Certified Data Protection Professionals from FDPPI receive their Certificates

 

The first Certificates of the CDPP course conducted in December 2019-February 2010 were given to Mr Durai Kannaiyan and Mr Nikhil Ranjan Nayak in a function in Chennai on 14th March 2020, by the honurable guests Justice K.N. Basha (Former Judge of Madras High Court) and M.P. Mr P.Wilson. (Current Member of Rajyasabha).

They were two of the nine persons who successfully completed the certification program. Two others are from Mumbai and Five others are from Bangalore.

The successful candidates were:

M/S Durai Kanniyan, Nikhil Ranjan Nayak from Chennai, Mr Anil Chiplunkar and Bondiah Adepu from Mumbai , Mr Suresh Balepur, Rajesh Kumar, Vasanthika Srinath, Suma Nagraja and V.K.Jyothi from Bangalore.

Cyber Law College which was the training partner for the program and FDPPI convey its hearty congratulations to all these professionals who got certified through the rigorous certification program conducted over a three moth period under the supervision of Sri Na.Vijayashankar, (Naavi) Chairman of FDPPI and the Director of Cyber Law College,

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

CEAC adopts a new system of Section 65B Certification

It may be recalled that on 17th January 2017, the High Court of Madhya Pradesh came up with a concept of “Contemporaneous Certificate” for production of  Section 65B Certified electronic documents to the Court, in the case of Sharadendu Tiwari Vs Ajay Arjun Singh (17th January 2017) . Accordingly when an electronic document is converted from one form to another and stored, a Section 65B certificate will be required to authenticate each stage of such conversion. As long as the chain of these contemporaneous certificates is maintained properly, the last document is as good as the original for the purpose of admissibility.

Using this principle, CEAC (Cyber Evidence Archival Center), which is a pioneer in the production of Section 65B certified electronic documents, has decided to introduce the following system for distribution of the certificates.

Accordingly, when CEAC observes any electronic document and creates a computer output as per Section 65B of Indian Evidence Act for admissibility, the same would be stored in the CEAC Dropbox under a secure access of the person who requests for the certificate. The certificate can then be viewed and downloaded by the authorized person. The uploaded document will carry the Section 65B certificate from CEAC. The authorized person would create his own Section 65B certificate and produce it in a Court when required.

This system has been introduced since in some cases , the signatory of a Section 65B certificate may be summoned by a Court just to confirm if the certificate has in deed been issued by him. The certifier having already added the details of how the observation was made in the certificate itself, has nothing more to add to the document as a witness. But this would involve additional cost to be incurred by the person who presents the document in the Court.

In the new system, the need to summon the CEAC official to the Court would not arise except under very special circumstance.

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

GDPR Compliance Checklist for Indian Companies

[P.S: This is a guest post from Ms Badal Patel, Gurugram.]

Privacy rights have come to the forefront in recent years due to the exponential role played by the internet and social media in our everyday life. The question of how the privacy of a person is affected by the internet cannot be answered in a few words. Data is collected from even the most basic search a person makes. But these violations have huge implications on the privacy of a person and hence the personal data has to be protected.

The General Data Protection Regulation was one such regulation introduced by the EU to protect the data of its member states and its citizens. This Regulation is not region-specific and has an extraterritorial application (Article 3 of the GDPR). Any third parties who intend to get into agreement with the EU members have to strictly comply with these regulations, the non-adherence of which would result in penalties.

Moreover, under Article 44 of the Regulations, it is stated that the flow of personal information from the EU to a non-EU country can only take place if that country is in compliance with the GDPR standards. Under Article 45, the regulations have laid down certain levels of standards that the non-EU country shall meet for the flow of information to take place without any additional authorization. The circumstances looked into is whether that country has provided a safe environment for personal data and information protection. The data privacy rules are reviewed and their effectiveness calculated. The international conventions or treaties that the non-EU nations have has entered into shall also be looked into.

In India, with the recent decision given in Justice Puttuswamy v. Union of India, the Supreme Court, for the very first time, explicitly recognized the right to privacy of a person. With this landmark decision, the prevailing conditions of privacy and data protection came under scrutiny. The introduction of the Data Protection Bill of 2019 is a huge step in this direction and was a direct result of the historic judgment. This bill was put forward by Justice B.N. Srikrishna Committee which was appointed to analyze the current laws regarding data protection and also to suggest more contemporary regulations to be put in place. This Bill specifically focuses on the data protection regulations for protecting the personal data of Indian citizens. The EU has given GDPR adequacy approval to only thirteen countries. India has not received this approval but the new Bill has the potential to pave the way for the grant of the EU approval. Receiving this approval would both boost the IT sector in the country and will also make the compliance requirements to the GDPR much simpler for Indian Companies.

