Inviting Contributions to DPJI and JVS

FDPPI, which is often referred to as the “Dada of Data Protection” in India, has been publishing a quarterly journal (presently in e-form) under the name “Data Protection Journal of India”.

The journal, started in January 2021, has now seen six editions, which are available at www.dpji.in.

While we are partially proud of the achievement, we are fully aware that we have miles to go in terms of making DPJI more useful and better looking.

FDPPI believes that it is like a start up and we will not hesitate in doing things even if there could be shortcomings to start with. We shall accept our shortcomings and try to improve further.

However, in order for a project like DPJI to succeed, we need valuable contributions from the community. FDPPI has more than 200 senior professional members in its community but not more than five or six have so far contributed to the journal. This is a surprise given the enormous cumulative experience that the team possesses. Obviously, there is a hesitancy amongst the professionals in putting their thoughts into writing.

FDPPI believes that the ability to communicate through writing and through making presentations to peers is part of the skills required of a DPO, and that Jnaanavardhini as well as DPJI are opportunities available to the members to hone their skills.

I therefore wish that more members try to use these opportunities to present their views to the public and at the same time sharpen their own understanding of the subject.

Presently Mr M G Kodandaraman is in charge of the DPJI content management and Ms T C Manju is in charge of the Jnaanavardhini Sessions. Those of you who would like to contribute articles to DPJI and also to speak in any of the Jnaana Vardhini sessions.

The next DPJI issue is scheduled for July 2022. Last quarter, the release was delayed but we want to be back on our time schedule for the next issue. We want to also add one section exclusively on “Technology” in our next issue where we want to discuss issues of technology relevant to Privacy Professionals. Since this is the familiar domain for most of our members, we hope members will take up this opportunity and contribute more articles in this domain.

In the Jnaana Vardhini sessions, we soon want to introduce “Members only sessions”, at least one per month. We conducted two such “Star Jnaana Vardhini sessions” in the past and thereafter continued with free sessions. It is time we re-introduce these Monthly Star Sessions, which will be aimed at covering some special topics that will add value to the membership. Watch out for announcements in this regard.

I invite members as well as non members to contribute articles of relevance to the DPJI and send speaking proposals. The requests may be sent by email to fdppi and it will be directed to the relevant persons for further follow up.

Students from educational institutions are also invited to present their papers through DPJI on relevant topics.

FDPPI members may kindly spread this word around so that we can start getting more contributions to the Journal and for Jnaana Vardhini sessions.

Naavi

Shadow DPAI required for CERT-IN

The JPC for PDPB decided to include parts of Non Personal Data regulation within the provisions of the DPA 2021. In the process, a situation of overlapping jurisdiction was created between the ITA 2000 and DPA 2021. Earlier, the replacement of Section 43A of ITA 2000 by PDPB 2019 gave a clear distinction between “Personal Data Regulation” under PDPB 2019 and “Non Personal Data Protection” under ITA 2000, with the possible “Non Personal Data Governance” under a new act as suggested by the Kris Gopalakrishnan report.

In a bid to avoid creating a Non Personal Data Governance Authority of India, the JPC decided to make the DPAI also responsible for Non Personal Data to the extent of Breach notification. This left the door open for future regulation on “Non Personal Data Governance” to rest with the DPAI as well.

Without going into the merits of whether an authority which is “Privacy Protection Oriented” would be the right authority for “Monetization of Data” which would be the essential part of the Non Personal Data Governance Act, we can note that the decision of the JPC has created overlapping of DPA 2021 with ITA 2000.

ITA 2000 essentially applies to data of all kinds and hence it applies both to personal data and non personal data. To the extent DPA 2021 deals with “Reasonable Security Practice”, which was earlier under Section 43A, there is no overlapping of provisions. DPA 2021 also does not cover criminal offences, which are covered under Chapter XI of ITA 2000/8. The only section in DPA 2021 that creates an offence could have been covered under ITA 2000 itself. This section (Section 83) under DPA 2021 relates to “Unauthorized modification of de-identified data back to identified data and thereby diminishing the value of de-identified data” and can be covered under ITA 2000 under Section 43(i) read with Section 66.

