The New Dubai Data Protection law stresses Compliance and Accountability

The new Dubai Data Protection law, in comparison to the 2007 version, places far more emphasis on Compliance.

Legitimate Interest

Article 8 of the old Act and Article 9 of the current Act speak of the General Requirements. It may be observed that most of the requirements in the 2007 law have been carried over to the 2020 law, with the addition of “Transparency”.

Additionally, “Lawfulness” has been separately expanded in Article 10, and Accountability and Notification are separately explained under Article 14 (2020). Six bases have been identified under “Lawfulness”, any one of which is considered acceptable. This follows the GDPR model and includes:

a) Consent

b) Necessity for performance of a contract in which the Data Subject is a party

c) Necessity for compliance of an applicable law that a “controller is subject to”

d) Necessity for protecting the vital interests of a data subject or of any natural person

e) Necessity for the functioning of DIFC

f) Legitimate interest

The 2020 law also adds genetic and biometric data to the list of special categories defined in the earlier version, the processing of which requires “Explicit Consent”.

Consent and Notice have been covered in detail, along with Accountability. The onus of proving that Consent has been obtained lies on the Data Controller.

Article 10(1)(f) states that one of the lawful bases on which personal data can be processed is where:

“Processing is necessary for the purpose of legitimate interests pursued by a Controller or a Third Party to whom the Personal Data has been made available, subject to Article 13, except where such interests are overridden by the interests or rights of a Data Subject.”

Article 13, on the other hand, states:

(1) A public authority subject to DIFC law may not rely on the basis of legitimate interests under Article 10(1)(f) to Process Personal Data.

(2) A Controller that is part of a Group may have a legitimate interest in transferring Personal Data within its Group for internal administrative purposes.

(3) Processing of Personal Data shall be considered a legitimate interest of a Controller if it is necessary and proportionate to prevent fraud or ensure network and information security.

In terms of compliance, therefore, a Data Controller should always look for “Consent” and, when in doubt, bring the processing under the legitimate interest argument, preferably supported by appropriate internal documentation.

Accountability

One of the areas of emphasis in the new version of the law is the Accountability of the Data Controller. The Controller needs to establish data protection by design and by default, taking into account a risk assessment, and establish a compliance program. The law repeatedly emphasizes the “Proportionality” of data collection to the purpose of collection.

Article 14(7) states:

“A Controller or Processor shall register with the Commissioner by filing a notification of Processing operations, which shall be kept up to date through amended notifications.”

Article 14(8) also states that the above notification shall be kept in a publicly available register maintained by the Commissioner.

This provision is similar to the Indian provision requiring a “Privacy by design policy” to be filed with the DPA, and is a significant change to be noted.

(To Be continued…)

Naavi

Earlier Articles

The New Dubai Data Protection Law is Bigger, Better and Will bite harder
Dubai Data Protection Law


The New Dubai Data Protection Law is Bigger, Better and Will bite harder

From July 1st 2020, life will not be the same for companies that opened offices in the Dubai International Financial Centre (DIFC) for various reasons. The new Data Protection Law of 2020 will become effective and will entirely replace the earlier, milder law of 2007.

The law applies essentially to the processing of personal data by automated means, and to personal data that forms part of a filing system. It applies to all companies incorporated in DIFC irrespective of where the personal data is processed. At the same time, it applies to companies irrespective of their place of incorporation if personal data is processed in DIFC as part of a stable arrangement for the processing of personal data in the context of activity in DIFC. It excludes the processing of personal data by individuals exclusively for domestic purposes.

While we can discuss the changes in the Grounds of Processing, Data Subject’s rights and Compliance requirements separately, it may be immediately noticed that the new law enhances the remedies available to Data Subjects and also imposes administrative fines from $50,000 to $100,000 for various contraventions, besides directions for cessation of business or reprimands. Additionally, the Commissioner can award compensation to data subjects, or the data subjects may make a claim for compensation through a grievance redressal process or with the intervention of the Court.

Where more than one Controller or Processor is involved, the liabilities will be applicable jointly and severally.

It is therefore time for companies in India that have Dubai offices to take a fresh look at their Data Protection obligations. Many Indian companies might have entered into business agreements with local companies, but they will continue to be liable as either a Joint Controller or a Data Processor, and hence have to assess their liabilities under the new law.

(More discussions will follow)

Naavi


Prospectus for FDPPI Program on CDPP-Module G released

Early Bird Discount: Up to 30th June 2020

Membership : Rs 5000 only

Full waiver of Training fee of Rs 6000/-


China Cyber War Risk is now manifesting

On September 23, 2014, Naavi.org had written:

Quote

China has always been an unreliable nation and cannot be trusted for business relations. China is the leader in Cyber Warfare and using their technologies for our bullet trains and smart cities is an open invitation to disaster if and when there is a cyber war between India and China.

It is good for Mr Modi to keep China at arm’s length in the field of technology and ensure that India tries to develop its capabilities in the technology era with the assistance of Japan and USA.

