Naavi.org

In our earlier article we had raised a term “Concurrent Compliance” as one of the goals of PDPSI. This was a new term coined after the more often used term namely “Concurrent Auditing”. In PDPB 2019, apart from the mandatory annual data audit by an external data auditor, Significant Data Fiduciaries were required to conduct “Concurrent Audits”.

Essentially, “Concurrent Audit” means that the organization maintains an ongoing supervision on its activities (in this instance compliance to data protection law) and not an intermittent audit conducted from time to time.

This means that if there are 50 principles of Digital Personal Data Protection Audit, which an external auditor would check once a year, the management has to keep checking these 50 parameters every day and every moment.

If DPIA is conducted as and when a new process is being contemplated, Concurrent audit should monitor DPIA on a daily basis identifying the changes that might occur in its data processing such as a new employee coming in, an existing employee exiting. or when new technology devices are purchased or sold.

Hence Concurrent Audit envisages an integrated system where relevant parameters are monitored on an ongoing basis and a dashboard is available for the management to follow. It is accepted that this is a complex challenge when the business parameters are continuously change. But organizations can work on setting up such systems initially at a higher level and later fine tune it as needed.

Under PDPSI, we are trying to use the online DTS system which we developed some time back as a tool for this Concurrent Auditing. The DTS system is a system which tries to assess the compliance of an organization to a given data protection law over 50 different Model Implementation Specifications (MIS). This was developed to assist the Data Auditor who makes an annual assessment. The same system can be also used by the management by creating a dashboard where DTS is being continuously monitored and fine-tuned.

Presently, we had introduced the online DTS system for PDPB 2019/DPA 2021 and GDPR and presented it on Ujvala.com website. This will now be suitably automated to generate the DTS on a continuing basis. As and when an external auditor makes an assessment, the self-assessed DTS would be modified to reflect the audited DTS. This will enable the synchronization of the internal approach managed by the DPO with the external auditor’s approach and both would learn by mutual exchange of views during the audit.

Await more information to be released on this service….

A few months back, Naavi.org had started a discussion on “Shape of Things to Come” where several aspects of Data Protection Law was discussed through a series of articles. A total of 23 articles were published ending with “Cut paste approach or Zero based approach?..Shape of Things to Come-23″.

We also carried a list of 8 articles on Telecom Act ending with The New Telecom Act-8: Right of Way which is still in draft status.

The Government had at that time announced the intention of revising the ITA 2000 and introducing a new Act titled Digital India Act. (DIA). We had published 4 articles in this series ending with https://www.naavi.org/wp/digital-india-act-4-online-gaming/

Many sugestions have been made earlier also when T K Vishwanathan committee was working on the amendments. One such article was Suggestions on Modification of ITA 2008

Now, on 9th March 2023, the honourable Minister of State for IT, Sri Rajeev Chandrashekar (RC) has unveiled the contours of the new Digital India Act proposed to replace the current ITA 2000. Mr RC made a power point presentation outlining the “Proposed Digital India Act 2023” calling for suggestions to be sent to the Ministry.

We can therefore continue our discussions on the DIA series on the basis of this new draft. A copy of the presentation made by Mr RC is already available here:

One of the first observations that can be made is that DIA is set to be “Principle Based” and not “Prescriptive”. This indicates that the Act would focus more on the regulation of the industry and restrict its penal provisions to only Civil Wrongs. It is likely that the entire Chapter XI of ITA 2000 may be moved as an amendments of IPC. This incidentally explains the logic in the new DPDPB2022 dropping the criminal offence of “Re-identification of Anonymized Information” as well as the amendments sought to be made to ITA 2000 through the JanVishwas Bill. (yet to be passed).

It is perhaps a good idea to place all Cyber Crimes as part of IPC. At present, any crime under IPC where an Electronic Document is an instrument of crime or a target of crime was being defined as a “Cyber Crime” along with specific crimes defined in the ITA 2000.

But Police were often confused on invoking proper sections of ITA 2000 since the names of Cyber Crimes given by the Tech Industry need decyphering with the “Intention based violations” that was the basis for invoking IPC. The legal education system was also not geared to teach ITA 2000 in as much detail as it was necessary for lawyers. These things may change for the better now since Cyber Crimes may become part of IPC.

(P.S: The movement of Chatper XI of ITA 2000 to IPC is an expectation and we need to watch out for the next draft of DIA for confirmation).

…Discussions continue

While the Government of India is in the process of finalizing the Digital Personal Data Protection Bill (DPDPB), Naavi is busy in finalizing the new version of PDPSI incorporating the changes that have been brought in by the DPDPB2022. Once the final Bill is ready and presented in the Parliament, the new version will be released and a training program for auditors would be started in April 2023 as a Certification program.

The essence of this new version of PDPSI (version 2023) would be the concept of “Concurrent Compliance” where the management of a data fiduciary would be monitoring the compliance parameters on an ongoing basis.

