Has Rajeev Chandrashekar been compromised by the Bitcoin lobby?

A report has appeared in news.bitcoin.com under an article titled “Indian Parliament Member helping Crypto Community influence Regulation” that Mr Rajeev Chandrasekhar, BJP MP from Bangalore, has agreed to “help” and “Influence” the Crypto legislation in India. It is also stated that he met some of the leaders of the Bitcoin industry on 16th instant.

The report also states that Rajeev has given “great guidance” on how to approach positive regulations and this is hailed as a good step forward for the “India Wants Crypto” campaign of the Bitcoin lobby in India.

This comes as a surprise since Mr Rajeev Chandrashekar is a technocrat who can understand technology and the real intentions of the Bitcoin lobby which is to promote the “Digital Black Currency” so that all the corrupt members of the society can escape the scrutiny of law and enjoy their black wealth.

So far Mr Rajeev has been considered as an MP who could be relied upon for promoting good causes. Hence it is surprising if the report is true.

However, it is likely that what Mr Rajeev could have said was related to just the Block Chain technology and not Bitcoin as a currency of transactions in replacement of legit currency. It is likely that the Bitcoin community is misusing the courtesy extended by the MP to meet the members of the community who visited him.

I have today requested Mr Rajeev Chandrashekar to clarify if the report is true and will share his views if I get a reply from his office.

I will be the happiest person if I get clarified that Mr Rajeev Chandrashekar remains what I presumed he was... a knowledgeable and reliable politician who stood for the benefit of the society.

A Disturbing Observation

At the same time it is observed that whether with his knowledge or not, a “Bitcoin Miner” is being run from the website of www.rajeev.in, as indicated by the following report.

What this means is that whoever visits the website of BJP Rajyasabha member Mr Rajeev Chandrashekar, would perhaps be gifted with a “Bitcoin miner injection” into the visitor’s computer.

I would like to point out to Mr Rajeev Chandrashekar that this injection of the bitcoin miner is “Introduction of a computer contaminant” and is a contravention of ITA 2000/8 under Section 43(c) and is also a cognizable offence under Section 66.

I request Mr Rajeev Chandrashekar to clarify if the Bitcoin Miner has been included in his website code with his consent and knowledge. If not he can clarify how it got into his website.

At the same time Mr Rajeev Chandrashekar may clarify his stand on Bitcoin legislation and whether he has given his assurance to “Influence” the legislation ostensibly in favour of the Bitcoin community.

I also request Mr Rajeev Chandrashekar to make a public declaration of his “Bitcoin” and other “Private Crypto currency holding”.

I also request Mr Rajeev Chandrashekar to publicly disclose the entire discussions which he had with the Bitcoin industry representatives which included Mr Satvik Vishwanathan who had been recently arrested by Bangalore police on charges of attempted illegal transactions involving setting up of Bitcoin ATMs, and was therefore a target for investigation by the Enforcement Directorate.

Naavi

P.S: I have been an admirer of Mr Rajeev Chandrashekar, and it is with a lot of pain in my heart and disillusionment that I have written this article. I pray to Lord Ayyappa of Shabarimalai (which Mr Rajeev has visited perhaps today) that let wisdom dawn on Mr Rajeev to clarify that he is not with the Digital Black Currency that Bitcoin represents.


Views of Kris Gopalakrishna…on Privacy…3

(This is in continuation of the previous article)

We shall now take a few other comments made by Mr Kris Gopalakrishna as follows and try to derive an inference out of them.

5. “I think our concept of privacy will go through a change because we are voluntarily disclosing whom we are because we want some service”.

6. “The understanding of data privacy would go through a change once the boundaries around data were clearly drawn, dispelling concerns about disclosing identity”

7. “Establishing policies around data, how industry must responsibly use your data and respect your privacy — today it’s not codified and hence the worry about disclosing your identity,”

I am not sure why Mr Kris says that “Establishing policies around data…is not codified today”. The PDPA does exactly address this issue (though it is in the process of being enacted). The corporate responsibilities on what principles of collection and processing are to be followed, how the “Data Trust Score” has to be developed, etc. have been addressed by PDPA. We only have to get the law passed without delay and get the implementation process into action.

