Personal Data Vs Business Data comes for discussion with Mr Modi

In his continued interaction with US business, Mr Narendra Modi, PM of India, met about 40 US-based global CEOs, and a discussion emerged about the new Data Protection law that India is contemplating.

The US businessmen raised the issue of “Data Localization”, which has been one of the contentious issues. Mr Modi appears to have provided a diplomatic answer: that data belongs to the data subjects and that the law will balance the interests of the individual with those of the business trying to commercialize the personal data.

Refer to the article in TOI.

Indian law provides ample provisions to enable cross-border transfer of data. When the information is neither sensitive nor critical, it can be transferred, though a working copy has to be maintained in India. Sensitive personal information, other than that declared “Critical”, can be transferred subject to Standard Contractual Clauses, explicit consent, adequacy of laws, intra-group schemes approved by the DPA, health emergencies, etc.

The cross-border transfer rules of India are not much different from the GDPR but are stated differently. While the GDPR says data can be transferred subject to ……, Indian law says that data cannot be transferred unless……..

The issue behind this controversy is “Data Sovereignty”, and there is a need for US business to understand that Mr Modi stands as much for India as Mr Trump stands for the US when it comes to the sovereign rights of the country.

In the process of the discussions, a point that has cropped up is the distinction between “Personal Data” and “Business Data”. Naavi has in the past highlighted how GDPR enthusiasts often consider business e-mail as personal data and try to mount penal charges on the users of business e-mail for digital marketing purposes. The discussions in the US were perhaps centred around the “Transaction Data” of an individual's e-commerce transactions, which US business wants to exploit for commercial gain. Whether this is to be treated as “Business Data” or “Evolved Personal Data” in which the business has an intellectual property right, and whether an individual can provide consent for the use and transfer of such data for a consideration, are matters of further debate.

It must be noted that the Big Data industry, which deals with “Anonymized” data, has no problem with the Indian PDPA since such data is outside the regulatory ambit. It is only the identifiable data of an individual's business transactions that needs to be recognized as a “Disputed Data Territory”.

A proper legal clarification on such data can perhaps be issued when the next set of regulations on the “Data Governance Framework” is considered in India. US business may therefore wait for this legislation to take shape before raising its voice, which was so meek when it came to opposing the provisions of the EU GDPR but has become vocal in opposing the Indian PDPA.

Naavi has held that there is a solution for this issue as well, one that is feasible as a commercial business proposition both under the current ITA 2000/8 and the forthcoming PDPA. The problem is that the so-called “innovative” start-up entrepreneurs are too busy replicating business ideas already in the market rather than investing in new ideas. We therefore have to wait a while until the start-up entrepreneurs and the VCs mature in their thinking and are prepared to develop a business which has no precedent.

Naavi

Posted in Cyber Law

Churning Expected in Corporate Data Governance hierarchy

We have been discussing the impact of the new Data Protection laws on the protection of the “Privacy” of individuals ever since the GDPR came into the debate in corporate circles. The DPO under the GDPR regime became a key player in the corporate management team since he was expected to be senior enough to report directly to the Board.

Until now, the CISOs had assumed importance in the corporate management hierarchy, marching ahead of the CTO. The legal fraternity was fighting for a place as Chief Compliance Officers (CCO). The CROs (Chief Risk Officers) in the meantime were working close to the Board since they were addressing the business concerns of the top management.

The advent of the DPO into the corporate management team upset the apple cart of the corporate hierarchy, as the DPO suddenly had to be somebody capable of advising the management on data security issues, along with the responsibility of managing the relationship with the Supervisory Authority.

Additionally, Article 38(3) of the GDPR mandates:

“The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.”

As a result of the above provision, the DPO suddenly became the most important official in the organization. With the high levels of penalties in the GDPR, and the need for the DPO to report data breaches to the DPA, keeping the DPO happy became a strategic necessity in companies subject to the GDPR.

The GDPR, however, gave one relief to companies by making it possible to appoint an “External” consultant or consultancy firm as the DPO, which companies could use to ensure that the DPO does not become a whistleblower threat at some point of time. However, wherever a company decided to have an in-house DPO, the DPO obviously became an official more important than even the CISO.

Since the DPO required “Legal” knowledge, the CCOs looked at occupying this key position. But with most CCOs coming from a legal background and having a low technology background, companies had to search for the right persons beyond the CCOs to fill the role of DPO.

Amidst the competition between the CISO and the CCO to become the DPO, companies that had created the role of a CRO had another contender for the post, because he was already close to the senior management and carried some influence with the board members.

Now the proposed Indian legislation, viz. the Personal Data Protection Bill/Act (PDPB/A), has also created the necessity for a DPO in all IT organizations in India handling personal data in some form. The PDPB/A requires the DPO to be an employee; engaging an outside consultant is not available as an option.

If we look at the responsibilities of a DPO, it is clear that he should be an expert in technology and business to be able to guide and monitor the organization’s data processing activities, besides assisting and cooperating with the DPA and acting as a single point of contact for the Data Principals.

The skills required to manage this responsibility remind one of the Indian “Neethi Sara” on the six virtues of a “Wife”, which states:

“Karyeshu Dasi, Karaneshu Manthri; Bhojeshu Mata, Shayaneshu Rambha, Roopeshu Lakshmi, Kshamayeshu Dharitri, Shat dharmayukta, Kuladharma Pathni”.

Section 36 of the PDPB lists 7 requirements of a DPO, which we can call the “Requirements of an ideal DPO”.

Just as it is difficult to find the Kuladharma Patni mentioned in the Neethi Sara, it is not easy to find the right executive who meets all 7 requirements of the DPO as mentioned in the PDPB/A.

Organizations like FDPPI (Foundation of Data Protection Professionals in India), of which the undersigned is the Chairman, are setting their sights on creating such ideal DPO material over a period of time. A number of professionals, some with ISO audit backgrounds or certifications in international privacy laws, are presenting themselves to be considered eligible for the position of DPO in India. But many of them need to re-skill themselves with knowledge of the law in India, and it will take some time to get ideally “Qualified persons” for the position of DPO. Even if some acquire certifications of various kinds, the need to handle the Data Principals and the DPA, in addition to colleagues in the organization, poses a challenge to most of these professionals.

In the meantime a new challenge has come up, with the Government starting preliminary work on a new regulation that may address the needs of processing “Non Personal Data”, which is the raw material for the Big Data industry. The formation of the Kris Gopalakrishna Committee to work on the requirements of a regulation for “Community Privacy” and a “Data Governance Framework” is throwing up a new challenge that brings in “Management” personnel to “Manage the Data” for productive use as an asset of the organization. These Data Governance Managers/Officers (DGOs) may be another group of people who will throw their hat in the ring to be considered as the people who call the shots, not only for protecting the data technically like the CISOs, but also from the compliance angle like the DPOs.

The DGOs may emerge not from an IT background like the CISOs, or a legal background like the DPOs, nor even a risk management background like the CROs, but from a “Management Background”. The usual IIM-trained management professionals could be the people who fill this role of “Managing the Data Asset of an organization”. In future organizations, we may therefore see a tussle between the DGOs, the DPOs and the CROs to occupy the prestigious role of advisors to the Board on Data Management, Data Security and compliance with Data Security regulations.

It would be interesting to watch who wins the race to the top of the corporate echelon.

Naavi

Posted in Cyber Law

Sri Lankan Data Protection Bill fails to learn from the Indian draft

The Sri Lankan Ministry of Digital Infrastructure and Information Technology (SLMDIIT) has announced that it has finalized a framework for a Data Protection Bill defining measures to protect the personal data of individuals held by banks, telecom operators, hospitals and other entities that aggregate and process personal data. The ministry has set a three-year time frame for implementation of the law.

The framework has adopted the populist format of defining the “Data Subject” and “Data Subject’s Rights”, “Data Controller/Processor”, “Transparency and Accountability measures to be followed by the Data Controller/Data Processor”, “Use of Consent”, “Setting up of an appellate authority for Data Protection”, etc.

According to the statement of the ministry, the drafting committee also took into account international best practices, such as the OECD Privacy Guidelines, the APEC Privacy Framework, the Council of Europe Data Protection Convention, the EU General Data Protection Regulation and laws enacted in other jurisdictions such as the United Kingdom, Singapore, Australia and Mauritius, laws enacted in the State of California, as well as the Indian Bill, when formulating the said draft legislation.

We may note that the Bill is silent on the “Right to be Forgotten”, which indicates that some original thinking has also gone into the drafting.

Unfortunately, however, the Sri Lankan drafting committee has failed to understand the key innovation which Justice Srikrishna introduced in the Indian law, an innovation that many observers fail to notice.

Data protection practitioners the world over are aware that “Consent” is the only instrument that links the “Privacy Choice” of an individual to the way the personal data is processed. However, in the online world there is no way by which a consent can be fully “Informed” and a legally valid consent obtained. Most of the time consent is one step towards availing an online service, and the data subject is in a hurry to click “I Accept” without reading the Privacy Statement/Policy offered for his perusal. Most such consents contain excessive permissions, and the data subject is not capable of understanding them and responding with a calibrated permission.

In other words, the system of “Consent as an instrument of expression of Privacy Choice” of an individual has failed. Putting complete faith in consent is therefore a mistake that the GDPR committed, the Indian Bill avoided, and the Sri Lankan Bill failed to take note of.

The PDPB/A (the draft Personal Data Protection Bill/Act) presently under discussion in India, drafted by Justice Srikrishna, has redefined the relationship between the Data Subject and the Data Controller as one of Data Principal and Data Fiduciary.

I am aware that many observers, blinded by the GDPR glare, have failed to notice the impact of this subtle change in terminology, which has been supplemented elsewhere in the Bill with the words “Any person processing personal data owes a Duty to the Data Principal to process such personal data in a fair and reasonable manner”, and Naavi may at present be the only person in India highlighting this key provision of the Bill. However, we are sure that the import of this difference between the PDPB/A and the GDPR will be realized by the industry in due course and will be interpreted properly to incorporate the following three principles.

1. “that the Data Fiduciary and the Data Processor will have a responsibility beyond the consent to take such steps as are fair and reasonable to protect the privacy of the individual”

2. “that the Errors and Omissions as well as the Misrepresentations and Wrong perceptions that can creep into the written consent are not the final binding contractual instructions of the Data Subject to the Data Fiduciary”

3. “that the Data Fiduciary/Processor is bound to exercise due diligence in the interest of the Data Principal to protect his Privacy beyond the apparent expression of desire of the data principal in the consent instrument”.

Sri Lanka had the opportunity to adopt a similar posture in its draft bill, which it has failed to do. This is a disappointment.

There is however one other element of the Sri Lankan media release which attracts attention and has relevance to India.

The media release states:

“The accountability obligations would require the Controllers to implement internal controls and procedures, known as a “Data Protection management Program”, in order to demonstrate how it implements the data protections obligations imposed under the Act.”

I specifically note the words “Data Management” used in this sentence, whether by design or otherwise, instead of something like “Information Security Practice” or “Security Safeguards”, etc.

In India, having spoken of the “Security Safeguards” under section 32, we are now separately discussing the “Data Governance Framework” for which another committee has been formed by the Government.

The Sri Lankan statement indicates that it has jumped directly from “Information Security Management” halfway to “Data Management” by recognizing the need for a “Managerial Approach to Data Security” instead of the “Technical Approach”. I accept that what Sri Lanka means is nothing different from an ISMS and not Data Governance.

But the use of the word “Management” draws attention to the need to look at Data Protection as part of an overall Data Governance System, of which Data Security is one part. Security of personal data is in turn a sub-part of Data Security itself, which should apply to “All Data”.

“All Data” covers corporate data, anonymized data, IoT-generated data, etc., and without managing data in general an enterprise cannot get into securing the data.

Further, with more and more countries coming up with their own regulations, an enterprise is likely to be confronted with the need to be compliant with a bouquet of data protection laws.

The PDPSI (Personal Data Protection Standard of India) has captured this requirement already by introducing a Data Classification system where the “Applicable Law” will be a parameter of the tag to be associated with a “Personal data set”.

The details of the data classification system recommended under PDPSI can be found here.

Naavi has therefore suggested that in order to implement any Data Protection regulation, it is essential to first identify the applicable law and ensure that data is kept in appropriate silos where the relevant law can be applied. Mixing up the data would not be an efficient way of complying with the law.
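The tagging and siloing idea above can be illustrated in code. The following is an added example, not PDPSI's, Naavi's or any official implementation: each personal data set carries a tag whose parameters include the applicable law, data sets are routed into one silo per law, and sets tagged with the Indian draft are checked against the cross-border transfer rules as this page summarises them (general data needs a working copy in India; sensitive but non-critical data needs a recognised ground; critical data stays). The law labels, category names and ground names are simplified assumptions.

```python
"""Applicable-law tagging, silo routing and a cross-border transfer check.

Constructed illustration, not PDPSI's or any official code.  Law labels such
as "IN-PDPB" and "EU-GDPR", the sensitivity categories and the ground names
are simplified assumptions modelled on the page's summary of the draft.
"""
from dataclasses import dataclass
from enum import Enum


class Sensitivity(Enum):
    GENERAL = "general"      # neither sensitive nor critical
    SENSITIVE = "sensitive"  # sensitive personal data, not declared critical
    CRITICAL = "critical"    # declared critical: stays in India


# Grounds the page lists for transferring sensitive (non-critical) data.
TRANSFER_GROUNDS = frozenset({
    "standard_contractual_clauses", "explicit_consent", "adequacy_of_laws",
    "dpa_approved_intra_group_scheme", "health_emergency",
})


@dataclass(frozen=True)
class DataSetTag:
    applicable_law: str          # the "Applicable Law" parameter of the tag
    sensitivity: Sensitivity
    working_copy_in_india: bool = False


@dataclass(frozen=True)
class PersonalDataSet:
    name: str
    tag: DataSetTag


def route_to_silos(datasets):
    """Group data sets by applicable law so each silo is governed by exactly
    one law and that law's rules are never applied to a mixed collection."""
    silos = {}
    for ds in datasets:
        silos.setdefault(ds.tag.applicable_law, []).append(ds.name)
    return silos


def indian_cross_border_check(ds, grounds=frozenset()):
    """Return (allowed, reason) for moving an IN-PDPB-tagged data set abroad.
    The law tag is checked before any category rule is applied."""
    if ds.tag.applicable_law != "IN-PDPB":
        return False, "not an IN-PDPB data set; apply that silo's own law"
    s = ds.tag.sensitivity
    if s is Sensitivity.CRITICAL:
        return False, "critical personal data: no cross-border transfer"
    if s is Sensitivity.GENERAL:
        if not ds.tag.working_copy_in_india:
            return False, "working copy must be maintained in India first"
        return True, "general data: transfer permitted, working copy kept in India"
    used = sorted(set(grounds) & TRANSFER_GROUNDS)
    if not used:
        return False, "sensitive data: needs a recognised transfer ground"
    return True, "sensitive data: transfer permitted under " + ", ".join(used)


def demo():
    """Constructed sample data sets; returns the silos and each decision."""
    sets = [
        PersonalDataSet("orders", DataSetTag("IN-PDPB", Sensitivity.GENERAL, True)),
        PersonalDataSet("health", DataSetTag("IN-PDPB", Sensitivity.SENSITIVE)),
        PersonalDataSet("critical_set", DataSetTag("IN-PDPB", Sensitivity.CRITICAL)),
        PersonalDataSet("eu_crm", DataSetTag("EU-GDPR", Sensitivity.GENERAL)),
    ]
    decisions = {ds.name: indian_cross_border_check(ds, {"explicit_consent"})[0]
                 for ds in sets}
    return route_to_silos(sets), decisions


if __name__ == "__main__":
    print(demo())
```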

Along with the Data Classification suggestion above, PDPSI has also adopted several other measures of “Data Management”, such as identifying “Internal Personal Data Gate Keepers and Controllers”, a “Grievance Redressal mechanism”, etc.

It is for this reason that PDPSI has already recognized the importance of “Data Governance” as the key requirement of Data Protection and is ready for the implementation of the Data Governance Framework.

Sri Lanka could have taken note of such developments and refined its regulation and made it even better than the Indian draft.

Hopefully with the further developments in India when the Bill gets passed into an Act, the Sri Lankan draft Bill will also undergo corresponding changes and be better than what it now is.

Naavi

Posted in Cyber Law

Aadhaar Linking of social media

Following the direction of the Supreme Court to the Centre to file an affidavit on its measures to regulate social media, and the discussions on whether Aadhaar can be linked to social media accounts, UIDAI has come out with its view that a “New Law is needed for Aadhaar-Social Media Linkage”.

UIDAI has often been at the receiving end with the Supreme Court on the permitted uses of Aadhaar, on which the citizens of India have spent crores of rupees. Recently, eminent jurist Harish Salve said that the “Supreme Court” is responsible for the economic slowdown in India.

In the mining sector alone, 23 lakh jobs appear to have been lost because of the Supreme Court judgements.

The reason such opinions are coming forth is that the Supreme Court is often going beyond its judicial duties and not allowing the Government to perform its executive functions, because it has a soft corner for the anti-Modi lawyer brigade who find fault in everything the Government does.

Perhaps the Supreme Court has now realized that there is some truth in these allegations and hence has gone slightly soft in its latest order regarding the “Linking of Aadhaar to Social Media”. It has directed the Government to come up with its guideline in this matter.

The bench of Justices Deepak Gupta and Aniruddha Bose has observed that “Technology” has taken a “Dangerous turn” and there is a need to curb the misuse of social media.

In December 2018, the Government had actually come up with a revision of its 2011 administrative notification on “Intermediary Guidelines under Section 79 of ITA 2000/8”. This had several provisions to regulate fake news in social media.

This was just an administrative notification, but the Government, doubtful of its ability to withstand legal scrutiny, put up the notification for public comment. Since it was a pre-election scenario, a lot of noise was raised by the political opposition and a petition was also filed in the Supreme Court. Public comment was sought, the guideline went into oblivion, and the lobby which was against the regulations succeeded in stalling the regulation.

Now the Supreme Court is coming back to advise the Government on framing a regulation. It is necessary for the Court to now dismiss the earlier petition against the regulation and let the Government proceed with the regulation.

Naavi has time and again pointed out that there is a need to protect social media from being misused, and one of the means is to allow “Identified Social Media Players” extra freedom to express themselves as against the “Anonymous Cyber Stonepelters”. The so-called “Trolls” in social media are mostly people who hold fake accounts and use them to discourage expression by people who dare to express themselves under their own identity.

Many of the articles on this site highlight not only the problems but also the solutions. Even now Naavi recommends that a suitable solution to prevent misuse of social media can be implemented without the need for the Government to tinker with the Aadhaar law.

This has been discussed several times in this site and can be operationalized without any delay if the technical framework can be built up to back the suggestions.

But so far there has been a lack of will from the Government or Private technology players. I hope that the current situation will at least prompt some aggressive technology people to take up this project immediately.

Such companies can even implead in the current suit in the Supreme Court and plead for an opportunity to present their plan, so that if the Supreme Court or the Government has any suggestions they can be implemented. Alternatively, the Government can present the project as one line of approach to finding a solution in its response to the Supreme Court.

We need to wait and see how the solution unfolds in the coming days.

Naavi


Posted in Cyber Law

A Landmark Judgement from EU on Jurisdiction

The Yahoo Nazi memorabilia case, fought over French and US jurisdictional issues, had so far remained the landmark judgement on the application of jurisdiction to websites that can be viewed across borders. That case ultimately upheld the jurisdiction of the US courts to determine what Yahoo Inc can do outside France on websites which are not in the French language and therefore not directed specifically at French citizens.

Now the judgement of the EU Court, which has correctly struck down the extension of the “Right to be Forgotten” outside the EU, provides the much needed clarity on the application of EU laws outside the EU region. In particular, GDPR watchers would find some relief in this judgement.

At present our comments are based on newspaper reports, and we reserve further comment until the detailed order is studied. For immediate reference, we refer to the article in moneycontrol.com titled “Google wins case over reach of EU right to be forgotten”.

According to the report, the EU Court of Justice has said:

“…There is no obligation under EU law for a search engine operator to extend the rule beyond the EU States”

In a manner of satisfying its ego, the Court has also said that the search engine operator must put measures in place to “Discourage” internet users from going outside the EU to find that information. This needs to be ignored, because if the Court admits in the first place that it lacks jurisdiction to apply the law, it also lacks jurisdiction to advise and set guidelines for the operations of organizations outside the EU.

During the last year, many citizens of the EU have been harassing companies in other countries, including India, with notices related to the GDPR. Now these troublemakers should realize that there is a limit to the extraterritorial jurisdiction of the EU and that it cannot infringe on the sovereignty of other countries.

This judgement should put a stop to all such arguments.

Copy of the judgement

Naavi

Posted in Cyber Law

Event in Bangalore on 27th September 2019 for Corporate Counsels

Posted in Cyber Law