Indian companies doing business with China should also be careful not to transfer any critical technology to China, in the long-term interest of our country.

Unquote

This was not the first time Naavi.org had highlighted the China risk. The fact that China was working on Quantum Supremacy and developing its own encryption system, the risk of buying Chinese mobiles, POS machines and computers that may have Manchurian Chips or malware installed, the risk of hiring Chinese employees, the risk of transferring IT knowledge to China, and the possible use of Bitcoins by China to destabilize the Indian economy have all been highlighted at different points of time.

At the same time, Naavi had also brought to the notice of CERT-In, some time in May 2017, that there was a suspicion that an incident report sent to the email address incident@cert-in.org.in appeared to have been opened in China; the same had been investigated and cleared by CERT-In.

It is therefore no surprise that, when border tensions with China are mounting, there could be a Cyber Attack on India. CERT-In has issued an advisory indicating that there could be a large-scale phishing attack and that even an e-mail address such as “ncov@gov.in” could be used in the phishing. This indicates that CERT-In had actually identified that an e-mail account by this name could have been created in the Government domain and that the same could be linked to China.

It is therefore reasonable to presume that there is prima facie evidence of an “Attempt to initiate a Cyber Attack”, which can be considered “Cyber Terrorism” under Section 66F of ITA 2000.

If so, CERT-In’s response of issuing an advisory of the type it has issued is only the minimum requirement and is grossly insufficient.

CERT-In can perhaps warn China that India reserves its right to come out with its evidence and launch a case against China for Cyber Terrorism in an international court.

At the same time, the Government should start putting some checks on Chinese mobile and laptop sales in India so that the risk of implanted backdoors is curtailed. It was reported that the OnePlus 8 mobile was quickly overbooked, showing the demand for Chinese products.

Each of these devices could carry planted spyware into India, and we need to check them before allowing their import. Just as China insisted that Microsoft deposit its Windows code before selling Windows computers in China, we have to insist that the OS code in Chinese mobiles be deposited with the Government before allowing the import of any mobiles from China.

It is only such strong moves that will have any security impact on China, and the advisory on Phishing is a grossly insufficient response.

Naavi

Also Refer: Is there an Indo_Russia Cyber Attack Collaboration in the offing?


On demand course on PDPA... Making India PDPA Ready

In its continued effort to prepare professionals to “Be Ready...Be Compliant...Be Aware”, Cyber Law College and Naavi.org have introduced an on-demand education program on PDPA.

The Program consists of:

  1. 14 hours of video from Naavi
  2. One hour of live interaction

On completion of the course, participants will receive a participation certificate from Cyber Law College. They can alternatively opt to take FDPPI’s Certification program for “Certified Data Protection Professional-Module I” by paying the prescribed examination fee as per the terms of FDPPI.

Subscription to the program gives access to the video lectures for a period of 3 months.

Simultaneously, a similar online program is also being introduced on Cyber Laws and Information Technology Act.

Details are available here

After the present Personal Data Protection Bill becomes an Act, a free online upgrade session to discuss the changes, if any, will also be conducted. This course will be revised subsequently with fresh recordings after the Act comes into effect, and those who have subscribed to this version of the course will be given a discounted subscription for the post-Act version.

Naavi


How Legitimate Interest is factored in the PDPSI framework

PDPSI (Personal Data Protection Framework) is one of the suggested frameworks for compliance with data protection regulations, like BS 10012 or ISO 27701.

The PDPSI framework tries to address the requirements of Data Fiduciaries/Data Processors, incorporating all the best practices under the international frameworks and extending them to meet some of the difficulties encountered by implementing agencies.

In this article, I try to explain a few concepts which are necessary to adopt the PDPSI framework for compliance with data protection regulations. (Please refer to www.pdpsi.in, where there are many other articles on the framework.)

Naavi


We often use the terms Data Protection and Information Security as synonyms. However, with the advent of strong Personal Data Protection regulations like the GDPR and the forthcoming Indian PDPA, there is now a need to distinguish the terms Data Protection and Personal Data Protection. If we would like to use the term “Data Protection” only in the context of “Personal Data Protection”, then we should use the term “Information Security” to refer to “Protection of Non Personal Data”.

We should adopt this convention and also distinguish the two terms in terms of implementation of any compliance requirements.


“Data” is generally recognized as an “Asset” of an organization. It is often generated within the operations of the organization and sometimes acquired at a cost.

The objective of any commercial organization is to earn legitimate profits in business by using its assets. Hence companies that want to use Data as a raw material for their business activity are well within their rights.

While processing “Data”, the organization has to recognize that the subset “Personal Data” requires a separate treatment because it has to be compliant with the applicable laws.

“Personal Data” is like the hazardous inventory that an Inventory Manager has to confront, the storing and processing of which requires special knowledge of the data protection laws. It is for this reason that, while the CISO handles the responsibilities of securing the Data asset in an organization and a Data Governance Manager/Officer (DGO) handles the responsibilities of ensuring the productive use of that Data asset, the Personal Data Protection Officer (DPO) is assigned the special role of protecting the Personal Data in the custody of the organization.

