A Draft E Commerce Policy has been issued by the department for promotion of Industry and Internal Trade, for public comments.
Comments may be made upto March 9, 2019.
Other details of how the comments have to be sent etc are not clear. It will be posted as soon as it becomes available.
In the meantime, the draft of the policy is available here for study… CLICK HERE
Naavi
P.S: Last Date for submission of comments extended to 29th March 2019.
Personal Data Protection regulation is presently a global phenomenon. While legislation like ITA 2000 try to protect “Data” in general(Section 43/66) with specific provisions for protecting “Personal Data” (Sec 72A) and “Sensitive Personal Data” (Section 43A), legislations like GDPR have focussed on Personal Data Protection only. India is set to follow the trend with its own Personal Data Protection Act in due course.
Indian companies today are eager to get themselves certified under various standards such as BS 10012 though these so called standards are nothing but a reiteration of GDPR articles in a slightly modified language.
It must be remembered that “Certification” under a certain standard is only an internal milestone for an organization to inform its stakeholders that they have indeed taken some formal steps towards compliance and is not an end in itself in the organization’s journey towards full compliance of data protection regulations..
BS 10012 is yet to formally align with the UK’s new Data Protection Act 2018 but still for the corporate managements, the tag “BS 10012 compliant” is a desirable asset for which they are willing to spare their budget. But for Indian Companies, BS 10012 may not be sufficient to be complaint with data protection regulation since Indian laws may have to be also understood and complied with.
Cyber Law College which is the academic organ of Naavi.org considers that there is a need to develop Personal Data Protection Standard for Indian Companies which goes beyond BS 100012 and be compliant not only for GDPR but also to ITA 2000/8 and the proposed PDPA.
Currently Naavi uses the Indian Information Security Framework with the following top line implementation charter which is identified as IISF309.
As one can observe, it captures most of the control requirements expected in an information security standard though the details may not be clear in the framework as presented above.
After the advent of PDPA 2018 in draft form, Naavi floated the idea of “Data Trust Score” as a measure of a “Data Audit” conducted under PDPA 2018. This was a measure of how good is the implementation of PDPA compliance in an organization.
The criteria suggested was a 5X5 matrix where 5 parameters namely
The evaluation was suggested on a scale of 0-100 in 5 steps of 20 each and hence it was called the 5X5 grid.
In order to further fine tune the approach and make it repeatable, Naavi is now working on developing a “Standard” which cover different requirements of compliance.
This “Standard” is presently the internal Audit Standard for Ujvala Consultants Pvt Ltd, the corporate entity of Naavi that addresses the audit requirements.
The standard is called “Personal Data Protection Standard of India” (PDPSI) and will be developed by Naavi.org as a part of its educational initiative of Cyber Law College.
The future idea is to make it an open standard which any intending corporate can adopt on their own.
Auditors are free to adopt it to their own audit framework if they feel like or ignore it if they donot feel it has any value, or adopt thoughts from this standard into their own audits.
The objective is to make an “Audit under PDPSI” incorporate principles of personal data protection imbibed in other standards including BS 10012 so that an organization which is PDPSI compliant is essentially also compliant with BS10012. It is understood that a Certification of compliance under PDPSI is not a certificate of compliance under BS 10012. However, an organization which is compliant under PDPSI should easily sail through any evaluation under BS10012.
However, we believe that “Compliance to a standard is required for a faithful protection of personal data as required under law and not just to sport a tag on which a blind faith can be placed”. Such blind faith often leads to complacency and needs to be avoided.
Conceptually therefore, PDPSI has been launched as the future of Naavi’s approach to Personal Data Protection approach and will be integrated with the DTS system which is already suggested.
The details of the standard under each of the above five parameters will be developed module by module and the standard will be published through this site.
Some may feel that by making such standards public, we will be losing an opportunity to commercialize it or we will be hurting other standards providers.
But we firmly believe that a “Suggested Standard” should be made available freely while commercial exploitation can be made through the implementation consultancy.
I trust at least a few of the data protection practitioners would accept this approach as what is required to make compliance to data protection laws affordable to most of the SMEs.
Any suggestions, comments etc are welcome.
This is also an open invitation to interested persons to join me in the development of PDPSI as a standard with wider acceptance in the community.
