Naavi.org

Personal Data Protection Standard of India (PDPSI) is the standard being developed by Cyber Law College of Naavi to assist the compliance of Personal Data Protection regulations in India. We had earlier mentioned the first version of PDPSI as PDPSI-0219. It is time now to report a small progress with the second version of the document PDPSI-0319, which is also a work in progress.

The objective of this Document is to codify the set of standards that are aimed at providing compliance of data protection regulations in India.

The scope of this document  encompasses the requirements of ITA 2000/8, the proposed PDPA 2018, BS10012 principles of  GDPR.

We the people of India have adopted our own regulatory standard for personal data protection and protection of Information Privacy of Indian Citizens as guaranteed by our constitution. We first notified Information Technology Act 2000 (ITA 2000) with effect from 17^th October 2000 incorporating the responsibilities of citizens including corporate entities for protecting data both personal and otherwise. With the amendments in 2008 effective from 27^th October 2009, the new version of ITA 2000 namely the Information Technology Act 2000/8 (ITA2008) further codified the responsibilities of Body Corporates and others in protecting Personal Data and Sensitive Personal Data.  ITA 2008 and the rules that followed on 11th April 2011 also had provisions for “Reasonable Security Practice” and “Due Diligence” which were the grounds for the first set of “Personal Data Protection Standards” in India.

After the Supreme Court of India came out with its judgement on Privacy which inter-alia recognized the need for “Information Privacy Protection”, a strong emphasis was laid on Personal Data Protection in India. The operating guidelines for meeting the expectations of the Supreme Court expanding the scope of ITA 2008 and its rules came in the draft form through the Draft Bill titled “Personal Data Protection Act 2018” (PDPA 2018). Though PDPA 2018 is today only a work in progress to be re-introduced as a new Bill after the next elections, the broad contours of Personal Data Protection in India has been firmly laid by this proposed bill drafted by a former Justice of Supreme Court namely Justice Bellur Narayanaswamy Srikrishna.

Though PDPA 2018 has adopted several principles of Privacy Protection from global documents including the GDPR (General Data Protection Regulation of the European Union), the compliance requirements in India regarding Information Privacy Protection is distinct and includes compliance of ITA 2000/8 as well as parts of Aadhaar Act as well as the proposed PDPA 2018 etc.

In view of this wider and distinctive scope of Indian regulations on Information Privacy Protection, it is considered that global standards of data protection contained in ISO 27001 or BS 10012 are considered inadequate to meet the requirements in India.

The long term objective of this document is to ensure that “Standards” are not to remain “Proprietary” and must be made known to the stake holders who are expected to implement them. Hence Naavi intends to make this standard open source once a formal sufficiently refined version of the standard emerges.  Until then, only some high level concepts may be publicly released.

In the new version, an attempt has been made to expand the portion of “Classification of Data” because it is the key to further implementation. The required classification is depicted in the following diagram.

Salient Features

This system of data classification will first recognize the data that may be flowing in the organization and classify them in the first level to “Individually Identifiable Data” and “Corporate Data”.

Personal data will consist of such data that identifies an individual. Corporate data includes business related data which does not contain personal data. Protection of Corporate data is part of the DPSI while PDPSI focuses on protection of Personal data.

Individually Identifiable Data is further tagged with the following attributes

1. 1. Employees and Non Employees
   2. Subject to Indian Laws only and Subject to Indian and Foreign Laws
   3. Personal and Sensitive Personal
   4. Adult and Minor

Individually identifiable data of Employees is considered as “Corporate Data” but may be subject to additional compliance requirements depending on the applicable laws whether Indian or foreign.

Classification of Personal and Sensitive Personal, adult and minor may also be different based on the applicable laws.

The above attribute tagging will be applied to a set of data elements which is considered as a “Package”. Each such “Individually identifiable Data package” shall carry a distinct identity as “Package ID”. Every element of the Package ID shall be tagged in further usage with the “Package ID”.

Every package will be identified with a “lead element”, which could be the name or another identity parameter.

