Naavi.org

Media is considered the fourth pillar of democracy and “Free Press” is considered the hallmark of a mature democratic society. The same society also holds “Privacy Right” in high esteem. But often the “Privacy Right” of individuals clash with the “Freedom of the Press” to disseminate information.

Just as the Privacy Vs Security debate is important, Privacy Vs Free Press debate is also important for the greater good of the community.

Today, Media is also an “Industry” as much as the “Health Care” or “BFSI” or “Outsourcing”. Worldwide there has been an attempt to develop sector specific laws to address Privacy Issues which cannot be effectively handled through the approach of an omnibus Privacy Protection law  which some countries try to practice.

In this connection, a debate is due on whether there should be an attempt at a specific Privacy Law addressing the needs of the Media Industry.

In his competitive world of “One-Upmanship Journalism” and the “24 hour TV news Channels”, media chases revenue through higher Readership or Viewership ratings ignoring the “Ethics” which was once a hallmark of good journalism.

In this context of competitive reporting, “Breaking News” and “Investigative Journalism” have become important business strategies for the media. This often leads to a “Media Trial” and “Misreporting” where the “Privacy Rights” of individuals goes for a toss.

We can look at some examples to appreciate how Media in its bid to outdo others often hurt the privacy rights of others.

Presently the Complaint of Mr Ratan Tata lies in the Indian Supreme Court concerning his Privacy rights in the Nira Radia Tape issue.  The recorded telephonic conversations which were captured by the Income Tax department for their investigation of possible tax evasion by a PR Professional, Ms Nira Radia and her firm were leaked into public place because the Tax department failed to manage “Inforamtion Security” at their end. The eager media trying to expose political machinations of Nir a Radia,  also brought to open her telephonic conversations of Mr Ratan Tata which according to his complaint had no public interest component.

In the Sheena Bora murder case, TV channels conducted their own investigations and dragged a forgotten ex-husband of Indrani Mukherjee into TV studios unmindful of the damage to his own family with wife and children.

In both these cases, Media had no respect for the Privacy rights of the individuals.  There are many instances of irresponsible political criticism politicians freely infringe on the privacy of individuals and when challenged, simply escape defamation charge with an apology.

Media keeps publishing such stories without any respect for the privacy of the politicians under the ground that a “Public Servant has no right to Privacy”.

At the same time, we also observe that there are instances where Media tries to show a  holier than thou attitude and goes out of the way to protect the privacy of information which perhaps requires to be disclosed in public interest.

A few months back, two Companies in Mumbai were reported to have paid a ransom of $ 5 million each to hackers who threatened to disclose some corporate data to which they had hacked in. The Companies paid the ransom but succeeded in ensuring that no publication revealed the names of the companies who had suffered the data breach.

The fact that the companies considered that they could pay a ransom of $5 million to keep the data under wraps indicated that probably the revelation might have uncovered an illegal activity  which could have caused a huge embarassment to the company.

But media wanted to protect the “Confidentiality” of the identity of the companies to protect their reputation. Though “Protection of Confidentiality of a Company’s identity” is not the same as “Protecting the identity of an individual” in the context of Privacy Rights, media mis-understood the need to protect a corporate interest where there was a public interest for disclosure as a “Privacy Issue” where there was a duty to disclose.

In a similar manner, the health status of important leaders like Ms Sonia Gandhi and J. Jayalalitha have been kept under wraps though there is a public interest involved in such information.

There are also many instances of information involving Judicial Authorities where there is a public interest involved but the information does not become news since there is the fear of “Contempt of Court” proceedings.

This inconsistent approach to   “Protection of Privacy” and “Confidentiality of Information” by media indicates that perhaps there is a need to think of a sectoral Privacy law exclusively directed to provide a guideline to the Media on how to handle Private information.

I am aware that any such hint would immediately be jumped upon by media as “Regressive”, “Draconian” etc.

But the same media would not hesitate to bring new legislation on Social Media including “WhatsApp” or “Facebook” or “Twitter”.

