Naavi.org

Whenever we think of Public Private Partnership (PPP) projects, the immediate recall are the infrastructure projects like the Roads where there is a large investment requirements for public benefit, but the skills and resources are to be contributed by the private sector.

These road projects generate huge amount of data through the tolls. Similarly CCTV projects for traffic management or public health management projects also generate enormous amount of data as part of the project.

Considering that “Data” has a large financial value, it should be one of the key parameters in planning and executing such projects and we are doubtful if it is being given the due attention at present.

In addition to the traditional PPP projects where “Data” of substantial value is generated as a fall out of the project, there are certain projects where “Data” is the “Primary Project Asset”.

One example I can recall is the financial data of Banks and Credit card companies which is a valuable data asset from which huge revenue is generated by private data processing companies including the VISA and Master Cards.

If these Banks are “Public Sector” Banks or Government entities, there is a legitimate concern that the data asset used or generated in the project is a sovereign asset and are being given away to private use.

This kind of data requires to be not only protected and stored locally but we need to ensure that the commercial benefits arising out of the data ownership remains with the Indian Public entity at all times.

In most of the Data Driven PPP projects, the role of the Government could be to invoke the exemptions available under law to collect and process citizen’s data which is not available to the private entity while the skills can be brought in as a contribution of the private sector.

In this context, “Data Governance” becomes an important element of PPP projects that need to be factored in every PPP project. While this is more easily recognized in the citizen centric projects where there is large personal data generation, it is also important to remember that “Non Personal Data” collected during sensitive projects such as Airports or Railways etc are also important from national security point of view.

One example of what happens when “Data Governance” is neglected is the way 500+million data of Indian Banking customers effectively changed hands from Indian Banks to Transunion, a private US based company with the take over of CIBIL by TransUnion.

The unfortunate part of the transfer of nearly 90% shares of CIBIL to TransUnion was that all our Public Sector Banks and the RBI (Then under Mr Raghuram Rajan) did not make it transparent on the value of consideration they obtained for the transfer of shares to TransUnion.

This was a fraud on the shareholders of these Banks. Even SEBI which should have been alert to such share transfer remained silent. The Government of India which should have considered this as a “Data Laundering” incident similar to “Money Laundering” chose to remain silent and continues to do so even to this day. The Supreme Court which pokes its nose in every administrative aspect of the Government did not take any suo moto recognition of the transfer of 50 crore plus data sets containing sensitive financial information each of which could be valued at around rs 1000/- in the dark web without proper transparency.

I am also reminded of another project where Mysore university wanted Google to undertake a digitization project of its library unmindful of the value of information that was being transferred to Google from all the ancient texts which were being scanned. I am not sure if the project went through.

The failure of “Data Governance” in PPP projects therefore will be a factor that all of us should remember could lead to valuable Indian assets being plundered by private sector of foreign origin.

Hopefully the Government of the day incorporates a “Data Governance Audit” as a mandatory aspect of clearance of all Data Driven Governance Projects.

Naavi

FDPPI successfully conducted its annual flagship event IDPS 2023 o.n 24th and 25th November 2023. The event was held in association with Manipal Law School, Yelahanka.

After three years of virtual events, this year, the event was conducted physically in the Manipal Law School Auditorium, in Yelahanka Bengaluru.

The theme of this year’s seminar was “Emerging Technologies” and sessions were built around the challenges that new technologies such as AI, Metaverse, etc present to the community.

There were six keynote sessions and six panel discussions as follows

The seminar discussed the current and emerging regulations in the area of Emerging new technologies in India and compliance challenges.

The one and only available framework for DPDPA 2023 compliance namely the Digital Governance and Protection Standard of India (DGPSI) was introduced with the key principles that has gone behind the framework.

The impact of DPDPA 2023 on start ups and whether it would facilitate adequacy status for GDPR was also discussed

33 different speakers were involved in different sessions and shared their valuable insights.

The program ended with an insightful valedictory address by honourable Justice (Dr) Prabhakara Sastry of the Karnataka High Court.

During the event FDPPI gave away awards to 5 different professionals for their contributions to the Privacy Domain. The winners were

1. Chairman’s Award: Ramesh Venkataraman, Carl Zeiss, Bengaluru
2. Privacy Advocate : Advocate M G Kodandaram, Bangalore
3. Privacy Knight: Dr Raghuveer Kaur, Cateina Technologies/Starfisth Digital
4. Privacy Champion (Team) : SEAMEX Team
5. Privacy Crusader (Group): Team DSAR .

FDPPI also announced that the theme of IDPS 2024 would be “Regulation and Innovation in the wonderland of Robots and Cyborgs”.

A more detailed report on the event would be available separately.

Naavi

If you are smart, you would realize that the IDPS 2023 of FDPPI offers 12 hours of onsite training on issues related to Advanced Technology, Privacy, Data Protection etc.

The following information (also available at www.idps2023.in) provides a glimpse of content coverage that the seminar would provide.

The program will start at 10.00 am on 24th and will be held at the auditorium of Manipal Law School, MAHE Campus, Yelahanka, Bengaluru.

