Sri Lankan Data Protection Bill fails to learn from the Indian draft

The Sri Lankan Ministry of Digital Infrastructure and Information Technology (SLMDIIT) has announced that it has finalized a framework for a Data Protection Bill defining measures to protect the personal data of individuals held by Banks, Telecom Operators, Hospitals and other entities that aggregate and process personal data. The ministry has set a 3-year time frame for implementation of the law.

The framework has adopted the populist format of defining the “Data Subject” and “Data Subject’s Rights”, “Data Controller/Processor” and “Transparency and Accountability measures to be followed by the Data Controller/Data Processor”, “Use of Consent”, “Setting up of an appellate authority for Data Protection”, etc.

According to the statement of the ministry, the drafting Committee had also taken into account international best practices, such as the OECD Privacy Guidelines, APEC Privacy Framework, Council of Europe Data Protection Convention, EU General Data Protection Regulation and laws enacted in other jurisdictions such as United Kingdom, Singapore, Australia and Mauritius, Laws enacted in the State of California as well as the Indian Bill, when formulating the said draft Legislation.

We may note that the Bill is silent on “Right to Forget” which indicates that some original thinking has also gone into the drafting.

However, unfortunately the Sri Lankan drafting committee has failed to understand the key innovation which Justice Srikrishna introduced in the Indian law which many of the observers fail to notice.

The world over, data protection practitioners are aware that “Consent” is the only instrument that links the “Privacy Choice” of an individual to the way the personal data is processed. However, in the online world, there is no way by which a consent can be fully “Informed” and a legally valid consent obtained. Most of the time consent is one step towards availing an online service, and the data subject is in a hurry to click “I Accept” without reading the Privacy Statement/Policy offered for his perusal. Most such consents contain excessive permissions, and the data subject is not capable of understanding them and responding with a calibrated permission.

In other words, the system of “Consent as an instrument of expression of Privacy Choice” of an individual has failed. Putting complete faith in Consent is therefore a mistake that GDPR committed, the Indian Bill avoided and the Sri Lankan Bill failed to take note of.

The PDPB/A (the draft Personal Data Protection Bill/Act) presently under discussion in India and drafted by Justice Srikrishna has redefined the relationship between the Data Subject and the Data Controller as one of Data Principal and Data Fiduciary.

I am aware that many observers blinded by the GDPR glare have failed to notice the impact of this subtle change in the terminology which has been supplemented in the Bill elsewhere with the words “Any person processing personal data owes a Duty to the Data Principal to process such personal data in a fair and reasonable manner” and Naavi may at present be the only person in India highlighting this key provision of the Bill. However, we are sure that the import of this difference between PDPB/A and GDPR will be realized by the industry in due course and will be interpreted properly to incorporate the following three principles.

1. “that the Data Fiduciary and the Data Processor will have a responsibility beyond the consent to take such steps as are fair and reasonable to protect the privacy of the individual”

2. “that the Errors and Omissions as well as the Misrepresentations and Wrong perceptions that can creep into the written consent are not the final binding contractual instructions of the Data subject to the Data Fiduciary”

3. “that the Data Fiduciary/Processor is bound to exercise due diligence in the interest of the Data Principal to protect his Privacy beyond the apparent expression of desire of the data principal in the consent instrument”.

Sri Lanka had the advantage of adopting a similar posture in its draft bill, which it has failed to do. This is a disappointment.

There is however one other element of the Sri Lankan media release which attracts attention and has relevance to India.

The media release states:

“The accountability obligations would require the Controllers to implement internal controls and procedures, known as a “Data Protection management Program”, in order to demonstrate how it implements the data protections obligations imposed under the Act.”

I specially note the words “Data Management” used in this sentence, either with purpose or otherwise, instead of something similar to “Information Security Practice” or “Security Safeguards” etc.

In India, having spoken of the “Security Safeguards” under section 32, we are now separately discussing the “Data Governance Framework” for which another committee has been formed by the Government.

The Sri Lankan statement indicates that it has directly jumped from “Information Security Management” halfway to “Data Management” by recognizing the need for “Managerial Approach to Data Security” instead of the “Technical Approach”. I accept that what Sri Lanka means is nothing different from ISMS and not Data Governance.

But the use of the word “Management” draws attention to the need to look at Data Protection as part of an overall Data Governance System, of which Data Security is one part. Security of Personal Data is in turn a sub part of Data Security itself, which should apply to “All Data”.

“All Data” relates to Corporate Data, Anonymized Data, IoT generated data etc and without managing the Data in general an enterprise cannot get into securing the data.

Further, with more and more countries coming up with their own regulations, an enterprise is likely to be confronted with the need to be compliant with a bouquet of data protection laws.

The PDPSI (Personal Data Protection Standard of India) has captured this requirement already by introducing a Data Classification system where the “Applicable Law” will be a parameter of the tag to be associated with a “Personal data set”.

The details of the data classification system recommended under PDPSI can be found here.

Naavi has therefore suggested that in order to implement any Data Protection regulation, it is essential to first identify the applicable law and ensure that data is kept in appropriate silos where the relevant law can be applied. Mixing up the data would not be an efficient way of complying with the law.
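To make the siloing idea concrete, here is an added example (not PDPSI's own tooling and not code from this site) of tagging each personal data set with an “Applicable Law” derived from the data subject's jurisdiction and keeping the records in one silo per law, so that an obligation under one law (an access report, an erasure request) is applied only to the silo that law governs. The jurisdiction-to-law mapping, the law labels and the sample records are constructed for illustration; an unknown jurisdiction is refused rather than guessed, because a record left untagged is exactly the “mixed up” data the text warns against.

```python
"""Tag personal data sets with their applicable law and keep them in per-law silos.

Added example, not part of PDPSI or any official tooling. The jurisdiction-to-law
mapping, the law labels and the sample records are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed mapping from the data subject's jurisdiction to the law the
# enterprise treats as applicable. Labels are placeholders, not a legal determination.
APPLICABLE_LAW: Dict[str, str] = {
    "IN": "PDPB",        # Indian draft Bill
    "LK": "SL-DP-BILL",  # Sri Lankan draft Bill (placeholder label)
    "DE": "GDPR",
    "FR": "GDPR",
    "GB": "UK-DPA",
    "US-CA": "CCPA",
}


@dataclass(frozen=True)
class PersonalDataSet:
    record_id: str
    subject_jurisdiction: str
    category: str          # e.g. "health", "financial"
    applicable_law: str    # the tag assigned at classification time


def classify(record_id: str, subject_jurisdiction: str, category: str) -> PersonalDataSet:
    """Derive the applicable-law tag; refuse unknown jurisdictions instead of guessing."""
    law = APPLICABLE_LAW.get(subject_jurisdiction)
    if law is None:
        raise ValueError(f"no applicable law configured for jurisdiction {subject_jurisdiction!r}")
    return PersonalDataSet(record_id, subject_jurisdiction, category, law)


class SiloRegistry:
    """One silo per applicable law, so each law's obligations are applied to one silo only."""

    def __init__(self) -> None:
        self._silos: Dict[str, Dict[str, PersonalDataSet]] = {}

    def store(self, ds: PersonalDataSet) -> None:
        # The silo key is the tag itself, so a record can never sit in a foreign silo.
        self._silos.setdefault(ds.applicable_law, {})[ds.record_id] = ds

    def laws_in_scope(self) -> List[str]:
        """Which regimes the enterprise must currently comply with."""
        return sorted(self._silos)

    def count(self, law: str) -> int:
        return len(self._silos.get(law, {}))

    def apply_under(self, law: str, op: Callable[[PersonalDataSet], object]) -> List[object]:
        """Run an obligation (e.g. building an access report) over that law's silo only."""
        return [op(ds) for ds in self._silos.get(law, {}).values()]

    def erase(self, law: str, record_id: str) -> bool:
        """Serve an erasure request made under a specific law. A request citing the
        wrong law never reaches another silo; it simply finds nothing."""
        silo = self._silos.get(law, {})
        return silo.pop(record_id, None) is not None


def build_registry(raw_records) -> SiloRegistry:
    """Classify a batch of (record_id, jurisdiction, category) tuples into silos."""
    reg = SiloRegistry()
    for rid, jur, cat in raw_records:
        reg.store(classify(rid, jur, cat))
    return reg


# Constructed sample records: (record_id, subject_jurisdiction, category)
SAMPLE_RECORDS = [
    ("r1", "IN", "financial"),
    ("r2", "DE", "health"),
    ("r3", "LK", "telecom"),
    ("r4", "FR", "financial"),
    ("r5", "IN", "health"),
]

if __name__ == "__main__":
    reg = build_registry(SAMPLE_RECORDS)
    print("laws in scope:", reg.laws_in_scope())
    print("GDPR silo size:", reg.count("GDPR"))
    print("PDPB record ids:", reg.apply_under("PDPB", lambda d: d.record_id))
    print("erase r2 under GDPR:", reg.erase("GDPR", "r2"))
    print("erase r1 under GDPR (wrong silo):", reg.erase("GDPR", "r1"))
```

The design choice worth noting is that the silo key and the record's tag are the same value, so the "no mixing" property holds by construction rather than by a later audit; the remaining risk is an incomplete jurisdiction mapping, which is why `classify` fails loudly.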

Along with the Data Classification suggestion as above, PDPSI has also adopted several other measures of “Data Management” such as identifying “Internal Personal Data Gate Keepers and Controllers”, “Grievance Redressal mechanism” etc.

It is for this reason that PDPSI has already recognized the importance of “Data Governance” as the key requirement of Data Protection and is ready for the implementation of the Data Governance Framework.

Sri Lanka could have taken note of such developments and refined its regulation and made it even better than the Indian draft.

Hopefully with the further developments in India when the Bill gets passed into an Act, the Sri Lankan draft Bill will also undergo corresponding changes and be better than what it now is.

Naavi

Posted in Cyber Law

Aadhaar Linking of social media

Following the direction of the Supreme Court to the Centre to file an affidavit on its measures to regulate social media, and the discussions on whether Aadhaar can be linked to Social media accounts, UIDAI has come out with its view that a “New Law is needed for Aadhaar-Social Media Linkage”.

UIDAI has often been at the receiving end with the Supreme Court on the permitted uses of Aadhaar, on which the citizens of India have spent crores of rupees. Recently, eminent jurist Harish Salve said that the “Supreme Court” is responsible for the economic slowdown in India.

In the mining sector alone, 23 lakh jobs appear to have been lost because of the Supreme Court judgements.

The reason such opinions are coming forth is that the Supreme Court is often going beyond its judicial duties and not allowing the Government to perform its executive functions, because it has a soft corner for the Anti Modi lawyer brigade who find fault in everything the Government does.

Perhaps the Supreme Court has now realized that there is some truth in these allegations and hence has gone slightly soft in its latest order regarding the “Linking of Aadhaar to Social Media”. It has directed the Government to come up with its guideline in this matter.

The bench of Justices Deepak Gupta and Aniruddha Bose has observed that “Technology” has taken a “Dangerous turn” and there is a need to curb the misuse of social media.

In December 2018, the Government had actually come up with a revision of its 2011 administrative notification on “Intermediary Guidelines under Section 79 of ITA 2000/8”. This had several provisions to regulate fake news in social media.

This was just an administrative notification, but the Government, unsure of its own ability to withstand legal scrutiny, put up the notification for public comments. Since it was a pre-election scenario, a lot of noise was raised by the political opposition and a petition was also filed in the Supreme Court. Public comment was sought, the guideline went into oblivion and the lobby which was against the regulations succeeded in stalling the regulation.

Now the Supreme Court is coming back to advise the Government on framing a regulation. It is necessary for the Court to now dismiss the earlier petition against the regulation and let the Government proceed with the regulation.

Naavi has time and again pointed out that there is a need to protect social media from being misused, and one of the means is to allow “Identified Social Media Players” an extra freedom to express themselves as against the “Anonymous Cyber Stonepelters”. The so called “Trolls” in social media are mostly people who hold fake accounts and use them to discourage the expression of people who dare to express themselves while identifying themselves.

Many of the articles on this site highlight not only the problems but also the solutions. Even now Naavi recommends that a suitable solution to prevent misuse of Social Media can be implemented without the need for the Government to tinker with the Aadhaar law.

This has been discussed several times in this site and can be operationalized without any delay if the technical framework can be built up to back the suggestions.

But so far there has been a lack of will from the Government or Private technology players. I hope that the current situation will at least prompt some aggressive technology people to take up this project immediately.

Such companies can even implead in the current suit in the Supreme Court and plead for an opportunity to present their plan, so that if the Supreme Court or the Government has any suggestions they can be implemented. Alternatively, the Government can present the project as one line of approach to find a solution and respond to the Supreme Court.

We need to wait and see how the solution unfolds in the coming days.

Naavi


Posted in Cyber Law

A Landmark Judgement from EU on Jurisdiction

The Yahoo Nazi Memorabilia case, fought over the French and US jurisdictional issues, had so far remained the landmark judgement on the application of jurisdiction to websites that can be viewed across borders. That case finally upheld the jurisdiction of the US courts to determine what Yahoo Inc can do outside France on websites which are not in the French language and therefore not directed specifically at French citizens.

Now the judgement of the EU Court has correctly struck down the extension of the “Right to be Forgotten” outside the EU, and provides the much needed clarity on the application of EU laws outside the EU region. In particular, GDPR watchers would find some relief in this judgement.

At present our comments are based on newspaper reports, and we reserve our comments until the detailed order is studied. For immediate reference, we refer to the article in moneycontrol.com titled “Google wins case over reach of EU right to be forgotten”.

According to the report, the EU Court of Justice has said:

“…There is no obligation under EU law for a search engine operator to extend the rule beyond the EU States”

In a manner of satisfying its ego, the Court has also said that the search engine operator must put measures in place to “Discourage” internet users from going outside the EU to find that information. This needs to be ignored because if the Court admits lack of jurisdiction in the first place to apply the law, it lacks jurisdiction to advise and set guidelines for the operations of organizations outside EU.

During the last one year, many citizens of the EU have been harassing companies in other countries, including India, with notices related to GDPR. Now these troublemakers should realize that there is a limit to the extraterritorial jurisdiction of the EU and it cannot infringe on the sovereignty of other countries.

This judgement should put a stop to all such arguments.

Copy of the judgement

Naavi

Posted in Cyber Law

Event in Bangalore on 27th September 2019 for Corporate Counsels

Posted in Cyber Law

Supreme Court directs Government to find a solution for Aadhaar Linking to Social Media

The ongoing controversy of “Preventing Fake News” has now taken an interesting turn with the Supreme Court directing the Government to file an affidavit within 3 weeks on how it proposes to link Aadhaar to the social media accounts as being discussed in the Madras High Court in a petition. The Supreme Court has acknowledged the misuse of social media and the adverse impact it has on the society and National Security.

In the past, when the Government came out with the “Intermediary Guidelines”, as well as in any other case involving the key word “Aadhaar”, the Supreme Court came down heavily against the Government as if it were selling out the Privacy Right of Indian Citizens. The Privacy activists who want to oppose anything the Government does, supported by the Congress advocates, took the cases to the Supreme Court and prevented any action from being taken by the Government. But for these negative strategies pursued by some activists and supported by the Supreme Court, there would have been strong “Intermediary Guidelines under Section 79 of ITA 2000” by this time.

Now the bench of the Supreme Court which has provided the current ruling appears to be very reasonable in acknowledging that neither the Supreme Court nor the High Courts are competent enough to take a final view on this techno legal matter and the Government is perhaps in a relatively better position to come up with a suggested solution.

The problem with the Government is that it does not have an adequate mechanism to respond to such needs, since it has killed the “Cyber Advisory Committee” which was mandatory for such purposes according to ITA 2000, and is banking on an inadequate set of Delhi based advisers to provide a solution which ultimately always falls short of expectations and meets the opposition of the Court.

I hope at least this time the Modi 2.0 Government finds a proper solution which should satisfy the Supreme Court.

Naavi has been advocating that within the provisions of the current ITA 2000 and the proposed structure of the Personal Data Privacy Act, there is a reasonably effective solution to meet this problem. Unfortunately the Government does not listen to innovative suggestions, and the private sector is not sure of the revenue capability of such a solution. The so called “Innovators” in the Start Up domain are more interested in re-inventing the wheel by taking up the same type of project again and again, without actually taking up a really innovative project.

In the current context of the Supreme Court putting a sort of deadline on the “Traceability” of social media transactions, Naavi proposes that there can be a “Public-Private Partnership” which can meet the needs of the Government and at the same time make the project self sustaining and perhaps profitable.

I look forward to the Government coming up with a proposal to invite suggestions from the private sector and perhaps it may be possible to provide a good response to Supreme Court within the deadline.

Watch this space for more information on this topic.

Naavi

Posted in Cyber Law | 2 Comments

What is Community Privacy? and who has the right of disposal?

Yesterday, there was a conference titled “Communique19” at SITM (Symbiosis Institute of Telecom Management), Pune. (SITM is incidentally renaming itself, more appropriately, as Symbiosis Institute of Digital and Telecom Management or SIDTM). The conference, amongst other things, discussed the Personal Data Protection Bill, and the above photograph shows the panel members.

The panel as seen above consisted of (From Left to Right) Mr Satish Dwibashi of Wibmo.com, Mr Neeral Arora, Advocate and Forensic Expert, Dr Sriram of DSCI, Mr Venkata Satish Guttula of Rediff, as well as me and Mr Sridhar Sidhu of Wells Fargo.

While discussing the issues, I highlighted the differences between GDPR and PDPB/PDPA. I have explained the differences many times on this website and hence I am not going to repeat them, and will take up another point for discussion.

During the discussion, which also raised the issue of the “Data Governance Framework”, I highlighted the formation of the new Kris Gopalakrishna committee and the background in which the committee was formed.

I may recall my earlier article/s in which I had made a mention of “Community Privacy” as a concept which had been referred to by Justice Srikrishna in his report. I take this opportunity to explain what could be one instance of the “Community Privacy” which is reflected in the above photograph.

I, like the other participants in the panel, signed a permission to SITM that any photographs taken during the session could be used by SITM in social media etc. This is pretty much what happens in every conference, though ICO, UK started the practice of giving a notice that such photographs may be considered as not violating the privacy of the individual.

The above photograph however has been uploaded by me here because I was one of the participants in the panel. However, in the process, I might have violated the wishes of any of the other participants who might have liked to keep the photograph out of view of the visitors of Naavi.org. Though the panelists might have given the permission to SITM and SITM has placed it in public domain and I have also sought permission from these gentlemen, it is not clear if they have consented for this publication.

This is a classic example of how data of one person becomes the “Shared Data” of another person due to the context in which the personal data is generated and the decision of the other person to share it according to his wishes could be a point of contention.

This is what Justice Srikrishna indicated as the “Community Privacy Issue”, for which neither PDPB/A nor any other law like GDPR has provided an explanation. He suggested that the Government may consider a new regulation for this purpose.

If Kris Gopalakrishna Committee (KGC) takes a cue from the preamble in the circular indicating the formation of the Committee and interprets the terms of reference that such “Community Data” is “Non Personal Data”, it may include community data as part of its discussion and declare it as part of the “Big Data” or provide another intermediary status to such “Community Data”.

Is this therefore a case of “Community Privacy” that needs to be regulated?

If so, how do we regulate it?

Can the photograph per se, without the names, be considered “Not identifiable” and hence “Anonymous”? Or is the degree of “Anonymization” in this instance nothing more than “De-identification”, which does not constitute “Anonymization” as defined under PDPB?

These are some of the interesting thoughts that emerge out of this instance.

In the past, I had raised the issue of “Recording of Telephone Conversations” and expressed the opinion that the conversation belongs to both the “caller” and the “called”, and recording is considered the right of both persons. In the context of our discussions now, I see a clear explanation for my earlier view, because this telephonic conversation belongs to the class of data now known as “Community Data”, and hence all the members of the community (in this case the caller and the called) have joint and several rights to use the data as per their choice.

This “Joint and Several” right to dispose of the data will be the key to defining the regulation of community data. Once such data is considered the personal data of each of the individuals, the rest of the regulation may follow the lines of PDPB/A as the contextual risk assessment demands. While each member may have a right to refuse permission to consider the data as Community data by a specific disclaimer, it may be considered that by default the data belongs to all persons in the community.

As regards the original photographer, his status would be like a “Data Fiduciary” who posts it in a social media or deals with the information in any other manner in the general interest of the data principals.

As regards the “Anonymization”, it may be considered that the photo without the names is actually “Anonymized”, but only to a basic level of obfuscation. The identity of the persons is known only to those who know them, either from memory or by use of some identification tool.

Had we perhaps masked the faces, the anonymization could have gone to the next level and if all the others had been cut off from the picture, perhaps the anonymization would have been complete though it would have eroded the value of the data completely.

The person who assigns identity to the respective persons is required to take up the responsibility of “Re-identification” of the anonymized data (Which will be a criminal offence when PDPB/A becomes operational), unless he can provide a suitable defence of either “Prior Permission” or “Prior publication”.

If the identity is assigned by an AI algorithm and it commits a mistake, then there will be other issues such as whether it was a “Negligent Mistake” or “Recklessness/mischief” and accordingly the responsibility will have to be placed.

Consent is otherwise inherent in the participants allowing themselves to be photographed.

While these comments and opinions apply without much controversy in the case of a photograph of this nature, taken on the stage where a panel discussion was held, during such conferences many “Candid” photographs are also clicked by the photographers, which may capture moments which the subject may or may not like to be made public.

How should such photographs be handled? Will they require “Explicit Consent”? These are points for a separate debate. The responsibility of the photographer and the first publisher of such photographs is high in such cases.

This discussion on “Community Privacy”, as well as its resolution through considering such data a “Joint and Several Right”, is raised, I believe, for the first time in India. Readers are welcome to contribute their thoughts. I hope the KGC takes note of these views and incorporates them in its deliberations.

I am also trying to convince a few experts in Bangalore to constitute a shadow committee to discuss and deliberate this issue of “Community Privacy” and publish a document. Let us see how this project proceeds.

Naavi


Posted in Cyber Law | 3 Comments