Presently, even the Delhi High Court in its judgement on the WhatsApp Privacy Policy has commented that the services such as WhatsApp may be regulated by the Government.

Why should “Social Media” be subjected to a different “Privacy Law” than the “Conventional Media”? is a point we need to discuss.

If regulation of Privacy in Social Media is acceptable, we should also be able to consider a Privacy regulation for the conventional media to  ensure the protection of Privacy in media coverage.

Perhaps this “Privacy Law for the Media Industry” will attempt to strike a balance between the Right to Privacy and Right to Free Expression in such a manner that without hurting the fourth pillar of democracy which is the “Free Press”, we usher in an era of “Decent Journalism”.

In structuring the “Privacy laws for the Media”, we need to incorporate the role of Media and Social Media, when does a “One to one Messaging” becomes “Publishing”, “How the “Advertising Norms” and “Press Council Norms” be integrated”, “How the law of Contempt of Court or Copyright to the extent they affect the media”, may also be addressed. Obviously, there will be some aspects of “Prevention of Press Censorship” or “Dispute Resolution Mechanism” which should also be integrated with such a law.

Comments?

Naavi

In an interesting report highlighting the new dimensions of Cyber threats that may arise from IoT (Internet of Things)  devices, BBC reported (Refer article here) that a webhosting company OVH suffered a DDOS attack from an army of Webcams acting as Zombies remotely controlled by the attacker. This is reported to be perhaps the largest DDOS attack with more than one terrabit of data being fired at the server to bring it down.

The attack was mounted by around 145000 web cams acting as a botnet and indicates how the large number of devices capable of being connected to a server and sending data could be misused by the hackers to redirect the data towards a single server and cause the server to be brought down.

According to security experts such attacks could be easily executed using tools available on the net with minimal amount of skills required.

With more and more devices under IoT getting connected through internet, there is an urgent need to ensure that enough security is built into the device to prevent this sort of hacking. This also means that professionals who install such devices as smart Webcams or other smart devices should have a reasonable knowledge of information security and configure the devices with suitable information security controls.

Some of these controls need to be enabled at the time of manufacturing of the PLCs (Programmable Logic Controllers) that may drive such devices and the quality certifications of such devices should include their security evaluations.

India is dreaming of Smart Cities, smart Trains and various other devices where off the shelf devices are likely to be used with default security configurations which create the security vulnerabilities that can be exploited.

Hopefully the corporate security professionals will wake up to this new type of emerging threat which use “Physical Security Devices” and create “Cyber Security Issues”.

Naavi

It is reported that the Insurance Regulatory and Development Authority of India (IRDA) has mandated that the Indian Insurance companies should store all critical customer data in domestic servers within the next 3 to 6 months. (See article here)

This would mean that many of the Insurance companies which have joint ventures and are storing their data in foreign servers (or on the cloud) will now be required to set up new data centers in India so that Customer data does not move out of India.

It is expected that this move would require substantial investments from these insurance companies such as Tata AIG, Bharti AXA, ICICI Lombard, Birla Sunlife, Bajaj Alliance etc.

The decision follows the issue of the Outsourcing guidelines which inter alia indicate the following norms.

According to the guidelines, only Indian companies can be the outsource agents though there is a provision to approve any other authority that may be approved by IRDA.

The guidelines also suggest that the Insurance company has to ensure that the outsourcing agency has adequate information security measures and also conduct periodical audit of the outsourcing arrangement.

A detailed guideline of the clauses that the outsourcing contract must have has also been indicated in the exposure draft.

Though the guideline only reiterates some of the known principles of Information security for management of outsourcing agencies which are already in place in case of other regulated industries such as the Banks, it brings in a new focus on the Insurance companies and the need for storing the data within India.

Naavi

The multiplicity of frameworks trying to compete with each other on how “Privacy” of an individual has to be protected has created a web of confusion in the Corporate circles since all managements ultimately have limited resources and has to balance their compliance activities in the form of audits, generation of reports etc with their commercial limitations.

