Don’t look at PDPA 2018 under the coloured glasses of GDPR

Ever since GDPR came into force, it has become the trendsetter in data protection regulation. When PDPA 2018 followed, it was natural that several concepts which were part of GDPR also became part of PDPA.

Since GDPR built on the legacy of EU data protection law and the WP 29 documents, had a two-year lead time for implementation and has now been in force for nearly a year, a huge knowledge base has already been created around it. Most Indian practitioners are also familiar with its provisions, having had multiple rounds of discussions with their foreign counterparts.

It is therefore natural that any aspect of PDPA 2018 will quickly be interpreted in terms of what has been learnt under GDPR. In this process there is a danger of misinterpreting PDPA 2018, and this should be avoided. We need to explore PDPA 2018 without being prejudiced by our perceptions of GDPR. If necessary, we need to unlearn some of the dogmas we may have formed out of GDPR before we learn PDPA.

Naavi therefore advocates a clean interpretation approach to PDPA without the overhang of our GDPR baggage. The PDPSI (Personal Data Protection Standard of India) is one such approach advocated in this context, because PDPA holds some innovative differences from GDPR which need to be recognized.

There is no doubt that the first and most critical difference between GDPR and PDPA is the redefining of the Data Subject-Data Controller relationship as a Data Principal-Data Fiduciary relationship. This has been discussed several times in the past in these columns and remains the fundamental difference between GDPR and PDPA; any comparison that does not take this into consideration would be like comparing apples and oranges.

I am not sure that the full implications of this innovative master stroke have sunk into the minds of Indian data protection professionals as they try to look at PDPA through the coloured glasses of GDPR. There is a danger of this being missed by legal pundits also as we move towards the formalization of the PDPA Bill into an Act in the coming days. Even the DPA, when it comes through, may not find it easy to remember that PDPA is not an Indian GDPR, and it will need to be reminded again and again that “It is different”.

But in addition to this fundamental redefinition of the role of the so-called “Data Controller” as a “Data Fiduciary”, there are some more differences which we need to recognize so that we realize that PDPA 2018 is not a copycat of GDPR. It does incorporate many of the provisions of GDPR but tries to add its own spice in between.

Let us try to capture some of these minor differences before we get back to the analysis of the Data Fiduciary master stroke.

1. Classes of Data Fiduciaries

GDPR recognizes Controllers, Joint Controllers, Processors and Recipients as different entities that handle the personal data and sensitive personal data which are the subject matter of protection.

On the other hand, PDPA recognizes Data Fiduciaries, Significant Data Fiduciaries and Guardian Data Fiduciaries as different classes of Fiduciaries, in addition to the Processor. Significant and Guardian Data Fiduciaries may be required to register themselves with the DPA.

2. Criminal Penalties

PDPA includes criminal punishments for data breaches, while GDPR does not.

3. Right to Forget

Under PDPA, right-to-erasure requests are subject to adjudication by an external authority. Under GDPR it is the decision of the company itself.

4. Dispute Resolution Mechanism

Instituting a dispute resolution mechanism is mandatory under PDPA and is a recommended good practice under GDPR.

5. Mandatory Annual Third Party Data Audit

PDPA requires a mandatory data audit by an external auditor on an annual basis, in addition to the DPIA. There is no such requirement in GDPR.

6. DPO as a Service

GDPR provides for an external consultant who can work as a DPO. PDPA has no such provision.

7. Harm Audit

PDPA includes the concept of a “Harm Audit”, which is an assessment of the gravity of a data breach incident. This may also be required where there is a conflict between the RTI Act and disclosure under PDPA. GDPR makes no such mention, though the concept is inherent in every data breach notification policy.

8. Data Trust Score

PDPA requires Data Auditors to compute a Data Trust Score for every organization they audit. This is not part of GDPR.

9. Data Breach Notification

Under PDPA, whether data principals are to be notified of a data breach is determined by the DPA. There is no such requirement under GDPR, where the company has to decide.

10. Official Identifier

An official identifier such as Aadhaar is declared as Sensitive Personal Information under PDPA. GDPR leaves it to the member countries to determine how national identifiers are to be processed.

11. Codes and Practices

PDPA has left it to the DPA to define the codes and practices, besides an enabling provision for industry bodies to come up with their own codes to be approved by the DPA. GDPR also has a similar provision, where the member states will encourage the development of codes and practices and certification bodies will be accredited by the supervisory authorities.

