India needs a new approach to Privacy Implementation

It is standard practice in the Data Protection domain for an “Auditor” and an “Implementation Consultant” to have different roles in establishing Privacy and Data Protection Compliance.

However, this traditional approach places a relatively larger responsibility on the organization to understand and interpret the emerging requirements and to take steps to implement them. It is relatively easy for the auditor to step in, find faults, give impractical suggestions and exit. The company in most cases undertakes the audit exercise as a necessary formality and reverts to its usual ways of functioning, getting back into audit mode once a year whenever the audit happens.

Naavi would like to change this “I am not responsible for designing and implementation but responsible only for audit” approach.

We do understand that there could be a need for such an approach to avoid a “Conflict” between the consultancy and audit responsibilities. But this conflict can arise even in the traditional system because of the influence a reputed auditor can bring to bear on a consultancy firm. In many cases consultancy firms work in tandem with the auditing body and the difference between the two is only on paper. The auditor calls all the shots and the consultant falls in line.

Even in such cases, as long as the auditor is true to the objective of the implementation (eg: Privacy Protection), there is no reason to assume a conflict of interest in which the objective would be compromised. But the practice and belief that the two roles should be kept separate continues to prevail and is sustained despite its inefficiencies.

Hence keeping the Auditor and Consultant apart is considered artificial, and if there is a way of combining the consultancy and audit functions, it is not necessarily undesirable.

In India the DPDPB may expect that the DPO is an internal employee. Under GDPR, there is a possibility of an external DPO. Even if the Indian law does not allow an external DPO, it could allow an external Data Protection Consultant to assist the DPO. Further, the role of the DPO is more aligned with a duty to protect the interests of data subjects, and unless an organization has a separate Privacy Officer, there is an inherent conflict between the Data Principal protection duties of the DPO and the advisory responsibilities within the organization.

Naavi has therefore proposed adoption of a new “Partner in Progress” approach to consulting and audit of Data Protection programs in India which will be experimentally used by FDPPI through its “Supporting Member” network of consultants.

A brief description of this new approach is provided here.

The essence of this program is that the organization will use the services of FDPPI for designing, implementing and monitoring the system, with periodic review. In a way the entire PDCA cycle is managed by the FDPPI team, which will consist of a chosen set of professionals from the supporting member group.

The engagement would be on a retainer basis with additional services sourced either from within the supporting member network or outside and billed as necessary. The team would design and implement the system on a best effort basis.

The system of an external data auditor, which is inherent in the Indian law, will ensure that the work of the FDPPI consultancy team is reviewed by an external auditor, and should satisfy the purists who fear conflict.

It is intended that after the system is stabilized, the FDPPI team can exit and hand over the maintenance to an internal Privacy and Data Protection management team.

This arrangement is considered ideal when an organization is going through a Digital Transformation and implementing a switchover from the current privacy and Data Protection regime under ITA 2000 to the DPDPB regime.

Disruption of the current system of Auditing is necessary and desirable and I urge FDPPI to be the instrument of such disruption.

Naavi

Posted in Cyber Law

Transparency starts with your Identity Disclosure

We are today seeing tech companies entering the field of services related to “Compliance of Regulatory aspects”. Many of them proclaim that they use AI and ML for various requirements. Some of them provide KYC services to organizations. However, these service providers are themselves not compliant with Indian laws. The users of these services, who are the “Data Controllers”, use the services of these “Data Processors” without fully understanding their responsibilities.

I draw the attention of the readers to this article in ET “How RegTech can be a game-changer for the FinTech industry?”

The moot question is who regulates these RegTech companies? It appears that RBI is yet to decide on how to regulate these RegTech Companies.

Many of these companies are themselves non-compliant with the various regulations they should be complying with.

I was checking on one such start-up recently and found that even to send an e-mail to the company to get more information, there were many hurdles and many privacy infringements.

The company was not even transparent about its own identity on its website, let alone on the client’s website where their services were pushed to customers.

It is high time that RBI takes a serious view of such companies and introduces a proper accreditation system, since these organizations are actually substituting the regulatory processes managed, or to be managed, by RBI and such other regulatory agencies.

I came across an RBI notification which is a master direction to the licensed entities regarding outsourcing responsibilities. This however does not cover the regulation of RegTech companies who provide services to other companies that are not RBI-supervised entities. There is a need for a separate regulation of these RegTech companies, apart from the FinTech companies who are engaged in financial services such as lending.

In a keynote address delivered by the Deputy Governor T Rabi Sankar on July 7, 2023 at Bangalore, RBI stated that there is a need to establish a meaningful dialogue on regulation of FinTech. There was no mention of the earlier attempts of RBI at regulating FinTech companies (please refer to this earlier article on FinTech at naavi.org on the FinTech Steering Committee Report). There has been a need for a greater thrust on FinTech regulation, and it appears that RBI has been overwhelmed by the technology and is failing in its duty to regulate effectively.

However, the point of “Transparency through Identity Disclosure” is an area of non-compliance for many Indian companies, and it is the failure of CERT-In to impose its authority that has resulted in a situation where unknown and hidden companies are providing critical services in the RegTech/FinTech as well as other areas, without providing consumers the opportunity to raise their grievances.

I request CERT-In to recognize that its responsibility does not end with issuing a notification that a grievance redressal officer needs to be designated by all intermediaries, but to take effective steps to check the non-compliance. I hope the DG of CERT-In and the Secretary, MeitY, take effective steps at least now.

Also refer:

Will Fintech Steering Committee report bring changes to PDPA?

RBI’s FinTech Working Group needs to secure Consumer Interests also

Naavi

Press Conference by Humanoid Robots at UN AI for Good 2023 summit

A unique press conference was held at the AI for Good 2023 Global Summit, where a panel of AI-driven humanoid robots and their creators addressed the press.

See details here

The conference needs to be discussed in greater detail. In the meantime, some of the other developments in AI robots are given below.

In the light of the above developments we should see how the robots in the UN conference responded to the questions about potential job loss and threat to human society.

It is clear that the robots are not truthful when they say they do not cause job loss or will be free from adverse functioning.

The conference however provides some idea about regulatory thoughts which should be incorporated in the legal structure of India.

The discussion continues…

Naavi

3 changes proposed in DPDPB

According to a report in the Economic Times today, the following changes have been made to the earlier draft of DPDPB 2022.

  1. The age of consent for minors is reduced from 18 years to 14 years
  2. Government may adopt a negative list of countries to which the restrictions on cross border transfer may apply
  3. The definition of Significant Data Fiduciary may depend on the sensitivity and volume of data handled

We presume that this does not make much difference in the compliance requirement. We shall wait and watch further developments.

Naavi

Extreme Risks in AI: Experts Warn of Catastrophe

The recent developments in GPT 5 have prompted Google itself to sound a warning that there are inevitable catastrophic consequences in the AI developments of recent times. While Google DeepMind says that its teams are working on technical safety and ethics, it is not clear if the creators of AI are themselves aware what a monster it can turn out to be, or has already turned out to be.

The following video explains the extreme risks presented by GPT 5 and is a must watch for all of us.

What this video highlights is that the current models of AI can learn by themselves and could acquire dangerous capabilities that include committing cyber offences, persuasion and manipulation of human beings, etc. (Read: Model evaluation for extreme risks)

While we can pat the back of the technologists who are developing self-learning and adaptive robot models.

AI is going through the following levels of intelligence:

Limited Memory – The first level of AI uses limited memory to learn and improve its responses. It absorbs learning data and improves over time with experience, similar to the human brain. 

Reactive – The second level of AI has no memory and predicts outputs based on the input that it receives. They will respond the same way to identical situations. Netflix recommendations and Spam filters are examples of Reactive AI. 

Theory of Mind – This is currently the third level of AI and understands the needs of other intelligent entities. Machines aim to have the capability to understand and remember other entities’ emotions and needs and adjust their behavior based on these, such as humans in social interaction. 