The Indian companies are required to comply with the GDPR for conducting transactions with the EU. Before understanding the compliance requirements, it is necessary to look into two terms used under the GDPR for the better understanding of the requirements; controller and processor.

Article 4 of the GDPR defines both these terms as given below:

“ (7) controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

(8)‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;”

Both these terms are extensively used throughout the Regulations. The controller acts as the principal and the processor acts as the agent of the controller and acts on his request. It is important to understand what they are as the responsibility thrust on them is quite different from each other.

The requirements that Indian Companies need to comply with can be put into a checklist.

1. Records of Processing Personal Data Activities

Article 30 of the Regulations elaborates on the details to be recorded when it comes to the processing of the personal data. Paragraphs 1 and 2 of the Article enumerates the information to be recorded by the controller and the processor respectively. Both these lists are very specific and impose specific recording obligations on both the controller and the processor. As per paragraph 3, these records shall be in writing. They are also under the obligation to make the record available to their supervisory authority on request.
The information that is to be recorded under paragraphs 1 and 2 specifically points to disclosures are to be made when the personal data is transferred to third countries or international organisations, and the identification of such third countries and international organisations should be made along with the safeguards taken to ensure the safety of personal data in such cases.

The definition of ‘personal data’ is wide but must be ascertained in order to inform individuals about what type of personal data is being collected. ‘Personal data’ means any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

2. Determine if the company is a data processor or a Data controller

The determination of whether a company is a data processor or a data controller is very important both for absolving the liability of the company and for imposing liability on the company. The definitions of both these terms have been mentioned earlier in this article. The definition is not an elaborate one. It only differentiates the controller and the processor based on whether they are in charge of the data and on who has the responsibility to process it. But the Regulation is very elaborate and it places specific responsibilities and liabilities on both the controller and the processor. Hence, it is important to understand whether you are a controller company or processor company to understand the responsibilities that fall on you and to fulfil them to ensure that there is no liability on your part.

Article 24 of the Regulations speaks about the “Responsibility of the Controller”. Paragraph 1 of the article lays an obligation on the controller company to implement appropriate technical and organisational measures to ensure compliance with the Regulations. Article 28 elaborates on the processor and his obligations both towards the controller and the data subject.

In order to understand which category you fall under, in simple terms, the power you have over the data is to be looked at. To be more accurate, the controller will have the following powers:

● To determine what is to be collected from the data subject.
● How to store the data collected.
● To what end the collected data is used and what portion of the data is to be used.
● To set guidelines for the data processor to follow while processing the data.

The data processor will have only the power to process the data as per the contract between them and the data controller. They will not have any power to augment the data in any way and the actions they take have to be in compliance with the Regulations.

3. Updating the privacy policy with privacy notices and consent

The Indian companies have to update their internal procedures to be GDPR compliant. One of the procedures that they have to adhere to is issuing notices and taking consent from the data subjects. These provisions are given under Article 12-14 and 19.
Article 12 lays the model in which data is to be collected and the relevant disclosures that are necessary when data is collected from different categories of data subjects by the Controller. This provision also enables the Controller to request for additional information when there is a necessity to confirm the identity of the data subject. Article 13 lays down the information disclosure requirements when the personal data is collected from the data subject. Under this Article, paragraph 1, there is a specific list of information that the controller has to disclose. Paragraph 2 provides additional disclosure requirements that the controller has to provide to ensure fair and transparent processing. Under Paragraph 3, it also says that if the controller intends to further process the data for something other than the purpose it was collected for, he has to give notice to the data subject prior to such processing. Under Article 14 lays down the information to be provided when the personal data is collected but not from the data subject.

Under Article 19, the controller has the obligation to communicate any rectification or erasure of personal data to each recipient the data has been disclosed to and to inform the data subject about the recipients of the data.