As regards the concerns about disclosing the identity, the concept of the data collector being a “Data Fiduciary” and exercising the responsibility of a trustee can address the concern to a large extent, much more than what GDPR has addressed as the Data Controller’s responsibilities.

If therefore the KGC does not trample on the implementation process of PDPA, privacy governance in India through data protection would make substantial progress. If the DPA then takes control then the data protection regime can bring confidence to people concerned with their privacy.

Speaking on “Anonymity”, Mr Kris has commented:

8. “Globally, companies are looking at anonymising data — stripping data sets of personal attributes of individuals and gleaning meaningful inferences from the data points.”

This aspect has been addressed by PDPA both by declaring that Anonymization takes personal data out of the jurisdiction of PDPA and also by criminalizing the re-identification where anonymized information may be re-identified.

The very definition of “Anonymization” is that it can never be re-identified, but under the concept of “Dynamic Data” and the “Corporate restructuring” as well as AI, nobody can be certain that an anonymization process will be 100% effective.

The failure of anonymization and consequential re-identification can be addressed under PDPA if properly implemented by hoisting vicarious liabilities on the inefficient anonymization as well as the re-identification.

Lastly, Mr Kris has reflected

9. “Unfortunately or fortunately, data, compared to all the previous eras — agriculture, manufacturing and IT or digital — where the economic value lay in physical goods, knows no national boundaries. It can be transmitted without friction. How does a nation create value on the data of its citizens? How does a nation protect the data of its citizens? These are the questions everyone is grappling with”

In this comment, Mr Kris has acknowledged the need for data sovereignty and the need for the country to consider aggregated personal data as an asset of the nation. It is precisely this concept which is in conflict with commercial exploitation and the committee has to show how it will ensure that the national interests are not compromised.

Partially the PDPA will address this issue. KGC will however need to ensure that its recommendations do not provide loopholes for commercial establishments to take the benefits of Indian personal data out of the country. If they are allowed, this will be considered as “Data Laundering” or “Data havala” similar to money laundering and havala.

If this committee can find a Data Governance framework that can prevent the TransUnion type of data heist, then it will be a great achievement. Let us hope the committee would be able to reach this goal.

(Comments welcome)

Naavi


Views of Kris Gopalakrishna…on Privacy…2 Leveraging data for the benefit of the individuals

(This is in continuation of the previous article)

The next two comments of Shri Kris Gopalakrishna that we would like to analyze are

2. “India has a huge opportunity to leverage data in every aspect: data will be very important in providing credit, better banking services, healthcare, education, retail and ecommerce.”

3. “Everywhere, the efficiency can be improved, services levels enhanced. It is not just the companies benefitting, the individual also benefits,”

These comments reflect the potential for corporate benefit such as credit rating, health insurance etc which are projected to be beneficial to the individual because of better efficiency.

Ever since e-Governance and E Banking concepts became a reality in India, we the Citizens and the Consumers have been held out the promise of “Economy through Digitization”. But in practice such economies have never been realized. At one time we had free Banking. Now we need to pay for ATM services and also for physical visits to the branches. There are charges for NEFT transfers (maybe it is removed now). The annual ledger charges have now become service charges and the Government benefits on these through Service tax and GST. As a result, E Banking has become more expensive than non e-Banking. Similarly, E Governance has become more expensive than non e-Banking. Over and above this, fraud risks are to be borne by customers. Even Cyber Insurance cost is hoisted on the consumers.

This “Higher Efficiency and benefit to the consumer” is therefore a scam that IT companies promote. The less said about it, the better.

Let us therefore forget this benefit coming to consumers out of Big Data Governance. The fact is that eventually, commercial companies will make more money, consumers will pay for more security. There could of course be new services and convenience, but it is a trade-off with additional cost.

