IS 17428 and PDPSI

Recently, the Bureau of Indian Standards introduced a new standard called IS 17428 as the standard for providing privacy assurance for individuals and for organizations to set up a “DPMS” or data protection Management System.

Obviously there is a need to compare IS 17428 with PDPSI which is already being used to evaluate the Personal Data Protection Compliance System (PDP-CMS) in organizations that process Personal Data.

IS 17428 comes with a good pedigree since it is backed by the BIS . But compared to PDPSI, it is observed that the standard does not make an attempt to cover the requirements of the PDPB 2019 which is the forthcoming law of data protection in India. It also does not confine to the requirements under Section 43A of ITA 2000 which is the current law of data protection in India. The standard tries to look at GDPR and replicate ISO 27701.

Like ISO 27701, IS 17428 cannot be implemented without ISO 27001 and is not certifiable. On the other hand, PDPSI is inclusive of technical security measures and is certifiable with DTS calculation.

The IS 17428 standard has two parts, the first part being termed as “Requirements” and the second part as “Guidelines”. The Guidelines are said to be “Optional”.

Part 1 has the following six sections

1.Scope

2.References

3.Definitions

4.Privacy Engineering

5.Privacy Management

6.Compliance.

Part 2 contains the first 5 sections and not the 6th section.

The standard tries to distinguish the terms “Privacy Engineering” and “Privacy Management”. Rather than providing clarity on two roles in Privacy Protection one for the technical team and the second for the organizational team, this adds more confusion to the compliance process.  If Privacy Engineering refers to the technical side of processing and Privacy Management refers to the policy level of processing, it is unclear whether a Data Protection Officer is a Privacy Engineer or a Privacy Manager.

In PDPSI, it is not only the DPO who will be responsible for compliance but under the “Distributed Responsibility” concept, every employee is a DPO for his area of function. This concept raises the level of “Accountability” of the organization as an aggregation of the accountability of every employee.

PDPSI addresses “Privacy Engineering” by the Implementation specification on “Privacy By Design” but leaves the direction to the DPO along with the distributed responsibility of the engineering team.

Unlike ISO 27701 which integrates ISO 27001/2 into the standard itself IS 17428 only provides DPMS related requirements relegating the ISO 27001 reference to the optional guideline under Part 2.

As a result there is lack of adequate clarity in the document.

On the other hand, PDPSI comes with 12 standards and 50 implementation specifications. The Standards are a overview while Implementation specifications go a step further into the details.

The 50 implementation specifications of PDPSI cover not only the PIMS related aspects in ISO 27701 or the DPMS requirements under IS 17428, they also cover the requirements of the ISO 27001/2, though the requirements are clubbed under less than 50 items.

It is for this reason PDPSI is considered as “Essence of the Essentials but different by far”.

( Continued…)

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

i-Phone 13 may have to be banned in India

Apple is posing a great challenge to law enforcement across the world with its proposal to introduce its new version of phone (I phone 13) with a chip that can connect to the Low Earth Orbit (LOE) Satellite. The phone comes with a customized Qualcomm X60 baseband chip  which may be able to connect to the Global star’s satellite communication.  This facility will enable the phone to have connectivity from remote locations where there are no network connectivity. It is said that adventurists such as hikers, mountaineers etc may find this very useful if they are lost in the wilderness.

While for technological considerations, this appears exciting,  the introduction of this type of universal connectivity will pose a huge threat to the society. It will be immediately used by all Naxalites, Terrorists and Criminals. At present the tracking of mobile phones with reference to the mobile location is one of the biggest advantages that the law enforcement is using to crack many crimes. Crimes like rapes, murders etc are often tranced with the help of the mobile phone tracking.

Once iphone 13 is introduced,  whether normal users use the facility or not, all criminals will definitely use the facility. It is said that the price of the phone may not be much different from other models and there could be increased subscription costs. But “Affordability” is never a challenge for criminals and hence Apple will be the biggest abettor for all types of crimes.