PDPSI first version will be referred to as PDPSI-0219, and hopefully it would get updated from time to time.
Await the publication of the different elements of PDPSI-0219 in due course.
Naavi
Naavi has time and again emphasized that “Security” is for the good of the community and if regulatory agencies want to prescribe security guidelines it has to be easily amenable for compliance.
When a regulation like GDPR or PDPA 2018 or even ITA 2000/8 is issued as a legal instrument, then every entity coming under the jurisdiction of the law need to comply with it. Normally most entities are law-abiding and will try to be compliant. But if the regulation is unclear or too complicated, compliance will be low.
It is the duty of experts to come to the assistance of the subject entities to be compliant with the necessary guidelines and the law.
Whenever such a need exists on making people aware of a law and how it has to be implemented in practice, there arises a commercial opportunity in “Training”, “Implementation Consultancy” and “Certification”.
Ideally the law has to be made by the Government and it should be left to the private sector to equip itself with the necessary knowledge and skill. If some experts are good enough to package a service to spread the knowledge and skill, it is their ingenuity.
If Government can invest on its own on outreach programs, it would be good.
However, a law-maker cannot tell a citizen that he has to make a payment to know what the law is. If the Government does so, it becomes a “Tax”. Hence Government programs have to be essentially free for the participants. If a private sector partner is used in such training, then the cost has to be subsidized by the Government to some extent through sponsorship partly or fully.
This principle that “Law should be made known to citizen free of cost”, was discussed extensively in Naavi.org when the then UPA Government came up with Section 43A (ITA 2008) guidelines in April 2011 in which they made a mention that ” Adherence to ISO 27001 standard will be deemed to be compliance of Section 43A.
Naavi took a serious objection to this rule stating that it would make the lakhs of prospective compliance organizations to first of all buy the standard at around US$160 and then spend about Rs 3 lakhs to get certified. We said then that this was a scam bigger than 2G. The MEITY of Mr Kapil Sibal at that time was very angry about this comparison with 2G Scam and many of the executives are still harboring a grudge against Naavi for this purpose.
However, in reply to an RTI, the ministry confirmed that it is not “Mandatory” to have ISO 27001 certification to be compliant with Section 43A and though the ISO organization was allowed to make commercial gain out of the inappropriate mention in the guideline, the matter rested there.
(Details are available in earlier articles of around 2011 in this site available through the link on Old Posts)
Section 43A is now being Replaced
Presently we are in the new era of Data Protection and expecting the PDPA 2018 to be passed whenever the political will manifests. Once this is enacted, Section 43A will be replaced with a whole set of regulations in the Act itself.
As a result, the compliance managers need to understand the law and interpret it in a manner it would be acceptable in a subsequent judicial scrutiny.
Naavi has through Cyber Law College already offered to provide training on PDPA 2018 in the same manner in which he has been instrumental in spreading the awareness of ITA 2008 or HIPAA or GDPR, in India. (for all the three of which, recorded Course content is available at www.apnacourse.com.)
On PDPA 2018, Naavi has adopted a slightly different mode of online coaching since the law is yet to crystalize. These courses are of course priced and are expected to generate revenue to the provider of the course. Naavi has also been discussing with some partner organizations for sponsorship such programs.
During these courses, Naavi often presents a Framework of his own under the banner “Indian Information Security Framework-IISF-309” which tries to incorporate the requirements of compliance to the extent necessary.
This framework is actually a substitution for the “Standards” though it may not be as detailed as a standards document and is explained more during the implementation training.
Being Certified Vs Being Compliant
Many Companies however are more interested in getting themselves “certified to be compliant” rather than actually “being compliant”. For this purpose they look for an agency whose “Certificate” has some blind recognition and is available even at an expensive price.
The GDPR regime as a whole is heavily biased towards making money and hence apart from imposing insane penalties for non compliance, it enables creation of a Certification system whereby people make money for just reprinting GDPR articles as “Implementation Guidelines” or “Standards” and creating “Certification of Certifying professionals” as well as the “Certification of compliance” itself.
Naavi believes that this entire eco-system is dishonest since it’s purpose is making money through licensed distribution of what should be a free knowledge and not oriented towards creating an eco-system of faithful compliance.
No doubt some level of compliance does come out of such activities but the value proposition is mostly inadequate and often exploitative.
