Data Productivity Vs Data Security

The concept of “Data” as a raw material on which a certain business can be built gives rise to a discussion on how “Data” can be made more productive and more useful for an organization.

In the context of Data Protection, we always look at one dimension of “Data”, namely how the Data may be compromised and how we can prevent such compromise. In defining “Compromise” we need a benchmark against which “Compromise” can be measured, and this includes certain measures of “Data Governance” such as

a) How Data can be classified

b) How to collect only such data that is required so that every element of data collected has a specific purpose and use. (Purpose limitation)

c) Who needs to access data (Need to know basis)

d) How to avoid unnecessary data lying around the company occupying resources (Storage limitation) etc.

We may observe that the above aspects of Data Governance are covered under the Data Security regime under the principles of Data collection and processing. Additionally, other aspects of security and destruction are part of Data Security.

The Data Security requirements are codified into a “Framework” under various approaches such as the ISO27701, BS 10012 or PDPSI.

If we look at “Data Governance Framework” as a different concept, it appears that the significant difference is that a “Data Governance Framework” should consider “Data” as a raw material for business and the Governance Framework should enable the Company to use “Data” productively.

“Productivity” therefore becomes the principal objective of Data Governance while “Security” is the principal objective of Data Security.

This does not mean that Governance does not involve Security or Security does not have to factor in the “Context” of why Data is being used by an organization.

Data Governance and Data Security are therefore related and complementary to each other.

Productivity and Security however indicate that there could be some conflict. “Security”, in the framework of Privacy protection for example, restricts the use of available data only to the extent of the available “Consent”, which is “Purpose specific”. If a company is in possession of certain data which can be productively used for a purpose other than what the consent has permitted, then under the Data Security regime, the data cannot be used for the alternate purpose unless the consent is modified. This delays the productive use and often prevents the alternate use if the data subject refuses additional consent or is otherwise not available for a response.

Most companies which had a vast amount of personal data in their possession before the GDPR kicked in on 25th May 2018 had to simply discard the data, unmindful of the cost at which it had been earlier acquired and the use that it possessed subsequently. A similar situation will arise in India also when PDPA becomes effective from a specified date.

This is a case where “Security” shoots down productivity mercilessly.

As far as a “Collector” of personal data is concerned (e.g. a Digital Marketing Company), it would be more productive to collect a set of personal data once and distribute it to a number of data controllers. This is like the software framework/components which are re-usable. But the Data Protection regulations prevent the collection of data for one purpose or controller/processor and its use for a different purpose for a different controller/processor. Here again productivity is sacrificed for the purpose of “Data Security”.

There could be many more such instances where Data Security prevents the productive use of Data.

One escape route that the Data Protection regulations provide to overcome the restrictions is when the personal data is “Anonymized”. “Anonymization” needs to be distinguished from “Pseudonymization or De-identification” which is referred to in GDPR.

Indian regulation (PDPA) provides a legal definition of “Anonymization” as an “Irreversible process” by which identifiable personal data is stripped of its identity parameters in such a manner that it cannot be re-identified.

As regards the “Data User” industry such as the “Big Data industry”, some of the requirements do not require the identity parameter and hence “Anonymization” may release the identifiable personal data collected under a “Consent” for purposes outside the “Consent terms”.

The “Data Governance Framework” needs to explore the possibilities of how Data collected with a restrictive consent can be used more productively. Hence “Anonymization” would be one of the strategies that the Data Governance Framework needs to debate and establish standards for.

The second aspect of “Data Governance” is “Productive processing of the identifiable data itself”. This would require precision classification of data, centralized storage, pseudonymization, efficient access systems etc.

Hence Data Governance Framework has a role for identifiable data as well as anonymized data.

The challenge in developing non-conflicting, mutually supporting frameworks for Data Governance and Data Security is to delicately balance “Productivity” with “Security”.

This would also provide an interesting battle in organizations in future between “Data Management Professionals” and “Data Security Professionals”. The IIMs of the future will have to therefore update their curriculum from a study of E Commerce to Study of “Governance of Data” which includes Data Security and how to manage the conflicts between Data Security and Data Productivity.

In developing standards we should work on whether we can combine Data Governance and Data Security into a single framework instead of proliferating the standards. The approach of ISO or BS would of course be to introduce new standards for Data Governance, but in India we need to work on how we can make PDPSI work as an integrated standard of Data Governance and Data Security. Further research is required in this direction.