The Home Ministry should immediately ensure that the current system of  licensing of satellite phones is further tightened and iPhone 13 is banned. Current generation of satellite phones are at least identifiable as different by the very looks. But iPhone 13 may look similar to other phones and hence any criminal in our midst may be using the phone for nefarious purposes sitting next to us without we being able to locate such phones easily.

I wish the Government of India takes immediate steps to ban the use of iPhone 13 in India with immediate effect.

Naavi

Refer: :Computerworld.com

Also refer: Forbes.com

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Unification of Data Protection Law

According to UNCTAD, 128 of the 194 UN affiliated countries have put in place legislation to secure the protection of data and privacy. 158 countries have in place the E commerce laws and 154 countries have Cyber Crime laws.

While the need for a law in each jurisdiction is essential because the countries are sovereign countries, the existence of multiple laws makes it extremely difficult for the global citizens to follow and comply. This problem is accentuated because the technology has been developing in the direction of breaking down the barriers of communication and data moving freely across the political boundaries.

This issue is more pronounced in the data protection laws since data processing is an important business activity and cross border business engagements are common.

While the commercial aspects of data and its utility has created an interest in Governments opting for “Data Localization”, most laws try to retain extra territorial jurisdictions to impose penalties and bring in impossible conditions into business contracts in the form of “Standard Contractual Clauses” and “Abdication of the local security considerations”.

In this scenario, a data processing company which operates a website and cloud services to collect, process and disclose personal data through the internet faces the challenge of being exposed to multiple data protection laws.

While most laws look similar, the very fact that  democratic countries which genuinely respect the right of privacy and implements laws to protect the right of privacy, dictatorial regimes like China, fake democracies like Pakistan,  religiously fanatic countries in the Muslim world all seem to have laws called “Data Protection Laws”, makes it obvious that that the laws can share the same name but inherently are different.

At the time of compliance this creates a problem since the entire personal data accessed by the organization needs to be properly segregated before the compliance can be achieved.

While in terms of a framework for compliance, the PDPSI or the Personal Data Protection Standard of India promoted by FDPPI (Foundation of Data Protection Professionals in India)  has developed a Unified Framework of compliance by incorporating an appropriate data classification system, the complexities of creating a “Foundation Compliance Framework” and customize it for “Law Specific Modifications” remain because every law looks similar but has some subtle differences.

It is therefore necessary that an attempt should be made by the UN to develop a “Model Law on Data Protection” and persuade its members to bring uniformity to the laws. However UN in recent days has become completely in effective because of the archaic “Veto” system and unless this system is disbanded, UN remains a useless organization.

The EU for its own reasons has tried to unify the laws within 27 countries of the Union but still retains differences in terms of State Laws. US calls itself a federation of 50 states but is allowing each state to pass its own data protection laws rather than forcing adoption of a single data protection law for the entire country.  Many other countries including Canada, UK and Australia may have issues with provincial Governments and independent administrative territories splintering the laws.

It should be appreciated that India even when it adopted the Information Technology Act adopted it as a federal law and with the integration of J&K into the country with the abolition of Article 370, the upcoming data protection law is also being framed as a “National Law”.

In the Past there has been an attempt by some States to intrude into the Central legislative powers under Information Technology Act 2000 through amendments in Police Act or State Stamp Act or other laws. Given even a slight opportunity there are rogue states  who may take  an aggressive stand to promote local laws different from national laws by citing the “Powers of the State to control law and order” to infringe on the Data Protection Laws.

To prevent such a possibility, we need to ensure that PDPB 2019 is made water tight as a single data protection law for the entire country including the Union Territories and no opportunity is given to the States to make any amendments.

It should declare that

“No State Government shall have the power to make laws which may contravene the provisions of the PDPB/A” and any amendment required to be be made for regional considerations shall be made only through the PDPB/A and not through any state law.

Based on how this “Unified Data Protection Law for the entire country” is defined, we may also amend the information technology act to define “Cyber Crime” and create a federal agency for investigation and prosecution of cyber crimes.

Comments are welcome.

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Data Protection Law in China

China has announced a law called “Personal Information Protection Law” (PIPL) on 20th August 2021, coming into effect on 1st November 2021.