12. Secular Status

GDPR provides some exemptions to churches, whereby they can apply for their own regulation to be brought into the legislation. The Indian PDPA has no such recognition of any religious rights and is therefore more secular than GDPR.

13. Employment

GDPR leaves it to the member states to frame laws regarding information processed in the course of employment. PDPA has a specific reference under Section 16 providing permission to process data for employment purposes.

14. Data Localization

PDPA has a direct provision that a copy of personal data shall be kept in India and that sensitive data shall not be transferred out, but it provides several exemptions. GDPR addresses the same issue indirectly by allowing data transfer only to such countries where the EU considers that there are adequate laws, and also provides other exemptions. In effect, there does not seem to be much difference.

Thus there are many differences between PDPA and GDPR, and as we go forward even more differences can be spotted.

It is therefore unfair to call PDPA a copycat of GDPR. In fact, starting with the Data Fiduciary, criminal penalties, adjudication etc., there are several unique differences that make PDPA far more practical than GDPR.

More on this should come up for discussion in the March 15 seminar in Mumbai.

Naavi

Posted in Cyber Law | 1 Comment

Seminar in Mumbai on Privacy

Legal Era (www.legaleraonline.com), known for its informative legal periodical of the same name, is organizing its flagship annual event “GEN-NExt 2019” from March 14 to 16 in Mumbai.

Many eminent speakers from India and abroad as well as Judicial luminaries will be participating in the event to discuss some of the most critical aspects that are of interest to the legal community in India.

One of the scheduled discussions is on “Privacy” and is happening on the 15th. Naavi will be moderating a panel consisting of eminent lawyers and technical professionals from the industry, which will analyze different aspects of privacy regulation as they are emerging in India.

We can look forward to some interesting discussions, which will be taken up subsequently in these columns.

Naavi

Posted in Cyber Law | Leave a comment

Deepfake further erodes credibility of the Internet

We have been discussing the problem of “Fake News” in India, particularly in the context of the forthcoming Indian elections. The political party in opposition has made it its policy to try and win the election only by brazen lies spoken without any hesitation, under the assumption that some of the mud thrown will stick on their political opponents. To support this world of lies, the Internet is being used freely, and this needs to be recognized and checked before the entire Internet becomes completely untrustworthy.

Planting articles in the media by bribing journalists is an old trick. Today, the political parties manage a laboratory to create fake news and spread it across social media through the millions of fake Twitter or Facebook accounts that are created only for this purpose. One of the tools they use is “Artificial Intelligence”, to generate news stories that suit their own narrative without any reference to the truth.

Today, even the illiterate rural person knows that TV news is like a reality show: take it if you like and reject it if you don’t. Over a course of time, people have developed an instinct to apply their own filter to believe or reject news stories, even if the news anchors think that they are successfully brainwashing the public.

The use of “morphed pictures” was the next tool that fake news creators started using to prove their point. Then they started manipulating the audio stream in a video to change what the video was supposed to show, as in the case of the JNU campus incident.

Just as we thought we had reached the end of the technology of fake news creation, comes the alarming news about “Deepfake videos” (Refer here).

Deepfake videos are created by the advanced use of Artificial Intelligence (AI), where fake videos of persons are created from the machine learning that takes place by observing some real videos. The improvement of the algorithms is achieved by pitching two AI machines one against the other to identify the flaws and improve upon the earlier creations. This iterative process creates continuously improving fakes until it reaches a stage where the result becomes indistinguishable from a real video, at which point it can be published.

The authentic data set used for learning may consist of hundreds or thousands of still photographs of a person’s face, so the algorithm has a wide selection of images showing the face from different angles and with different facial expressions to choose from.

Tomorrow, if you receive a video call from your wife asking you to immediately transfer some money to some account, it is quite possible that the video call is actually from a fraudster who was earlier trying to fool you with a phishing e-mail or a voice call. The risk to the reliability of the Internet system is therefore extremely high.

Naturally, there is thinking about how such deepfakes can be prevented. In the US, it is said that a new law to criminalize deepfakes is being considered.