If there is an Indian Company having 10% of its business in EU data processing, 10% of business from HIPAA entities and balance in India, and would use cloud services of Amazon, they need to address the questions such as

– Should I opt for compliance of ISO 27001/ 27018, HIPAA-HITECH Act, GDPR or ITA 2008?

-besides other security frameworks such as PCI DSS which may also be applicable to them?

-How practical is it to consider compliance of all regulations concurrently,… which is of course the ideal approach?

I am sure that the Privacy Professionals attached to these companies will be scrambling to develop excel sheets showing the mapping of controls meant for one framework with the other.  They will try to prove that if I am ISO 27001 certified, I am already deemed to have been compliant with ITA 2008 or HIPAA or a EU data protection requirement.

However since most frameworks are also insisting on “Certifications” from an “Accredited” “Certification Agency”, the plight of an organization does not end with “Being Compliant” and would require “Documenting that it is Compliant”.

This is certainly good for agencies that provide “Certifications”, “Conduct Seminars/Training Programs”, “Sell Compliance Manuals” etc, (and also for consultants), one needs to pause and think if we are going overboard with the proliferation of regulations to the extent that one day organizations will revolt ignoring compliance.

It could then be the field day for Dispute Resolution Managers, (which includes the undersigned who proposes to manage an online dispute resolution mechanism under odrglobal.in) and the legal firms who specialize in such matters.

But in the interest of the industry in general we need to see how we mitigate the “Privacy Regulation Proliferation Risk”.

At the end of the day, the end objective of all Privacy Regulations is to ensure that an individual’s identity information is protected from the time it is collected by an organization, through the life cycle of its usage and until it is destroyed.

The key instruments of such protection are “Disclosure”, “Consent”,”Security”,”Destruction” and above all “Ethical Usage”.

The different frameworks may differ in the detailing of how these objectives are met and how the measures of compliance are documented, audited and reported.

If therefore there is a strong common framework that addresses the principles of Privacy protection, it should suffice.

We must recognize that no framework is in a position to completely deny the powers of an authority to demand information for national security reasons.

Hence the principle of “Privacy Right subject to reasonable Regulations” will continue to rule. The problems of the empowered law enforcement authorities themselves not following the laid down principles is a risk that no framework can address effectively.

Currently, the emphasis of privacy regulation appears to be veering towards strict enforcement with hefty fines. The GDRP proposition of 4% on global turnover appears insane.

The fines that are being contemplated and imposed under HIPAA and EU guidelines will all be transferred to the Business Associates in India through the Business Associate Contracts. Validity of such contracts are further fortified by the ITA 2000/8. Therefore these penalties need to be taken note of by the Indian companies who have a stake in the Data Processing Business.

But it is clear that the million and billion dollar penalties which are being brandished about in the US and EU market can only be indemnified by Indian companies on paper and never fulfilled without simply closing down its business. Even if they are to be insured, the insurance will be expensive and the insurers will limit their own liabilities by various means.

If therefore, one takes the penalties seriously, tries to comply and obtain coverage of Cyber Insurance to meet the contingencies, then these regulations are having such devastating effect on the Indian outsourcing industry that the costs are going to increase astronomically. The increasing costs will only make the competitive edge to vanish and harm even the US and EU companies.

It is therefore the responsibility of NASSCOM and other industry organizations to deliberate how this competing and potentially crippling privacy regulations could affect our industry in general and what steps need to be taken to provide a protective umbrella to Indian companies so that they are not dragged to international arbitration for billion dollar penalties at the drop of the hat.

On the other hand the Companies have to also organize their own compliance activities in such a manner that they try to address the compliance efforts proportionate to the risk of penalties. In this context, the managements need to realize that if they are operating in India, then they are exposed to the requirements of the Information Technology Act 2000/8 where the penalties for non compliance are “Unlimited” in civil terms and could also result in the imprisonment of the CEO and top executives for 3 to 7 years or more for non compliance.

