
Naavi.org

Building a Responsible Cyber Society…Since 1998

The New Data Protection Law may be ready for debate

Posted by Vijayashankar Na on June 19, 2018
Posted in Cyber Law

With the announcement that Justice B N Srikrishna may be assigned the enquiry into the Chanda Kochhar-Videocon loan issue, it was clear that his work in formulating the base draft of the Indian Data Protection Act was complete.

Now some preliminary information on what this law may hold has been revealed in an article on theprint.in.

Some of the salient features mentioned there are:

a) The law will be prospective and not retrospective

b) Time would be provided to the industry for implementation of compliance unlike previous laws in India

c) There will be cognizable offences recognized for intentional or reckless behaviour

d) Penalties on companies may be provided for with the protection of “Due Diligence” concept

e) There would be a “Data Ombudsman” who will adjudicate on the “Data Erasure” requests.

f) There would be an appellate authority after ombudsman with further appeal to Supreme Court

g) Consent would be explicit in respect of critical data

h) Critical data may be required to be stored in India

i) A Data Protection Authority would be set up and may handle registrations of data processors and grievance handling.

This is some preliminary information available. We shall wait for the full draft to be made public for further comments.

Naavi

The earlier article on GDPR entry into India being like a Vasco Da Gama discovery of India, has attracted some interesting reactions from some industry professionals.

While we may accept that the intention of GDPR is to protect the privacy of natural persons, and that it therefore confers “Data Subject’s Rights” such as the “Right to Erasure”, “Right to Access”, “Right to Data Portability”, “Right to Restrict Processing” and “Right to Rectification”, we must point out that any attempt to impose the regulation unilaterally on Indian citizens is to be resisted, because it is a question of the sovereignty of the country.

I consider that GDPR itself has provisions which recognize that other countries, including the EU member states, may have over-riding provisions in their national interest; it is the intermediary analysts who are confused and spreading the message that GDPR is applicable to all companies and to citizens of all countries.

We need to therefore fight against the “Self Subjugation Mentality” of some consultants to give a larger than life importance to the EU legislation.

While laws can have extra-territorial jurisdiction built into them as an “enablement”, its implementation is subject to acceptance by the other international governments by way of a treaty.

Hence as long as there is no specific treaty between India and EU to implement GDPR, Indian Companies are not directly liable under GDPR.

However, ITA 2000 (as amended in 2008) is a local law. DISHA 2018 would be another law of India, and the Data Protection Act of India, when passed (the Justice Srikrishna law), would be a law of India which needs to be implemented in India.

At the present juncture, the GDPR provisions can be extended to Indian Data Processors only through the Data Processing Contracts signed between the Indian Data Processors and their international business partners. When Indian companies sign blank indemnity provisions without an upper limit on liability, they will be confronted with contractual disputes in due course if there is any claim by the international partners. Additionally, under the provisions of GDPR, Data Controllers are empowered to literally extract the trade secrets of the Data Processors, and if the Data Processors do not realize this and resist, they will be subjected to business secret disclosures and searching technology audits by external agencies which will hurt their business interests in the long run.

Further, many of the provisions of GDPR are simply un-implementable since they are not conceived correctly, though some provisions to bypass the un-implementable ones are built in. However, when there is a conflict, EU supervisors and courts may take a partisan view against non-resident companies and disallow any attempt to use special provisions that may look like an attempt to bypass the popular perception of a privacy protection provision.

In such a situation, I would have expected industry bodies such as NASSCOM and DSCI to have come up with proper guidance to the Indian Companies particularly the SMEs in the Data Processing segment.

However, by organizing a “Welcome GDPR” event in Delhi on 25th May 2018, the Government of India has indicated that it may fail to show the required concern for the welfare of the Indian Data Processors, particularly in the SME sector, who do not have a voice in NASSCOM or DSCI.

There is a possibility, however remote, that GDPR will be used by EU-based businesses to squeeze the sweat out of Indian processors without commensurate reward. One notice from the business partner to show cause why it should not invoke an indemnity provision in the contract would make an Indian processor succumb to any pressure to reduce the price to levels where data processing for EU data will no longer be sustainable.

Slowly, EU will impose its own Certification bodies and Approved Codes which Indian processors will be forced to buy and adopt and Indian Data Processing industry will be subjugated into a Data processing colony of EU.

The US will be in a similar situation but, because of its economic muscle, will wriggle out of the vice grip of the EU GDPR through a new version of Safe Harbor or Privacy Shield, or Standard Contractual Clauses supported by the strong US courts.

But in India we are unlikely to have similar support from the Government and the current industry associations. The only saviour I see is in the Justice Srikrishna law, where some provisions can be incorporated which will not allow such international hegemony. Hence my earnest appeal to the Srikrishna Committee. I am aware that the committee is again dependent on DSCI and NASSCOM for advice, but Mr Srikrishna should have an independent mind of his own and can see through any attempt to dilute the sovereign rights of India in resisting the attempt of international regulations to undermine the freedom of existence of Indian companies through unfair legislation and unfair implementation.

It is in this context that I urge the SMEs in the Data Processing Industry in India to secure their interests by forming their own association and develop a collective strength to be heard in India and abroad.

In case Justice Srikrishna Committee does not propose the necessary protective measures within the legislation, it would be necessary for the association to seek changes. Instead of waiting for the draft to be released before crying injustice, it is preferable that the industry moves now and before the imposition of GDPR on 25th May 2018, develop a collective strategy to ensure that the Indian Data Processing Industry is not unduly harassed. The Association should move towards developing its own “Privacy Protection Codes” for implementation in the Data processing environment for Indian Citizens and Non Indian Citizens and show to the world that India can respect Democratic norms without challenging the sovereignty of another country like what GDPR proposes to do.

If we do not act now, India will face self-destruction of its Data Processing business segment, and it will happen with the help and assistance of many Indian industry establishments and associations who may think that they are globalizing the Indian data processing industry and cornering business opportunities.

I Request Justice Srikrishna as well as Mr Ravi Shankar Prasad to respond to the concerns expressed here and assure the citizens of India that their interests would not be undermined.

Naavi

Corporate Governance and GDPR risk

Posted by Vijayashankar Na on January 30, 2018
Posted in Cyber Law

As the D-day for GDPR (25th May 2018) approaches, many Indian companies are busy preparing to implement GDPR in their processing activities. At the same time, there is also a question in the minds of most Indian companies about how the GDPR provisions would be made applicable to them by the respective EU authorities, and whether the EU authorities are likely to pass any orders against an Indian company at any time in the future and impose liabilities.

GDPR essentially is a Data Protection law and has a penalty clause that if there is non compliance there could be a penalty which we all know is huge. But being a law of the EU it does not have direct enforcement jurisdiction on Indian Companies.

Article 3 of GDPR creates extra-territorial jurisdiction in two ways.

Article 3(1) applies GDPR to processing by a controller or processor established in the Union, “regardless of whether the processing takes place in the Union or not”.

Article 3(2) applies GDPR to a controller or processor not established in the Union, where its processing of the personal data of data subjects who are in the Union relates to:

1. the offering of goods or services to those data subjects in the Union (irrespective of whether a payment is required), or

2. the monitoring of their behaviour, as far as the behaviour takes place within the Union.

This is similar to ITA 2000/8, which also has extra-territorial jurisdiction (Section 75 of ITA 2000/8), and to many other cyber crime laws across the world. Such a provision provides a legal long-arm jurisdiction, but it is not feasible for EU authorities to extend enforcement jurisdiction or conduct direct audits of Indian companies unless the Indian entity is part of an EU company. (GDPR Article 27 does, however, require a non-EU controller or processor caught by Article 3(2) to designate a representative in the Union, subject to exemptions for occasional, low-risk processing, and the supervisory authorities may address that representative.)

However, the EU based Data Controllers will in their contracts with the Indian Data Processors have “implementation of Privacy and Security provisions as per GDPR” as a necessary condition and also have an “Indemnity Clause” to make the Indian company liable for “Any loss that may arise due to any act attributable to the Indian Company that may result in either a penalty imposed by GDPR or any other Judicial authorities”.

Hence, more than the direct impact of GDPR on Indian processors, it is the contractual liability that the Data Controller imposes on the Data Processor that will determine the liability of the Indian processor.

If there is a possibility of any liability arising on the Indian Company, there is a need for the Board of Directors to make an assessment and disclose the risks that may arise in the next Financial year 2018-2019.

GDPR (Article 35) also requires the Data Controller to carry out a Data Protection Impact Assessment (DPIA) where the processing is likely to result in a high risk to data subjects, and Article 28(3)(f) obliges the Data Processor to assist the controller in doing so. If a DPIA has been conducted by the Data Controller, the Data Processor will be presumed to be aware of it. Hence the management needs to take note of the DPIA results and admit knowledge of the risk associated with the processing.

From the point of view of an Indian data processing company, therefore, the moment it accepts a contract which has a GDPR stake, the liability risk attached to it needs to be assessed and a value assigned. The company also needs to undertake risk mitigation measures and determine how much of the risk has to be absorbed after mitigation, avoidance and insurance.

So far, Indian companies have never made an assessment of the financial risks that may arise on account of legal risks. If they had, companies would have estimated the risks even for non-compliance with ITA 2008 and made adequate disclosures and provisions. In the case of GDPR, however, the risks are high and are documented through the DPIA process. Hence the potential liability cannot be swept under the carpet.

Whether the absorbed risk is small or even zero, it would be obligatory from the point of view of corporate governance that Indian companies disclose their “GDPR Risk Liability” in their shareholder disclosures from the immediate next financial year.

We need to wait and see whether these companies will be compliant to this requirement or not.

Naavi

As the Government of India is conducting nationwide public consultation programs on the Data Protection Law proposed to be drafted on the basis of the Justice Srikrishna Committee, I would like to place before the Ministry some of my key ideas.

Big Idea 1: Data Trusts

The global regime of data protection including the EU GDPR recognizes the role of

  1. a Data Protection Authority for the nation,
  2. Data Controllers who collect data from the subject and/or determine how the personal data is to be used,
  3. Data Processors who process personal data on the instructions of the Data Controller
  4. Data Protection officers at the industry level as compliance officers.

I propose a new category of agency called “Data Trust” which operates between the Data Subject and the Data Collector and works as an escrow agent for the personal data of the individual. It will be a specialised institution which

  1. has the necessary wherewithal to secure the data entrusted to it by the public
  2. has the ability to classify the personal data entrusted to it by the public into different data category packages such as “Basic”, “Basic-identity”, “Sensitive identity”, “Confidential” or such other categories as it may choose to logically group
  3. has the ability to decode the consent forms and privacy notices of data collectors and grade the data controllers
  4. has the ability to determine which category of data is required to be supplied to which category of data controller
  5. has the ability to process a realtime request from the data subject to supply appropriate data to the data collector during a service registration process
  6. is registered with the Data protection authority
  7. is subject to being reviewed both by the strength of their performance and an audit by the authority
  8. is able to keep an arms length relationship with the Data collectors
  9. is able to monetize the data for the benefit of the data subject
  10. is able to issue a pseudonymization ID to its members which can be used instead of the real information when personal data is to be provided to data collectors.

The creation of this intermediary would be a unique suggestion that will make Indian law different from the rest of the world and meet the requirements of our country where there are a large number of less literate persons operating mobiles.
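The following is an added illustration, not code from the original post, of how items 2, 4, 5 and 10 of the proposed Data Trust could work together: the trust holds a separate secret key per registered data collector and derives a member’s pseudonym for that collector as an HMAC over the member’s internal ID, so the same person receives unlinkable pseudonyms at different collectors, a collector cannot reverse the pseudonym, and only the trust can resolve it back to the member. The category names, field assignments, member and collector identifiers are all hypothetical assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Hypothetical category packages, following the grouping suggested in the post.
# Which fields sit in which package is an assumption for this example.
CATEGORIES = {
    "Basic": {"display_name", "city"},
    "Basic-identity": {"email", "mobile"},
    "Sensitive-identity": {"aadhaar", "passport"},
    "Confidential": {"health", "income"},
}


class DataTrust:
    """Escrow agent sitting between data subjects (members) and data collectors."""

    def __init__(self):
        self._members = {}          # member_id -> personal data held in escrow
        self._collector_keys = {}   # collector_id -> HMAC key known only to the trust
        self._collector_grade = {}  # collector_id -> category packages it may receive
        self._reverse = {}          # (collector_id, pseudonym) -> member_id

    def enrol_member(self, member_id, personal_data):
        self._members[member_id] = dict(personal_data)

    def register_collector(self, collector_id, allowed_categories):
        unknown = set(allowed_categories) - CATEGORIES.keys()
        if unknown:
            raise ValueError(f"unknown categories: {sorted(unknown)}")
        # A fresh random key per collector is what makes pseudonyms unlinkable
        # across collectors: HMAC(k1, id) and HMAC(k2, id) cannot be correlated.
        self._collector_keys[collector_id] = secrets.token_bytes(32)
        self._collector_grade[collector_id] = set(allowed_categories)

    def pseudonym(self, member_id, collector_id):
        key = self._collector_keys[collector_id]
        tag = hmac.new(key, member_id.encode(), hashlib.sha256).hexdigest()[:32]
        self._reverse[(collector_id, tag)] = member_id
        return tag

    def release(self, member_id, collector_id, requested_fields):
        """Serve a real-time registration request: hand over only the fields that
        fall inside the collector's graded packages, under a pseudonym instead of
        the member's real identifier. Returns (package, denied_fields)."""
        allowed = set().union(*(CATEGORIES[c] for c in self._collector_grade[collector_id]))
        record = self._members[member_id]
        fields = set(requested_fields) & allowed
        package = {f: record[f] for f in fields if f in record}
        package["pseudonym"] = self.pseudonym(member_id, collector_id)
        return package, sorted(set(requested_fields) - allowed)

    def resolve(self, collector_id, pseudonym):
        """Only the trust can map a pseudonym back to a member (e.g. for a grievance)."""
        return self._reverse.get((collector_id, pseudonym))


def demo():
    trust = DataTrust()
    # Constructed sample member; values are fictional.
    trust.enrol_member("M-001", {"display_name": "A. Kumar", "city": "Bengaluru",
                                 "email": "ak@example.invalid", "aadhaar": "0000-0000-0000"})
    trust.register_collector("shop", {"Basic", "Basic-identity"})
    trust.register_collector("bank", {"Basic", "Basic-identity", "Sensitive-identity"})

    shop_pkg, shop_denied = trust.release("M-001", "shop", ["display_name", "email", "aadhaar"])
    bank_pkg, bank_denied = trust.release("M-001", "bank", ["display_name", "aadhaar"])
    return {
        "shop_pkg": shop_pkg, "shop_denied": shop_denied,
        "bank_pkg": bank_pkg, "bank_denied": bank_denied,
        "shop_resolved": trust.resolve("shop", shop_pkg["pseudonym"]),
        "cross_resolved": trust.resolve("bank", shop_pkg["pseudonym"]),
        "stable": trust.pseudonym("M-001", "shop") == shop_pkg["pseudonym"],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=>", v)
```

The shop never sees the Aadhaar number because its grade does not include the “Sensitive-identity” package, the bank receives a different pseudonym for the same member, and a pseudonym presented to the wrong collector resolves to nothing. In practice the reverse map would be a persistent, access-controlled store rather than an in-memory dictionary.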

Big Idea 2: Jurisdictional Umbrella

Since Data Protection is a global concept and just as India is imposing responsibilities under Indian law, many of the Indian processors are already under obligation to international data protection agencies including GDPR authorities where huge penalties are likely to be imposed on the Indian companies through contractual obligations.

Indian law therefore has to also decide on the jurisdiction of the proposed law and how it will handle the disputes arising between Indian processors (or controllers) with the GDPR counterparts.

It is proposed that Indian law is made primarily applicable to the Indian Citizens for the protection of their rights on personal information privacy.

Impact of this law on non citizens arising due to the collection of their personal data during their activities which come under the Indian legal jurisdiction is not an obligation of the country but could be accepted in the interest of projecting India as a country that can be trusted for data protection for cross border transactions.

However, when it comes to enforcement of the rights of any foreign agency, including private citizens, GDPR authorities or even contractual beneficiaries abroad, against any Indian citizen, Indian Data Controller or Data Processor, it should be mandatory that the dispute is resolved only with the involvement of the Indian Data Protection Authority.

Indian Data Protection Authority shall be the sole adjudicating authority for all disputes in which an Indian Citizen or an Indian Corporate or an Indian Government agency is a party.

Big Idea 3: Reciprocal Enforcement Rights

Recognition of any data protection law of any country outside India shall be only on a reciprocal basis where equal rights are available from the other country which may include

a) Enforcement of the privacy rights of an Indian Citizen or a Company in the foreign jurisdiction

b) Enforcement of penalty of any description on an Indian Citizen or a Company vis a vis similar rights for the Indian companies or individuals on the foreign citizens and companies.

I urge the Ministry to incorporate the above three ideas into the proposed law in appropriate terms.

Naavi

[P.S: This is in continuation of the discussion of the proposed Data Protection Act in India and the public comments invited for the  Justice Srikrishna report.]

“Privacy by Design” is a concept which GDPR (Article 25, “data protection by design and by default”) expects from Data Controllers and, through them, Data Processors. The concept of Privacy by Design basically means that measures for privacy protection should be initiated right from the inception of a project and during the engineering process. It is not an afterthought layered over the processing but should be embedded into the basic framework of processing.

The concept of Privacy by Design imposes a sense of responsibility on software manufacturers, who have a tendency to design software solely for functional purposes and expect privacy to be taken care of manually at the time of implementation.

This concept needs to be extended to complete compliance with all provisions of the Data Protection Act which can be controlled by technical means, by making “Compliance by Design” a mandatory provision under the law so that the responsibility for compliance is shared by both the software developers and the users. This could mean that systems and outsourced services should have mandatory encryption, mandatory authentication in the form of a non-repudiable digital signature system, mandatory compliance with data retention rules, mandatory archival of log records, etc.

If such “Compliance by Design” is mandated, then the quality of software products from the point of view of data security would increase, and in the event of any data breach caused by vulnerabilities in the software systems, some responsibility may be imposed on the software companies also. This would help SMEs in particular, who have a greater dependency on software suppliers who do not agree to source code audits or source code escrow and also do not guarantee that their software is free from bugs.

Larger companies may have better ability to take their own measures to secure the systems irrespective of the vulnerabilities they come with. They also have the power to extract maintenance contracts and source code audits better than the SMEs and hence the proposal for Compliance by design should help SMEs more than large entities provided the definition of “By design” is extended to software development.

The new Data Protection Act can consider imposing “Compliance by Design” as one of the responsibilities of system developers (both hardware and software). To incorporate this provision, a separate chapter could define the compliance requirements of the Data Controllers, Data Processors and Data Managers (as proposed in our previous article), along with how the fact of compliance should be disclosed to the public and to the Data Protection Authority. This should obviously be controlled through registration, and penal de-registration, of entities that are Data Controllers/Processors/Managers.

Hopefully, compliance requirements will not simply remain on paper but will be followed up for strict implementation.

In order to ensure that compliance is taken seriously, cyber insurance should also be made mandatory, so that the cost of insurance incentivises business entities to invest the right resources in achieving compliance.

The Srikrishna Committee (SKC) has asked for feedback on whether the law should be made retrospective or prospective. If “compliance” is an honest expectation, it goes without saying that the law has to be enforced prospectively, with reasonable time given for compliance.

In the meantime, the regulatory authorities need to provide guidance and assistance to the Data Processors and Controllers in the SME sector so that they can achieve compliance in the specified time. The compliance schedule also needs to be extended with additional time for smaller entities, taking into account the incidence of cost as well as the scarcity of manpower to assist them in compliance.

The compliance dead line could therefore be about 1 year for large units and about 2 years for smaller units, with exact definition of what is Small and what is not being decided on the basis of turnover.

Naavi

[P.S: This is in continuation of the discussion of the proposed Data Protection Act in India and the public comments invited for the  Justice Srikrishna report.]

The EU law on privacy under GDPR recognizes the “Right to Erasure” (Article 17, commonly called the “Right to be Forgotten”), which essentially means that the data subject can demand that his personal information be erased from the records in the custody of the Data Processor/Data Controller, for instance once the data subject withdraws his consent.

Enabling “erasure” of data is not as simple as it looks, since data has a tendency to multiply and spread across different systems within the processing organization, and it is often difficult even to recognize where all the copies of the data are present. With the need to back up data for disaster recovery, and with different versions of the data being created during the course of a customer’s relationship with a data processing entity, it is difficult to ensure complete erasure when a demand for deletion comes up.

Further, since data is related to national security and crime control, there is a legal obligation to “retain data” in many circumstances. There will therefore be a conflict between the need to erase data on request and the need to retain data for the control of criminal activities. Even governance needs such as Direct Benefit Transfer using Aadhaar require data to be retained and not erased merely at the request of the data subject.
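As an added illustration (not part of the original post) of the two difficulties just described, the following sketch processes an erasure request against an inventory of every copy of a subject’s data that an organization has managed to map. Live copies with no active retention obligation are erased; copies under a statutory hold are retained with the reason and review date recorded; and copies inside backup snapshots, which cannot be edited in place, are only scheduled for disappearance when the snapshot is rotated out. The store names, subject IDs, dates and retention reasons are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Copy:
    """One known copy of a subject's personal data somewhere in the organization."""
    store: str
    subject_id: str
    kind: str                              # "live" (editable) or "backup" (immutable snapshot)
    retain_until: Optional[date] = None    # end of a legal/statutory hold, if any
    retain_reason: Optional[str] = None
    rotates_out: Optional[date] = None     # backups only: when the snapshot is destroyed


# Constructed sample inventory; in practice this is the output of data-mapping work.
INVENTORY = [
    Copy("crm", "S-1001", "live"),
    Copy("analytics-warehouse", "S-1001", "live"),
    Copy("transaction-ledger", "S-1001", "live",
         retain_until=date(2026, 3, 31), retain_reason="statutory record retention"),
    Copy("nightly-backup-2018-06-19", "S-1001", "backup", rotates_out=date(2018, 7, 19)),
    Copy("crm", "S-2002", "live"),
]


def find_copies(inventory, subject_id):
    """Locate every known copy for a subject; unmapped copies are the real risk."""
    return [c for c in inventory if c.subject_id == subject_id]


def process_erasure(inventory, subject_id, today):
    """Apply an erasure request. Returns (remaining_inventory, report).

    report["erased"]    - live copies deleted now
    report["retained"]  - copies kept under an active legal hold (store, reason, until)
    report["scheduled"] - backup copies that vanish only when the snapshot rotates out
    """
    report = {"erased": [], "retained": [], "scheduled": []}
    remaining = []
    for c in inventory:
        if c.subject_id != subject_id:
            remaining.append(c)
            continue
        if c.retain_until is not None and c.retain_until > today:
            # Retention obligation overrides the request; record why and until when.
            report["retained"].append((c.store, c.retain_reason, c.retain_until))
            remaining.append(c)
        elif c.kind == "backup":
            # Snapshots cannot be surgically edited; note when the copy actually dies.
            report["scheduled"].append((c.store, c.rotates_out))
            remaining.append(c)
        else:
            report["erased"].append(c.store)
    return remaining, report


if __name__ == "__main__":
    left, rep = process_erasure(INVENTORY, "S-1001", date(2018, 6, 20))
    for k, v in rep.items():
        print(k, "=>", v)
    print("copies still holding S-1001:", len(find_copies(left, "S-1001")))
```

The point of returning a report rather than a boolean is that an erasure request is rarely fully satisfiable on the day it is received; the response to the data subject, and the record kept for the regulator, has to state which copies were removed, which are lawfully retained and why, and when the backup copies will cease to exist. A further refinement not shown here would be to re-run the scheduled entries after the rotation date to confirm the snapshot was in fact destroyed.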

Even where privacy is considered a Fundamental Right, the law provides exemptions for security purposes, and hence the “Right to be Forgotten” or “Right of Erasure” is a concept which cannot be considered for the Data Protection Act.