Naavi.org

In the last one week, Naavi has been looking at the WebDTS prospects of some of the websites and it has revealed some challenges that throws light on the overall DPDPA 2023 compliance.

Many of the WebDTS Certification requests have failed because the way the website Privacy compliance is currently designed is generally faulty. There is a need for correction.

Yesterday, Naavi had an extensive discussion with some industry experts to understand why most of the Websites may not qualify for the FDPPI’s WebDTS tag. The reasons are many and there is a need for further education of the Website Owners to make them appreciate the compliance requirements drawn up by Naavi/FDPPI. A brief attempt is made here to explain the reasons for wide prevalence of non compliance and more information will be published from time to time as a part of DGPSI compliance framework.

For example, one of the basic principles of DGPSI is that “Purpose Oriented” collection and processing of personal data is the essence of Privacy Commitment. This requires that the personal data collected has to be minimized for the required purpose at the time of collection and retention.

A Company is a bundle of many personal data processing activities and the Website is one activity where the purpose of personal data processing is “Enabling a Visitor to receive the information published”. However, a Website can also be used for conducting E Commerce. It can also be used as an application interface. The “Information publication” itself may be at the primary level of “Read what is published” which can be extended to “Request for further information”.

In view of the different requirements of a website for different purposes, the collection, retention, disclosure, requirements for each purpose differs.

For example, if the purpose is “Enabling a visitor to receive information as published” (fundamental objective of a website), then there is no need to know the name or email address or the mobile number of the visitor. The technology may require knowing the IP address of the visiting device without which the basic IP handshake cannot occur. Then there is a requirement to know whether the device is a mobile or a computer so that the GUI can be dynamically modified based on the browser and device. For these purposes the name, email or mobile is not required. The information collected for such browsing can be through session cookies which some call as “Essential Cookies”. Such session cookies get automatically purged when the session ends.

However if a website decides that We will retain information about the BIOS identity of the device, and that will help me use the same display configurations when the visitor visits next time, then they may use “Persistent Cookies” which need to be retained and stored. If this information is not capable of identifying the human visiting the website, it does not constitute collection of “Personally Identifiable Information”.

Hence the DPDPA compliance is restricted to ensure that there is no persistent cookie and even if present, the cookie is not collecting personally identifiable information.

The Level 1 of WebDTS needs to enable just this data minimization requirement. We can discuss the higher levels of WebDTS compliance in subsequent articles.

It is an observation that even this Level 1 compliance of a website is not available with most websites. We may share some of the following observations in this regard so that we all can strive towards a better compliance eco system.

Some Observations

1.The lack of compliance could be because the hosting of the website is outsourced and the owner of the website may not have complete knowledge of what cookies are working on the website and what are their purposes. As a result the personal information may be collected by the hosting company and used for its own marketing efforts without a proper consent.

2.In the event a website works only with a basic functionality of company information being displayed and no personal identifiable information of the visitor is collected, then the website is compliant with DPDPA by default. But most websites have a purpose beyond presentation of information.

3.Since the website owner is dependent on the hosting provider for cookies used during hosting, it may be preferable to declare the identity of the hosting company and declare him as responsible for any undisclosed cookies collected by him.

4.It is also possible that the website may host cookies other than what the hosting company may install. This could normally come from data analytics companies including Google Analytic tools or associated Advertisements which are part of the Content monetization objective.

Such cookies may also be collecting only information which is not personally identifiable information but the cookies may be “Persistent” and may be stored and accessed beyond the session.

Further some information like Bios information and IP information may be used along with other information available with the analytics company and could lead to eventual identification of the individual. This is a consequential risk and the website owner may have to have some disclaimers in this regard.

5.The Base level of WebDTS (Level1) may therefore include such disclosures as may be necessary to declare that the possibility of undisclosed persistent cookies (beacons) hosted on the website by others exists and such companies will be considered as “Joint Data Fiduciaries” and are notified to identify themselves to the owner.

6. At the base level of WebDTS, some requirements of ITA 2000 compliance such as updation of declared privacy policy, provision of grievance redressal information, identifying the name and address of the website owner are considered essential.

7. A website is free to take a stand “We donot collect any personally identifiable information and hence this website is outside the scope of DPDPA 2023”.

8. If the website declares that it still wants to present a more detailed “Privacy Policy”, it has to declare if it is in compliance with the “Privacy Notice” under Section 5 of DPDPA 2023 which may include the 22 language criteria.