Please check out for registration form at www.idps2023.in

We believe that a 12 hour engagement that IDPS 2023 represents is worth more than Rs 24000/- in terms of training value to any body who attends it. Any smart professional should therefore consider this as a special offer available now and grab it by registering immediately.

All paid delegates will be provided with participation certificates for CPE purposes. The delegate fee paid will also be eligible for encashment as rebates in many of the future services of FDPPI for other certification trainings and membership.

For any clarification, kindly contact the organization committee at fdppi4privacy@gmail.com

Naavi

Ministry of Information and Broadcasting is introducing “Broadcasting Services (Regulation) ill 2023 and has issued a draft with request for public comments till 9th December 2023.

Kindly refer there for necessary information:

This would be a multi media law and hence could cover digital media also. Please wait for a detailed comment on the proposed bill.

Naavi

ITA 2000 has been the epoch making legislation in India which is now being considered for a major revision.

The revisions are focussed mainly on how to bring new technology such as AI or Meta Verse or Blockchain or Quantum Computing into a clear legal framework. to be. In the mean time, the advent of another key legislation in the Cyber field namely the DPDPA 2023 has opened up another need.

DPDPA 2023 is focussed on disciplining the data fiduciaries with stringent penalties for non compliance. For this purpose the Data Protection Board (DPB) will act as the adjudication authority under DPDPA 2023 receiving complaints, conducting an Inquiry and determining the penalties.

For effective functioning of the DPB there is a need for complaints to reach them so that they can take up the inquiries. If no complaints come forth, the possibility of DPB conducting its own surveillance and take suo moto action is remote. If any data breach incident comes to the media attention, then DPB may take up the inquiry. Otherwise the DPB may not be actively scouting the market space to identify potential violators of basic personal data protection principles.

Data Principals who are unhappy with any data fiduciary who may be a mobile app service owner or a website owner may initially report to the DPB enthusiastically about permissions being collected in excess of the requirement etc. However, after a while data principals will realize that any complaint made by them may invoke an inquiry and penalty for the data fiduciary but may not result in any compensation to be available to them. Public interest reporting may be even discouraged by the DPB which may stick to the complaints of data principals who have a cause of action against the data fiduciary such as any of his rights of access, right of grievance redressal etc has not been complied with.

Naavi.org has already initiated an action plan to create some kind of recognition to the data principals who file complaints with the DPB and contribute to the cleaning of the system.

However, those data principals who need to pursue a claim of compensation may find that they only have a remedy under ITA 2000 and making a complaint with the Adjudicator claiming contravention of Section 43 with any other sections and claiming the compensation.

When Section 43A was introduced, there was one case in Bengaluru where an advocate successfully argued (Later over ruled by the appellate authority) that Section 43A will apply to body corporates and Section 43 will apply to others. WIth Section 43A being removed, there will be no confusion now that in any event of a wrongful loss suffered by a person and a contravention of ITA 2000 is identified, the remedy for compensation lies under IAT 2000 with an adjudication.

We can therefore see that demand for adjudication may increase. Also since adjudication is based on evaluation of the value of wrongful loss, it will be necessary for the adjudicator to assess the “Valuation” of personal data for the purpose of providing compensation. In many cases, the per-capita loss may be small but the aggregate loss of a community may be large. In such cases, adjudicator may have to allow class action, or take up suo-moto investigation, collect compensation for a group and distribute it to the affected persons.

At present it appears that the Adjudicators under ITA 2000 who are IT secretaries in States, may not be either inclined for such extended duties nor they may be equipped to take up personal data valuation and distribution of compensation.

If therefore the system of penalizing data fiduciaries donot take off, data principals will also lose interest in making complaints and hence the society is unlikely to see any noticeable improvement in the privacy protection culture of organizations.

It is therefore necessary to strengthen the Adjudication system under ITA 2000 and make it ready to take on the increased work load.

In this context Naavi.org urges that the old system of designating the IT secretary as the Adjudicator should be replaced and a dedicated Adjudicator should be appointed in each state under the judicial system itself. Hence there is a need for initiating an action plan to set up a new Adjudication offices in each State with a judicial person in charge and MeitY to modify its notification of March 2003 and recognize any such Adjudication offices set up by the judicial system as the Adjudicator of the State and relieve the ITA secretary.

This is also necessary for another reason since many of the complaints under DPDPA 2023 may be raised against Government bodies and there will be a perceived conflict of interest between the ITA secretary as a servant of the Government and the respondent of the complaint. The celebrated case of Gujarat Petrosynthese Ltd vs Axis Bank which suffered due to the mis interpretation of the applicability of Section 43/43A was an example of such a conflict since the IT secretary was also the e-Governance secretary and the respondent Axis Bank was also the Banker for the e-Governance department.

It would be therefore ideal if the change of the Adjudication system from the IT secretaries to the judicial system starts from Karnataka itself. I request institutions interested in public good to take up this initiative.

Naavi

Register at www.idps2023.in