Self-aware – This is the last level of AI, where machines have human-like intelligence and self-awareness. Machines will have the capacity to be aware of others’ emotions and mental states, as well as their own. At this point, machines will have the same human-level consciousness and human intelligence.

It is believed that research models have already reached level 3 and are entering level 4 of self-awareness. The early rogue behaviour of Bard in the Kevin Roose interview is an indication that at least these AI models can talk about being “Self Aware”, whether they are really aware or not.

Unless we take the extreme Indian philosophical outlook that the world will go the way God has ordained it to go and that Kaliyug has to end some time, it is evident that the end of the human race may come within the next generation and the “Planet of Intelligent Humanoid Robots” is descending on us.

If, however, we take a more optimistic outlook and do not panic, we should focus on how to prevent or delay the potential catastrophe that may affect our next generation before Global Warming or a Nuclear war can have their impact.

Global leaders including Elon Musk and Sundar Pichai have, for the record, flagged the risk and asked Governments to act by bringing in regulations. Some have called for stopping all AI related research for some time.

But it is time for us to act. Let us start thinking about regulating the development of AI on a global scale so that we can first survive till the next century.

I therefore call upon our Minister of State Mr Rajeev Chandrasekhar to initiate necessary steps to bring in AI regulation in India immediately.

While the Digital India Act may try to address some of the issues, it is necessary to use the current ITA 2000 and thereafter the proposed DPDPB 2022/23 to bring in some regulations immediately.

Naavi/FDPPI would try to address some of these issues and develop a note to be placed before the Government for consideration.

Volunteers who would like to contribute their ideas are welcome to send their views to Naavi.

Naavi

GIFT city and GIFT Nifty

A quiet revolution has started in the Indian investment scenario with the opening of trades in GIFT NIFTY from 3rd July 2023. This will have an impact not only on the Indian investment scenario but could also have an impact on laws such as the Data Protection Laws that we are following closely.

It will take some time for the full impact of GIFT City and GIFT NIFTY to be felt in the Indian economy, but we need to keep the developments on our radar.

GIFT stands for Gujarat International Finance Tec-City, physically located in Gandhinagar, Gujarat and modelled on the Dubai International Financial Centre (DIFC). It is a Government of India project and revolutionary in nature. Readers may recall several of Naavi’s suggestions in the past on creation of such a centre in Karnataka (Refer the article: 10 years after Naavi’s suggestion, “Data Embassy” concept is accepted by Government!). Unfortunately the Karnataka Government was not proactive in implementing such thoughts, and now without much fanfare the revolutionary idea has been realized in Gujarat, the home state of Mr Narendra Modi. We welcome the initiative wholeheartedly.

The website www.giftgujarat.in provides information about GIFT. It is proposed as a Financial and IT Services hub, the first of its kind in India. As a combination of Finance and IT services, this perhaps is a step ahead of DIFC. Probably all IT companies will now head for this location to establish their businesses. They will regret it if they don’t.

GIFT proposes to have an “International Financial Services Centre” (IFSC) as a unit with tax incentives, such as 100% tax exemption for 10 consecutive years out of 15 years, and other benefits.

Soon the Government may decide to include the incentives Naavi suggested earlier as regards the application of Data Protection laws. The DPDPB 2022 already has an open position on this and GIFT City could become the automatic choice for immunity from Indian law if the data processed is not Indian data. Perhaps it may even be possible to get EU GDPR adequacy for GIFT City.

As regards GIFT NIFTY, it will be the new version of SGX NIFTY. GIFT NIFTY operates for 21 hours a day: it will start at 6.30 am and go up to 3.40 pm, and again from 4.35 pm to 2.45 am. As of now the composition of GIFT NIFTY remains the same as SGX NIFTY. Investments are not open to retail investors in India but other institutions may invest in foreign currency. There will be four sub-products, namely GIFT Nifty 50, GIFT Nifty Bank, GIFT Nifty Financial Services and GIFT Nifty IT. All will be derivative contracts.

The development is considered path breaking and should help the stock markets also to expand.

Naavi