New Mission to Demystify Data Protection Regulations in India
Having declared the intentions of Naavi to work towards making “Security Knowledge” as affordable as possible to the market place, Naavi’s Cyber Law College is interested in undertaking a missionary approach towards spreading the knowledge about Data Protection Regulations in India at prices that are if possible lesser than the competition.
Towards this objective, Naavi is embarking on empowering organizations for BS 10012-2017 compliance while the Certifications can be obtained by organizations that partner Naavi in this program if required.
Just as in 2004-06, Cyber Law College embarked upon a “Cyber Law Awareness Movement”, it is now proposed that Cyber Law College and Naavi will embark on a “Demystifying Data Protection Laws” which will include compliance of GDPR to BS 10012 standard, PDPA 2018 (as proposed) and ITA 2018 in general as applicable to data protection.
This program will consist of in-house corporate awareness programs, extended training programs and educational courses.
I look forward to other professionals and organizations to provide their guidance on how this objective can be achieved and how the mission of Cyber Law College can be made a success.
One of the objectives of this proposed movement is that by the time the PDPA 2018 comes into effect, the codes and practices etc which the DPA need to provide does not become a commodity that can be used for exploitation of the user industries and the possibility of exploitation in selling the standards and providing certifications etc are very much reduced.
I wish that DPA never allows “Standards” organizations to create copies of the legislation and call it as proprietary standards protected by Copyright. All such standards should be declared as open source or otherwise certifications based on them should not be recognized by the DPA. Commercial exploitation should be limited to the implementation of such standards and not by selling the standards specification itself.
Naavi.org is interested in creating a knowledge distribution system in such a manner and at such a price that the possibility of such exploitation is substantially reduced if not eliminated.
Watch out for more details in this site from time to time.
Your comments are welcome.
Naavi
This is in continuation of our discussions on the Intermediary Guidelines which are proposed to be amended by the MeitY. The Government wants to urgently address the “Fake News” phenomenon which has exploded into a real mess with leaders like Rahul Gandhi taking it to ridiculous lengths and earlier respected media like Hindu falling into the gutter of lies with such political parties.
In this context we reiterate our strategy to address the concerns expressed by many companies and activists while providing their comments by a completely different approach which no body other than one Commentator (FDPPI… Page 21-28 of the first batch of comments) has made.
The suggestion is to introduce a system of voluntary adoption of an “Intermediary Dispute Resolution Policy” (IDRP) administered by “Intermediary Dispute Management Centers” (IDMC) which are accredited by the Ministry.
The big idea in this suggestion draws from the “Uniform Domain Name Dispute Resolution Policy” (UDRP) and the INDRP which resolves domain name disputes. It also goes along with the need to be compliant with the Data Protection Laws (PDPA 2018) which has introduced the concept of “Data Fiduciaries”, when it becomes applicable. It also takes into account the system of “Digi Lockers” which the Government has already introduced.
It uses the system similar to declaration of a company through “Prospectus” as used in IPO scenario and “Certification Practice Statement” as used in Digital Signature regulation.
When an organization commits itself to a declared policy and the consequences thereof, they also subject themselves to the requirements of avoiding “Breach of Trust” charge .
Additionally the “Due Diligence” becomes the self accepted level and if it fails to meet them, they should also accept the liabilities that may come upon them under Section 79.
Further, since the administration of the policy and its adjudication on a complaint will be through an expert non government organization and there is no need for political opponents of Mr Modi to muddy the discussion.
Before people start evaluating any suggestion, I request them to fully appreciate what Section 79 really means and what these guidelines actually indicate.
Section 79 says that if there is any contravention of ITA 2000/8 and such contravention has been done through a message which has passed through an intermediary, then the intermediary who follows the due diligence will not be held liable. If the concerned intermediary fails to meet the definition as defined in ITA 2000/8 or is found to have abetted in the contravention or has failed in the due diligence as determined by a Court, it will be held liable along with the person/s who actually committed the contravention and caused damage to a complainant.
Section 79 is not itself a penal section which states that there will be some punishment if it is not followed. Similarly the guidelines which we are discussing does not prescribe mandatory punishments to say that if these guidelines are not followed, the intermediary will be punished with imprisonment, fine or liability to compensate.