If this Section 83 of DPA 2021 had been removed, DPA 2021 could have remained entirely a “Section 43A supporting compliance legislation”. This would have kept the two legislations distinct.

Since the JPC did not factor in the existence of a statutory body called CERT-IN, it appears that CERT-IN has decided that it would announce its statutory status and has published the latest data breach notification directive of April 28, 2022.

Industry representatives have already become perturbed and run to the Minister to complain that this would affect Privacy, which he has correctly defended. (Refer indianexpress here)

The recent directive has asserted the power of CERT-IN and hence it cannot be challenged even after DPA 2021 is enacted.

However, a potential conflict situation between DPAI and Director General CERT-IN may arise and both need to show statesmanship in collaborating with each other. Though the CERT-IN and DPAI may resolve their differences, it is likely that the industry will play one against the other for their own advantage and project CERT-IN as an “Official of MeitY” and not to be respected like a DPAI which has 7 august members with expertise in different areas such as Law, Technology, Data Science etc.

In order to prevent the weakening of the perceived role of CERT-IN, it is necessary for MeitY and CERT-IN to strengthen its perceived position. One suggestion in this regard is given below.

  1. An Advisory Committee should be established by a gazette notification under the chairmanship of Director General, CERT-IN.
  2. The committee shall have at least six members consisting of experts in the areas of Cyber Law, Technology, Data Science, Data Security, National Security, and grievance redressal (for example, Arbitration, or a lawyer who is eligible for being appointed as a Judge of a High Court).
  3. The Committee shall meet as often as necessary, either through virtual meetings or physical meetings, and provide its views on various issues on which the CERT-IN needs to take decisions, in particular when action is to be initiated against an entity under Section 70B(7).
  4. The committee shall also recommend to the CERT-IN to initiate a complaint with a relevant Adjudicator (Under section 46 of ITA 2000) to undertake an inquiry as per the Information Technology (Qualification and Experience of Adjudicating officers and manner of holding enquiry) rules 2003.

Under the above suggestion the CERT-IN and his advisory committee will match the expertise of the DPAI in terms of experience and skills so that any interaction between the CERT-IN and DPAI shall take place with two nearly equally empowered regulatory authorities.

Also, under Section 70B(7), action may be initiated by the CERT-IN against any entity that contravenes the directions of the CERT-IN or otherwise fails to report a data breach, by recommending prosecution for a punishment of imprisonment up to 1 year and a fine of Rs one lakh.

Under Section 70B, it may be difficult to impose any penalty on any entity as a deterrent. Such power under ITA 2000 vests only with the adjudicator, who can either take “suo motu” cognizance of a contravention of ITA 2000 or act on a complaint, which can be filed by any person who can claim compensation for a loss suffered.

If there is a data breach, there would be some affected person who may or may not come forward to file a complaint with the Adjudicating officer. But the Adjudicating officer, on coming to know of a contravention (which may be through a report submitted by the CERT-IN), can initiate an inquiry. If the inquiry finds that there has been a contravention and there has been a wrongful loss to somebody and wrongful gain to somebody else, he can order collection of penalty from the person responsible for the loss and hold it in trust for the claims that may arise from any affected victim.

Since the notification of ITA 2000 on 17th October 2000 and the creation of Adjudicating officers through the notification of 25th March 2003, there have not been any published reports of Adjudicating officers imposing fines except on specific complaints preferred by some complainants.

There could be some cases where the Police have sought the assistance of the Adjudicating officer (eg: Karnataka), where fines have been imposed on Cyber Cafes under Section 45 of ITA 2000 (Residual penalty), which must have been appropriated by the Government as if it is a penalty imposed for a criminal offence. Such cases have not been widely reported.

Now CERT-IN needs to take the responsibility to advise the relevant Adjudicating officer (the IT Secretary of the State where the victim of a contravention resides) that there has been a data breach in his jurisdiction and that it warrants a suo motu inquiry and deterrent action.