The PIPL is having 74 articles divided into 8 chapters as follows:

  • General Provisions;
  • Personal Information Processing Rules;
  • Rules for Cross-Border Provision of Personal Information;
  • Individuals’ Rights in Personal Information Processing Activities;
  • Obligations of Personal Information Processors;
  • Departments Performing Personal Information Protection Functions;
  • Legal Liabilities; and
  • Miscellaneous Provisions.

Considering the general Governance system in China which is a dictatorial regime, the stakeholders would be concerned about the penalty provisions and the extra territorial implications.

Knowing the political nature of Chinese Governance and its reputation as the biggest global surveillance state, China talking of “Privacy” is like the Satan quoting the Bible.

However, the global privacy community is going through the motions of hailing the “Strict Data protection Laws in China”.

There is a possibility that China may continue its “Surveillance Culture” and cyber warfare and use the law to protect its own companies engaged in secret activities to ensure that international demand on any information related to issues such as the Covid Virus related research etc cannot be demanded by US or the UNO.

There are many Indian companies who have foolishly placed their assets in China and will have to live with working with the dictatorial regime and its inconsistent policy formulations. Just as the Indians in Afghanistan who are today struggling to be physically evacuated, many of the top industrialists of India who have built up assets in China will some day be running for evacuation of their data out of China.

Naavi.org has to keep on record its total distrust on China and the expectation that PIPL being used as an instrument of protecting Chinese dictatorial interests more than protecting the “Right of Privacy” of the citizens of China.

However, from the professional view point, we can continue to study the text of the PIPL assuming that the Government of China will be honest and reliable.

If we look at the extra territorial impact of the PIPL, the law is applicable when a company outside China conducts processing activities of information of natural persons who are within China

  • for the purpose of providing products or services to natural persons in China;
  • to analyze/evaluate the behavior of natural persons in China; or
  • other circumstances prescribed by laws and administrative regulations.

Naturally, Companies having processing activities within China of personal information of natural persons would be liable.

Hence all Indian companies who are having establishments within China will have to put up with the strict Chinese regulations if they have any physical presence in China.

Like in GDPR, the PIPL will require a representative to be appointed in China if a foreign company is engaged in the collection of personal information from China.

The legal basis for processing is covered by the following:

  • consent by data subjects;
  • necessity for concluding or performing contracts to which the data subject is a party, or necessity for implementation of human resources management in accordance with legally-adopted labor rules and systems and legally-concluded collective contracts;
  • necessity for performing legal duties or legal obligations;
  • to respond to public health emergencies, or necessity for protection of natural persons’ life, health, and property safety under emergency circumstances;
  • processing, within the reasonable scope, of personal information for conducting news reports, public opinion supervision, and other acts for the public interest;
  • processing, within the reasonable scope and in accordance with the PIPL, of personal information that has been made public by data subjects or through other lawful means; and
  • other circumstances as stipulated by laws and administrative regulations.

Since one of the permitted legal basis is  “Performance of legal duties and legal obligations” ,  India should consider introducing  a clause in our law (May be in out Cyber Security law such as ITA 2000) to the effect that

“All organizations established in India including organizations which have managerial and financial control of organizations constituted under laws of other countries shall be liable to provide access to data related to their activities outside India for purposes such as National Security,..etc”.

Data Localization

All personal information collected and generated in China by Critical information infrastructure operators (“CIIOs”) and organizations processing personal information reaching a certain amount designated by the authority are required to store such information in China.

As regards the cross border transfer, PIPL states that apart from the consent Cross-border transfers of personal information can only be made for legitimate purposes such as business needs, and the transferor is obligated to take the necessary measures to ensure that the processing activities of the overseas recipient satisfies the protection standards set forth in the PIPL.

The law does include “Rights” of data subjects just like GDPR though the credibility of such provisions may be questioned.

The rights include

  • Right to know and to decide relating to their personal information;
  • Right to restrict or prohibit the processing of their personal information;
  • Right to consult and copy their personal information from the processors;
  • Right to portability of their personal information;
  • Right to correct and delete their personal information; and
  • Rright to request the processors to explain the processing rules.