In India we have so many anti-nationals in the guise of journalists and activists that if we attempt to pass any law, even one that only imposes responsibilities on intermediaries to check the spread of fake news, people immediately rush to the Supreme Court alleging infringement of constitutional rights.

It is therefore time for us to take a realistic assessment of the situation and ensure that, irrespective of what the fake activists think, there is a strong internet regulation that preserves the trust in the system. Otherwise the entire edifice of E Commerce and E Governance is in danger of falling apart.

Presently, the amendments to the Intermediary Guidelines under Section 79 of ITA 2000 are under consideration, and it is time for the Government to take a tough stand on the intermediaries and make them responsible for fake news and liable for the consequences.

Naavi


Posted in Cyber Law | 1 Comment

Conference on Section 65B at Chennai

Cyber Society of India (CySi) and Foundation of Data Protection Professionals in India (FDPPI) are jointly organizing a one day seminar on Section 65B of Indian Evidence Act at Chennai.

Venue: Hotel RainTree, Anna Salai, Teynampet, Chennai 600035

Time: 10.00 am to 5.30 pm

Date: 16th March 2019, Saturday

Naavi

Posted in Cyber Law | 3 Comments

New Updated book on Section 65B in Print

Naavi has updated the E Book on Section 65B, titled “Section 65B of Indian Evidence Act Clarified”, with an additional chapter on “Section 65B for Data Protection Professionals”.

A print copy of the above book is scheduled to be released in Chennai on March 16, along with the launch of the Chennai Chapter of FDPPI and a day-long workshop on Section 65B organized jointly by Cyber Society of India (CySi) and FDPPI.

Naavi was the founder secretary of CySi and is a continuing life member, as well as the Founder Chairman of FDPPI. Mr S. Balu, the current president of CySi, is also a member of FDPPI.

The E Book is currently priced at Rs 150/-. The printed version, of which limited copies will be available, is priced at Rs 200/- (it will be available at the conference at a concessional price of Rs 100/-).


Naavi

Posted in Cyber Law | Leave a comment

Ordinance on Aadhaar

The Justice Srikrishna Committee on Data Protection, in an Appendix to its report, had provided a comprehensive recommendation for amendment of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016. These recommendations were not included in the draft Bill for PDPA 2018 which the Committee submitted. Subsequently, the Aadhaar judgement of the Supreme Court (refer the series of articles below) gave certain recommendations which prevented the use of Aadhaar services by the private sector, including banks.

After taking into consideration the recommendations of the Srikrishna Committee and the judgement of the Supreme Court, the Government came up with a draft Bill. However, the Bill could not be passed through the Rajya Sabha and would lapse soon.

In order to alleviate the problems created for the industry by the Supreme Court judgement, the Government has therefore implemented some of the recommendations of the Srikrishna Committee by promulgating an “Ordinance” on 28th February 2019.

The ordinance provides for “Offline Verification of Aadhaar number” after obtaining the consent of the individual, using only the demographic information, with safeguards so that the information is used only for the purpose for which it is sought.

Section 57 of the Aadhaar Act has been omitted in deference to the wishes of the Supreme Court.

The ordinance will provide the option of offline verification, without authentication, to verify the demographic information of an individual who consents to an agency using the Aadhaar number.

Hopefully this will mitigate some of the immediate problems of the industry. However, some murmurs are being heard about challenging the ordinance in the Supreme Court, and we need to wait and see how things develop.

Naavi

Reference Articles:

10. Aadhaar Judgement-10: Let us debate the changes required in PDPA 2018
9. Aadhaar Judgement-9: Definition of Personal Information revised?
8. Aadhaar Judgement-8: Limited use
7. Aadhaar Judgement-7: Can the Private Sector use Aadhaar for Authentication?
6. Aadhaar Judgement-6: Joint Secretary is too junior?
5. Aadhaar Judgement-5: Collection of Metadata
4. Aadhaar Judgement-4: Making the life of law enforcement difficult
3. Aadhaar Judgement-3: Data retention limit of 6 months
2. Aadhaar Judgement-2: The Answers and Conclusions of the majority
1. Aadhaar Judgement-1: Debate the areas where clarity is required

Other References:

Aadhaar Act
Srikrishna Committee Suggestions in Appendix
Aadhaar Amendment Bill
Aadhaar Amendment Ordinance

Posted in Cyber Law | Leave a comment