For these guidelines to hurt, some complainant should have a cause of action under ITA 2000/8 or other law and hold out the information handled by an “Intermediary” as the cause for his hurt. Then it is the responsibility of the Courts to consider that the Intermediary had some responsibility which he has overlooked and then hold them liable along with the original perpetrator of the crime.
Hence most of the objections that have been raised in the comments in the 608+84 page document are untenable.
I request the interested persons to kindly peruse the suggestions and provide their feedback.
Naavi
In providing comments on the proposed Intermediary guidelines, the undersigned suggested a new system of Governance of Intermediaries through the comments submitted by FDPPI. The suggestion was made that a new system of dispute resolution on the lines of the domain name dispute resolution policy (IDRP) could be used for detailed due diligence guidelines for the intermediaries.
The IDRP (or whatever other name by which it may be called) is essentially a “Self Commitment” by the Intermediary to a set of due diligence guidelines.
The IDRP will be developed by voluntary agencies who will be the Intermediary Disputes Management centers (IDMC) and such agencies will accredit themselves with the MeiTy/CERT-IN.
The Intermediary in its Privacy Policy and Terms declare that they will subject themselves to the IDRP of the specific IDMC.
The IDMC will be responsible for resolving disputes that arise in the course of the activities of the Intermediary.
The IDMC can introduce three levels of dispute resolution namely
a) Ombudsman who will assess a complaint and provide his award which if accepted will close the dispute.
b) Mediation (Preferably online) as per the general principles of the Indian Arbitration and Conciliation Act as amended, which if successful result in the resolution documented as a conciliation agreement.
c) Arbitration (preferably online) as per the general principles of the Indian Arbitration and Conciliation Act as amended , which if accepted will be the final arbitration of the dispute, except for any permitted legal challenges under the said Arbitration Act.
It is envisaged that the CERT-In will take the lead in ensuring that the Intermediaries follow specified guidelines as are relevant for National Security and in conformity with the principles of the Constitution. Hence at the time of accreditation of an IDMC, the CERT-In will scrutinize the registered policy of an IDMC and approve it after discussion.
This approved policy of an IDMC will be similar to the “Certification Policy Statement” or CPS of a Certifying Authority for issue of digital certificates.
This policy which will be called IDRP of …….. (Name of IDMC) and will be tagged with a “Version Number”. It can be modified from time to time by the IDMC as it may deem fit but each such modified version needs to be approved by the registering authority (CERT-IN).
The IDMC will be bound to faithfully resolve disputes in accordance with the declared policy and any disputes thereof failing which it would be disenfranchised by the CERT-In based on a complaint.
It is envisaged that a suitable customer friendly procedure would be developed by each IDMC for the purpose of dispute resolution. It is recommended that an ODR process would be used. A recommended ODR process is available at www.odrglobal.in for consideration.
The IDRP will take into account all the legal issues that will be considered as an obligation of the Intermediary and the Privacy Policy and Terms that the Intermediary otherwise adopts would be “Subject to the IDRP Version xx of ….. ” and will only contain the functional aspects as are relevant to the services rendered by the Intermediary.
The scope of IDRP would be to settle disputes as regards “Due Diligence” and record the findings. If after a settlement under IDRP, the aggrieved party goes to Court on any contravention and seeks to arraign the Intermediary as a respondent for any liability, civil or criminal, the Intermediary can hold out the defense in the form of a faithful following of due diligence as per IDRP. It will be left to the Courts to take a final call if the Intermediary should still be considered liable or not. Hopefully Courts will in most cases respect the due diligence process if it has been properly implemented. Hence unless the Intermediary is found to have “abetted” in the crime, it should get the protection it envisages under Section 79.
The MEITY as in the case of accreditation of agencies under the Digital Locker System, Certifying agencies etc., may issue general directions on the qualifications for accreditation (which should be predominantly Techno Legal) along with other conditions that are reasonable and necessary. The detailed procedure for dispute resolution would be developed by each IDMC for itself. It may function like a specialized Arbitration Center for Intermediary disputes.