Prudent managements realize that a “Law is as effective as its enforcement machinery”. Some times this is interpreted that they can always manage the Indian law enforcement even if they are caught in a non compliant state.  However we need to realize that Indian law has the immediate jurisdiction to enforce where as the international regulations have to hit through arbitration on contractual agreements and further through international treaties. In this aspect we can say that Indian laws are more threatening to Companies in India than the international laws.

Remember that the local police station where an inspector has a jurisdiction to strike is only across the road and some times non compliance of Indian laws may easily make him come hunting. Hence compliance of Indian laws cannot be ignored though for many organizations, it is fashionable to be compliant with international regulations and ignore local laws. This is clear from the fact that there may be more companies in India which are “Patriot Act Compliant” than “ITA 2008 compliant”.

While the industry should continue to deliberate on the methods for “Mitigation of Privacy Regulation Proliferation” there are certain initiatives that are required to be taken by the Government and the organizations such as NASSCOM and STPI if they need to provide a sense of security to businesses in India. I will try to bring it up for discussion some time later.

I hope sufficient attention would be given to this aspect in the coming days by the Government.

Naavi

Naavi.org has been working in the area of Cyber Law Compliance in various forms. While Naavi.org focuses on building awareness of Cyber Law, Cyber Law College focuses more on formal corporate training and educational programs.

ITA2008.in provides the basic information on ITA 2000/8. Cyber Lawguru.com and the android app “Cyberlawguru” provide interaction with the public for clarifying issues related to Cyber Law.

The services such as ceac.in, odrglobal.in, cyber-notice.in are focussing on different aspects of resolving issues arising out of non compliance of Cyber Laws such as ITA 2000/8.

Cyberinsurance.org.in and ujvala.in are other related web initiatives to build awareness about different related issues. Lookalikes.in and domaineering.org are other initiatives on resolving domain name disputes.

Yesterday, there was an important conference in Bangalore organized by Indian Bar Association (INBA) and International Association of Privacy Professionals (IAPP) where the challenges of the emerging global privacy compliance scenario arising out of the new regulations from the EU community were discussed. As a followup of the deliberations, it appears that there is a need for a focussed dissemination of Privacy related information relevant to India on the lines similar to how Naavi.org emerged under the needs to build awareness about ITA 2000.

Naavi has already been working in the area of HIPAA compliance as a compliance consultant along with similar consultancy regarding data protection aspects involved in ITA 2008 compliance. Naavi.org has been an instrument of building awareness of ITA2008 compliance as well as HIPAA compliance.

In the light of the new developments in the EU privacy scenario which will have a ripple effect across the globe, it is felt that India needs to take up fresh initiatives in the area of compliance to the emerging global data protection regulation regime.

While India may or may not pass a separate Privacy Protection law, the need to comply with the regulations as existing as a “Standard” or as a “Best Practice” in the global scenario is critical for the Indian IT/BPO industry.

In order to contribute towards this goal of better Privacy Compliance in India, Naavi.org now has decided to present relevant information related to “Privacy with special reference to India” through its new web site www.privacy.ind.in. (Privacy Knowledge Center)

Presently, privacy.ind.in will host information and articles on the privacy protection regime as collated and presented by Naavi. It may therefore start as a blog with the views of Naavi.

However, as and when other interested professionals contribute their views it is expected that this would become a platform for expression of all information related to Privacy Protection in India and assume the nature of a portal.

I invite Privacy professionals in India to contribute to this initiative and make it a success in the general interest of the Indian IT/BPO industry.

Naavi

From the 1st of August 2016, the new Privacy Shield regime in  US-EU  data market space has come into operation. This has replaced the “Safe Harbor” regime that was declared as ineffective by the Court of Justice of EU (CJEU) in October 2015.

This new Privacy Shield will provide the framework for EU-US personal data transfers from now on and will work concurrently with the alternatives such as the BCR (Binding Corporate Rules), SCC (Standard Contractual Clauses of EU) and the CBPR (Cross Border Privacy Rule).

Relevance to Indian IT Companies

These EU-US developments will also apply to the data processing that happens in India either because the data transfering customer is an EU country or that these will emerge as general standards of the industry. Hence a general understanding of these principles is essential for Indian companies engaged in data processing activities involving “Personal Data” of non Indian Citizens.