(I welcome comments)

Naavi

We have earlier discussed the broad contours of Naavi’s  “Personal Data Protection Standard of India” (PDPSI) followed by Ujvala Consultant’s Pvt Ltd. The PDPSI is meant to cover the requirements of Data Protection by Indian Companies exposed to the compliance requirements under PDPA 2018 (as proposed) and encompass the best practices covered under BS10012.

As a refinement of the approach to the standards, it is now decided that PDPSI-0219 will be considered as a subset of DPSI which shall be the standard for Data Protection in general by a Data Processing industry. This should be compliant with the ITA 2000/8 which applies to all kinds of data whether it is Personal or Corporate.

PDPSI itself will be divided into two levels namely Level I which will apply to Personal Data and Level 2 which will apply to Sensitive personal Data. DPSI will apply to Personal Data, Sensitive personal data and corporate data which does not consist of Personal Data.

Further DPSI will have schedules that map PDPSI to different regulations of other countries such as GDPR, CCPA, HIPAA, UK-PDPA etc.

The Data Protection Audit suggested by Naavi would be based on DPSI/PDPSI as the case may be.

The objective of developing these standards is to make the guideline available free of charge to the companies who need to implement data security as against the current system where they need to incur enormous expenses to buy standards even before implementing them.

More information will follow.

Naavi

It was interesting to note that one of the law colleges in Bangalore has announced a moot court competition which recognizes some of the latest developments in the field of technology and law in India.

It is a general observation that the curriculum of LLB does not have an in depth discussion of ITA 2000/8. Though Bar Council has requested all colleges to incorporate Cyber Laws in their regular curriculum, it remains mainly an optional subject.

In the light of this perception, it was a surprise to know that Bishop Cotton Women’s Christian Law College, Bangalore has chosen for its 7th National Moot Court competition a problem which includes “Artificial Intelligence”, “Facebook Cambridge Analytica”, “Personal  Data Protection Act” etc.

A Copy of the Moot Court challenge is available here.

Though the link between AI, FaceBook and PDPA 2018 are structured a bit artificially, the attempt to introduce new technology terms to the law students is a matter to be appreciated.

Naavi

Naavi joins the lighting of the lamp in inaugurating the workshop 

A Unique one day workshop was conducted in Chennai on 16th March 2019 on “Section 65B of Indian Evidence Act”.

The Workshop was inaugurated by Honourable Justice Sri M. Jaichandren, in the presence of Honourable Justice, Dr S. Vimala, Senior Advocates, Mr Masilamani and A Thiagarajan. Mr Na Vijayashankar (Naavi) as Founder Chairman of Foundation of Data Protection Professionals in India (FDPPI), and a pioneer in Section 65B, conducted the knowledge session. Mr S.Balu President of Cyber Society of India (CySi) and formerly head of the Cyber Crime division of Chennai organized the event.

The Print Version of the book with latest updation, titled “Section 65B of Indian Evidence Act Clarified” by Naavi was released during the event.

The workshop was unique because it was completely focussed on Section 65B which has been in operation since 17th October 2000 but whose importance had not been fully realized until the Supreme Court judgement in 2014 in P V Anvar Vs P.K. Basheer, declaring that it is mandatory for admissibility of electronic document as evidence.

Since then the difficulties in understanding the provisions of Section 65B has also come up for discussion in some fora even to suggest that it may need an amendment.

Naavi clarified the doubts regarding the section and also highlighted why Section 65B was a master stroke in ITA 2000.

An illustrative caricature drawn by Mrs Saranya Devi under the guidance of S.Balu which explained the concept and attracted attention during the workshop is reproduced below.

The caricature explains how unlike a human witness who reproduces an evidence from his brain memory is not asked for any certification (other than the deposition itself) while  a CCTV footage when produced as an evidence requires to be certified under Section 65B under the same logic that the “Computer Witness like a human witness needs to depose but can do so only with the assistance of a human who is the Section 65B certifier.”

A gallery of eminent speakers made the event memorable.

A more detailed report on the event would be provided later.

During the event the Chennai Chapter of FDPPI (www.fdppi.in) was also inaugurated and Naavi explained why Section 65B is also relevant to the Data Protection Industry.

The event was a great success.

More information on the event will follow.