We can also look at another comment made by Mr Kris that is related to the above.

4. “In the physical world, property rights have been clearly established. I think, over time, property rights will be clearly established in the online world.”

We have debated this at length earlier. GDPR has not adopted the “Property” concept. California Consumer Privacy Act has adopted the “Property Concept”. In India DISHA (proposed) endorsed the property concept of personal data but PDPA rejected it and brought in a superior concept of “Data Trusteeship”.

The concept adopted by PDPA is globally unique though many in the industry may not appreciate its value and by ignorance degrade it to the GDPR concept of “Personal data being a transferable Right”.

This is one area where I would wish the KGC does not err. I urge each of the members of the committee to go through the discussions presented at naavi.org on the concept of “Data Fiduciary-Data Principal relationship” and how it differs from “Data Controller-Data Subject relationship”.

Initially, I had also preferred the “Property” concept at one level and a separate intermediary of “Data Trusts”, but Justice Srikrishna was more innovative and suggested something better in the concept and merged the concept of Data Trusts into the concept of Data Controller and created the “Data Fiduciary”.

This innovation needs to be preserved as it has the potential to be one of the most innovative concepts in Data Protection regulations across the globe.

While leveraging the benefits of the Personal data aggregation, the KGC should ensure that “Data Laundering” through “Mergers and Acquisitions”, as we have pointed out in the case of TransUnion taking over CIBIL, is prevented.

Similar corporate re-structuring tactics may be used to defeat some of the provisions of Data Protection such as Data Sovereignty and cross border restriction of personal data transfer.

We need to watch if these contentious issues will be addressed by the committee with National Interest in mind.

Personally, I have an apprehension that the strong industry lobby that opposed Data Localization in PDPA will, through NASSCOM and other industry members of the committee try to dilute the Data Sovereignty principle and the Data Localization requirements. Taking a conspiratorial speculative outlook, I even have a thought in the corner of my mind that this committee has been formed only with the idea of killing the Data Localization concept strongly promoted by Justice Srikrishna committee. I hope Mr Kris will realize this in due course and does not allow such manipulation.

I hope the minutes of meeting of this committee would be available under RTI for the public to ensure that no such deviations of purpose occur.

In fact, these are the days when Legislative proceedings are broadcast in realtime and we are asking Supreme Court to conduct hearings with a real time video broadcast to the public. It is therefore time to consider that committees such as these also should consider public broadcast of their proceedings. This will ensure transparency to the operations of the committee.

Will the Chairman consider video broadcasting of proceedings in real time?

(Continued)

Naavi


Views of Kris Gopalakrishna.. What do they indicate for the Privacy regulation in India?

(Continued from the previous article)

Shri Kris Gopalakrishna, Co-Founder of Infosys who has been appointed the “Chairman” of the “Expert Committee on Data Governance Framework” with the terms of reference

a) To study various issues relating to Non Personal Data

b) To make specific suggestion for consideration of the Central Government on regulation of Non Personal Data

has provided some indication of what is in his mind on “Privacy” and “Data Protection” through his interview in ET. From his interview we have culled out 9 statements on which we provide our comments.

The reason why we are taking up this for debate is that the views of the Chairman of the committee could influence the final outcome of its recommendations and hence it is necessary for data protection regulation watchers to understand his mindset.

The views and corresponding comments are as follows. These comments do not necessarily indicate any disagreements but try to clarify issues.

  1. “the broad strokes of data regulations lie in trying to leverage the economic value of data for the benefit of the citizens, not just for corporations, and protecting them from the vulnerabilities inherent in the digital era.”

In the past, the broad strokes of “Data Protection regulation” were embedded in “Cyber Crime Prevention” legislations such as ITA 2000/8. It recognized “Data” as a valuable asset of the organization and companies do protect data in their own interests. But when an enterprise fails to protect data and, apart from adversely affecting its own interest, adversely affects the interests of other persons, the law provided a remedy which included prosecution of the company and its officials for negligence.