While the DGO and CISO handle the “Non Personal Data” from the management and security perspective, the DPO needs to handle the “Personal Data” both from the point of view of management and also from the point of view of security.

The DPO will determine how productively personal data can be used and also how to secure it as per the law. Since the processing of personal information should conform to the requirements of the relevant data protection regulation, proper compliance with this provision requires:

a) Classification of data as Personal data

b) Identifying the purpose of processing

c) Identifying the lawful means of processing

The Data Protection laws place high reliance on “Informed Consent”. At the same time, they also recognize that obtaining “Consent” may sometimes not be practically feasible, and in such cases they factor in exemptions and derogations. Additionally, emergencies and public interest also have to be recognized.

Beyond all these lies the concept of “Legitimate Interest of the Data Fiduciary/Data Controller”.

While “Purpose” is the end objective of processing, “Means” is the path through which the objective is achieved. In the context of Data Processing, Purpose and Means are closely related and often used synonymously.

In view of the different purposes of processing permitted under the data protection laws, the Data Fiduciary/Data Controller can use an appropriate means of processing personal data, which may fall into any of the 5 categories indicated in the following diagram.

A purpose of processing which is “Unlawful” is obviously out of consideration for a Data Fiduciary.

Those purposes of processing which are not covered by the exemptions and derogations and are also not covered under the consent or emergencies have to be considered under the “Legitimate Interest of the Data Fiduciary”.

Any other purpose would be considered “Non compliant”.

The management of the “Legitimate Interest” of the organization in a manner in which personal data remains productive, without increasing the risk of non-compliance with data protection regulations, is the challenge that the DPO has to handle.

However, the DPO has to appreciate that most data protection laws try to draw a line between “Legitimate Interest” and “Harming the Privacy Right of Data Principals (also called Data Subjects)”. The boundary of the legitimate interest argument is the unacceptable harm caused to the data principal.

One extreme view of Privacy activists has always been that “Privacy is Paramount”. If this argument is accepted, then there is no “Legitimate Interest” argument: either there should be a public duty or legal compulsion of some sort (which includes legal self-defence), or there should be “Consent”.

However, as long as the term “Legitimate Interest” remains in the legislation (Both GDPR and PDPA use this term)

GDPR recital 47 states:

“The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller….

the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place…

The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned…

The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

The Indian PDPA, as proposed, indicates under Section 22(d) that every data fiduciary shall indicate the legitimate interest in the Privacy by Design policy, which is approved by the DPA and hence becomes an “Approved Objective of Processing”. The Indian law has reduced the uncertainty between what the Data Fiduciary may consider “Legitimate Interest” and what the privacy activist may consider an “Intrusion of Privacy” by bringing in the concept of the “Privacy By Design Policy”, a document that is filed with the DPA at the time of registration of a Significant Data Fiduciary.

In the light of the above, let us now introduce how PDPSI tries to address the legitimate interest of a business.

PDPSI differs from other frameworks such as ISO 27701 or BS 10012 in that it tries to bring in the concept of a “Unified Data Protection Program”. Both ISO 27701 and BS 10012 address a PIMS for GDPR. PDPSI, on the other hand, addresses a PIMS for PDPA-India, GDPR, PDPA-Singapore, CCPA, Dubai DPA, UK DPA, etc. It is a single framework which branches off into individual compliance requirements. It also encourages a technical architecture that supports the need for multiple data protection requirements.

The identification of what falls under “Legitimate Interest” is the responsibility of the apex Governance committee for Personal Data Protection. This apex committee, which may be called the Personal Data Protection Committee or by any other name, should have representation of:

1) At least one Independent Director of the Company

2) The CEO

3) The DPO

4) The CISO

5) The CTO

6) The CCO

7) One or more Business managers

8) HR Manager

9) Data Governance Manager (if any)

The designation of a DPO without conflicting responsibilities and the constitution of this committee are an essential starting point for compliance with PDPA, and PDPSI places significant weightage on this aspect.

In the committee, propositions of what should constitute the legitimate interest of the organization, beyond what is otherwise permitted, should be discussed and approved into the charter of implementation.

As a process, the legitimate interest discussion stems from a business proposition by the Business Manager that is converted into a technical process by the CTO and approved by the CISO, but objected to by the DPO.

The DPO may raise objections on the ground that the identified process and purpose may infringe the Privacy rights of a data principal.

The Committee has to deliberate and arrive at a consensus on why the suggested process is necessary for the business and what safeguards can be introduced based on the suggestions of the DPO.

Following this, the process will be part of the Privacy By Design Policy or a DPIA, and in both cases Indian law envisages an approval from the DPA. If the DPA suggests any modifications, the process has to be discussed once again and approved.

The DPO on his own may have to refrain from a unilateral decision, since the determination of legitimate interest has an impact on every other business function and should carry the concurrence of top management.

We shall explore more on how PDPSI achieves this unified data protection implementation in the follow up articles.

(To Be Continued)

Naavi