As regards the data of the Indian Citizens, the ITA 2000/8 imposes its own obligations under Section 43A (For sensitive personal information), Section 72A (For all personal information) besides other provisions that apply to “Data” in general. The key aspect of the Indian law is that it provides legal backing to the contractual agreements between an Indian data processor and the foreign data vendor. Hence whether it is the Privacy Shield obligations or the BCR/SCC/CBPR obligations, they all get extended to Indian processors and become enforceable under the Indian law.

Indian companies therefore have to be completely alert to the developments in the EU-US data exchange scenario and follow it in India as the best Privacy practice particularly when processing of international data is involved. Since it is impractical to maintain one set of privacy standards to data of foreign nationals and another to Indian nationals, companies need to adopt the international standards for all personal data irrespective of whether it is pertaining to an Indian citizen or a foreign citizen.

This should establish the relevance of the new US-EU Privacy Shield regimes and the other frameworks to the Indian context.

What is Personal Information?

In Indian law, the rules under Section 43A define personal information as

” any information that relates to a natural person,which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person. “

In comparison, the “Sensitive Personal Information” is such personal information that contains any of the following type of information.

(i) password;
(ii) financial information such as Bank account or credit card or debit card or other payment instrument details ;
(iii) physical, physiological and mental health condition;
(iv) sexual orientation;
(v) medical records and history;
(vi) Biometric information;
(vii) any detail relating to the above clauses as provided to body corporate for
providing service; and
(viii) any of the information received under above clauses by body corporate for
processing, stored or processed under lawful contract or otherwise:

In contrast the EU definition of Personal Information is contained in the following form

“‘personal data’ shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;”

The EU definition appears broader than the Indian definition but we can assume that for practical purposes both mean the same. (Refer for details here)

However, it must be remembered that under  European law, data is considered ‘transferred’ when it is either physically transferred to another country (i.e. to be stored in a data centre on that territory) or when a person residing in another country accesses the data from that country. It is therefore an extremely broad concept that may apply even if personal data is technically stored within the EEA.

Hence the EU guidelines will become applicable in all cases where data is actually transferred to servers outside EU or when access is provided.

Essence of Privacy Shield

Privacy Shield principles are not much different from the general principles which are being followed in Safe harbor principle, there are a few significant differences that we need to take note of mainly in the enforcement of the provisions.

Stronger Supervision:

The intent of Privacy Shield is to transform the oversight system from self-regulating to one that is more responsive and proactive. The certification and annual re-certification process will remain unchanged, but the Department of Commerce will actively monitor compliance through detailed questionnaires, among other things.

Additionally, the FTC will maintain a “wall of shame” for companies that are subject to FTC or court orders in Privacy Shield cases.

Redressal Mechanism

Any EU citizen who believes that his or her data has been misused will have several redress possibilities under Privacy Shield. Among them, EU citizens will be able to report complaints directly to their local Data Protection Authorities. Redress mechanisms include established timelines for responses by a subject company. Privacy Shield also creates a new arbitration right for unresolved complaints.

Limitations imposed on US public bodies

There will be clear limitations, safeguards, and oversight mechanisms for access by public authorities for law enforcement and national security purposes. A new redress mechanism will inform a complainant whether an access or surveillance matter has been properly investigated and that either U.S. law has been followed or has been remedied in the case of non-compliance.

Steps to Certify

The subject Company should firstly develop and maintain a Privacy or Privacy Shield policy based on the following principles of certification under the EU-U.S. Privacy Shield, which includes

1. Notice: Privacy Shield Companies must update or prepare a global or EU applicable privacy policy or EU notice statements for the data subject of the certification to ensure such policy or notice is accurate, comprehensive, and visible to data subjects.
2. Choice. The policy will also cover areas where consent, permission, data use limitations or opt-out strategies, and special treatment for “Sensitive Personal Data” are applicable.
3. Access, Data Integrity, and Redress. The policy also addresses other areas related to existing processes or controls, if applicable, to meet Access, Data Integrity, and Redress requirements needed to cover a Privacy Shield election.