After the advent of strong data protection laws, the broad strokes of “Data Protection Regulation” leveraged the need of individual privacy protection. Hence GDPR prescribed stringent penalties that made the industry sit up and take notice of the compliance requirements. In India, PDPA was framed by Justice Srikrishna to provide a similar “Data Protection Governance Framework”.

These regulations kept a window open to accommodate the interests of the Data Analytics industry by accommodating “Legitimate Interest” and “Anonymization of Personal Data”.

Anonymized data was completely out of the Data protection regulation and “Re-identification of anonymized data” was a punishable offence/civil wrong in some of these regulations. Similarly, Corporate data was out of the purview of these legislation, though some ambiguities remained on “Employee Data” and “Business E-Mail”.

The “Data Governance Framework” of pre-data protection regulation era and also the “Anonymized and Non Personal Corporate Data” in the “Post-data protection regulation era” was dictated by frameworks such as the Information Security models of ISO. In the post data protection regulation era, the GDPR/PDPA compliance framework assumed importance and supplemented the earlier ISO frameworks. Some of the ISO frameworks like ISO27001 voluntarily added ISO27701 like provisions as extensions so that it can assist companies for securing both corporate and personal data.

The PDPSI (Personal Data Protection Standard of India) as proposed by Naavi was a “Data Governance Framework” for personal data and suggests a similar approach to Corporate/Non personal data.

Now the Kris Gopalakrishna Committee (KGC) on Data Governance Framework has flagged the “leveraging the economic value of data” for the benefit of the citizens. This “economic value” gets generated by the aggregation and derivation out of the individual data accumulated from different sources. If the source is “Anonymized pool” of personal data (which may include the IoT data), the economic value of the aggregated data is what the Big Data industry is today exploiting.

The Justice Srikrishna committee however flagged a different type of data where one person provides an identified data under a consent but it automatically reveals the personal data of his family or community and on aggregation reveals certain value added behavioural information and raised a concern that this needs to be regulated.

It is not clear if the KGC will restrict its recommendations to the processing of “Anonymized personal data” only or “Identified community information” which relates to “Community Privacy”.

The views of Kris Gopalakrishna indicate that contributors of individual data should benefit by their contribution even when anonymized, and converted into value added data. This is the concern raised by Naavi in his article on Dynamic Data.

There is an IPR issue in the case of such value creation and whether the citizen can be provided a part of the benefit through a legislation and if so, how needs to be explored.

(To be continued)

Naavi


Kris Gopalakrishna clarifies the role of Data Governance Committee

We refer to our two earlier articles on the subject of “Data Governance Framework” and the new Expert Committee on Data Governance that has been announced.

It was pointed out that the Srikrishna committee had spoken of the necessity of a new regulation for what Justice Srikrishna described as “Community Privacy”. This new “Right” of the “Community” was recognized because the “Identified Personal Data” of individuals to which the PDPA (Personal Data Protection Act) referred would, when aggregated, lead to “Identifiable Community Data”.

The notification of the committee however referred to a different term called “Non Personal Data”. Non Personal Data could be “Anonymized Data” since “Anonymized data” is anyway out of scope of PDPA and not considered as “Personal Data” at all.

Non Personal data however includes corporate business data as well as the community data which Justice Srikrishna committee referred to. Presently such data is being secured under ITA 2000/8 and the “Prohibition of Re-identification” under PDPA. But neither of these two aspects cover the concept of “Community Privacy” which remains a term yet to be legally defined and covered under any law.

We pointed out in our articles that creating a regulatory framework for addressing the “Community Privacy” issues is a continuation of the PDPA work and is as complex as the personal data protection itself. We also pointed out that the “Data Governance Framework” as the industry perceives is today dictated by the Business requirements of an enterprise and the personal data protection requirements are super imposed on the Corporate Data Governance Framework as “Compliance Requirements”.

We pointed out that the notification refers to “Deliberation of Data Governance Framework” but refers to the Srikrishna committee in its preamble (which was concerned with “Community Privacy”), while the terms of reference made a reference to issues related to “Non Personal Data”. In the context of the legislatory requirements envisaged by the Justice Srikrishna committee, it was also pointed out that the constitution of the committee did not reflect the requirements.

If however, the reference to Srikrishna committee is ignored and what this committee is to deliberate is only on “Big Data Processing”, then its constitution with people with IT industry experience is good enough. It would then be like the Committee on E Commerce which gave its own recommendations within the PDPA provisions. But the committee in its final report should not over step its expertise boundaries and recommend concessions to the Data Analytics industry which would be in conflict with PDPA, either by design or by error.

I am reminded of two other instances in the legislative history of Cyber Laws in India which presented similar issues and Naavi.org had reasons to raise its voice.

The first was the “Expert Committee” which was formed in 2005 to look into amendments to ITA 2000 following the Bazee.com issue which wanted an immunity to be given to Intermediaries from being held liable under Section 79 of ITA 2000.

Second was when the G Gopalakrishna Committee of RBI deliberating on the E Banking security guidelines was tried to be manipulated by some Bankers within the Committee to secure their interests by declaring OTP and 2F authentication as “Electronic Signature”.

On both these occasions, Naavi.org vehemently opposed the moves and finally the committees made changes to incorporate the views.

In the first instance, the 2005 amendments were replaced with the 2008 amendments by the standing committee of the Parliament headed by a Congress MP Mr Nikhil Kumar. (Refer here)

In the second instance, the GGWG committee itself dropped an entire proposed chapter on legal issues and reverted back to the Internet Banking guidelines of 2001. (Refer here for details)

We wish that the Kris Gopalakrishna committee will be responsive enough to understand the concern expressed by us that what the Srikrishna Committee wanted is different from what the terms of reference to this committee indicate and it would not be proper for this committee to tread into the shoes of regulatory extension of PDPA, unless the committee consists of a strong judicially oriented person/s. Otherwise the committee may come up with recommendations which will meet opposition of Privacy activists.

What Kris Gopalakrishna says

In this context it is interesting to note what Mr Kris Gopalakrishna has said yesterday in an interview with ET.

His comments as indicated in the ET report are as follows and we shall comment on each of these as the “Views of the Chairperson of the proposed committee which may redefine Privacy laws in India”.

a) “the broad strokes of data regulations lie in trying to leverage the economic value of data for the benefit of the citizens, not just for corporations, and protecting them from the vulnerabilities inherent in the digital era.”

b) “India has a huge opportunity to leverage data in every aspect: data will be very important in providing credit, better banking services, healthcare, education, retail and ecommerce.”

c) “Everywhere, the efficiency can be improved, services levels enhanced. It is not just the companies benefitting, the individual also benefits,”

d) “Globally, companies are looking at anonymising data — stripping data sets of personal attributes of individuals and gleaning meaningful inferences from the data points.”

e) “The understanding of data privacy would go through a change once the boundaries around data were clearly drawn, dispelling concerns about disclosing identity”.

f) “Establishing policies around data, how industry must responsibly use your data and respect your privacy — today it’s not codified and hence the worry about disclosing your identity,”

g) “I think our concept of privacy will go through a change because we are voluntarily disclosing whom we are because we want some service”.

h) “In the physical world, property rights have been clearly established. I think, over time, property rights will be clearly established in the online world.”

i) “Unfortunately or fortunately, data, compared to all the previous eras — agriculture, manufacturing and IT or digital — where the economic value lay in physical goods, knows no national boundaries. It can be transmitted without friction. How does a nation create value on the data of its citizens? How does a nation protect the data of its citizens? These are the questions everyone is grappling with”.

These indicate his present views and could get reflected in the final report of the committee also. It can be considered as what the Committee may view as its own interpretations of the terms of reference.

Hence we need to take this up for debate so that the Committee proceeds in the right direction.

My Comments on the above views will follow in the next article. Readers can also send their comments to Naavi.