4. Rights of Data subjects

Under the GDPR, an entire chapter (Chapter 3) is dedicated to set forth the rights of the data subjects. There are 11 Articles (Articles 12-23) under this chapter. For an Indian Company to be compliant with the GDPR, they have to ensure that these rights are safeguarded. Article 12,13,14 and 19 have been elaborated under the previous sub-topic. Article 15 provides for the right to access any information as to the data obtained by the controller from the data subject. Under this Article, the data subject also has the right to be notified if his personal data is being transferred to a third country or international organisation. Article 16 guarantees a right to rectify personal data to the data subject. Under Article 17, the data subject will have the right to request the controller for erasing any personal data pertaining to them and the controller is liable to oblige without undue delay. As per Article 18, the data subject has the right to place restrictions on the processing of data by the controller. Article 20 enumerates the rights the data subject has in relation to portability of the data provided by him to the controller and how he can obtain it from the controller and transfer it to another person. Another right that is available to the data subject is the right to object to the processing of his personal data under Article 21. Under Article 22, the data subject has the right to not be subject to profiling resulting from the processing of his data. But under Paragraph 2, certain exceptions to this right are provided. If the Indian company is successful in incorporating all these rights into their framework, they will be GDPR compliant.

5. Update the security incident management processes

Ensuring the security of the personal data of natural persons belonging to the EU are at the core of the GDPR guidelines. Article 33 lays down that in case of a personal data breach the controller shall without delay (not more than 72 hours) notify the personal data breach to the supervisory authority. The controller has an obligation to document the data breaches, its effects and the remedial action taken. Under Article 34, when there is personal data breach, the controller has the responsibility to communicate this breach to the data subjects without undue delay. There are also certain exceptions provided under Paragraph 3 of the Article.

6. Working of the Data Protection Impact Assessment (DPIA)

A data protection impact assessment is done by the controller to assess the impact of the processing of data especially if a new processing technique is used and the risk to the rights and freedoms of the natural persons is higher. Article 35 of the Regulations the provisions regarding data protection impact assessment. Paragraph 3 of the Article lists out the cases where such an assessment will be mandatorily be required. Paragraph 7 points out what all the assessment should contain. Article 36 lays down an obligation on the controller to consult the supervisory authority prior to the processing in case there is a higher risk present. Under paragraph 3 of the Article, the supervisor is liable to provide certain information to the supervisory authority regarding the same.

7. Appointment of a Data Protection Officer

Articles 37,38 and 39 are the provisions which are dealing with the appointment of the data protection officer. Under Article 37, a data protection officer needs to be appointed by the controller and the processor when the circumstances are those which are given under paragraph 1 of the Article. As per Article 38, the Controller and the processor shall facilitate the functioning of the tasks of the Data Protection Officer given under Article 39. The tasks that the Data Protection Officer is responsible for is listed out in paragraph 1 of the Article. So, an Indian company, be it a controller or a processor, will have to appoint a Data Protection Officer if they fall under the criteria given under Article 37.

8. Displaying legitimate interest as to why the Personal Data is being collected and how the company intends on using it.

Under Article 6 (1), there is a list of criteria given to determine the lawfulness of the processing of the data. At least one of the given criteria has to be fulfilled for the processing to be lawful. One of the criteria that is given is legitimate interests pursued by the controller. But sadly, what constitutes legitimate interest is not defined in the regulations. Recital 47 under the GDPR explains that legitimate interest could exist:

● Where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.
● The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned.
● The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

So showing legitimate interest is essential in the collection of data from the data subject.
The GDPR is extremely relevant in today’s world where the personal data of the persons are collected for various purposes. The implementation of GDPR ensures that there is transparency and the personal data is safeguarded. Hence the Regulations mandates that disclosures are made to the data subject as to the purpose of collecting the data.

9. Transferring personal data outside the European Economic Area (‘EEA’)

If personal data transfers take place outside the EEA the data controller must inform individuals in the privacy policy and specify mechanisms which will be used to protect the same (for instance the third party may have Privacy Shield certification).

10. Policy language

Privacy policies should be clear and easy to understand by individuals who have no knowledge of privacy law. There should be a translation of the policy to the relevant local language made available if the website targets users of different countries.

Conclusion

The compliance requirements will be significantly simpler and easier if the Data Protection Bill (2019) is passed and the provisions in the Bill are accepted as adequate by the EU for the protection of personal data. In the eventuality of this acceptance, India stands to gain a lot of benefits. It will have a positive impact on the IT sector and it will also ensure that the personal data of her citizens are protected.

Badal Patel
MyAdvo.in

P.S: This is a guest post. Views expressed here in are the views of the author.

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Bitcoin Community gives a Terrorist like warning to RBI.. We will destroy You…

In a surprisingly abrasive article, the bitcoin community has given a warning to RBI, which looks more like an ISIS warning.

An article that has appeared in nasdaq.com titled “Institutional Crypto Opponents to Fight Supreme Court Decision in India”  .The article is credited to one Landon Manning.