This system will ensure
a) Different IDRPs can be constructed to suit different types of Intermediaries and hence the charge that “One notification fits all will not be correct” is addressed.
b) IDRP will offload all the legal obligations on to a Non Government organization so that the suspicion of Government interference is addressed.
c) Since IDRP will be subject to the Indian Arbitration Act, it is within the domain of the judicial system as accepted and will be further within the writ jurisdiction of the Courts so that any charge of “arbitrariness” or “Vagueness”, “Constitutional Impropriety” etc would be addressed.
I request all the agencies that have submitted their comments now may take a deep look at this suggestion and check if all their concerns can be addressed through this system. If so, there can be a consensus on the system and the Government may be suggested to adopt it.
Towards this objective, the suggestion as filed by FDPPI (Page 21-28 of the first compendium of 609 pages) is reproduced as under:
Rule 14: to be introduced
Notwithstanding what is contained above, an intermediary at his sole option may opt to adopt the “Intermediary Dispute Resolution Policy “ (IDRP) as defined here under.
a) The Intermediary Dispute Resolution Policy may be created and defined by a “Intermediary Dispute Management Center” (IDMC) that intends to specialize in resolving consumer disputes related to the use of Intermediary services and registered with the IN-CERT
b) Any Intermediary can voluntarily associate itself to an “Intermediary Dispute Management Center” and adopt the Intermediary Dispute resolution Policy of that Center.
c) The IDRP shall represent the basic commitment provided by the Intermediary for compliance of the Act and other legal obligations and may include intermediary specific policies as may be required.
d) After adoption of IDRP the Intermediary may disclose the same in its terms and conditions and the Privacy Policy that it shall bind itself to the IDRP of the designated IDMC and that such IDRP shall also be binding on the users. It shall also inform the users that all disputes relating to the service shall be subject to the resolution through an Ombudsman/Mediator/Adjudicator as determined by the policy of the IDMC without any prejudice to the supervisory authority of any Court in India.
e) Adoption of the IDRP as a means of defining the Terms and Privacy Policy and it may restrict its policy declarations to only the functional aspects of its service which will supplement the IDRP.
f) Use of IDRP shall be purely voluntary on the part of the Intermediary.
g) The IN-CERT will receive the necessary applications from intending IDMC s along with their self developed “Dispute Resolution Policy Disclosure Document” and upon satisfaction, shall list such an agency as an accredited IDMC. Such approvals will be provided by a committee headed by the Secretary MEITY and consisting of the Director General of CERT-IN with three co-opted members from the industry with adequate experience and reputation.
We may however add an additional para to accommodate the dis-accreditation requirement in case of necessity.
This could be stated as follows.
h) In the case of any IDMC not adhering to the declared policy or if the policy is considered inappropriate, Any person may raise an objection thereof with the CERT-In and seek dis accreditation of the IDMC. The request shall be reviewed by the designated committee and after providing a reasonable opportunity to the Intermediary and a decision in writing would be issued by the committee either rejecting the request or approving the request. This request itself could be subject to further judicial scrutiny in the appropriate Courts.
I look forward to the reactions on this suggestion. Such comments can be sent to the undersigned or FDPPI or directly to the Government as part of the Counter comments that may be submitted.
Naavi
MeitY has released an addendum to the earlier 609 page consolidation of comments received on the proposed amendments to the intermediary guidelines under Section 79 of ITA 2000.
This document is available here
This is a 85 page document (including the cover page) and contains the comments as listed below. (Page numbers as in the downloaded document).
Addendum
| Sl No | Name | Category | Page nos |
| 1 | Pawan Kaul | Individual | 2-5 |
| 2 | J Sagar Associates | Law Firm | 6-9 |
| 3 | ? | ? | 10-18 |
| 4 | ? | ? | 19-37 |
| 5 | ASSOCHAM | Industry | 38-53 |
| 6 | US-India Strategic Partnership Forum | ? | 54-65 |
| 7 | Global Network Initiative | ? | 66-69 |
| 8 | Microsoft | IT | 70-78 |
| 9 | MEDIANAMA | NGO | 79-83 |
| 10 | ? | Individual | 84 |
| 11 | ? | Individual | 85 |
It is interesting to observe that Microsoft has added its views to the kitty along with several NGOs active in such deliberations namely MEDIANAMA.