It is noted that the Minister of IT, Sri Rajeev Chandrashekar has reported today that there is also an attempt to amend the ITA 2000/8 and a draft would be presented for public comments within a month. If required, some of the changes suggested above of creating an Advisory body for the Director General CERT-IN can be formally introduced into the Act.

It may also be noted that ITA 2000 envisaged a committee called “Cyber Advisory Committee” which has to endorse any amendment to the Act as per Section 88 of ITA 2000. It can also be recalled that the Controller of Certifying Authorities had created one such advisory committee in the year 2000, of which the undersigned was also a part. There was also an Inter-Ministerial working group, of which also the undersigned was a part. These committees had limited existence and subsequently most decisions are being taken by the executives in MeitY. Many of these decisions, including the Intermediary Guidelines of 25th February 2021, have been systematically challenged in the Supreme Court, and inefficient handling of the Shreya Singhal petition led to Section 66A being scrapped by the Supreme Court without a proper replacement of the provisions as was promised by the then IT Minister.

The creation of the CERT-IN Advisory board will therefore provide legal strength to the decisions given out by the Director General of CERT-IN. It could become a “Shadow DPAI” so that any data breach related directions for non personal data under Section 25 of the proposed data protection act (DPA 2021) can be issued by CERT-IN instead of by the DPAI.

Naavi

Also refer: 

CERT-In Re-issues its order of 4th January 2017


DPA 2021-compliance View

Madras Management Association and FDPPI successfully conducted a one day symposium on DPA 2021-Compliance View, at Chennai, on 23rd April 2021 at the MMA auditorium.

A large contingent of participants from ISACA and CySi who partnered the event made the event successful.

Following are some photographs of the event.

The event started with a welcome address from Captain Vijaykumar of MMA and an inaugural address by Mr Ravichandran, IRS, Commissioner of Income Tax, followed by an overview of DPA 2021 by Naavi.

Subsequently there were 4 panel discussions: one on Legal aspects, one on Technology aspects, one on Professional opportunities and another on Compliance frameworks.

Naavi anchored the entire day’s deliberations while experts from the industry such as Rohan K George, Geetha Jayaraman (Capgemini), Rupak Nagarajan (KPMG), R Vittal Raj, Dr Mahesh Kalyanaraman from HP and others participated. From FDPPI, apart from Naavi, Directors Mr Ramesh Venkataraman and Nagendra Javagal, and members such as Govind Srinivasan, also participated in the discussions.

The proceedings of the symposium would be available on the MMA YouTube channel at present. They may also appear on the FDPPI YouTube channel shortly.

The event was part of the National Movement of DPA 2021 awareness that FDPPI has charted out. Hopefully with the availability of other partners in other parts of the country, similar events can be repeated.

Naavi

Video Links

  1. Inaugural Session
  2. Legal Aspects of DPA 2021
  3. Technology Aspects of DPA 2021
  4. Career opportunities from DPA 2021
  5. Audit perspective of DPA 2021


Join us at the symposium in Chennai on April 23rd…

Madras Management Association (MMA) and FDPPI are organizing a symposium on DPA 2021-Compliance View. ISACA, IACC and CySi are partnering the program and offering special privileges to their members to attend the event.

If you can be in Chennai next weekend, make the MMA Auditorium your destination.

Naavi


National Privacy and Data Protection Compliance Movement

India is planning to pass a law on Privacy and Data Protection, and the Bill, titled Data Protection Act 2021 (DPA 2021), is pending in the Parliament. The copy of this Bill originated in 2018 following the Srikrishna Committee report and was later modified as the Personal Data Protection Bill 2019 (PDPB 2019). A Joint Parliamentary Committee (JPC) has deliberated on the bill for more than two years, held consultations with many stakeholders and has now revised the PDPB 2019. The revised version, now referred to as DPA 2021, is ready for final debate in the Parliament and for being passed into law.