This article refers to the possibility that RBI is likely to apply for a review and puts out a dire earning more like an ISIS dictat stating

“In other words, the message to the RBI is quite clear: This industry is going to open up all over India, it may very well directly and specifically disrupt your way of running business and that is not going to change any time soon.”

The audacity with which the author has published this threat is worth noting.

It is time that we the Indians who consider Bitcoin and other private Crypto Currencies as “Digital Black Money”, “Currency of the Criminals”, “Currency of the Terrorists”, will oppose legalization of Bitcoin in India. Even any facilitation of money laundering through Crypto currencies that this decision of the Supreme Court could have enabled will be fought against.

Let the review be undertaken by a larger bench and let’s debate how this decision of the Supreme Court is a facilitation of money laundering.

In the meantime, Naavi.org will continue to urge the Central Government to issue an ordinance to Ban Crypto Currencies. Let this also be heard by the Supreme Court and we will know if the Judiciary is on the side of honest citizens of India or the black money vendors of India.

Naavi

[Views expressed here are the personal views of Naavi]

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Workshop on PDPA at Chennai

FDPPI and Cysi successfully conducted a workshop in Chennai to discuss the forthcoming Personal Data Protection Bill 2019. 

Honourable Justice K.N. Basha, retired judge of the Madras High Court and sitting MP, honourable P.Wilson graced the occasion.

Naavi made a presentation on the salient features of the Bill, and the need for the Bill to be passed into an Act. He also discussed on some of the controversies surrounding the Bill.

A detailed question and answer session followed in which the participants sought and obtained various clarifications.

Mr Wilson who is also an advocate himself spoke and highlighted  the need to create awareness among the stake holders even before the Bill is passed so that any modifications can be accommodated.

Justice K.N. Basha congratulated CySi and FDPPI for taking up the initiative and suggested that the points arising out of the discussion may be shared with the Government.

During the occasion, the Certificates of Mr Durai Kannaiyan and Nikhil Ranjan Nayak, members of FDPPI who were recently conferred the recognition as “Certified Data Protection Professionals” by FDPPI after a course and evaluation examination were handed over by Justice K.N. Basha and Mr P. Wilson.

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Stock Market Fall in India is influenced by the Bitcoin decision of the Supreme Court

The Indian Stock markets have had a free fall in the last few weeks from around an index level of 12000 to 9000. While most people consider this as a reaction to the impact of business slowing down due to the Corona virus, it cannot be denied that there could be another reason why the fall in India is accelerated and appears disproportional to the economic impact of the Corona.

One of the reasons could be the Supreme Court decision which quashed the RBI circular that Banks should not engage themselves with the Bitcoin exchanges. This decision has been interpreted by the markets as en endorsement of the Bitcoin by the Supreme Court. 

Though the Supreme Court has been clever in its judgement and has only struck down the RBI circular and not its power to regulate in the matter, it has had a chilling effect on RBI officials and encouraged those officials in SEBI and the Ministry of Finance to silently support transactions in Bitcoins.

It is possible that a large amount of investments are being moved from the Indian stock markets to Bitcons and other Crypto currencies.

This doubt is strengthened by the fact that the Ministry of Finance and SEBI has been very lethargic in controlling the bearish trend in the market and have failed in intervene in time by suspending the market operations by a few days. This should have been the normal response of a prudent regulator. But we know that SEBI has been earlier supportive of the Bitcoin exchange and MCX even submitted a recommendations to the Government to regularize Bitcoins. It cannot therefore be ruled out that the inaction of SEBI and the Ministry of Finance could be deliberate.

Mrs Nirmala Seeetharaman needs to understand that the Supreme Court judgement was an encouragement for money laundering and if this is not checked immediately there will be further drain of funds from not only the stock markets but also the Banking system.

Now the action is required from three ends.

  1. RBI should file a review petition on the Supreme Court order and seek an immediate stay on its operation.
  2. Ministry of Finance should immediately release an ordinance to pass the “Banning of Crypto Currencies” legislation.
  3. The CJI of India should recognize the link between black money, money laundering and the Crypto Currency exchanges  and suo moto order a review of the Supreme Court’s judgement to a larger bench

I suppose the saner non corrupt elements in the Government should recognize the link between Bitcoins and money laundering and urge the Ministry of Finance to act immediately.

Further, now that the Stock markets are disproportionately low, the Government agencies should start buying out some valued companies in the private sector both for better control of the Government in the private sector companies as well as short term commercial benefit which should be better than the bond yields.

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment