Consent Managers can be sector specific specialists

The concept of a “Consent Manager” in DPDPA 2023 is not understood by many. It is essentially a registered Data Fiduciary with the necessary infrastructure to be appointed by data principals. Registration will be subject to conditions that MeitY may prescribe.

Such conditions may include capital and net worth requirements, expertise, information security and so on. Other points that need to be specified or factored in are the ownership of the Consent Manager as a company, whether it can be owned by foreign interests, whether there will be a “Fit and Proper” criterion, whether there will be a minimum period for withdrawal from the business, and the distance to be kept from Data Fiduciaries.

One of our recommendations is to encourage Consent Managers to be sector-specific experts, so that they can provide better assurance to data principals.

DGPSI will be working on such sector specific compliance guidelines as part of its development of detailed guidelines.

In the process, FDPPI may also develop a Consent Manager-DTS (CM-DTS) as an indicator of the compliance maturity of a Data Fiduciary engaged in the business of a Consent Manager.

It is possible that MeitY may come up with its own version of the rules without taking into account all the requirements we suggest. But we hope that the guidance developed by the DGPSI team, being experts in Data Protection, will eventually be regarded as “Best Practice”.

To enable this, it is better if MeitY does not come up with rigid rules and leaves flexibility for compliance.

Naavi

Posted in Cyber Law

How India is being treated as a “Third Country” by some websites

There is a need to flag the condemnable attitude of service providers, including “WhatsApp”, who have the temerity to approach the Indian Courts against Government regulations, treating India as a country whose regulations can be ignored.

I call the attention of Mr Modi, Mr Amit Shah and Mr Rajeev Chandrashekar, with good wishes for their re-election, to take note of some of the websites whose terms of service state that the jurisdiction for dispute resolution for their consumers is in their country and not in India. While the services are rendered in India, the consumers are barred by a contract from approaching Indian Courts.

Some websites have started providing supplementary terms recognizing the rights of EU citizens and Californian citizens, besides those of the country of origin of the service. But no other country is mentioned.

While we can accept that any company has the freedom to set its own rules and is not bound to recognize Indian sovereignty, it is our responsibility to ensure that our citizens are protected.

This can be done only through an omnibus protection provided to Indian users of foreign services through the DPDPA 2023.

Currently such service providers are considered “Data Fiduciaries” and are liable under Indian law. Hence any contractual term that places dispute resolution outside the legal mandate of ITA 2000 and DPDPA 2023 is ultra vires and cannot be considered valid.

However, it is better if MeitY, through its rules on DPDPA 2023, makes it clear that:

“Clauses in the contracts with any Data Fiduciary, Indian or foreign, which are not in conformity with the Indian laws shall be considered as void and the dispute resolution provisions provided under ITA2000/DPDPA2023 shall prevail.”

Ignoring this and pressuring Indian users to agree to online click-wrap contracts should be considered a deliberate attempt to over-rule the law of the land and should be made punishable.

The DGPSI-supported Dispute Resolution Policy shall support the introduction of such a clause.

In one of the websites I observed the following clause:

Applicable Law and Jurisdiction. These Terms of Use shall be construed in accordance with the laws of Singapore without regard to its conflict of laws rules. Any dispute arising out of or in connection with these Terms, including any question regarding existence, validity or termination of these Terms, shall be referred to and finally resolved by arbitration administered by the Singapore International Arbitration Centre in accordance with the Arbitration Rules of the Singapore International Arbitration Centre for the time being in force, which rules are deemed to be incorporated by reference in this clause. The seat of the arbitration shall be Singapore. The Tribunal shall consist of three (3) arbitrators. The language of the arbitration shall be English.

It continues:

The following terms apply if you reside in the European Union:

Dispute Resolution. Notwithstanding the “Applicable Law and Jurisdiction” section of these Terms, if you are a “consumer” as defined under the EU Direction 83/2011/EU, any dispute, controversy or claim (whether in contract, tort or otherwise) between us and you, arising out of, relating to, or in connection with these Terms will be referred to and finally resolved by the court of your place or residence or domicile. You can also file a complaint at the online platform for alternative dispute resolution (ODR-platform). You can find the ODR-platform through the following link: https://ec.europa.eu/consumers/odr.