9. In a process wise compliance, the “Website Visitor Personal Information Process” may not constitute an activity that may qualify as an activity of a Significant Data Fiduciary. However, in view of the way Section 10 of the DPDPA is worded, the company may otherwise be considered as a “Significant Data Fiduciary”. If so, one interpretation could be that the name of the DPO should be displayed on the website. If however, there is a proper disclosure of the process, the identity of an organization as a “Significant Data Fiduciary” is also “Process Dependent” and need to be disclosed only when a consent to the related process is sought.

10. If the website opts to collect personally identifiable information through a secondary process such as “Request for Service” placed through the website, a separate Privacy Notice may be displayed in conformity with the DPDPA Section 5 and 6.

The scope of WebDTS certification is limited to “Compliance of DPDPA 2023 for the processing of applicable personal information collected from the visitors of the website”.

The most important compliance requirement is to ensure that the Objective of the website is declared as “Publishing of information to the public” and a separate Privacy policy declaring that there is no collection of personal information in the process .

Where the website wants to use the website as a gateway to further services, it is advised that the Privacy policies/Notices for each of such subsidiary services are separately displayed before requesting for the service which shall be of the “Consent Grade”.

If a company opts to use the website for not only information dissemination but also for other purposes (even if it is not e-commerce) as is the prevalent practice, the Privacy Policy becomes a Consent request for multiple purposes and it has to be appropriately written to meet the requirements of “Clear” and “Precise” standard along with “Consent” as per “Verifiable standard”.

Getting a WebDTS compliance tag (Level 1) is therefore possible with a proper revision of the Privacy Policy. However the expectation of FDPPI is that a website as a whole needs to be compliant with DPDPA 2023 and it appears that in India at present there are not many websites that will pass this test.

In the coming days, we shall discuss the different requirements to be met by a website if it has to get the WebDTS seal without the qualified seal of (Level 1). I suppose other experts in DPDPA 2023 may debate the compliance requirements that Naavi/FDPPI may consider as “Necessary”.

Naavi

Every organization handles Corporate E Mail process. Just as having a website is one of the Digitization steps taken by all companies, having a corporate e-mail system is another early step in the process of digitization of business.

I would like to raise some issues on the application of DPDPA compliance related to handling of the E Mail system by a company for the industry professionals to debate.

For handling the email requirements, an organization sets up an e-mail server often in the domain name which is also used for its corporate website. For example abc.in is the domain name of the company and @abc.in is the email IDs used by the company.

The @abc.in emails are allocated to the employees such as vijay@abc.in. It is also allocated to certain positions in the company such as dpo@abc.in.

Outward emails are sent by different designations such a hr@abc.in or purchase@abc.in or marketing@abc.in, service@abc.in or support@abc.in etc.

Outsiders send e-mails to these email addresses and also to employees such as vijay@abc.in. E Mails to vijay@abc.in may be personal or business related. It may also contain a CV requesting for job. This could result in accumulation of unstructured personal data in the company’s assets.

Many companies are using and will continue to use “E-Mail Marketing” as a part of its corporate strategy where they will send out e-mails to their prospective customers.

In such cases different compliance issues may arise.

If a Company has to be compliant with DPDPA 2023, it has to therefore develop a policy for handling the e-mail identity of the employees.

We may recall the case of Cavauto S.R.L where the regulator fined the company for accessing the email customercare@cavouto.com in the PC of the Company allocated to the employee under the premise that there was no proper notice to the employees that their personal emails could be accessed even in the company asset and business email.

Can such a situation arise in India under DPDPA 2023?

If so, what compliance measures could mitigate this risk?

Let’s debate. Send your views …to naavi ..or comment below..

Ujvala/FDPPI ‘s service “E Mail DTS” is designed to evaluate the risk mitigation efforts towards meeting the challenge of Personal Data Processing in the E Mail management process.

Naavi

As followers of Naavi are aware, Naavi had introduced a service lookalikes.in based on his patent application around 2002. The objective of the service was to provide a third party disclaimer on the presence of confusingly similar domain names.

For example the accompanying note on the website indicates that Naavi.org does not have relationship with the site navi.co and related websites.

It is advisable for the other sites also to display similar disclaimers so that mutual distrust and trademark related disputes can be avoided.

This service was introduced long time back but was not pursued. The patent application also had to be abandoned subsequently.

The reason why this service was contemplated was to prevent the potential misleading information that an alternate website could give to a visitor. As a part of the compliance of a website it is considered that a website owner needs to take some reasonable steps to warn the visitors that there could be alternate sites with similar names that the visitor should be wary of.