Naavi

The ordinance promulgated by the government on March 2, 2019, has once again brought the focus back on the use of Aadhaar and a possible challenge to it in the Supreme Court.

Aadhaar has become an “Instrument of Identity” similar to the “Social Security Number” and similar national identity instruments prevailing in other countries. Even the Supreme Court has conceded that Aadhaar can play a significant role in efficient and transparent governance, and more importantly, in the prevention of corruption.  However, the use of Aadhaar is being repeatedly challenged by privacy activists, alleging that its widespread use could lead to infringement of privacy—a fundamental right of all citizens.

It would, therefore, not be surprising if some privacy activists again knock at the doors of the Supreme Court with a plea to get the ordinance scrapped, perhaps alleging that it is an attempt to violate the principles of privacy laid out in the Supreme Court judgment of September 2018 on Aadhaar (KS Puttaswamy vs Union of India case).

The Puttaswamy judgment raised serious concerns about the use of Aadhaar by private sector companies which had been permitted under Section 57 of the Aadhaar Act. The majority judgment struck down that part of Section 57. Consequently, Section 57 of the Aadhaar Act stood read down with the following effect:

57. Act not to prevent use of Aadhaar number for other purposes under law.

Nothing contained in this Act shall prevent the use of Aadhaar number for establishing the identity of an individual for any purpose, whether by the State or any body corporate or person, pursuant to any law, for the time being in force. Provided that the use of Aadhaar number under this section shall be subject to the procedure and obligations under section 8 and Chapter VI.

It must be recognised that the Puttaswamy judgment did not impose a blanket ban on the use of Aadhaar, either by the government or other entities. It only prohibits the use of Aadhaar under any contract not pursuant to any law. The Court therefore suggested that a proper law should be passed to enable the use of Aadhaar.

The citizens of the country are well aware of the fact that Aadhaar is an “Identity Infrastructure” created by two successive governments at enormous cost to the people of the country. Therefore, it is illogical to block the use of this infrastructure to be harnessed fully for the benefit of the citizens.

However, after the Puttaswamy judgment, the private sector stopped using Aadhaar as an identity management tool since the widely used Aadhaar authentication-based e-KYC system was not part of the Aadhaar Act.

The e-KYC system used for Aadhaar was part of the notified rules of the Controller of Certifying Authorities for e-Sign as an electronic signature under Section 3A of the Information Technology Act, which may be considered as an extension of a statutory base for its use in that context. But KYC which was part of many other regulations such as the RBI guidelines was more of an administrative guideline or a best practice adopted by the industry.

Hence, the government was under an obligation to clarify the use of Aadhaar by private sector companies by enacting suitable legislation so that it became part of Section 57 after its partial striking down by the Supreme Court.

Further, the Justice Srikrishna Committee on Data Protection had recommended a full set of amendments to the Aadhaar Act in an appendix to its report. While the government had introduced the Personal Data Protection Bill as recommended by the Srikrishna Committee, it had to introduce the Aadhaar-related amendments recommended by the committee as a separate amendment bill.

The government was therefore correct in introducing the Aadhaar (Amendment) Bill on January 2, 2019. Though this Bill was passed by the Lok Sabha, it could not be passed in the Rajya Sabha during the current tenure and hence lapsed. In order to ensure that the private sector is not inconvenienced due to the lack of a lawful process of using Aadhaar, the government came up with the Aadhaar ordinance.

Hence, sufficient justification can be provided for the need for the ordinance and its promulgation by the government at this point of time.

Key Provisions of the Ordinance

Some of the key provisions of the ordinance which we can take note of are as follows:

• The ordinance completely removes Section 57 of the Aadhaar Act though only a part of it had been struck down by the Supreme Court. The other changes are meant to offset the adverse effect of the removal of Section 57.

This was an unwarranted overreaction by the government.

• A distinction is sought to be made between the use of Aadhaar for “Authentication” and “Verification” and the concepts of “Offline Verification” and “Voluntary Permission to use Aadhaar based on an Informed Consent”. However, the distinction made between “Authentication” and “Verification” is very fragile and may require reconsideration.