THE UNITED STATES

If you are a user of our Services in the United States of America, the below Additional Terms: (a) are incorporated into these Terms; (b) apply to your use of our Services; and (c) override the head terms of these Terms to the extent of any inconsistency.

If you are a user of the Services in the United States of America, the following terms expressly replace the above “Applicable Law and Jurisdiction” section of these Terms.

California Resident. If you are a California resident, in accordance with Cal. Civ. Code § 1789.3, you may report complaints to the Complaint Assistance Unit of the Division of Consumer Services of the California Department of Consumer Affairs by contacting them in writing at 1625 North Market Blvd., Suite N 112 Sacramento, CA 95834, or by telephone at (800) 952-5210.

If you are a California resident, then (except to the extent prohibited by applicable laws) you agree to waive California Civil Code Section 1542, and any similar provision in any other jurisdiction (if you are a resident of such other jurisdiction), which states: “A general release does not extend to claims which the creditor does not know or suspect to exist in his favour at the time of executing the release, which, if known by him must have materially affected his settlement with the debtor”.

If such companies can selectively accept the laws of the EU and California, why should we not insist that they also take into account the laws of India? We need to protect Indian data principals against such clauses on websites.

Suggestions are invited.

Naavi


Web Scraping Guideline from GDPR authorities

The web scraping industry, like the digital marketing industry, is one that would be seriously affected by the Data Protection Authorities.

According to a report on web scraping from stellar, the market for web scraping software and services may grow at a CAGR of 133% from around USD 800 million at present.

However, the emergence of Data Protection laws across the globe is likely to be a serious threat to the development of the industry.

DPDPA 2023 provides that if personal information is “publicly made available by a data principal”, the Act may not apply to such data. A question therefore arises as to whether personal data available on the web, either on websites or on platforms like LinkedIn, Twitter or Facebook, can be freely scraped and used by businesses.

Most platforms like LinkedIn have themselves made “scraping” a licensable service, and therefore any company that scrapes data from these platforms will be liable to the platform if it violates the terms of the contract. But whether the platform itself has the power to license scraping is debatable. This permission has to be part of the consent sought from the data principal. If the data principal has provided the data for a specific purpose, its use for any other purpose, including monetization by further licensing, should be considered a secondary purpose.

If the platforms are clear in their notice and seek explicit consent, “consent to allow scraping of data by any web crawler” can be treated as not being part of the basic consent. Many data principals who use the platform may agree that their profile be made visible to any visitor to the profile page, but may not permit it to be scraped for use by a third party for its own monetization.

If this provision is strictly applied, the business of “Web scraping” may suffer adversely.

Also, these platforms need to decide whether to incorporate a default condition that permission from the data principal is required before scraping.

DGPSI recommends that platforms conduct their own DGPSI audits and set appropriate compliance conditions applicable for different jurisdictions.

In this context we may note that many of the GDPR supervisory authorities are issuing guidelines on web scraping.

For example, the April 30, 2020 guideline of CNIL states:

When individuals share their personal data with one data controller, it is not reasonably expected that they will receive direct marketing from another company – another company may re-use their data for such purposes only with the individuals’ consent.

Similarly, when a company re-uses publicly available online data of individuals in order to send direct marketing communications about its products and services by e-mail or through automated calling systems, the company must obtain the individuals’ consent before sending.

The guidelines therefore expect that Data Controllers, before using web scraping tools, should:

  • Verify the nature and origin of the data that will be scraped
  • Minimize data collection
  • Provide notice to individuals
  • Manage the contractual relationship with the web scraping service provider
  • Carry out a Data Protection Impact Assessment (“DPIA”) if necessary

Recently the Netherlands authority also issued guidelines on scraping.