(To Be continued)

Naavi


What is Data Governance Framework ?

(This is a continuation of the earlier article)

The Government of India has constituted a committee to deliberate on “Data Governance Framework”.

The notification of the committee has defined the “Terms of Reference” as

  1. To Study various issues relating to Non-Personal Data
  2. To Make specific suggestions for consideration of the Central Government on regulation of Non Personal Data

Accordingly, what the Government is looking at is a suggestion on “Regulation of Non Personal Data”.

The next question that arises is what is “Non Personal Data” and what are the “Issues relating to Non Personal Data”?

If we look at the preamble to the formation of the committee, there is a reference to SriKrishna Committee recommendations and its reference to “Aggregation of Personal Data” and the “Generation of Community data through aggregation of individual data”.

The Title of the notification, the preamble and the terms of reference do not seem to converge on the same thought and hence the committee will have to start by first clarifying what it proposes to do.

A general meaning of “Data Governance Framework” (DGF) would be a standard methodology by which data can be managed in an organization from its generation to disposal.

The elements of such a DGF would cover the process of collection, processing, storage, transmission, security, exploitation etc.

Today we are managing data by classifying it either as Corporate Data or Personal Data. Before the advent of Data Protection regulations, the emphasis was mainly on “Protection of all Data” that an enterprise controls.

The treatment of data was basically like an “Asset” for which the enterprise has spent resources to collect and therefore it needs to be kept confidential and protected from it being stolen.

Since Data is used as a tool for business decision making, it was essential for data to be made “Reliable” for decision making and hence the Availability and Integrity was important and they became part of the CIA triad of Information Security. As the legal perspective developed, Authentication and Non Repudiation got added to the objectives.

This approach covered all data and included the “Personal Data” which was also protected.

The emergence of stringent laws such as GDPR changed the focus of Information Security and today, protecting “Personal Information” gets more attention than protecting “Information” in general. The DPO therefore is gaining more prominence than the CISO in an organization, since his role extends beyond the organization and also that under GDPR he enjoys certain immunity against management action to remove him unfairly.

As a result of the data protection regulations, the “Data Governance Framework” has to address these regulations and follow the prescriptions provided therein.

Data protection regulations like GDPR are completely devoid of a realization that “Data” is a “Raw Material” for businesses, and the attempt to ignore this aspect makes the regulations impractical to be appreciated by the business managers. Though PDPA (Personal data protection act of India) is a little more considerate on the business, the window of business exploitation of “Personal Data” for business is very narrow under GDPR. The Californian Consumer Protection Law recognizes that Personal Data is a “Property” and the data subject can provide his consent for sale.

For an organization, accommodating the different personal data protection laws along with its own “legitimate interests”, is a big challenge which the “Data Governance Framework” needs to address.

It is not clear if the Kris Gopalakrishna Committee is likely to address the Data Governance in this context.

Readers of this site are familiar with the proposition of PDPSI, or Personal Data Protection Standard of India, which tries to provide a “Framework” for Personal data protection which inter-alia is a “Personal Data Governance Framework”.

Now what is required is to add the “Corporate Data Protection Standard” to PDPSI to arrive at the “Integrated Data Protection Standard which will also be the Data Governance Model for the enterprise” which has both personal data and corporate data.

The terms of reference of the committee refer to “Non Personal data” which is obviously part of the total data but is not personal data governed by the personal data protection regulations.

Can this “Non Personal Data” be considered simply as “Corporate Data” and the Data Governance model be built as a combination of “Personal Data Governance” plus “Corporate Data Governance”?… is one option which the committee can consider.

Obviously this “Corporate Data Governance” will have to focus on the CIA triad since it is the Data property of the enterprise.

However, the Srikrishna Committee which is the basis for this Kris Gopalakrishna committee as per the preamble, flagged a different aspect of Data to be brought under regulatory provisions.

The concept which the Srikrishna Committee flagged was “Community Privacy” which was the need to protect aggregated personal data. Such aggregated personal data might have been collected individually under a “Consent” regime and hence may be covered under the Personal Data Governance model which complies with the GDPR/PDPA etc.