It is interesting to note that there is a provision that the close relatives of a natural person can exercise these rights for their own legitimate and justifiable interests after the natural person is deceased, unless the deceased has made other arrangements when she or he were alive.

It is understood that the processor’s obligations include  appropriate internal management systems and security measures for compliance but appointment of DPO may not be mandatory except for organizations involved in large scale processing.

Penalties

Violations of the PIPL may lead to an administrative fine of up to RMB 50 million or 5% of the processor’s turnover in the last year (it is unclear if this is local or global).

Other penalties include order for rectification, warning, confiscation of illegal gains, suspension or cessation of service, cessation of operation for rectification, and revocation of operating permits or business licenses. The person-in-charge or other directly liable individuals may also be individually liable and fined or prohibited from acting as directors, supervisors, senior managers or personal information protection officers.

If the processing activity violates the rights or interests of a large number of individuals, a public interest action may be initiated by the People’s Procuratorate (i.e., the authority responsible for criminal prosecution), consumer protection organizations or other organization designated by the cyberspace administration.

(P.S: We await the English version of the draft for detailed study.)

Naavi

Reference:

twobirds.com

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

Moot Court Competition at GH Raisoni College, Nagpur

The GH Raisoni Law College is organizing its 16th KSHAN Moot Court which will be held on the 4th and 5th of September, 2021 on a virtual platform.

As a part of the FDPPI’s activities under the P& Y Program to involve the youth of the country into the activities of FDPPI, FDPPI is collaborating with the GH Raisoni Law College, Nagpur in the conduct of the above Moot Court Competition. This is the 16th National Appellate Moot Court Competition -2021 is being organized by students of G.H. Raisoni Law College, Nagpur and G.H. Raisoni University’s School of Law. All India Reporter (AIR), and FDPPI- are collaborating in the conduct of this program.

Dr Mahendra Limaye, one of our esteemed members has been the brain behind the P& Y Program and the organization of this event.

As a part of the collaboration, FDPPI would be extending valuable educational opportunities to the Winners and the First and Second Runner’s up as rewards.

We look forward to involvement in more of such programs in association with law colleges.

About KSHAN

KSHAN is a National Level, inter-college moot court competition organized by the student bodies of the Law Schools under the Raisoni Group of Institutions. They conduct a nationally known Trial and Appellate Moot Court on Criminal Law. This year’s edition of KSHAN is the only Appellate Moot Court that has a special focus on Criminal Writ Petition and Data Privacy.

About AIR

AIR (All India Reporter) is a publication house known for its presence in all three media information transmission forms: Print, CD-ROM and Web base. It has a journal that reports on all benchmark judgements given by various courts around India. It was established in 1914 and has its head office in Nagpur.

The problem statement of the competition is available here. 

FDPPI has announced the following rewards. 

1. Winner: Free Certification Course-Admission, Video lessons and Examination for Module I and Module G and Basic Membership of FDPPI : Valued at Rs 25,000/-

2. First Runner up: Free Certification Course-Admission, Video lessons and Examination for Module I and Basic Membership of FDPPI: Valued at Rs 14,000

3.Second Runner up: Free Certification Course-Admission, Video lessons and Examination for Module I: Valued at Rs 10,000/-

Naavi

Print Friendly, PDF & Email
Posted in Cyber Law | Leave a comment

IDPS 2021 to be held on November 19th, 20th and 21st

FDPPI pioneered the Indian Data Protection Summit in 2020 and conducted a three day virtual summit on November 19th, 20th and 21st.

This year again on November 19th, 20th and 21st, FDPPI will have a virtual summit Indian Data Protection Summit 2021 or IDPS 2021.

FDPPI will invite speakers and sponsors for the program.

A Program committee would be preparing the schedule for the event and will be shared here.

Any suggestions in this regard may be sent to FDPPI/Naavi.

Print Friendly, PDF & Email
Posted in Cyber Law | 1 Comment