(Invite comments for debate)

Naavi


How Banks Cheat in Limited Liability instances

At one time, Bankers were considered trusted individuals and respected in the community. But with the advent of technology, Bankers of the older generation receded into the background and technologists came into the Banking profession. Today Technologists have become Bankers and Traditional Bankers who still remain have become slaves of technology aware persons within the Bank.

The new generation Bankers are short on integrity and follow the Kaliyuga principle of “Self Benefit” and “Self Preservation” at the cost of anything. This generation would not hesitate to destroy their neighbor if it helps them.

I, as an ex-Banker, am making this statement after observing the behaviour of some of the Bankers in the current banking scenario.

People are aware how ICICI Bank, in the case of S. Umashankar who lost money through phishing, went about sharing the fraud proceeds with the fraudster, tried to shield the fraudster by erasing evidence, by refusing to file a Police complaint etc. There are several instances where insiders in Banks have themselves committed offences and otherwise assisted outsiders in committing frauds against innocent customers and then dragged the cases in Courts for years using money power.

Fortunately, both the RBI and the TDSAT along with some of the cyber savvy adjudicators under ITA 2000 (IT Secretaries) have come to the assistance of the innocent Cyber Fraud victims in Banks and held the Banks liable to pay the fraud amount back to the victims. They have recognized that dilution of security through negligence or otherwise is an assistance for the commission of the fraud and hence the liability should be borne by the Banks.

The “Limited Liability System” introduced by the RBI was one of the greatest steps in this regard and accordingly, in any case of fraud involving internet banking or credit cards or debit cards, where the fraud has been committed by an outsider, the Customer would have Zero liability if he disputes the transaction when he receives the SMS alert. In such instances, the Bank has to restore the account by providing value dated credit to the customer without any delay.

In order to avoid this liability, Banks have started to play games which are exposing the malicious nature of current day Bankers in India.

Yesterday, I came across an incident involving HDFC Bank in which a credit card customer has found that during the period when his old credit card is being replaced with the new credit card, the old credit card has been swiped in a foreign location for over Rs 1.26 lakhs. The customer when he received the call from the Bank to verify the transaction, has stated that he has not carried out the transaction. However, next day, Bank has sent him an SMS that they were not able to reach him when they tried to inform him about the transaction.

If the Customer thinks that he has already replied and does not take further action to continue disputing the transaction, perhaps the Bank would later on say that he did not respond within 3 days or 7 days and try to hold him liable.

It therefore appears that the Bank is trying to create evidence that it has tried to contact the customer and he was not available. This is a fraudulent action of the bank which should result in criminal action against the persons responsible.

In another incident, ICICI Bank has called a customer about a new card and the card fees. After the customer has indicated that he has no intention of using the card because it is not a free card as was marketed, he has still been billed and is being threatened with adverse effect on CIBIL rating. At the same time, the Bank has recorded a wrong e-mail address of the customer and keeps sending mobile SMS which cannot be replied back.

In both these incidents, Bankers of the current generation have come out as unreliable and fraudulent. The possibility of insider involvement in these instances is high.

I hope both HDFC Bank and ICICI Bank wake up and remember that they exist because of the customers and they need to respect genuine customers and not take any stand that will favour the fraudsters instead of the genuine customers.

Naavi


Has Rajeev Chandrashekar been compromised by the Bitcoin lobby?

A report has appeared in news.bitcoin.com under an article titled “Indian Parliament Member helping Crypto Community influence Regulation” that Mr Rajeev Chandrasekhar, BJP MP from Bangalore has agreed to “help” and “Influence” the Crypto legislation in India. It is also stated that he met some of the leaders of the Bitcoin industry on 16th instant.

The report also states that Rajeev has given “great guidance” on how to approach positive regulations and this is hailed as a good step forward for the “India Wants Crypto” campaign of the Bitcoin lobby in India.

This comes as a surprise since Mr Rajeev Chandrashekar is a technocrat who can understand technology and the real intentions of the Bitcoin lobby which is to promote the “Digital Black Currency” so that all the corrupt members of the society can escape the scrutiny of law and enjoy their black wealth.

So far Mr Rajeev has been considered as an MP who could be relied upon for promoting good causes. Hence it is surprising if the report is true.

However, it is likely that what Mr Rajeev could have said was related to just the Block Chain technology and not Bitcoin as a currency of transactions in replacement of legit currency. It is likely that the Bitcoin community is misusing the courtesy extended by the MP to meet the members of the community who visited him.

I have today requested Mr Rajeev Chandrashekar to clarify if the report is true and will share his views if I get a reply from his office.

I will be the happiest person if I get clarified that Mr Rajeev Chandrashekar remains what I presumed he was ..a knowledgeable and reliable politician who stood for the benefit of the society.

A Disturbing Observation

At the same time it is observed that whether with his knowledge or not, a “Bitcoin Miner” is being run from the website of www.rajeev.in, as indicated by the following report.

What this means is that whoever visits the website of BJP Rajyasabha member Mr Rajeev Chandrashekar, would perhaps be gifted with a “Bitcoin miner injection” into the visitor’s computer.

I would like to point out to Mr Rajeev Chandrashekar that this injection of the bitcoin miner is “Introduction of a computer contaminant” and is a contravention of ITA 2000/8 under Section 43(c) and is also a cognizable offence under Section 66.

I request Mr Rajeev Chandrashekar to clarify if the Bitcoin Miner has been included in his website code with his consent and knowledge. If not he can clarify how it got into his website.

At the same time Mr Rajeev Chandrashekar may clarify his stand on Bitcoin legislation and whether he has given his assurance to “Influence” the legislation ostensibly in favour of the Bitcoin community.

I also request Mr Rajeev Chandrashekar to make a public declaration of his “Bitcoin” and other “Private Crypto currency holding”.

I also request Mr Rajeev Chandrashekar to publicly disclose the entire discussions which he had with the Bitcoin industry representatives which included Mr Satvik Vishwanathan who had been recently arrested by Bangalore police on charges of attempted illegal transactions involving setting up of Bitcoin ATMs, and was therefore a target for investigation by the Enforcement Directorate.

Naavi

P.S: I have been an admirer of Mr Rajeev Chandrashekar, and it is with a lot of pain in my heart and disillusionment that I have written this article. I pray to Lord Ayyappa of Shabarimalai (which Mr Rajeev has visited perhaps today) that wisdom may dawn on Mr Rajeev to clarify that he is not with the Digital Black Currency that Bitcoin represents.


Views of Kris Gopalakrishna…on Privacy…3

(This is in continuation of the previous article)

We shall now take a few other comments made by Mr Kris Gopalakrishna as follows and try to derive an inference out of them.

5.“I think our concept of privacy will go through a change because we are voluntarily disclosing whom we are because we want some service”.

6.“The understanding of data privacy would go through a change once the boundaries around data were clearly drawn, dispelling concerns about disclosing identity”

7.“Establishing policies around data, how industry must responsibly use your data and respect your privacy — today it’s not codified and hence the worry about disclosing your identity,”

I am not sure why Mr Kris says that “Establishing policies around data…is not codified today”. The PDPA does exactly address this issue (though it is in the process of being enacted). The Corporate responsibilities on what principles of collection and processing are to be followed and how the “Data Trust Score” has to be developed etc. have been addressed by PDPA. We have only to get the law passed without delay and get the implementation process into action.

As regards the concerns about disclosing the identity, the concept of the data collector being a “Data Fiduciary” and exercising the responsibility of a trustee can address the concern to a large extent, much more than what GDPR has addressed as the Data Controller’s responsibilities.

If therefore the KGC does not trample on the implementation process of PDPA, privacy governance in India through data protection would make substantial progress. If the DPA then takes control, the data protection regime can bring confidence to people concerned with their privacy.

Speaking on “Anonymity” Mr Kris has commented

8) “Globally, companies are looking at anonymising data — stripping data sets of personal attributes of individuals and gleaning meaningful inferences from the data points.”

This aspect has been addressed by PDPA both by declaring that Anonymization will take personal data out of the jurisdiction of PDPA and also by criminalizing re-identification where anonymized information may be re-identified.

The very definition of “Anonymization” is that it can never be re-identified, but under the concept of “Dynamic Data” and the “Corporate restructuring” as well as AI, nobody can be certain that an anonymization process will be 100% effective.

The failure of anonymization and consequential re-identification can be addressed under PDPA if properly implemented by hoisting vicarious liabilities on the inefficient anonymization as well as the re-identification.

Lastly, Mr Kris has reflected

9. “Unfortunately or fortunately, data, compared to all the previous eras — agriculture, manufacturing and IT or digital — where the economic value lay in physical goods, knows no national boundaries. It can be transmitted without friction. How does a nation create value on the data of its citizens? How does a nation protect the data of its citizens? These are the questions everyone is grappling with”

In this comment, Mr Kris has acknowledged the need for data sovereignty and the need for the country to consider aggregated personal data as an asset of the nation. It is precisely this concept which is in conflict with commercial exploitation and the committee has to show how it will ensure that the national interests are not compromised.

Partially the PDPA will address this issue. KGC will however need to ensure that its recommendations do not provide loopholes for commercial establishments to take the benefits of Indian personal data out of the country. If they are allowed, this will be considered as “Data Laundering” or “Data havala” similar to money laundering and havala.

If this committee can find a Data Governance framework that can prevent the TransUnion type of data heist, then it will be a great achievement. Let us hope the committee would be able to reach this goal.

(Comments welcome)

Naavi


Views of Kris Gopalakrishna…on Privacy…2 Leveraging data for the benefit of the individuals

(This is in continuation of the previous article)

The next two comments of Shri Kris Gopalakrishna that we would like to analyze are

2. “India has a huge opportunity to leverage data in every aspect: data will be very important in providing credit, better banking services, healthcare, education, retail and ecommerce.”

3. “Everywhere, the efficiency can be improved, services levels enhanced. It is not just the companies benefitting, the individual also benefits,”

These comments reflect the potential for corporate benefit such as credit rating, health insurance etc which are projected to be beneficial to the individual because of better efficiency.

Ever since e-Governance and E Banking concepts became a reality in India, we the Citizens and the Consumers have been held out the promise of “Economy through Digitization”. But in practice such economies have never been realized. At one time we had free Banking. Now we need to pay for ATM services and also for physical visits to the branches. There are charges for NEFT transfers (maybe they have been removed now). The annual ledger charges have now become service charges and the Government benefits from these through Service tax and GST. As a result, E Banking has become more expensive than non e-Banking. Similarly, E Governance has become more expensive than non e-Governance. Over and above this, fraud risks are to be borne by customers. Even Cyber Insurance cost is hoisted on the consumers.

This “Higher Efficiency and benefit to the consumer” is therefore a scam that IT companies promote. The less said about it, the better.

Let us therefore forget this benefit coming to consumers out of Big Data Governance. The fact is that eventually, commercial companies will make more money and consumers will pay for more security. There could of course be new services and convenience, but it is a trade-off with additional cost.

We can also look at another comment made by Mr Kris that is related to the above.

4. “In the physical world, property rights have been clearly established. I think, over time, property rights will be clearly established in the online world.”

We have debated this at length earlier. GDPR has not adopted the “Property” concept. California Consumer Privacy Act has adopted the “Property Concept”. In India DISHA (proposed) endorsed the property concept of personal data but PDPA rejected it and brought in a superior concept of “Data Trusteeship”.

The concept adopted by PDPA is globally unique though many in the industry may not appreciate its value and by ignorance degrade it to the GDPR concept of “Personal data being a transferable Right”.

This is one area where I would wish the KGC does not err. I urge each of the members of the committee to go through the discussions presented at naavi.org on the concept of “Data Fiduciary-Data Principal relationship” and how it differs from “Data Controller-Data Subject relationship”.

Initially, I had also preferred the “Property” concept at one level and a separate intermediary of “Data Trusts”, but Justice Srikrishna was more innovative and suggested something better in the concept and merged the concept of Data Trusts into the concept of Data Controller and created the “Data Fiduciary”.

This innovation needs to be preserved as it has the potential to be one of the most innovative concepts in Data Protection regulations across the globe.

While leveraging the benefits of the Personal data aggregation, the KGC should ensure that there is no “Data Laundering” through “Mergers and Acquisitions”, as we have pointed out in the case of TransUnion taking over CIBIL.

Similar corporate re-structuring tactics may be used to defeat some of the provisions of Data Protection such as Data Sovereignty and cross border restriction of personal data transfer.

We need to watch if these contentious issues will be addressed by the committee with National Interest in mind.

Personally, I have an apprehension that the strong industry lobby that opposed Data Localization in PDPA will, through NASSCOM and other industry members of the committee try to dilute the Data Sovereignty principle and the Data Localization requirements. Taking a conspiratorial speculative outlook, I even have a thought in the corner of my mind that this committee has been formed only with the idea of killing the Data Localization concept strongly promoted by Justice Srikrishna committee. I hope Mr Kris will realize this in due course and does not allow such manipulation.