What the Srikrishna committee was referring to was the recognition of the concept of “Dynamic Data” which we highlighted earlier and explained in the following two articles.

  1. Data Processors may be able to create a Diamond out of Charcoal…
  2. The theory of Dynamic Data

I request readers to spend some time trying to assimilate the thoughts that may be buried in these articles which are relevant for our discussion on what the Kris Gopalakrishna Committee is expected to do.

The basic idea I have tried to explain in these articles is that the concept of Personal Data as we now try to apply may need a re look. Personal Data is not like a PDF document that exists containing the name, address etc of an individual to be able to be classified as either “Personal data” or “Sensitive personal data” and subjected to the controls of Governance.

Within an organization, “Data is Dynamic”. It starts with a few elements of the data which soon, like a rolling snowball, acquires other data around it and becomes significant.

This change of the nature and value of personal data into something else by aggregation or derivation is what the Srikrishna committee recognized as “Community Data” and suggested a legislative framework to be explored beyond PDPA.

Ideally this exploration should have been entrusted to Justice Srikrishna himself since he could have then created a legislation which was seamlessly integrated to the PDPA. Instead we now have a corporate committee sitting to develop a new legislation which is a complicated legal challenge.

The industry is interested in protecting its “Right to Process Data” and make money out of it. This includes the “Right to Sell Personal Data of its customers” either in the raw form in which it is supplied by the data subjects or in a modified value added form which the enterprise develops through its own investment.

The GDPR was clearly ambiguous in its approach because it could lead to an interpretation that when the data subject requires portability or erasure of his data, it extends not only to the data supplied by the data subject but also the data derived by the organization in the form of a “Profile”.

It is in this context that we had raised the issue of if the data subject has given charcoal and the data processor has created diamond out of it, when a portability request is received, how fair it would be to demand that the diamond be returned.

The Kris Gopalakrishna Committee has to find an answer to this dilemma.

In our theory of Dynamic Data, we have also raised the issue of “Data being a stream of binary expressions” and all other forms of data are “Interpretations of the software and hardware”. We are receiving the “Consent” for the data to be used for a purpose but more often the data processor discovers new uses of the data for which no consent has been obtained earlier. GDPR simply disposes of this challenge saying that let the data processor/controller obtain new additional consent without understanding the practical difficulties in building a business with such a rigid control of purpose.

Many times, the controller/processor need not do any specific processing routine for the raw data to acquire value over time like the value of wine that increases with age. One example of this is the CEAC Drop Box concept of Naavi or even the Webarchive.org service.

Recognizing that data changes its status by efflux of time as well as by aggregation, application of data analytics etc and providing room for their usage is part of the Data Governance legislation that this committee needs to address.

Whether “Anonymization” addresses all requirements of a Big Data Company or there are specific instances under which identifiable personal data also needs to be aggregated are issues to be debated and provided for in the Data Governance Framework.

The Data Governance Framework also needs to address the “Data Laundering” that happens through mergers and acquisitions as we recently highlighted in the TransUnion CIBIL case.

The Data Governance Framework also needs to address the need for “Data Sovereignty” which will have an impact on Data Localization.

Thus it appears that the Terms of Reference is too sketchy and needs to be expanded further. At the same time, for all the issues mentioned here, the constitution of the Committee will be ill equipped to debate and arrive at the right decisions.

Now that the committee has already been announced with a former CEO of an IT Company as its head, it is impossible to bring a heavy weight Judicial person like Justice Srikrishna. But none of the present committee members represent the Techno legal experience required to interpret the status of different kinds of data and how data changes status etc.

We need to wait whether like in the case of Srikrishna Committee, it holds consultations with the public, presents a draft report for further discussion etc. On the other hand, if it just meets a couple of times and releases a NASSCOM draft as its report, then there could be conflicts with the PDPA.

Let’s wait and Watch.

Naavi