Like all laws that have a significant impact on society, DPA 2021 has also been facing opposition from a section of the industry. As a result, the mainstream industry has been presented with a skewed view of the proposed law, creating uncertainty in the minds of industry professionals on whether the law will be passed and whether it is desirable or not. This has resulted in many organizations delaying the implementation of their compliance program.

We need to realize that DPA 2021 is a continuation and expansion of the currently applicable law, namely the Information Technology Act 2000 (ITA 2000), and forms part of the “Due Diligence” under Section 43A of the ITA 2000. Several Courts have taken cognizance of the Bill and incorporated the provisions in their decisions. Prudent Companies therefore think that the time for compliance has already come and that the time up to the actual passage of the Bill, and the further implementation time that may be provided therein, is a cushion against being held liable to the potential penalties envisaged in the Act for non compliance.

FDPPI (Foundation of Data Protection Professionals in India) is an organization that is dedicated to the cause of “Data Protection” in India and to building a Data Protection Compliance ecosystem in India. FDPPI since 2018 has been engaged in outreach programs to build awareness of the Privacy and Data Protection concepts and also the development of professionals who are certified in the relevant skills to provide consultancy to organisations and conduct audits of the “Data Protection Compliance Management Systems”. FDPPI is today the apex organization in India dedicated to the establishment of the Data Protection compliant environment in India.

During the pandemic times, FDPPI conducted nearly 100 online events on Data Protection regulations and related issues, which have already created wide awareness of the forthcoming laws.

As a part of the activities in the post-pandemic scenario, FDPPI is now conducting a series of physical programs in different parts of the country in association with multiple organizations to spread the awareness of the regulation from the compliance perspective.

In this series, FDPPI conducted one program in Bangalore in association with Indo American Chamber of Commerce (IACC) on 04th March, 2022. On April 23rd 2022, FDPPI is conducting a program in Chennai in association with Madras Management Association, ISACA Chennai Chapter, Cyber Society of India and IACC.

During these programs, we discuss the compliance measures that are required to be followed by the industry steering clear of the controversies. The discussions cover the overview of the law as presented in DPA 2021, the Technology and Business Challenges that the law presents, the Professional opportunities created for Data Protection Officers and Data Auditors and also the Compliance framework exclusively designed for compliance of the law.

FDPPI presently has developed a Compliance framework called “Data Protection Compliance Management Standard of India (DPCMS)” which is focussed on the compliance of DPA 2021 incorporating the best principles of other international frameworks. This is an indigenous approach designed to be a Unified Framework for Indian companies to be compliant with all Personal Data Protection laws and includes some aspects of compliance of Non-Personal Data protection which is part of DPA 2021.

The framework includes innovative and globally unique concepts such as “Data Valuation”, “Distributed Implementation Responsibility”, “Generation of Data Trust Score” etc. It is flexible enough to be customized and adopted by different industry segments.

Recognizing the difficulties that arise when implementing one law applying equally to all industries and entities of all sizes, FDPPI is now in the process of developing different “Sector Specific Compliance Codes of Practice” which meet the requirements of law under Section 50 of DPA 2021. The Data Protection Authority of India (when operative) can approve such codes of practice after due consideration of whether they meet the requirements of the law. This should substantially ease compliance and encourage increased voluntary compliance in the industry. FDPPI has a vision to create tailor-made Compliance frameworks for different industry segments with the participation of industry representatives. This is a “First in the World” approach to the customization of data protection law compliance to different sectors and would help in reducing the pain of compliance.

FDPPI however is a Not-for-Profit organization and its bandwidth to conduct the outreach programs in different locations is dependent on the partner organizations. Presently we are working with organizations like IACC and ISACA which have a presence in multiple locations. However, we are looking for other suitable partners who are interested in associating with FDPPI for this “National Data Protection Compliance Movement”, where we disseminate knowledge, motivate companies to start compliance initiatives and develop sector specific codes of practice.

Come, let’s together bring about a Data Protection Revolution in the country.