“Offline Verification” is defined as a “process of verifying the identity of the Aadhaar number holder without authentication, through such offline modes as may be specified by regulations” [Proposed amended section 2(pa)]. On the other hand, “Authentication” is defined as “a process by which the Aadhaar number along with demographic information or biometric information of an individual is submitted to the Central Identities Data Repository for its verification and such Repository verifies the correctness, or the lack thereof, on the basis of information available with it” [current section 2(c)]. The distinction made out appears to be merely a play of words and would be difficult to justify.

• A fairly large civil penalty of up to Rs 1 crore has been introduced for each violation in case any entity in the Aadhaar ecosystem fails to comply with the provisions of the ordinance.

The imposition of the penalty is supported by the proposal for appointment of one of the officers of the UIDAI as an adjudicator and TDSAT as the appellate authority. After a matter is decided by the TDSAT, further appeals would lie directly before the Supreme Court, thus completely eliminating the role of the high courts.

In case of Cyber Appeals, further appeals from TDSAT go to the respective state high courts and a similar provision could have been made in the Aadhaar Act also since many of the members of the Aadhaar ecosystem could be small entities across the country, and a TDSAT with a presence only in Delhi without sittings and benches elsewhere would create a huge financial burden on the litigants.

This provision has been made to make the work of UIDAI easy at the cost of inconveniencing the litigants.

• The criminal penalty prescribed under Sections 38 and 39 of the Act has been enhanced from imprisonment of 3 years to 10 years and the imprisonment term under other sections has also been enhanced, thus making the law more stringent.

This should please the privacy activists.

• In a consequential amendment to the Indian Telegraph Act, telecom companies have been permitted to use Aadhaar for identification with options being made available to the public to use alternative modes of identity verification.

This provision comes as a big relief to telecom operators.

• In a consequential amendment to the Prevention of Money Laundering Act, 2002 (PMLA 2002), the use of Aadhaar has been permitted for banking companies while others may use Offline Verification and other alternatives.

The Fintech industry is not happy with their exclusion. Perhaps those Fintech companies which are not “Banking Companies” but are registered in some regulatory category with RBI or SEBI could be provided the use of Aadhaar.

• The ordinance includes “Virtual Identity” also as an “Aadhaar number” [Proposed amended section 2(a)].

This has defeated the very purpose of introduction of the Virtual Aadhaar ID, and the government has missed an opportunity to declare it as a derivative service which does not violate the privacy of the Aadhaar holder particularly when it is used without the use of biometrics.

In summary, it can be stated that the “Ordinance” was perhaps justified but some of the provisions of the ordinance must be revisited when the Bill is finally taken up for discussion when the next Parliament meets.

It can also be stated that there is no need for any immediate judicial challenge to the ordinance since its life span is short and it will come up for automatic reconsideration within the next six months.

Naavi

[This is a reproduction of article earlier published in India Legal magazine]

Ever since GDPR came into circulation, it has become a trend setter in Data Protection Regulation. When PDPA 2018 followed, it was natural that several concepts which were part of GDPR also became a part of PDPA.

Since GDPR had a legacy of EU Data Protection, the WP 29 documents and further a two year leadtime for implementation and now nearly one year after its implementation, there is a huge knowledge base already created on GDPR and most of the Indian practitioners are also familiar with the provisions as they have had multiple rounds of discussions with their foreign counterparts.

It is therefore natural that any aspect of PDPA2018 will quickly be interpreted as per the learning under GDPR. In this process there is a danger of misinterpreting PDPA 2018 and this should be avoided. We need to explore PDPA 2018 withut being prejudiced by our perceptions of GDPR. If necessary we need to unlearn some of our dogmas created if any out of GDPR before we learn PDPA.

Naavi therefore advocates a clean interpretation approach to PDPA without the overhang of our GDPR baggage. The PDPSI (Personal Data Protection Standard of India) is one such approach advocated in this context because PDPA holds some innovative differences with GDPR which needs to be recognized.

There is no doubt that the first and the most critical differences between GDPR and PDPA is the re-defining of the Data Subject-Data Controller relationship as Data Principal-Data Fiduciary relationship. This has been discussed several times in the past through these columns and remains the fundamental difference between GDPR and PDPA and any comparison without taking this into consideration would be like comparing  Apple and Oranges.

