Startup TV Channel as a Budget Proposal

Among the several “Vision” statements in the 2019-20 budget proposal, one that attracts particular attention is the proposal to start a television channel exclusively for start-ups.

Naavi.org has been engaged in “Awareness Building” on Cyber Law Compliance since 1998, and with the enactment of the Personal Data Protection Act (PDPA) in the offing, there will be many more such awareness activities that need to be done. This objective of Naavi.org, which has been carried over to organizations like FDPPI (Foundation of Data Protection Professionals in India), may now have an additional tool for reaching out to people through this very unexpected budget proposal, namely “Start Up TV of India”.

This channel is supposed to be started as part of the Doordarshan bouquet and is expected to serve as a platform for promoting start-ups, discussing issues affecting their growth, matchmaking with venture capitalists, and for funding and tax planning.

Inasmuch as a “Start Up” is a business venture, the entire business domain will come under the scope of this TV channel. It could be like CNBC TV or ET News without the stock-market noise.

I have in the past discussed programs on Cyber Security with some channels, but most of them have felt that the “TRP” for such programs may not be attractive. So, the proposal of “Start Up TV of India” will also face the challenge of commercial viability, which needs to be efficiently handled.

It is not clear if this TV will run under the guidance of the Ministry of IT or Ministry of Information and Broadcasting.

Mrs Nirmala Sitharaman stated that the channel will be designed and executed by start-ups themselves.

We do not know if there have already been some discussions in this regard and whether somebody has been assigned the responsibility for it.

It will however be interesting to see how this idea develops in the coming days.

Naavi

Posted in Cyber Law

Cyber Insurance awareness is on the rise

Naavi has been an evangelist for Cyber Insurance for a long time. In fact, a separate blog, cyberinsurance.org.in, was created to have a focused discussion on Cyber Insurance, only to find that the interest level of the market was still too low for the blog to be of interest as a separate entity. In 2015, Naavi conducted an all-India survey on the status of Cyber Insurance to understand the state of the industry. It was found that there was a huge gap in the understanding of user industries about Cyber Insurance as a product. Many had not even considered it as a requirement within their IS policy.

However, it is now found that at least about 350 corporate Cyber Insurance policies have been issued. About a year ago individual Cyber policies were also introduced by Bajaj Allianz and later by HDFC ERGO, and it is indicated that more than 15,000 individual policies are in operation at this point of time. Hence it appears that Cyber Insurance as a concept has at least taken off.

Over the last two weeks, I have had extensive discussions with many Insurance professionals to understand the “Perception Gap” between the cyber insurance user industry and the insurance companies. I will try to share some of these thoughts and an analysis of some of the insurance policies through these columns.

I have set two objectives for this latest activity focusing on Cyber Insurance:

  1. Bridging the perception gap between the Information Security industry and Cyber Insurance industry by being the conduit of knowledge exchange between these two industry professionals.
  2. Developing the possibility of a specific Cyber Insurance Policy extension or a Cyber Policy itself to cover the risks that arise due to the PDPA (Personal Data Protection Act) that is in the offing.

The above exercise involves conducting many awareness sessions for the Cyber Insurance industry to make them understand the expectations of the IS industry, and vice versa.

The PDPSI (Personal Data Protection Standard of India) security framework, which has been announced by the undersigned, is ready to be used as a framework for compliance with PDPA. It can also serve as guidance for a “Cyber Insurability audit” and hence could assist insurance companies in assessing the premium.

Watch out for more discussions in this aspect and join me in this new push for Cyber Insurance.

Naavi

Posted in Cyber Law

Chai Pe Charcha at Pune

Naavi will be meeting a group of IS and Cyber Insurance professionals in Pune to discuss the impact of PDPA on the Cyber Insurance industry.

Naavi

Posted in Cyber Law

PDPA Compliance for Data Analytics and AI industries

PDPA, or the Personal Data Protection Act, which is expected to be introduced in Parliament during the current session, will be a landmark legislation in India. Presently PDPA is at the draft Bill stage and it may become law during this year. After the notification of ITA 2000 on 17th October 2000, which for the first time provided legal recognition to electronic documents in India and heralded the birth of the “Digital Society” in the country, PDPA will be the most significant legislation to affect the country’s industry.

PDPA is an extension of ITA 2000, which was substantially amended in 2008. Section 43A of ITA 2000/8 will now be replaced by the entire set of provisions in PDPA 2018, or PDPA 2019 as it may now be called.

While many may look at PDPA as an extension of the need to protect “Privacy” which the Supreme Court declared as a fundamental right in India, it must be recognized that Privacy Protection had already been extensively recognized when ITA 2008 amendments kicked in.

While there are a couple of sections, such as Section 72A and Section 43, which can be invoked when Personal Information is breached and misused, Section 43A was the one section in ITA 2000/8 which directly defined the responsibility of organizations collecting “Sensitive Personal Information” (SPI). It defined what SPI was and declared that if a company failed to follow a “Reasonable Security Practice” (RSP), it would be liable to pay compensation to any victim who suffered a wrongful loss as a consequence.

While the definition of RSP itself was left a little vague, it was specified that RSP is what would be defined in a contract between the data subject and the company or as defined in a law or as defined in an industry specific gazette notified framework.

Unfortunately, Indian industry (except Banking) did not appreciate or understand the flexibility provided to it in the law, or was too lazy to work on a sector-specific framework. Instead it simply persuaded a naive MeitY to declare that a company certified to “ISO 27001” could be deemed to have complied with the “RSP Standard”.

This statutory dependence on an audit process that was commercially driven and subject to many abuses was vehemently opposed by the undersigned, and the Ministry was forced to admit, in reply to an RTI query, that

“Rule..does not mandate implementation of ISO 27001 standard exclusively… Body corporates are free to adopt and implement other codes of best practices agreed by the industry association”

(Refer here)

This did not, however, prevent the ISO 27001 industry from claiming that ISO 27001 ensures that organizations comply with ITA 2000. (Refer here).

PDPA is More Onerous

Now PDPA makes a huge difference to the compliance requirements of the industry related to Privacy Protection and Personal Data Protection.

PDPA does not restrict itself to SPI. It extends to Personal Information (PI) and “Minor’s Personal Information” which is also considered sensitive. It classifies the Data Fiduciaries into more sensitive levels of Significant Data Fiduciary and Guardian Data Fiduciary with increased responsibilities.

Most importantly, by defining the relationship between what we normally call the Data Subject and the Data Controller as one of a “fiduciary” nature, and by calling the Data Subject the Data Principal and the Data Controller the “Data Fiduciary”, PDPA has changed the narrative completely. The Data Fiduciary is now expected to act like a “Trustee” of the Data Principal, and its duties are not restricted to following the instructions in the “Consent” form. Though “Consent” remains in the statute, it is more an indication of the Data Principal’s objectives in sharing his personal data. The determination of how the data is to be processed in the best interest of the Data Principal lies with the Data Fiduciary and is not limited to what is contained in the Consent.

PDPA defines the “Data Principal’s Rights” and “Obligations of the Data Fiduciary” which become guidelines for the Data Fiduciary to implement “Privacy By Design” and the security requirements.

Though many derogations are provided, including the cover of “Legitimate Interest”, the law imposes penalties both in the form of large financial fines and the possibility of criminal prosecution of the Company and its executives. Such fines are in the nature of “Administrative Fines”: they do not necessarily require a data breach, as was the case under ITA 2000/8, but can be imposed for non-compliance alone.

As a result of these changes, the responsibility of industry for compliance regarding Privacy Protection and related Data Protection has increased several-fold with the introduction of PDPA.

The biggest impact of PDPA is likely to be on the Data Analytics industry. Data acquires a higher value when it is associated with the identity of an individual and the parameters linked to that individual. Data is considered “Personal Data” if it is identifiable with a living human. If the identity is masked, the data becomes “pseudonymous personal data” and escapes PDPA. If it is “anonymized”, the processing also escapes PDPA.

Pseudonymous data is, by definition, “re-identifiable”; anonymous data is not. Re-identification of de-identified data is an offence under PDPA and could result in imprisonment of up to 3 years and/or a fine of Rs 2 lakhs. The liability may extend to the Company and individually to the managers/Directors who are negligent. Such offences are cognizable and non-bailable, which makes the risk higher.

The civil liability which could arise out of many non-compliance issues could result in penalties of up to 4% of the global turnover of the company and therefore threatens to wipe out the business.

With such penalties hanging over their heads, every company needs to take such steps as are required to ensure that the possibility of non compliance is near zero.

PDPA Risk for Data Analytics and AI industries

In this context a data analytics company needs to ensure that the incoming data is largely pseudonymous or anonymous. If it is not, the company has to ensure that the data is filtered at the first in-gate so that the risk is minimized at further levels of processing. While this is easier said than done, we realize that most of the time the identity is integral to the data processing and cannot be easily detached. Further, the granular details that a data set may contain (date of birth, PIN code, gender and the like, each harmless on its own) could make apparently pseudonymous data easily re-identifiable in the hands of a determined data thief who holds another data set carrying the same details against real names.
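The following is an added example, not code from the original post, to make the two points above concrete: pseudonymous data remains re-identifiable by whoever holds the key, and even without the key the granular details left in a record let an attacker re-identify it by joining against data he already holds. It goes slightly beyond the text by also showing the in-gate filtering step (coarsening the granular attributes until no record is unique) and measuring the result as k-anonymity. Every name, date of birth, PIN code and diagnosis in it is constructed for the demonstration and describes no real person; the HMAC key, the auxiliary “voter roll” and the choice of attributes to generalise are assumptions of the example, not anything PDPA or PDPSI prescribes.

```python
# Added example: why pseudonymous data stays re-identifiable, and what in-gate
# filtering of granular details buys. All records below are constructed.
import hashlib
import hmac
from collections import Counter, defaultdict

# Constructed "raw" personal records held by a hypothetical data fiduciary.
RAW_RECORDS = [
    {"name": "Asha Rao",     "dob": "1984-03-12", "pin": "560001", "sex": "F", "diagnosis": "diabetes"},
    {"name": "Bharat Mehta", "dob": "1984-11-02", "pin": "560001", "sex": "M", "diagnosis": "asthma"},
    {"name": "Chitra Iyer",  "dob": "1984-03-12", "pin": "560034", "sex": "F", "diagnosis": "hypertension"},
    {"name": "Deepak Nair",  "dob": "1991-07-23", "pin": "560034", "sex": "M", "diagnosis": "migraine"},
    {"name": "Esha Kapoor",  "dob": "1991-07-23", "pin": "560034", "sex": "F", "diagnosis": "anaemia"},
]

# Constructed auxiliary data an attacker may already hold (a voter roll or a
# marketing list): real identity plus the same granular attributes.
AUX_RECORDS = [
    {"name": "Asha Rao",    "dob": "1984-03-12", "pin": "560001", "sex": "F"},
    {"name": "Chitra Iyer", "dob": "1984-03-12", "pin": "560034", "sex": "F"},
    {"name": "Deepak Nair", "dob": "1991-07-23", "pin": "560034", "sex": "M"},
]

QUASI_IDENTIFIERS = ("dob", "pin", "sex")  # harmless alone, identifying together
PSEUDO_KEY = b"constructed-demo-key"       # assumption: a secret held only by the fiduciary

def pseudonymise(records, key):
    """Replace the direct identifier with a keyed token (HMAC-SHA256). Keyed, not
    plain SHA-256, so an outsider cannot re-create tokens by hashing candidate names."""
    out = []
    for r in records:
        token = hmac.new(key, r["name"].encode(), hashlib.sha256).hexdigest()[:16]
        pr = {k: v for k, v in r.items() if k != "name"}
        pr["pid"] = token
        out.append(pr)
    return out

def relink(pseudo_records, candidate_names, key):
    """Whoever holds the key re-identifies rows by recomputing tokens for known
    names: this is what makes the data pseudonymous rather than anonymous."""
    lookup = {hmac.new(key, n.encode(), hashlib.sha256).hexdigest()[:16]: n
              for n in candidate_names}
    return {p["pid"]: lookup[p["pid"]] for p in pseudo_records if p["pid"] in lookup}

def _key_of(record, quasi):
    return tuple(record[q] for q in quasi)

def linkage_attack(pseudo_records, aux_records, quasi=QUASI_IDENTIFIERS):
    """Re-identify WITHOUT the key by joining on quasi-identifiers. A row is linked
    only when its tuple is unique on both sides; otherwise the attacker cannot
    tell which person it belongs to."""
    pseudo_counts = Counter(_key_of(p, quasi) for p in pseudo_records)
    aux_index = defaultdict(list)
    for a in aux_records:
        aux_index[_key_of(a, quasi)].append(a["name"])
    hits = {}
    for p in pseudo_records:
        k = _key_of(p, quasi)
        if pseudo_counts[k] == 1 and len(aux_index.get(k, [])) == 1:
            hits[p["pid"]] = aux_index[k][0]
    return hits

def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """Smallest group sharing one quasi-identifier tuple; k == 1 means some row
    is unique on those attributes and therefore linkable."""
    return min(Counter(_key_of(r, quasi) for r in records).values())

GENERALISED_QUASI = ("dob", "pin")

def generalise(records):
    """In-gate filtering: keep only year of birth and the first three PIN digits,
    drop sex. Diagnosis and pid are left untouched so the data stays useful."""
    out = []
    for r in records:
        g = dict(r)
        g["dob"] = r["dob"][:4]
        g["pin"] = r["pin"][:3]
        g.pop("sex", None)
        out.append(g)
    return out

def demo():
    pseudo = pseudonymise(RAW_RECORDS, PSEUDO_KEY)
    before = {"k": k_anonymity(pseudo),
              "linked": len(linkage_attack(pseudo, AUX_RECORDS)),
              "relinked_with_key": len(relink(pseudo, [r["name"] for r in RAW_RECORDS], PSEUDO_KEY))}
    gen_pseudo, gen_aux = generalise(pseudo), generalise(AUX_RECORDS)
    after = {"k": k_anonymity(gen_pseudo, GENERALISED_QUASI),
             "linked": len(linkage_attack(gen_pseudo, gen_aux, GENERALISED_QUASI))}
    return before, after

if __name__ == "__main__":
    print(demo())
```

On the constructed data, pseudonymisation alone leaves every row unique on its granular attributes (k = 1): the attacker links three of the five rows to names without ever seeing the key, and the key holder relinks all five. After coarsening date of birth and PIN code and dropping sex, no row is unique (k = 2) and the join yields nothing, at the cost of some analytic precision. The practical lesson for an in-gate filter is that the identifier column is not the only thing to strip; the combination of the remaining columns has to be measured as well.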

Since many data analytics companies need to depend on sub-contractors, the inability of a sub-contractor to protect personal data up to the “PDPA Standard” could impose vicarious liability on the data fiduciary.

In view of these risks, data analytics companies need to be extremely careful in designing their processing systems to ensure that they are “PDPA Compliant”.

The Artificial Intelligence industry, on the other hand, supports data processing businesses of every description, including Data Fiduciaries, Significant Data Fiduciaries and Guardian Data Fiduciaries. In many cases the AI companies will be “Sub-Contractors” of the data fiduciaries. In certain cases the AI companies dictate the business process of the data fiduciaries as if they were the main contractors and the data fiduciary the sub-contractor. Such “reverse domination” is also present in many other data processing situations in the Digital Marketing industry. As a result, AI industry players could be “Joint Controllers”, as GDPR defines them, or “Data Fiduciaries of the Data Fiduciary” in the Indian context.

AI is one industry where the processing is often hidden in the algorithm and it is not easy to discern compliance violations. Indian law is very clear that any violation of law by an AI agent is the responsibility of the AI creator/manager: Section 11 of ITA 2000 attributes an electronic record generated by an information system programmed to operate automatically to the person who programmed it, or on whose behalf it was programmed. Hence AI companies will be liable for any non-compliance issues arising out of the AI algorithm incorporated in the process.

In view of the above, both the Data Analytics and the AI industry need to implement special efforts to be PDPA compliant.

Be Compliant and Be Protected

The PDPSI (Personal Data Protection Standard of India), designed by the undersigned, contains the basic guidance industries need to be PDPA compliant. The PDPSI standard supports the PDPA requirement that every Data Fiduciary should conduct “Data Audits” from time to time and develop a “Data Trust Score” (DTS). This again drastically changes the paradigm of Data Security in the country, bringing in a sort of “disclosure” which is “indicative” of the risks, rather than only the mandatory data breach notification that follows an actual breach. An audit under the PDPSI framework should therefore normally end with the allocation of a DTS to the organization. Such a DTS will naturally affect the “insurability” of the organization and impact the cost of data processing.

It is therefore time for the Data Analytics and AI industry to examine the impact of PDPA on their operations and to take such steps as may be essential for their survival before the law is set in stone.

Naavi

Posted in Cyber Law

Attention Smt Nirmala Sitharaman, It is time to act on the Digital Black Money, Bitcoin and Libra in your budget proposal

Naavi calling for the banning of Crypto Currencies is old news. I have many times faced the question: if Crypto Currency (say Bitcoin) is so bad, why is it that the USA, among other countries, is not banning it? Now I can take a little comfort that a Nobel-winning economist in the USA has also called for shutting down cryptocurrencies. (Refer this article in financial express)

Whether US bans Bitcoin or not, it is necessary for us to remember that our needs are different from other countries and we can take a decision that is independent of others.

In fact, if we had to have a common policy with the US, we could make the US dollar legal tender in India because the USA has made it legal tender. But everyone knows that this is not recommended; if it were done, we would ruin our economy.

If making the Rupee freely convertible to the US dollar, a globally recognized and stable currency, is considered detrimental to Indian interests, it is amply clear that making the Rupee convertible to the anonymous, privately regulated Bitcoin would be catastrophic.

Can we regulate what is not recognized?

Yesterday, I had the privilege of interacting with a group of Legal officers from RBI, in which there was a detailed discussion on Crypto Currencies. It looks as though there is a lot of doubt in the minds of the officers, basically because the people asking for a ban on Bitcoin are in the minority, or at least less aggressive than those who are promoting Bitcoin in India.

One dilemma of RBI is that people are talking of “Regulation” and asking that RBI should regulate Crypto Currency. But this is a trap which RBI should avoid.

It is not conceivable how RBI can “regulate” a transaction without “recognizing” what is being regulated. Whatever the scope of the regulation, there will always be loopholes, and they will be used to make part of the Bitcoin trade legitimate.

For example, if RBI says “Bitcoin” is banned, there will be 1000 other versions to substitute it. If RBI says a particular “protocol” is not acceptable, there will be tinkering with the protocol to escape the ban.

RBI cannot match the techno-marketers and fight the innovative ways of encashing the Bitcoin Ponzi scheme. If it tries to do so, it will only meet with failure.

On the other hand, the RBI Act can be amended to make any form of cryptocurrency the sole prerogative of RBI by simply adding the words “which term shall include crypto currencies” after the word “currency” in Section 22 of the RBI Act.

The threat of Libra

The recent flotation of “Libra” by Facebook is an attempt to make Facebook the Central Bank of the globe. While Bitcoin only threatened the existence of RBI, Libra may threaten the Central Banks of many countries.

Facebook has a membership strength that would make it one of the biggest congregations of people in any single economic unit, if we chose to define it as one. The Crypto Currency Libra, which Facebook wants to introduce and with which our media seems to be enamored (Refer this article in Hindu), will be managed by a “Founder Group” (the Libra Association) which includes Facebook, Mastercard, VISA, Uber and the Vodafone group. (A total of 28 influential corporate groups appear to be supporting Libra.)

It is stated that the Libra issue would be backed by a reserve of real assets, though we do not know the nature of such assets. It is probable that the market valuation of real estate owned by some of these groups and their promoter shares, as well as their present wealth in the form of Bitcoin and other crypto currencies, may be thrown in as their contribution to the reserves.

It is not clear how the initial stock of Libra would be created. Will the founders be allocated some Libra stock in lieu of the assets contributed to the reserve, or as “sweat equity” of the promoters with a freeze on sales for a certain period? Will the Company issue stock through an ICO?

It is possible that all these techniques may be used in combination so that the initial stock is credited to the Company as saleable stock. This may completely avoid “Mining” at the stage and the seed stock may be credited to the promoters as their contribution whether withdrawable or not. It may also be made additional security to the reserves kitty. Since the value will keep appreciating as the trading picks up, the value of the seed stock as reserve will also keep increasing without any effort from Facebook.

It is possible that “Mining” may be offered as a reward for using some resources of Facebook, or as loyalty points, etc. We can expect that all the marketing acumen of Facebook will be used to create a stock of saleable Libra.

Having issued the stock, it will then be sold at market rate to the investors world over and the blocks will start rolling out. Mining may be introduced at this stage and may be limited to the block validation fee as a percentage of the transactions validated with a low level of difficulty.

The promoters in the Libra Association may provide their services against Libra and that itself would provide a huge market.

Unless law makers are able to understand how this scheme may be able to keep itself outside the framework of legacy laws, it is likely that Libra would get the initial traction enough to be a threat to the economy. (Refer this article in guardian.com for more details)

It is stated that Facebook may avoid launching this in India to avoid a confrontation with the RBI. But it is likely that many Indians will acquire and transact in Libra unless such transactions are specifically prohibited by law.

It is therefore necessary for RBI and the Finance Ministry to take such steps as may be necessary to ensure that Bitcoin or Libra does not become the new conduit of global economic transactions that would hurt our economic interests.

If this requires amendment to ITA 2000, PMLA or FEMA, it must be done without further delay.

I also call upon the new Finance Minister Smt Nirmala Sitharaman to use the budget to make a specific mention that

“Crypto Currencies are not recognized in India and any transaction related to dealing with any Crypto Currency would be considered as a conversion of legit currency wealth to an illegal asset and punishable under Prevention of Money Laundering Act”

As regards meeting the threat of Libra in the long run, the strategy should be “Eliminating Digital Black Wealth”, and it must be taken up as a foreign policy stand of India. We should lead the formation of an “Anti Crypto Currency Group” of countries and fight this global menace just as we fight terrorism.

Ceding to Bitcoin and Libra is like ceding Kashmir to the separatists since separatism is also considered as “Freedom Struggle” by a few. If Kashmir is not negotiable for India, Rupee is also not negotiable. We cannot allow Bitcoin or Libra to make any inroads to the Indian currency system.

I hope RBI and the Finance Ministry will recognize this and act appropriately.

Naavi

Posted in Cyber Law

Information on Personal Data Protection Act now available on Cyber Law Guru App

The Cyber Law Guru app, which is available on the Android platform, has now been extended to cover the Personal Data Protection Act.

Now queries can also be sent over the App on PDPA related areas and would be answered to the best of the ability of the expert panel. (Expert Panel at present consists of Naavi alone).

PDPA is now in draft form and will be re-introduced in the Parliament to start the process of it being a law.

Cyber Law College of Naavi has already structured a Certificate Course in PDPA and will deliver it as an in-house course for organizations and through scheduled web-based courses. Details are available on www.cyberlawcollege.com

Naavi

Posted in Cyber Law