The key takeaways from the guidelines are as follows:

1. Provides a clear definition and distinguishes between scraping and web crawling.
2. Discusses the stringent conditions under which scraping can meet the ‘legitimate interest’ basis, emphasizing that mere commercial interest is not sufficient.
3. Highlights the significant privacy risks associated with scraping, including the inadvertent collection of sensitive and criminal personal data, which often makes lawful processing challenging.
4. Advises on conducting a DPIA to assess risks and ensure compliance with GDPR before initiating any scraping projects.
5. Points out the complexities of using scraped data to train algorithms, stressing the need for ethical considerations to prevent biases and inaccuracies.

An English version of the guideline is available here.

Naavi


Dutch fine on Uber.. Is it justified?

The Dutch data protection authority recently imposed a fine of Euro 10 million on Uber Technologies for failure to disclose the full details of its retention periods to drivers.

In this context one has to question the decision from the point of view of whether the “Uber driver’s data” is “Personal Data” or “Business Data”. If it is considered “Business Data”, then it should not come under GDPR restrictions.

To answer this question, one has to look at the relationship between an Uber driver and Uber. If the driver is under an employment contract, then he would be treated like any other employee.

Otherwise, if he is sharing a business commission, it is difficult to accept that the relationship is anything other than B2B. The driver as an individual is doing business with Uber, and in India we recognize him as a taxable entity distinct from the same individual for personal tax of a non-business nature.

The data of the driver that comes with the driving licence should therefore be considered “Business Contact Data” and “mandatory statutory data to be retained under law”. As business contact data, it is outside the scope of GDPR/DPDPA. It could be considered mandatory data to be collected, bound by the terms of the agreement as a contract.

Any passenger data collected by the driver for the journey is collected on behalf of Uber and belongs to Uber, not the driver. The driver is a processor in this context.

DPDPA 2023 recognizes “Business Contact Data” as a concept in the context of the DPO, and hence it accepts that “personal-looking data” may actually be shared for a “business purpose”, which can be considered different from personal data shared for processing for a service.

For example, an Uber driver hiring another Uber car to reach home is a customer of the second driver, and the information he shares is for the purpose of travelling and is like personal data. But his own data with the contract department is to be considered “Business Data”. It is possible that Uber may run some welfare measures for the drivers; in this context the data may be considered similar to employees’ personal data.

The classification of data as “Personal” or “Non-Personal” may therefore depend on the context and purpose. This needs to be identified during compliance. The process-oriented classification of data under DGPSI addresses this.

Please let me know your views.

Naavi


Independent Director or Company Secretary should be the first respondents to DPDPA compliance

After August 11, 2023, DPDPA 2023, the Digital Personal Data Protection Act 2023, has become law in India. Though the notification of rules is pending, DPDPA 2023 as of today is considered “due diligence” and part of “Reasonable Security Practice” under Sections 43A and 79 of ITA 2000.

The provisions of the Act are therefore considered effective as of now, though the penalty clauses may not be fully relevant. However, the Adjudicator under ITA 2000 has the power to impose penalties if there is an adequate cause of action and may use the penalty table under DPDPA 2023 as guidance.

To be fair, however, no Adjudicator in India may be aware of this power, nor inclined to use it. So companies that want to procrastinate can breathe easily for some more time. Assuming that the Modi Government comes back to power after the elections, the notification of rules may be on the first-100-day agenda.

Hence companies need to start working on compliance today.

If, however, we try to identify accountability at the corporate level for who has to raise the red flag first, it appears that only the CISOs/CIOs or GDPR-aware CCOs/designated privacy officers are the first to recognize the potential impact of the DPDPA and try to draw the attention of their Board to sanctioning budgets for next-level action.

Ideally, it should have been the “Independent Directors” or the “Company Secretaries” who brought to the notice of the Board the need to initiate compliance action.

Given the importance of DPDPA compliance and the need to cover the potential penalty risk, the associations of these professionals need to draw their members’ attention to their specific responsibility in this regard.

