitcoin is used as a medium in a private electronic space such as a “Game website”, the concept lies below the radar. But when the Banking system starts supporting the Bitcoin and the Bitcoin lobby threatens the RBI that they will destroy the legacy currency system, then it assumes the role of a “Currency”. When Amazon accepts Bitcoin, when advertisements appear in Times of India that Bitcoin is a good investment proposition, then any sovereign Government has to put this down. Otherwise, Bitcoin will be like a Corona Virus and spread to the entire community and destroy our economy.

Unfortunately our Supreme Court has failed miserably to understand this threat to the society or has chosen to look the other way, and the Bitcoin lobby feels emboldened. They know that they have the power of black money in their hands and they can buy decision makers by transferring a few bitcoins to a numbered Bitcoin wallet system.

However much Mr Narendra Modi may try to reduce the black money in the form of official currency, he will not be able to identify and control black money or benami property in the form of Bitcoin or any other private Crypto Currency. The system of corruption which Mr Modi is trying to fight will thrive strongly if Bitcoin is not locked down immediately.

The Supreme Court judgement has been like the Tablighi conference that spread Corona Virus to thousands in the country and has given a firm base to the Bitcoin lobby promoting the Bitcoin as a safe investment haven. There is no doubt that this has also contributed to the prolonged down trend in the Stock markets since many might have shifted their investments to Bitcoins. Mrs Nirmala Sitharaman might not have been able to identify this and needs to sit with some senior RBI officials to understand how the “Block Chain Technology” is being used as a cover for promoting Bitcoins.

With the complete loss of confidence in the Supreme Court, the hope for honest tax payers of India is now only Mr Modi and Mr Amit Shah. They need to take time off from the Corona virus related issues to ensure that Bitcoin does not become a “Financial Corona” and hurt our economy.

Mr Ravi Shankar Prasad as the Minister in charge of MeitY needs to provide a public clarification on why the Amendment to ITA 2000 has been taken up on a priority basis over and above PDPA and what is the intention of those who have floated the idea when they have been unable to get ordinary administrative notifications on Section 69 or 79A issued.

What is necessary immediately, to show the right intentions, is for MeitY to issue a notification to amend Schedule I of ITA 2008 and add the following exclusion:

vi: Any instrument that purports to represent a Currency or Coin that could be used for exchange of goods like a Bank note.

This does not require an amendment to the Act and can be issued immediately during the Corona lock out itself, if MeitY, Ravi Shankar Prasad and Nirmala Sitharaman are committed to the banning of Bitcoin and Crypto Currency. Bitcoin being a Digital Black Money representation used by the Cyber criminals and terrorists, even Mr Amit Shah should be interested in this amendment. Mr Piyush Goyal also has to check why DPIIT was in such a hurry to issue the circular when larger issues related to the lock down are begging to be attended to.

If these honourable Ministers are serious in tackling black money in India, they should immediately move the above amendment as a notification before any larger amendment to ITA 2000.

Naavi

Posted in Cyber Law | 1 Comment

Do we need to amend ITA 2000/8?.. Why not focus now on PDPA?

According to a report in Economic Times today, it appears that the Ministry of Information Technology (MeitY) has circulated a note to select stake holders seeking their advice on the possible amendments to be made to Information Technology Act 2000, last amended in 2008.

The stated objective of the exercise is to update the law in view of the technological advances in Social Media, E-Commerce, Cyber Crime and Digital Payments. Following the request from MeitY, the DPIIT (Department for promotion of Industry and Internal Trade), headed by Mr Piyush Goyal as minister and Mr Anuj Gupta as OSD, is reported to have written to industry bodies for feedback. NASSCOM, CII, FICCI and ASSOCHAM appear to have received the request.

The decision of the MeitY to take up this issue amidst the Corona lockdown conditions as a priority looks a bit strange.

In 2017, the MeitY had set up an expert Committee under the chairmanship of Mr T.K.Vishwanathan. Subsequently, no official report came out though a small part of its suggestions came out as a “Leak”. Subsequently, no action was initiated and the committee was killed.

A List of Suggestions made by naavi.org at the time T K Vishwanathan Committee was considering the amendments is available here.

In 2018, MeitY issued a notification under Section 69 identifying 10 agencies as notified agencies under the section as against no such designation earlier. When uninformed anti-Government critics raised a hue and cry, MeitY was unable to defend the issue of the notification.

Then again the administrative notification under Section 79 (Intermediary Guidelines) was sought to be amended. Naavi.org had also placed suggestions in this regard. Again the notification was objected to by a set of Delhi based lawyers and the MeitY dropped the guidelines.

Even when Section 66A was challenged in the Supreme Court, the MeitY failed to respond effectively and let the section be scrapped instead of being read down.

With such a dismal performance in the past, MeitY has demonstrated that it has no commitment to bring about necessary changes when it was required and possible and preferred to procrastinate.

Now MeitY is sitting on the PDPA which from being PDPA 2018 became PDPA 2019 and could become PDPA 2020. Instead of focussing on the passage of this Act, MeitY is inviting another set of suggestions to amend the ITA 2000/8 as if it is a diversion to delay the PDPA further under the excuse “We are trying to bring a comprehensive Cyber Law and PDPA can be taken later”.

In the last one month when there was a lock down, MeitY should have pushed for the JPC to conduct a virtual meeting by setting up adequate facilities. MeitY should have also ensured that their Adjudicators at least are active with holding hearings through Video conferencing.

Instead of making any such productive efforts, MeitY is now opening a Pandora’s box of amending ITA 2000.

It therefore appears that there should be something more to this move than what is apparent…. There have to be some vested interests pushing MeitY to make some changes urgently.

What could be the reason?….

(To be continued)

Naavi


Let the Supreme Court be aware that its decision is promoting Black Money in India

Around 2014, before Mr Narendra Modi took over as the PM of India, it was the Supreme Court which was trying to push the Government to take action to curb black money in India. Since then the Modi Government has taken some steps including the “Demonetization” but the political opponents have been working persistently against any measures that the Government wants to take to curb black money.

It was one such move to link the Aadhaar to property ownership to curb benami property holdings that finally nailed Mr Modi’s efforts. To prevent this move, the Black money supporters moved the Supreme Court alleging that the Aadhaar use is infringing Privacy. The way the then Supreme Court handled the Aadhaar case with a predetermined zeal to find fault in Aadhaar indicated that there was a real danger of Aadhaar being declared illegal. Some late realization that this would have resulted in great damage to the country, which had already built an infrastructure for Aadhaar use for Direct Benefit transfer, made the Supreme Court climb down on its aggression and let Aadhaar live to see another day. Otherwise there was no proper ground to reject the “Virtual Aadhaar Scheme” to let Aadhaar be used by private sector.

Since then the Supreme Court has not inspired confidence that it is interested in curbing black money growth in India.

This view was reinforced in the decision of the Supreme Court in the case of Bitcoin. The decision of the three member bench of the Supreme Court on 4th March 2019 by judges M/s Rohinton Fali Nariman, Aniruddha Bose and V Subrmanian, which appeared to be a specially crafted judgement to allow it to be misused by the Bitcoin criminals, was like a “Bollywood Story”.

Emboldened by the favourable decision from the Supreme Court, the Crypto currency industry has already given a warning to the RBI that they will destroy the economic structure of India.

Naavi.org has been waging a war on Bitcoins for a long time and would not take this blessing from the Supreme Court lying down. We will continue to call out the fact that the Supreme Court judgement of March 4th was a clever camouflage to allow Bitcoins to be used as the “Digital Black Money” in India.

Mr Narendra Modi is too busy with fighting the Corona Virus and Mrs Nirmala Sitharaman has to deal with some of her own bureaucrats in the Finance ministry who would like Bitcoins to proliferate. But we will keep the heat on as another Supreme Court hearing in the matter is reported to be scheduled.

We urge the Supreme Court to wake up. The citizens of this country are watchful and any attempt to support the Bitcoins through ambiguous judgement will be brought to the open and if the Chief Justice of the Supreme Court is worried about the honour of the Supreme Court, he has to take control and restore the judicial oversight on the dilution of the efforts to control black money in India.

In this connection, I want to draw the attention of the honourable CJI to the following article “Where to Buy Bitcoin in India: Cryptocurrency Exchanges Lower Their Fees”

The honourable judges should note that the article starts with a sentence “Since the supreme court lifted the RBI ban, more people have been looking to buy bitcoin and other cryptocurrencies in India. Responding to community feedback, a number of cryptocurrency exchanges have lowered their fees as the Indian crypto sector continues to grow…”

Is any further proof required to recognize that the judgement of Rohinton Fali Nariman, Aniruddha Bose and V Subrmanian is the basis for promotion of Bitcoin business in India? We will not be surprised if more such articles appear claiming the endorsement of the Supreme Court for Bitcoins, the currency of criminals and terrorists.

If these judges have any understanding of the developments they should take action against the Bitcoin exchanges who are putting out such reports which are misleading to say that the Supreme Court decision is in favour of Bitcoins.

Since I do not expect these judges to eat their own words, I request the CJI to move in, keep the judgement in abeyance and take a review by a larger bench.

Otherwise we have to conclude that Supreme Court is in favour of creating a digital black money economy through Crypto currencies and destroy the RBI backed sovereign system of currency in India.

Naavi


How “Data Protection” and “Personal Data Protection” are different

“Information Security” has been a term which we are all familiar with. But in recent days, people have been using a term “Data Protection” and talking as if it is different. This is intriguing and requires some discussion.

If we look at the definition of “Data” under ITA 2000/2008, it appears that there is no difference between “Information” and “Data”. Both terms refer to binary expressions which can be interpreted by computer devices as “Text”, “Sound” or “Pictures” or a combination of the same. Research is going on into how the “Binary expressions” can also be converted into what we can feel by touch or what we can smell or taste. After all, if we can establish a connect with the neurons in the human brain and send some stimuli triggered by some binary expressions, we will have a situation where human faculties of seeing, hearing, touching, smelling or tasting can all be replicated by binary triggers which may be called “Software” with the use of appropriate “Hardware”.

Hence if we talk of “Data Protection” as a measure of “Protecting” “Data or Information”, then our controls to ensure “Confidentiality”, “Integrity”, “Availability”, as well as “Authentication” and “Non Repudiability” should be considered sufficient to protect all kinds of data. The CISOs today along with their team of IS trained and certified army of professionals are geared to protect information and hence should be also capable of discharging responsibilities of “Data Protection” in whatever manner it is described.

However in recent days, there is a clamour for another kind of professional in the industry. These are sometimes called “Privacy Officials”. Is this necessary? Is this desirable? These are questions that are bothering many.

These Privacy officers have a slightly different role than the Information Security Officers because IS professionals focus on protecting the “Binary Data” without any reference to what a given set of binary data may mean when looked at through an application and converted into a text or sound or picture.

On the other hand the Privacy officer looks at what the binary data translates into and whether it contains a name of an individual or any data which is identified with an individual. Such information is classified as “Personal Information” and the “Privacy Professional” focusses on how to protect such “Personal Information or Personal Data”. The Privacy officer then thinks of controls which are beyond what the IS professional has thought of. The Privacy Officers therefore require to be heard separately.

Again as distinguished from the Privacy professionals who work within an IT organization trying to protect the personal data, there are privacy activists like lawyers who try to protect the right to privacy of people, under the Constitution as a Right to liberty and Right to dignified life. These advocates are not protecting “Data” but they are protecting “Privacy”. The Courts also are making orders about “Privacy Protection” as if “Privacy Protection” and “Data Protection” are one and the same.

We therefore have two kinds of Privacy professionals, one trying to protect the Right to Privacy under the Constitution who fights in a Court, and another set who work within the IT organizations to protect the “Personal Data”. Are they same? or Different?…is another dilemma we need to sort out.

In the same way, the current IS professionals protect all data while the Privacy Professional in an IT organization tries to protect the “Personal Data”.

Since “Personal Data” is a subset of “Data” managed by an organization, it appears that the IS managers are already functioning as “Personal Data Protectors”. In such a scenario, there is a genuine question on why do we need a separate set of professionals called “Privacy Professionals” or “Data Protection Professionals” and some of them being coronated as “Data Protection Officers” (DPO).

India is on the threshold of a new Personal Data Protection Act (PDPA) which recognizes a special role for DPOs and if the legal provisions are taken seriously, the DPO will be a senior executive who will be reporting directly to the Board and sometimes even complain to the Data Protection Authority (DPA) even against the Board.

If we do not understand why this special status is given to the DPO, we are bound to have a fight within every organization where the CISO will expect that the DPO should report to him and not to the CEO or the Board. If the DPO reports to the Board or even to the CEO, it will undermine the position of CISO and this would create a disruption in the hierarchy.

To understand why a protector of a subset of data needs more power than the protector of the super set of data, we can look around us to see the plight of the Police in Delhi who were struggling to control the Shaheen Bagh protests.

Normally one will say that the Shaheen Bagh protest is like any other sit-in protest and the Police should be able to handle it as they handle a workers’ strike or any other gathering.

But controlling Shaheen Bagh was beyond the capability of the Delhi Police because there was sensitivity to the situation. The protesters were all Muslims and any action such as a lathi charge could only result in a riot as it happened later. The possibility of international ramifications of a charge on the protesters could also not be ruled out. Additionally most of the protesters were women and children and this human shield could not be tackled just as any other group of protesters.

Similar protests in China or Hong Kong would have been handled differently and Indian Police did not have similar powers. This made a difference between their success or failure.

In other words, “Who the protesters were” made a difference to “What security operations could be conducted”. If the Police had treated them as just another group of protesters without having any racial outlook or discriminatory outlook, they would have been accused as “Communal” and “Gross violators of human rights”.

Hence “Controlling the Shaheen Bagh protest” was different from controlling “Any other Protest”.

This is exactly the situation that confronts the “Information Security professionals” and the “Data Protection Professionals”. Even though “Personal Data” is part of the “Data”, those designated to protect the Personal data need certain skills that are different from those who are handling protection of “Data” in general. “What the data is” makes a difference between the protector of “Data” and protector of “Personal Data”.

It is for this reason that the DPO is having a different brief than the CISO when it comes to protecting the data under his domain.

If “Personal Data” is more sensitive than “Data” in general then the DPO must have all the skills of a CISO and something more to handle the sensitivity. Hence the DPO assumes a role more important than the CISO in the organization and has to be on par with a CISO or even above him.

As a result the CISOs of today will have to accommodate the rise of another class of professionals called DPOs to occupy key professional positions in the organization. Some of these could be experts in Data Protection Laws but without much understanding of the technology and IS functions. Until the Data Protection lawyers acquire a reasonable understanding of the technology, there will be a constant friction between the designated DPO and the current CISO.

Not all CISOs may be ready to acquire additional skills required to be elevated to the position of DPOs and giving up the tag of CISOs since at present the importance of DPOs is a little bit obscured compared to the importance of CISOs in the industry. But sooner or later they will realize that DPO is a more elevated position in the organization and unless they acquire additional qualifications such as the “Certified Data Protection Professional” they may fall behind in the race to professional growth.

It is high time that CISOs and IS professionals realize this development and take steps to preserve their current industry position by acquiring additional Personal Data Protection Certifications.

CISOs and IS officials in India should also realize that acquiring certificates for GDPR knowledge with international certification agencies is not a substitute for acquiring certificates for PDPA knowledge and certifications that focus on the requirements of Indian Data Protection Professionals.

In this direction, the Certification program of FDPPI stands out in a class of its own and deserves a serious look.

Naavi


Cloud Forensics.. Some thoughts from the Perspective of a DPO

With the increased use of Cloud as an infrastructure for data storage and processing, some aspects of the Cloud functioning pose serious challenges to data protection compliance which need a debate by experts.

The essential aspect of data protection laws is to provide a choice to the data subject to be able to access the personal data and if required ask for updation, portability and erasure.

The Data Protection Officer (DPO) is responsible for the compliance of aspects under the law and has to exercise control on how the personal data of data subjects can be discovered in the pool of corporate data that is scattered across the cloud (often multiple clouds), ensure that Consents are tagged to each such data set, and whenever any correction is to be made, it is synched at all the location centers.

Further, if the personal data and the associated profile needs to be ported or erased, the DPO should be able to ensure that the personal data associated with a given data subject is gathered without any omission and ported. If the information has to be erased, the DPO should be able to confirm that the personal data set of the given individual has been erased from all locations except those locations where it is required to be maintained by virtue of the company’s legitimate interests or because of law enforcement or national security reasons.

The task of personal data identification, consent tagging, porting and erasure is a difficult task even if the entire data is handled through the company’s own data center since there is always a tendency for personal data to get scattered in the resources of the company particularly in an unstructured format.

In the extraordinary situation that we are presently in, where most companies had to introduce Work From Home under the COVID 19 lock down conditions, corporate data access had to be given to employees from their home devices without proper preparation as to the security requirements. This could have spread the sensitive personal data of the data subjects to many of the employees’ personal devices.

In such a situation, the designated rights of the data subjects/principals are all subject to “Emergent Exceptions”.

Whenever a suspected data breach incident is reported, the first task of the DPO is to confirm the breach through an investigation and then attempt to preserve the evidence through forensic measures. This is not only required to meet the demands of the Data Protection Authority subsequently, but is also a legal obligation under Cyber Crime laws.

If the DPO fails to meet the requirements, he would not only make the company liable for higher levels of fines for lack of proper post-incident response but also expose the company’s CEO, Directors or CISO, besides himself, to criminal prosecution.

When a company is maintaining its own data center to which it has physical access, several forensic methods may be available for the compliance. Some of these such as “Discovery of Personal Data”, “Consent Tagging” etc may be possible even in the cloud environment. But when it comes to portability and erasure, the cloud infrastructure presents a tough situation where the DPO is completely dependent on the Cloud Service Provider (CSP). If the client is a small entity and the CSP is an Amazon or Microsoft, it is clear that the DPO has no freedom to get what he may want from the CSP and he would be entirely at the mercy of the CSP to meet the compliance requirement of the cloud user.

Some of the Data Protection Contracts of Data Controllers which were developed in the pre-GDPR era had taken into consideration data storage in the company’s own data center and had incorporated clauses which were feasible for implementation in that scenario. However with the migration of storage and certain functions to the Cloud, many of the data processors continue to function under the legacy contracts which contain provisions which are impossible to fulfill in a cloud scenario.

On many occasions, the clients from US and even EU may use their old contract format and not revise it to meet the changed circumstances of both the new responsibilities under GDPR and the use of cloud for storage as well as processing. The Indian processors may find it difficult to convince their clients that the contractual clauses are ab-initio not applicable to the system of data processing that both might have otherwise agreed to. Identification of such situations is essential for Indian data processors to protect themselves from agreeing to do what they know they cannot do.

One such condition we often find in these contracts is the “Data Erasure Standards” to be used both when the personal data has to be first mounted on a new hard disk and also when it has to be deleted permanently. The Data Erasure standards such as DOD 5220.22 M or Bruce Schneier’s algorithm or any other method are developed for hard disk forensics and can apply where the entire storage system is under the control of the data controller/processor/fiduciary. But they do not apply when the data is stored in the cloud where the facilities are shared with others.

Also the techniques of “Deleted Data Recovery” that can be used in Disk Forensics do not function in the shared data storage facilities where the user has control only over a certain number of bytes of storage space spread over a non-contiguous space within the hard disk.

Further, most storage systems even within a computer have migrated from hard disks to SSDs, and the file systems work differently, making it difficult to use legacy forensic systems to carry out forensic investigations.

While some of the challenges mentioned above are not within the control of the DPO to rectify, it is necessary to recognize these limitations and factor them into the data processing agreements as “Disclaimers”.
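As an added illustration (not code from the original post), the sketch below turns an erasure request into a per-location plan: copies retained under one of the exceptions named above, copies on the company's own disks where an overwrite standard can be applied, and copies in shared cloud storage or on employee devices where a legacy disk-erasure clause cannot be met directly. The inventory, identifiers and category names are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Control(Enum):
    OWN_DISK = "own data center disk"          # whole medium under the company's control
    SHARED_CLOUD = "shared cloud storage"      # CSP-managed, shared with other tenants
    EMPLOYEE_DEVICE = "employee home device"   # copies spread during work from home


class Hold(Enum):
    NONE = "none"
    LEGITIMATE_INTEREST = "legitimate interest"
    LAW_ENFORCEMENT = "law enforcement"
    NATIONAL_SECURITY = "national security"


@dataclass(frozen=True)
class Copy:
    subject_id: str                   # data subject the copy belongs to
    location: str                     # where the copy was discovered
    control: Control                  # who controls the underlying storage
    consent_id: Optional[str] = None  # consent tag, None if never tagged
    hold: Hold = Hold.NONE            # reason the copy must be kept, if any


def plan_erasure(inventory: List[Copy], subject_id: str) -> Dict[str, List[str]]:
    """Sort every discovered copy of one subject's data into an erasure action."""
    plan: Dict[str, List[str]] = {
        "retain": [],           # kept under an exception, with the basis recorded
        "overwrite": [],        # own disk: an overwrite standard can be applied
        "csp_request": [],      # shared cloud: deletion depends on the CSP
        "device_followup": [],  # employee device: needs separate follow-up
        "untagged": [],         # discovered without a consent tag
    }
    for copy in inventory:
        if copy.subject_id != subject_id:
            continue
        if copy.consent_id is None:
            plan["untagged"].append(copy.location)
        if copy.hold is not Hold.NONE:
            plan["retain"].append(f"{copy.location} ({copy.hold.value})")
        elif copy.control is Control.OWN_DISK:
            plan["overwrite"].append(copy.location)
        elif copy.control is Control.SHARED_CLOUD:
            plan["csp_request"].append(copy.location)
        else:
            plan["device_followup"].append(copy.location)
    return plan


def clause_gaps(plan: Dict[str, List[str]]) -> List[str]:
    """Locations where a contract clause demanding a disk-overwrite standard
    cannot be fulfilled by the processor itself; candidates for a disclaimer."""
    return sorted(plan["csp_request"] + plan["device_followup"])


# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = [
    Copy("DS-1001", "dc1:/crm/customers.db", Control.OWN_DISK, "C-77"),
    Copy("DS-1001", "cloud-a:bucket/exports/2020-03.csv", Control.SHARED_CLOUD, "C-77"),
    Copy("DS-1001", "cloud-b:backup/invoices", Control.SHARED_CLOUD, "C-77",
         Hold.LAW_ENFORCEMENT),
    Copy("DS-1001", "laptop-emp42:Downloads/leads.xlsx", Control.EMPLOYEE_DEVICE),
    Copy("DS-2002", "dc1:/crm/customers.db", Control.OWN_DISK, "C-91"),
]

if __name__ == "__main__":
    result = plan_erasure(SAMPLE_INVENTORY, "DS-1001")
    for action, locations in result.items():
        print(f"{action}: {locations}")
    print("clause gaps:", clause_gaps(result))
```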

I look forward to receiving feedback from Forensic experts to identify the “Limitations of traditional forensic techniques in a cloud environment” and finding solutions to Data Protection Regulatory compliance.

Naavi


Empathy… an Essential requisite of a good DPO

The functions of a Data Protection Officer (DPO) under the emerging Personal Data Protection Act (PDPA) include the DPO being the single point contact for grievance redressal between the Data Principal and the Data Fiduciary.

In discharging this function, the DPO can choose to be like a post office receiving the grievance and passing it on to somebody else in the organization for resolution. In that case he does not need to even understand what the grievance is and can still call himself the “Contact Person”.

But the intention of PDPA is that the DPO is responsible for ensuring that the rights of the Data Principals are adequately met by the data fiduciary and if in any specific instance the data principal is not satisfied, he can contact the DPO for resolution. If the resolution is not satisfactory, the data principal can take the complaint to the DPA and seek adjudication.

It is the responsibility of the DPO therefore to try and understand the grievance and if possible try to provide a satisfactory resolution at his level itself so that the matter does not have to be escalated to the DPA.

In order to resolve such issues the DPO should be able to come down from his pedestal of a highly paid employee of an IT Company working in the AC cabin and moving around in a chauffeur driven car, and try to appreciate why a data principal is raising a query that he is wronged. It is quite possible that the data principal may be wrong. But the DPO still is responsible to ensure that the data principal is satisfied with whatever resolution he gets.

When the data principal is correct in his complaint, it may be easy to resolve, since conflicts, if any, would be with other internal members, all of whom are part of the superordinate goal of compliance with PDPA. But when the customer is wrong but is adamant that his right has been infringed, the situation is more challenging.

It is not always easy to deal with people who are wrong but do not know that they are wrong. It often happens when we deal with children who are adamant. A good parent always understands that the child does not know as much as he/she does and hence tries to come down to the level of the child to understand and resolve the issue in a manner which the child understands. In such cases, we put ourselves in the shoes of the child and try to understand why he/she is adamant. This requires the parent to give up his ego and deal with the child as an equal, gain confidence and then slowly make him/her realise that the parent is providing something better than what he himself wanted.

This art of grievance redressal is often critical to any mediation. The ability to step into the shoes of another and understand his concerns and his views is “Empathy”, a human skill that is relevant for a good DPO.

Emotion researchers define empathy as the ability to sense other people’s emotions, coupled with the ability to imagine what someone else might be thinking or feeling.

Two major kinds of empathy are often recognized, namely “Affective Empathy” and “Cognitive Empathy”.

“Affective empathy” refers to the sensations and feelings we get in response to others’ emotions; this can include mirroring what that person is feeling. This could be a dysfunctional response where one can feel stressed if the other is stressed.

“Cognitive empathy,” on the other hand, is sometimes called “perspective taking,” and refers to our ability to identify and understand other people’s emotions. This is a positive characteristic of a good leader.

To be successful, the DPO has to develop Cognitive Empathy skills and avoid affective empathy traits. When a complainant comes to you with a problem, being compassionate is one thing, but getting lost in re-living the complainant’s distressed state is another and, often, a problem.

An example which most of us might have seen is when a child is in some kind of a distress and the father and mother are both responding to the situation. The mother being compassionate to the suffering of the child starts crying and sobbing and the father contains his own feelings but immediately moves to do what is immediately necessary, such as picking up the child, rushing him to the hospital etc.

In a work situation also, HR managers often find themselves in situations where they have to be sympathetic and show empathy with people who have some problems, but the solution may not be to also become miserable themselves.

“Counsellors” are often trained to react correctly in such situations, where they are empathetic but not to the extent of reducing themselves to mirroring the problems of others.

Understanding the principle of “Empathy” is relevant to appreciating the very definition of “Privacy Protection” itself, since “Privacy” is a “State of mind” of another person, and when we are trying to protect Privacy, we are trying to give the data subject a feeling of assurance that his privacy has been under his control only.

This principle of “Empathy”, how it differs from “Sympathy”, and the benefits of “Cognitive Empathy” are behavioural skills that an effective DPO must possess.

(Comments are welcome)

Naavi

Reference Article:

Importance and benefits of Empathy.