ASSOCHAM has provided its detailed views which is unfortunately concluding that “the interests of the Indian Internet users would not be met by enhancing the obligations of the intermediaries”. We would like ASSOCHAM to reflect on the issue of Cyber Crimes which are aided and abetted by the negligence of the Intermediaries and whether ASSOCHAM would be able to guarantee the Internet users their security against risks caused by lack of due diligence by the Intermediaries.
Some of the international fora such as US-India strategic partnership forum, Global Network Initiative have expressed their strong criticism stating that the proposed amendments are “Untra vires” the scope of Section 79 and lacks procedural safeguards.
Role of Negligent Intermediaries in Proliferation of Cyber Crimes
The concerns of these organizations may be appreciated. However, we need to find a solution to the problem of increasing Cyber Crimes, the role of negligent intermediaries in furthering the Cyber Crimes and the compelling need for the Government to safeguard the interests of the common citizen. This requires a proper regulation of the intermediaries.
All those who have commented on the notification should realize that these guidelines represent the “Due Diligence” requirement under Section 79. They are free to ignore the suggestions provided they are able to absorb the risk of being held liable for contravention of any of the provisions of ITA 2000/8 which may arise out of a “Message/Information” handled by them as an “Intermediary”.
It is to be also recognized that these guidelines donot create a penal provision in the law by themselves. It is only defining the conditions under which the consequences of violation of law will not result in liability against the Intermediary.
It is therefore incorrect to interpret the guidelines itself as a “Proposed Law” and invoke the bogey of infringement of constitutional rights and international conventions.
It is hypocritical for organizations in countries who specialize in introducing Stuxnet type of viruses into the system and buy viruses from underworld to carry out Information warfare, to advise India on what it should do to protect its citizens from the impact of the Cyber Crimes.
We rather invite these organizations to suggest measures to regulate intermediaries from the perspective of Cyber Crime control. The domain name registrars who register phishing domains, the Tor services which support the dark web etc are part of the “Intermediary”. We would like to demand if these organizations have done anything to stop the “DarkWeb” rather than crying out that it is “Impossible” to prevent the dark web which is larger than the over the ground internet activities.
Cyber Security is a Fundamental Right of “We the People of India”
The Government has an obligation to the Citizens of India for ensuring their “Security” and “Cyber Security is a fundamental Right of the Citizens” as much as “Privacy” and “Freedom of Expression”.
We strongly object to the tendency to undermine the “Cyber Security” aspect of the Fundamental Rights in preference to the protection of “Right of Exploitation of the masses by the Intermediaries” for financial gains.
The citizens of India who are concerned about Cyber Security are very much the key stake holders in this exercise and the Government cannot listen only to the business interests and take its decisions.
We strongly oppose any move of the Government to succumb to these pressures. We are aware that these vested interests are capable of moving the Supreme Court and the Supreme Court has the power and the inclination to take over day to day administration of the Executive by interfering in every administrative order of the Government.
We are also aware that this strategy to create policy paralysis by drawing the Supreme Court into every action of the Government suits the politicians who want to shut down the Government function and harm it’s agenda of progress.
Yet, we trust that the Government will not yield and face the challenge of the objections that will be raised in the Supreme Court.
We also trust that the Supreme Court which is headed by the CJI who not so long ago held a press conference and declared that it is accountable to the people of India, does not ignore the need for “Cyber Security” as fundamental to the exercising of “Other Fundamental Rights” including “unfettered right of abuse of law under the guise of Freedom of Expression”.
In this context, Intermediaries need to contribute to the protection of Citizens and “Due Diligence” is a legitimate expectation of the society. These guidelines are meant to ensure that Intermediaries are responsible and remain responsible.
Let us once for all decide if “Cyber Security” is a fundamental right or not and in a situation of conflict with other fundamental rights, whether it is desirable to subordinate the security to other rights.
FDPPI suggestions balance out the conflicts
The suggestions made by FDPPI (Foundation of Data Protection Professionals in India: www.fdppi.in ) have several features that balance out the requirements of the industry and the need for cyber security. It addresses most of the concerns expressed by others. I invite readers to examine it in depth.
The time available before 14th February for submission of counter comments may not be sufficient to analyze all the comments individually within this time frame, though I would like to do so. However, I will try to provide some additional comments in the coming days why the suggestions made in the FDPPI note (pages 21-28 of the first document of 609 pages) address most of the concerns expressed by others.
Naavi