Hence this is made part of the WebDTS service in whatever form it can be made available at present. Some improvement of presentation may be expected.

PS: Requests for WebDTS can be booked through FDPPI website.

Naavi

PayTM is a well known brand when it comes to online payments. If India is proud to say that even vegetable vendors are using UPI, a large part of the credit should go to PayTM. It is sad to note that currently this reputation got a hit because their sister entity which had a Payment Banking license has run into problems with RBI in terms of compliance of regulations.

Using its brand value, PayTM had also obtained the license as a Payment Bank and called it PayTM Payment Bank. (PPB). However the regulations for Banking being much different from the operations of an intermediary service as a payment transfer mechanism, PPB encountered regulatory issues. Accordingly, on March 11, 2022, RBI had invoked Section 35A (RBI Act) powers and stopped acceptance of further onboarding of new customers.

PPB under its Payment Banking license was otherwise allowed to accept deposits of upto Rs 2 lakhs which could not be used for lending but could be used as a deposit for other services. (eg: remittance services, mobile payments/transfers/purchases and other banking services like ATM/debit cards, net banking and third party fund transfers.). After two years of observation and audits, RBI has now come to the conclusion that the PPB has failed to implement all the regulatory requirements and therefore issued a further notice on March 31, 2024 to stop further operations except allowing the customers to withdraw their current deposits in different services.

While PayTm and Paytm Payment bank are two different entities and 70% of revenue of PayTM group is said to come from its PayTM business and not PayTM Payment Bank business, the reputation loss and consequential damage to the stock market value cannot be avoided.

We have to wait and see how PayTM comes out of this problem. Currently the Company is yet to provide appropriate clarifications by way of disclaimers though the promoter has made some press statements. As of today, Paytmbank.com does not have any disclaimers about its “Arms Length Relationship” with PayTM.com which should have been one of the first things to do. (P.S: This sort of risk would be noted under the WebDTS compliance measure suggested by FDPPI)

In the meantime, we would like to highlight two aspects of policy failures which have led to this situation.

Firstly, RBI was not prudent in trying to convert FinTECH companies into Banks. Naavi.org had discussed some of these issues in the earlier articles. (https://www.naavi.org/wp/new-banking-licenses-in-india/)

Recently we have also pointed out how RBI’s over enthusiastic measures on Account Aggregators have created a set of licensees who may not be compliant with most of the regulatory requirements required for the conduct of Banking.

The “Reasonable Security Practices” required by these Banks and the Banking regulatory measures were un-natural to the “Innovation driven Fintech Industry” and it was wrong for RBI to assume that “Banking” and “E-Commerce” were two faces of the same coin.

This policy error by RBI can be considered as the main problem that has led to the current situation where the non-compliance has forced the RBI to take drastic steps.

The second policy failure is in the policies of the licensed entities who tried to raid on their current brands and started Banking activities under the same umbrella name. As a result today when the Banking business needs to be closed down for reasons of non compliance the damage to the parent brand is inevitable.

Clarification issued by the company is available here:

https://timesofindia.indiatimes.com/gadgets-news/will-your-paytm-work-after-february-29-this-is-what-ceo-vijay-shekhar-sharma-has-to-say/articleshow/107348660.cms

RBI should realize that when an existing IT Company gets into Banking, one of the strengths are their current operations and hence the extension of their IT infrastructure to the new business is a natural inclination of technology architects. It is perhaps the business strategy of aggregating their current IT infrastructure for better productivity.

However, from Compliance perspective this introduces certain risks which have come to hurt PayTM.

We may foresee similar issues when MeitY allows the RBI licensed Payment Aggregators as “Consent Managers” under DPDPA 2023. It is for this reason that Naavi has been advocating that the Consent Managers under DPDPA 2023 are different from Account Aggregators under RBI license.

We have advocated that “Licensed Consent Managers” under DPDPA 2023 are more like the “Licensed Certifying Authorities” under ITA 2000 and when Meity formulates the notifications, it has to avoid the mistakes committed by RBI in allowing brand sharing with an existing unrelated business with the licensed business.

Hence we debate that RBI was wrong to call E Commerce Companies as “Banks” in the first place and hence its licensing terms were faulty. Had PayTM Payment Bank been called as “PayTM E Commerce” or just “PP Bank” either disassociating the Bank from the name or disassociating the parent company name from the licensed entity, the damage would not have been as much as it is now.