I am not sure that the full implications of this innovative master stroke has sunk in the minds of the Indian Data Protection Professionals as they try to look into PDPA with the colored glass of GDPR. There is a danger of this being missed by legal pundits also as we move towards the formalization of the PDPA Bill into an Act in the coming days. Even the DPA when it comes through may not find it easy to remember that PDPA is not Indian GDPR and they need to be reminded again and again that “It is different”.

But in addition to this fundamental redefinition of the role of the so called “Data Controller” as a “Data Fiduciary”, there are some more  differences which we need to recognize so that we realize that PDPA 2018 is not a copycat of GDPR. It does incorporate many of the provisions of GDPR but tries to add it’s own spice in between.

Let us try to capture some of these minor differences before we get back to the analysis of the  Data Fiduciary master stroke.

1.  Classes of Data Fiduciaries

GDPR recognizes Controllers, Joint Controllers, Processors and Recipients as different entities who handle the personal data and sensitive personal data which is the subject matter of protection.

On the other hand PDPA recognizes Data Fiduciaries, Significant Data Fiduciaries, Guardian Data Fiduciaries as different classes of Fiduciaries in addition to the Processor. Significant and Guardian Data fiduciaries maybe required to register themselves with the DPA.

2. Criminal Penalties

PDPA includes Criminal punishments for data breach while GDPR does not

3. Right to Forget

Under PDPA, right to erasure requests are subject to adjudication by an external authority. In GDPR it is the decision of the Company.

4. Dispute Resolution Mechanism

Instituting a dispute resolution mechanism is mandatory under PDPA and is a recommended good practice under GDPR.

5. Mandatory Annual third party Data Audit

PDPA requires a mandatory data audit by an external auditor on an annual basis besides DPIA. No such requirement is there in GDPR.

6. DPO as a Service

GDPR provides an external consultant who can work as a DPO. PDPA has no such provision

7. Harm Audit

PDPA includes a concept of “Harm Audit” to be conducted which is an assessment of the gravity of a data breach incident. This may also be required when there is a conflict between RTI Act and disclosure under PDPA. Under GDPR no such mention has been made though the concept is inherent in every data breach notification policy.

8.Data Trust Score

 PDPA requires Data Auditors to compute a Data Trust Score for every organization they audit. This is not part of GDPR.

9.  Data Breach notification

Under PDPA, data breach notification to the data principals is determined by the DPA. There is no such requirement under GDPR where the company has to decide.

10: Official Identifier

Official identifier such as Aadhaar is declared as a Sensitive Personal Information under PDPA. GDPR leaves it to the member countries to determine how the national identifiers would be processed.

11. Codes and Practices

PDPA has left it to the DPA to define the codes and practices  besides an enabling provision for industry bodies to come up with their own codes to be approved by the DPA. GDPR has also a similar provision where the member states will encourage development of codes and practices and certification bodies will be accredited by the supervisory authorities.

12.Secular status

GDPR provides some exemptions to Churches whereby they can apply for their own regulation to be brought into the legislation. Indian PDPA has no such recognition of any religious rights and is therefore more secular than GDPR.

13. Employment

GDPR leaves it to the member states to frame laws regarding information in the course of employment. PDPA has specific reference under Section 16 providing permissions to process data for employment purposes.

14.Data Localization

PDPA has a direct provision that a copy of personal data shall be in India and  sensitive data shall not be transferred out but provides several exemptions. GDPR addresses the same issue indirectly by allowing data transfer only to such countries where EU considers considers that there are adequate laws, and also provides other exemptions. In effect there does not seem to be much difference.

Thus there are many differences between the PDPA and GDPR and as we go forward, even more differences can be spotted.

It is therefore unfair to call PDPA as a Copy Cat of GDPR. In fact leading with the Data Fiduciary, Criminal penalties, Adjudication etc., there are several unique differences that make PDPA far more practical than GDPR.

More on this should come up for discussion in the March 15 seminar in Mumbai.

Naavi