Seminar on DPA 2021-Compliance Perspective

FDPPI in association with Madras Management Association and other partner organizations will be conducting an offline seminar in Chennai on April 23, 2022.

The theme of the seminar is “DPA 2021-Compliance perspective”.

There is a campaign in the media that the JPC modified version of PDPB 2019 needs to be re-drafted.

The first set of objections was centered around “Government has too much powers under Section 35 of the Act”.

The second was on the “Restrictions on Data Transfer” under Sections 33/34 of the Act.

Now a third set of objections, centering around “Difficulties to Start Ups” and “Compliance Cost”, has been raised.

The net objective of all these objections is to lobby the Government so that the current weak set of laws continues and Tech Companies like Twitter, Meta and Google can continue their Data Exploits in India without accountability.

FDPPI however believes that Compliance to the data protection regulation is in the interest of the community and, even if there are some disruptions in the operations of the Data user organizations, that is not a reason to defer the law indefinitely.

In order not to let the industry slip into complacency thinking that the Data protection law will not be introduced in India, FDPPI would like to present the “Compliance Perspective” so that responsible companies start working towards compliance without being under too much stress.

On April 23rd, over a day long seminar in Chennai, FDPPI along with FDPPI will discuss the DPA 2021, from the perspective of companies who would like to work towards compliance.

Watch out for more details.

Naavi


Next Certification Program from FDPPI-Cyber Law College

Cyber Law College as training partner of FDPPI is conducting the next program on Data Protection Laws in India for FDPPI Certification, tentatively starting from April 30th. Details are as follows:

  1. The program leads to the FDPPI certification “Certified Data Protection Professional-Module I” and is part of the larger “Certified Data Protection Compliance Management System Auditor/Consultant” (CDPCMS Auditor/Consultant). This program includes two other modules, namely a Module on Global Laws (Module G) and another on Audit (Module A).
  2. The program is based on the new JPC approved version of the Data Protection Bill. It will be conducted online on Zoom platform.
  3. Appropriate reading material would be provided during the course.
  4. At the end of the course, an online multiple choice examination of 90 minutes would be available. Those who are successful will get the certification “Certified Data Protection Professional-Module I”.
  5. The course content would be as follows:
    1. Evolution of Privacy Laws in India
    2. Applicability
    3. Obligations of a Data Fiduciary
    4. Rights of Data Principal
    5. Exemptions
    6. Restrictions on Data Transfer outside India
    7. Penalties and Offences
    8. Data Protection Authority
    9. Adjudication and Cyber Appellate Tribunal 
    10. Data Audit
    11. Data Protection Compliance Management System (DPCMS) and Data Protection Compliance Standard of India (DPCSI)

Registration can be done here.

  6. The fee for the course is Rs 12,000/- plus GST of Rs 2160/-. Total Rs 14160/-.
  7. Those who attended the FDPPI-IACC seminar on April 4th are entitled to a discount of Rs 2000/- and the fee payable by them would be Rs 10,000/- plus Rs 1800/- (GST). Total Rs 11800/-. (An email has already been sent to all the registered participants of the program.)
  8. The registrants will also be provided a complimentary “Basic Membership” of FDPPI, which otherwise costs Rs 4000/-.
  9. For further clarifications, if any, contact Naavi.

Naavi


Implications of the Upcoming Data Protection Bill 2021..The Compliance Perspective

You can register either at IACC or FDPPI.

IACC registration for physical event

FDPPI registration for webinar: 

Registrants who attend the webinar will receive further benefits of value from FDPPI


Data Protection Journal of India-5th Issue released

The Data Protection Journal of India was launched on Data Privacy Day 2021 to disseminate knowledge on Data Protection from time to time. Four quarterly issues were released during the year 2021 and the first issue of 2022 has now been released.

The issue is available on the web at www.dpji.in.

The current issue covers the new version of the Data Protection Act as presented by the JPC in the Parliament and discusses the changes.

For the first time the issue embeds a video presentation also making it a hybrid journal.

Naavi


FDPPI celebrates International Data Privacy Day 2022