(P.S: It is also time to point out this branding confusion in respect of Naavi.org and Navi group of companies promoted by the erstwhile Flipkart promoter. Authorities who have licensed navi.co.in as a business entity need to be aware that if they fail, they will be hurting the reputation of Naavi and if Naavi.org gets into bad reputation, it could hurt navi.co.in. It is for this reason that the existing brand of Naavi has issued a notice to navi.co.in that their “Lookalike-Imitation” is not a good strategy. So far their arrogance has made them ignore this mutual risk.

Naavi

PS: Views expressed here are the personal views of Naavi

Also refer:

The Watal Committee Report on Digital Payments..1

https://www.rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=32615

https://cleartax.in/s/payment-bank-license

We have already discussed the WebDts concept of evaluating compliance of the processing of personal data of visitors to a website.

Ujvala has already rolled out a compliance certification for WebDts which will be free till March 31 2024.

The use of email in the domain of the company is another process where the personal data of an individual gets used.

It is important for any company to ensure that it’s email ID is not prone to spoofing.

Ujvala in association with LedgerMail is exploring how a website owner can use LedgerMail solution to eliminate the Risks of SMTP based email system.

This will be towards DPDPA 2023 compliance.

If an organization can protect it’s Web presence and EMail activity, a good part of Risks may be covered. This is in pursuance of the process centric approach to compliance.

Watch out for more information on this.

NAAVI

[This article is related to the number of earlier articles on naavi.org on neurorights which are also collated at www.neurorights.in]

We last discussed some aspects of the legal implications of human brain linking to external brain device in our article “Naavi’s theory of neuro Rights” .

In a significant development announced today, Elon Musk’s Neurolink has obtained FDA approval and implanted a chip in a human. This is considered as the first human trial to test implants.

The study will assess the functionality of the interface, which enables people with quadriplegia, or paralysis of all four limbs, to control devices with their thoughts

This article in Neuralink state that the study nick named PRIME (Precise  Robotically Implanted Brain-Computer Interface) study aims to evaluate the safety of Neuralink’s implant (N1) and surgical robot (R1) and assess the initial functionality of its Brain Computer Interface for enabling people with paralysis to control external devices with their thoughts. 

Under the study, company is recruiting patients with “Quadriplegia” condition (Limited function in all four limbs) for a six year period interaction involving monitoring of the patients.

Once surgically placed, the N1 Implant is cosmetically invisible. It records and transmits brain activity with the goal of enabling you to control a computer. The Implant records neural activity through 1024 electrodes distributed across 64 threads, each thinner than a human hair. It should help the patients to control external devices through transmission of their thoughts.

The objectives of the study are noble and it is a significant development in the human medical research.

In the context of Cyber Laws, it is however necessary to flag that while the thoughts can enable an external computing device to be activated, whether such ability can enable a person without the need for such implant to be able to hack into computers in the vicinity through thoughts.

The patient with an ability to interact with an external computing device through a chip implanted within his body is by definition a “Cyborg”. While there are “Necessary Cyborg implants” for patients with paralysis to which this FDA approval relates to, the possibility of the implant being used for other purposes in due course including manipulating the thoughts of the patients or thoughts of an otherwise healthy individual cannot be ruled out.

Hence we need to look at the risks and accordingly formulate the policies for use of such devices.

Some thoughts that comes to my mind now are that …

All Cyborgs need to

a) be transparent to disclose that they are Cyborgs with some extra human capabilities. In other words, the fact that a human has an implant inside should be disclosed through a note on the face of the person. It should not be “Cosmetically hidden”.

b) made to sign a legally binding declaration to the community that they shall not misuse the implant.

c) agree for an audit of the activity of the implant at periodical intervals from a neutral body.

d) be automatically disqualified of entering into contracts such as disposal of their properties since they donot have full control on their thoughts.

e) Such Cyborgs may be “Intelligent” but donot have a “Free Will”. Hence they cannot enter into valid contracts under Indian Contract Act or similar laws.

Let us call these “Naavi’s Principles of Cyborg regulation” which can be expanded further. Obviously these thoughts do clash with some principles of “Human Rights”. But Cyborgs must consider themselves as not strictly “Human”.

Naavi

P.S: Kindly excuse me if I sound in-human since we are in the Neuralink case discussing about people with unfortunate disabilities and have actually lost some human capabilities which are being restored through this device. But just as a doctor discusses the probability of death before undertaking surgery with the patient and takes his consent for surgery, we need to recognize that while number of deserving persons benefit out of technology there will be odd persons who will misuse them. If we donot have regulations since the majority donot need them, the minority will become terrorists and bring disrepute to the technology itself. Hence regulation is essential.

Naavi