A Privacy Shield company must maintain adequate and reasonable administrative, technical, and physical safeguards and controls designed to address appropriate security requirements for U.S. and EU applications that capture or process data within the scope of the certification.

Following a review of existing contracts, the contracts with the downstream Business Associates  must be updated to  addresses the specific Privacy Shield wording requirements.

Training of manpower to update them on the requirements of the Privacy Shield requirements need to be undertaken.

Documentation supporting the company’s Privacy Shield certification (e.g., policies and procedures, gap assessment report, and contract addendum) should be prepared/compiled and included in a compliance binder.

Registration

Companies who decide to adopt the Privacy Shield must register themselves with the International Trade Administration of the US department of Commerce and subject themselves to the self certification process involving completion of the required questionnaires.

Presently it is reported that 200 companies have signed up for the process in the first month when the registration started. Others may be weighing the need for registration vis a vis their present privacy practices which may have incorporated other measures such as BCR, SCC or CBPR.

Alternatives to Privacy Shield

BCR:

BCR or Binding Corporate rules are internal rules adopted by multi national group companies which define the global policy with regard to the international transfers of personal data within the same corporate group to entities located in countries which do not provide an adequate level of protection.  Once approved under the EU cooperation procedure, BCR provide a sufficient level of protection to companies to get authorisation of transfers by national data protection authorities (“DPA”).   BCR does not however provide a basis for transfers made outside the group.

EU Standard Contractual Clauses

The Council and the European Parliament have given the EU Commission the power to decide, that certain standard contractual clauses offer sufficient safeguards as required.

The Commission has so far issued three sets of standard contractual clauses

• two sets for transfers from data controllers in EU to data controllers outside EU/EEA
• one set for the transfer from EU data controller to processors established outside the EU/EEA.

Adoption of these standard clauses could be considered if found suitable.

CBPR (Cross Border Privacy Rules of APEC)

The APEC Cross Border Privacy Rules (CBPR) system helps bridge the differences in privacy rules between different countries by providing a single framework for the exchange of personal information among participating economies in the APEC region.There are currently three participating APEC CBPR system economies: USA, Mexico and Japan, with more expected to join soon.

The APEC Electronic Commerce Steering Group (ECSG) and the EU Article 29 Working Party have produced a common referential for the requirements of the APEC CBPR system and the EU Binding Corporate Rules.

Participating companies are required to adhere to the standards established by the APEC CBPR system. All APEC CBPR system certified companies have their privacy policies and practices evaluated by an approved independent third party verifier (known as an “Accountability Agent”). Accountability Agents monitor and enforce companies’ compliance with the APEC CBPR program requirements. In appropriate cases, they are also required to report non-compliance to Privacy Enforcement Authorities.

Final Word

The mechanisms such as the Privacy Shield, BCR, SCC or CBPR  are different framework approaches to manage the privacy concerns when data from one country flows across to another and there could be differences in privacy laws between the two countries. Some of these frameworks differ in the system of enforcement and grievance redressal mechanism. While Privacy Shield is totally a self declaration based certification system, CBPR tries to bring in the Accountability Agent to certify at the first place. BCR may be for intra group data transfers in multi national companies and may not apply as a comprehensive approach. SCC framework is a good indicator and needs to be explored while drafting the Business Associate Contracts where data is transferred to sub contractors.

While these frameworks are essentially for the participating economies such as the EU-USA data transfers or within the CBPR signatories etc, Indian companies need to recognize the endorsement of ITA 2000/8 to these frameworks and the possibility that the vendors of USA or EU or any other country who transfer data for transfer to Indian companies may have incorporated a fine print clause in the SLAs or the Business Associate contracts and try to enforce indemnity clauses for any intended or negligent contravention of the privacy obligations.

It is time companies in India audit their privacy policies and its implementation status within the company to ensure that they are within manageable levels of deviation if any.

Naavi