I hope the minutes of meeting of this committee would be available under RTI for the public to ensure that no such deviations of purpose occur.

In fact, these are the days when Legislative proceedings are broadcast in real time and we are asking the Supreme Court to conduct hearings with a real time video broadcast to the public. It is therefore time that committees such as these also consider public broadcast of their proceedings. This will ensure transparency in the operations of the committee.

Will the Chairman consider video broadcasting of proceedings in real time?

(Continued)

Naavi


Views of Kris Gopalakrishna.. What do they indicate for the Privacy regulation in India?

(Continued from the previous article)

Shri Kris Gopalakrishna, Co-Founder of Infosys who has been appointed the “Chairman” of the “Expert Committee on Data Governance Framework” with the terms of reference

a) To study various issues relating to Non Personal Data

b) To make specific suggestion for consideration of the Central Government on regulation of Non Personal Data

has provided some indication of what is in his mind on “Privacy” and “Data Protection” through his interview in ET. From his interview we have culled out 9 statements on which we provide our comments.

The reason why we are taking up this for debate is that the views of the Chairman of the committee could influence the final outcome of its recommendations and hence it is necessary for data protection regulation watchers to understand his mindset.

The views and corresponding comments are as follows. These comments do not necessarily indicate any disagreements but try to clarify issues.

1. “the broad strokes of data regulations lie in trying to leverage the economic value of data for the benefit of the citizens, not just for corporations, and protecting them from the vulnerabilities inherent in the digital era.”

In the past, the broad strokes of “Data Protection regulation” were embedded in “Cyber Crime Prevention” legislations such as ITA 2000/8. It recognized “Data” as a valuable asset of the organization, and companies do protect data in their own interests. But when an enterprise fails to protect data and, apart from adversely affecting its own interest, adversely affects the interests of other persons, the law provided a remedy which included prosecution of the company and its officials for negligence.

After the advent of strong data protection laws, the broad strokes of “Data Protection Regulation” leveraged the need of individual privacy protection. Hence GDPR prescribed stringent penalties that made the industry sit up and take notice of the compliance requirements. In India, PDPA was framed by Justice Srikrishna to provide a similar “Data Protection Governance Framework”.

These regulations kept a window open to accommodate the interests of the Data Analytics industry by accommodating “Legitimate Interest” and “Anonymization of Personal Data”.

Anonymized data was completely out of the Data protection regulation and “Re-identification of anonymized data” was a punishable offence/civil wrong in some of these regulations. Similarly, Corporate data was out of the purview of these legislations, though some ambiguities remained on “Employee Data” and “Business E-Mail”.

The “Data Governance Framework” of the pre-data protection regulation era and also the “Anonymized and Non Personal Corporate Data” in the “Post-data protection regulation era” were dictated by frameworks such as the Information Security models of ISO. In the post data protection regulation era, the GDPR/PDPA compliance framework assumed importance and supplemented the earlier ISO frameworks. Some of the ISO frameworks like ISO27001 voluntarily added ISO27701 like provisions as extensions so that they can assist companies in securing both corporate and personal data.

The PDPSI (Personal Data Protection Standard of India) as proposed by Naavi was a “Data Governance Framework” for personal data and suggests a similar approach to Corporate/Non personal data.

Now the Kris Gopalakrishna Committee (KGC) on Data Governance Framework has flagged “leveraging the economic value of data” for the benefit of the citizens. This “economic value” gets generated by the aggregation and derivation out of the individual data accumulated from different sources. If the source is an “Anonymized pool” of personal data (which may include the IoT data), the economic value of the aggregated data is what the Big Data industry is today exploiting.

The Justice Srikrishna committee however flagged a different type of data where one person provides an identified data under a consent but it automatically reveals the personal data of his family or community and on aggregation reveals certain value added behavioural information and raised a concern that this needs to be regulated.

It is not clear if the KGC will restrict its recommendations to the processing of “Anonymized personal data” only or “Identified community information” which relates to “Community Privacy”.

The views of Kris Gopalakrishna indicate that contributors of individual data should benefit by their contribution even when it is anonymized and converted into value added data. This is the concern raised by Naavi in his article on Dynamic Data.

There is an IPR issue in the case of such value creation and whether the citizen can be provided a part of the benefit through a legislation and if so, how needs to be explored.

(To be continued)

Naavi