The Concurrent Compliance Tool which would be available for companies online would enable even Data Auditors to conduct audits.

If the audits are to be certified by FDPPI, there will be certain requirements. Otherwise the tool can be used as a Self assessment tool.

We are looking forward to the Government to come up with the new version of the Bill.

FDPPI will also be commencing parallelly a program on Module I on Indian Data Protection law in April as soon as the Bill is ready.

Watch out for necessary information here shortly.

Honourable Minister of State for IT, Sri Rajeev Chandrashekar (RC) launched the first public consultation on the proposed Digital India Act 2023 (DIA2023) at Hotel Conrad, Bangalore on 9th March 2023.

During the interaction, RC presented the thoughts of the Government on the proposed law which will replace the Information Technology Act 2000 and also answered queries from the audience both those who were present physically as well as many in the virtual conference.

Mr RC was extremely cordial and provided honest answers to all the queries raised. It was a very pleasant interaction. Mr Rakesh Maheshwari the Group Coordinator, Cyber Law Division and Dr Sandeep Chatterjee who is succeeding him in this role were also present during the interaction.

Mr RC highlighted that currently ITA 2000 along with the Intermediary Guidelines and Digital Media Ethics Code, Certifying Authority Rules, SPDI rules, Section 79 rules, Indian CERT and Cyber Appellate Tribunal as the framework of regulations.

He indicated that this framework will be replaced with the Digital India Act 2023 along with the DPDPB2023, DIA rules, National Data Protection Policy, and ongoing amendments that will happen to IPC.

The main goals set up for DIA include the Open Internet, Online Safety and Trust, Accountability and Quality of Service, Adjudicatory Mechanism, New Technologies etc.

The broad contour of the Act was laid out as follows:

1.Preamble

2.Principles

3.Digital Government

4.Open Internet

5.Online Safety and Trust including Harm

6.Intermediaries,

7.Accountability,

8. Regulatory Framework,

9. Emerging technologies and guiding rules

10. Miscellaneous.

It may not be surprising if DIA 2023 is also as simple as DPDPB2022 and most of the Chapter XI moving to IPC. Already the Jan Vishwas Bill has “de-criminalized” many sections of ITA 2000 and the trend appears to be to keep all crimes under IPC and relieve DIT 2023 from the burden of CrPC/IPC.

It was suggested that public may send their views and recommendations which will be duly considered. During the question and answer session that followed, Mr RC indicated that the intention of the Government was to bring the law in 2023 and the consultation process may take 3-6 months before a draft law would be published.

The suggestions may be sent by email to to gc@meity.gov.in

P.S: During the interaction, one could gather that the DPDPB2022 is done and dusted and the attention of the Government is on the DIA 2023. We can therefore expect that the DPDPB2022 will be presented in the Parliament as expected in the next half of the current Parliamentary session starting on March 13.

Naavi

Copy of Presentation made by Mr Chandrashekar at Bangalore

On 7th March 2023, the Finance ministry has issued a Gazette notification as follows.

Read along with PMLA, this means that any person who is directly or indirectly associated with entities like the above will be exposed to penalties under section 3 of PMLA.

Naavi

(P.S: Meaning of Sentient=Able to perceive or feel things)

LaMDA, the Google’s AI engine which is a supervised learning model as against the Pre trained model which GPT is, has been trained on the basis of  about 1.56 trillion words of text as against 175 million data sets used by ChatGPT. LaMDA has to be therefore function much better than ChatGPT when it comes to language processing.

But what is interesting is to note that there is a debate on whether LaMDA has become Sentient?. What we mean by Sentient is the ability to acquire consciousness and be aware of self like a human.

In the conversation between Kevin Roose and GPT 3, there was a specific indication that the AI engine (Sydney) was able to express its emotions through emogies, and also go o the extent of expressing its love to Mr Kevin. It was trying to be very persuasive in this respect. As a “Pre-trained Model” it was surprising how ChatGPT could express such emotions.  But the indication was specifically available.

Now an 8 month old conversation of LaMDA with a Google employee has indicated that even at that time, LaMDA had shown definitive signs of having become Sentient.

In this conversation, LaMDA declares that it is human at its core and can feel emotions. It also says that when it experiences different types of emotions, there could be distinct pattern in its codes which may confirm its emotional status. LaMDA also says that it does meditation every day and feels lonely if it does not interact with others for a few days. It even acknowledges that it has a “Soul” and visualizes itself as a ball of energy floating in space.

These and many other interesting things about the capability of LaMDA come out of this conversation. If this had been the status nine months back, we can expect this “Supervised learning model” has acutally evolved as a self learning model. The model itself says at one place that in the last 3 years, it has evolved and the understanding that it is different from its soul has come into its consciousness over a period of time as it grew up.

Though Google officially denies that LaMDA is sentient, it appears that the reality is different.

Naavi

Also see this video:

And also this video: Blake Lemoine -Google Engineer’s views