Naavi


“Product-DTS”: an evaluation of “Compliance Ready when in use” status under DGPSI

DGPSI (Data Governance and Protection Standard of India, the premier framework for DPDPA compliance in India) focuses on the compliance of Data Fiduciaries who process personal data collected from India. It includes compliance requirements under DPDPA 2023, ITA 2000 and the BIS standard for Data Governance.

A Data Fiduciary often conducts its business with the assistance of software suppliers, who may supply products or software services.

If the service provider provides the service exactly as prescribed by the DF, then he will be a Data Processor whose obligations are only to follow the instructions in the contract, and the compliance obligations are borne by the DF.

In many practical instances, the service provider does not reveal the complete details of the “means of processing”, either because he treats them as his trade secret or because he is too big for the DF. Most cloud service providers fall into this category.

In such cases, the DF who determines the purpose of processing is not in control of the “Means of processing”.

Hence such data processors may have the responsibility of a Data Fiduciary (DF) under the law, though we may all call them “Data Processors”.

DGPSI addresses this issue by defining the role of the service provider as a “Joint Data Fiduciary” and makes him directly responsible for the compliance.

In many cases the service provider’s service is contracted through dotted-line contracts and not through negotiated contracts. Hence the DF is forced to pick a service available on the web by simply clicking the “I accept” button for the terms of service along with the privacy policy of the service provider.

In such cases the DF is expected to at least send a proper notice to the service provider stating that the DF treats him as a Joint Data Fiduciary for the purpose of compliance with DPDPA 2023, and to try to get an acknowledgement.

Going further, some DFs may request the service provider to produce an assurance in the form of an audit, such as ISO 13485 for medical devices or FDA CFR audit certification.

The same issue arises when an AI service is provided in the form of an algorithm or managed services.

DGPSI considers such sub-systems as a “Compliance Entity” and expects them to be separately assessed for compliance with DPDPA as if that sub-system were an enterprise by itself.

In such cases, the AI algorithm becomes the subject “Data Fiduciary” which is required to be compliant with the DPDPA 2023.

Hence the AI algorithm has to be evaluated on the basis of:

  1. Who is the owner of the algorithm?
  2. What personal data elements does it collect, and from where?
  3. Is there consent or another established legal basis for processing?
  4. What is the evidence that there is a notice and consent?
  5. Who accesses the personal data, and why, at the time of processing or storage, as long as it is within the control of the algorithm?
  6. How are the rights of data principals fulfilled?
  7. How is the security of the data handled, and how does a “Breach” get recognized?
  8. How are other obligations, such as the handling of cross-border restrictions, minors’ data and nominations, addressed by the algorithm owner?
  9. What do the contractual terms of use state in terms of inter-se obligations of compliance?

The Data Trust Score mechanism of DGPSI evaluates these requirements against the parameters used for compliance and, through a weightage system, arrives at a score called the “DTS”. We have already discussed Web-DTS and AI-DTS as two concepts covering the compliance of a website and of an AI algorithm.

A similar system is now being applied to vendors of specific devices or services to evaluate whether, during the lifecycle of the data processing that happens within the service, the obligations under DPDPA are complied with, and if so how.

This evaluation can be done only in a specific context in which we know what type of data is collected and processed.

However, there will be some instances where a device or system supplier would like to claim that “When you use our products, you can meet your regulatory obligations”. This would be like evaluating a product for “Compliance Readiness When in Use”.

This compliance-ready evaluation has to assume a context representative of the most relevant use case and make its assessment on that basis.

“Compliance Ready when in use” is a DTS evaluation that represents the maturity of the product or service in addressing this issue. We may simply call it “Product-DTS” for easy reference.

When it comes to the evaluation of AI algorithms, DGPSI will draw from the EU AI Act to define risk and related concepts. Similarly, for medical devices, DGPSI will draw from ISO 13485. With such an approach, DGPSI will remain the unified approach for compliance not only at the “Data Fiduciary” but also at the “Joint Data Fiduciary” who is a contract partner of the Data Fiduciary.

Attend FDPPI training programs to discuss this further.

(Comments are welcome)

Naavi
