FDPPI to introduce a Continuing Professional Education (CPE) program

The year 2022 is unfolding before us and I wish all of you a happy new year.

The year 2022 is more likely than ever before to see the passing of the Indian Data Protection Act.

Since September 2018, when FDPPI was formed, we have been preparing professionals in India to be aware of the Indian data protection scenario through our continuous educational activities.

In the process we have conducted Training Programs leading to “Certification”, webinars in the form of “Indian Data Protection Summit” and “Jnaana Vardhini” events.

We have also developed a base framework for compliance for the industry.

The time has now come to upgrade all our efforts to a higher level as the country prepares itself for the full-fledged Privacy and Data Protection Era.

In this direction, FDPPI will be introducing an FDPPI “Continuing Professional Education Program” (FDPPI-CPE Program) similar to other professional organizations.

The FDPPI-CPE program is aimed at not only ensuring that our professionals will be better placed to meet the challenges that they may encounter in the domain of Privacy and Data Protection in the real world, but also ensuring that the industry respects our professionals more than ever before.

It is desired that an FDPPI Certified professional should command respect as a well-informed and updated professional in the eyes of the industry, and the FDPPI-CPE program has to enable it.

Please watch out for the details of the program that would be shared here in a couple of days.

We may start the program with some simple provisions and introduce more features in the coming days.

Naavi


Plain Text : Encrypted Text with destroyed decryption key::Personal Data : Anonymised Personal Data

If we follow the discussions around the DPA 2021, it appears that there is confusion regarding the term “Anonymization” and its effect on Personal Data. It is strange that after so much discussion on the GDPR and the Data Protection laws, we come back to the basics of what is “Personal Data”.

Personal Data is such data which either directly or indirectly can identify a living natural person. This means that a set of characters such as “Chandrashekar” is an element that can identify a living natural person. But the string of data “Chandrashekar” alone has no identity with a living individual since there could be several persons with such a name. Further, whether it is a name or not is itself a factor of the knowledge of the recipient of the data. An Indian would recognize it as a name.

Would a person from interior Africa recognize it even if he is aware of the English alphabet? Or will a person in China who does not know the English alphabet recognize it as a name?

If not, why should we consider “Chandrashekar” as “Personal Data”? Is it not just a stream of binaries which one software renders as the English text “Chandrashekar”? In another rendition it may look different and may not appear to be a name.

The fundamental principle this suggests is that “Data” is neither personal nor non-personal per se. In a context it may be perceived as “Personal” by some and not by others. (Please refer to Naavi’s Theory of Data for a more detailed discussion.)

Can any data that can be perceived as “Personal” by somebody in the world be considered as “Personal Data” by all under law? … Certainly not.

Hence, just because we sit in India and get a feeling that “Chandrashekar” is the name of a person does not mean that “Chandrashekar” should be considered as “Personal Data”.

Another example… What does a string called “Bhajji” or “Submarine” represent? Is it the name of a dish in South India or the name of a naval contraption?

For a cricket follower in India, Bhajji may be a nickname of Harbhajan Singh and Submarine may be the nickname of Mr Subramanyam (former Test cricketer from Mysore).

Hence “Chandrashekar” by itself should not be considered as “Personal Information” any more than Bhajji or Submarine. This is part of the “Theory of Data”, and the hypothesis is that “Data is in the beholder’s eyes”.

Recently, a German court, in an order related to GDPR, held that an IP address is “Personal Data” and that if any American company is touching the IP address then it would be considered as a disclosure of personal data to a US entity, which is not permitted by the cross-border data transfer restrictions under GDPR. (See this article).

In this instance, the IP address is related to an action by an individual (such as visiting a website). But if the data is merely the “IP address”, it is not sufficient to identify a living natural individual. Hence it should not be treated as “Personal Information” but be classified as “Non Personal Information”. However if the recipient of the data (IP Address) has in possession more information that the profile of the visiting person is identifiable because he is a member of some service and his full particulars are available with the same person who is looking at the IP address.

This is to be considered as Privacy Jurisprudence.

In India, even the JPC members seem to have an unresolved doubt about what “Anonymised Data” is and how it relates to “Personal Data”.

Personal data by definition contains elements that lead to an identifiable individual. These identity parameters, such as the name, PAN number, e-mail address, IP address, cookie information etc., in combination represent the identity parameters that render a piece of information as “Personal Information” to which the data protection law becomes applicable.

In comparison, there could be data such as the weather, the environment etc. which is understood by everybody as “Non Personal Data”. Then there is information about a “Company”, which is not a “Living Natural Person” and which is also easy to identify as “Non Personal Data”. However, there could be doubt about personal-looking data of a natural person who is no longer living. In this case there is no doubt that the information may be considered as “Personal Information”, but there is no need for providing “Privacy Protection through data protection for the deceased individual”. Hence compliance requirements of a data protection law may not apply to the personal data of a “deceased data principal”. In the context of compliance, therefore, the organization can classify the personal data of a deceased individual as different from personal data for which the obligations and rights become applicable.

Yet another category of personal data that creates a problem is “Anonymized Data”, where the identity parameters of the individual contained in a personal data set are removed and irrevocably destroyed so that even the person who created the anonymized data from identifiable data cannot re-identify the data.

Some people consider that “Anonymization” is reversible and hence that anonymised data should also be considered as “Protected Personal Data”. But if the law places a standard for anonymization which includes that the identity parameters separated from the identified information are forensically destroyed, then there is no way of reversing the process of anonymization.

In the case of “Encryption” there is a “Key” with which the encrypted data can be decrypted. This is similar to the process of “De-identification” or “Pseudonymisation”, wherein identifiable data is rendered unidentifiable through a process of removal of identity parameters and/or substitution with proxy parameters. The person who has the “Key” to de-identification or pseudonymization can re-identify the data. Hence these processes are reversible.

If, however, we have very strong encryption and the holder of the encrypted data does not have the decryption key, then such data is considered “Confidential” though the data is in the hands of an unauthorized person. Data breach notification requirements under the HIPAA/HITECH Act do not consider such a data breach as a breach of PHI. If, however, the encrypted data is lost along with the key stored in the same data store, the breach is recognized.

In the case of anonymization, the anonymization process is known to the anonymizer. However, just as an encrypting person deliberately throws away the decryption key, the anonymiser forensically deletes the anonymization key so that de-anonymisation is theoretically not possible if a proper standard has been followed.
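The contrast drawn above between reversible pseudonymisation and anonymisation with a destroyed key, as an added Python sketch that is not part of the original post. The `Pseudonymiser` class, the field names and the sample record are constructed for illustration, and clearing an in-memory table only models forensic deletion.

```python
import secrets

# Constructed list of identity parameters for this illustration
IDENTITY_FIELDS = ("name", "email", "ip_address")


class Pseudonymiser:
    """Swaps identity parameters for a random proxy token and keeps the lookup table (the "key")."""

    def __init__(self):
        self._key = {}  # token -> removed identity parameters

    def pseudonymise(self, record):
        token = secrets.token_hex(16)  # random, so it cannot be derived from the identity
        self._key[token] = {f: record[f] for f in IDENTITY_FIELDS if f in record}
        stripped = {k: v for k, v in record.items() if k not in IDENTITY_FIELDS}
        stripped["subject"] = token
        return stripped

    def reidentify(self, stripped):
        """Return the full record while the key is held, otherwise None."""
        identity = self._key.get(stripped["subject"])
        if identity is None:
            return None
        rest = {k: v for k, v in stripped.items() if k != "subject"}
        return {**identity, **rest}

    def destroy_key(self):
        """Models key destruction; a real process must also erase backups, logs and storage media."""
        self._key.clear()


def demo():
    # Constructed sample record
    record = {"name": "A. Example", "email": "a@example.org",
              "ip_address": "192.0.2.10", "page": "/pricing", "visits": 3}
    p = Pseudonymiser()
    stripped = p.pseudonymise(record)
    before = p.reidentify(stripped)  # key held: the process is reversible
    p.destroy_key()
    after = p.reidentify(stripped)   # key destroyed: the token no longer leads back to the identity
    return record, stripped, before, after
```
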

Hence it is correct to consider that “Anonymised Personal Data” is not “Personal Data”. This was the status in the PDPB 2019. However, in the PDPB 2021, the JPC has been confused sufficiently by some experts who have held the view that just as a data encryptor having the decryption key can decrypt the encrypted data, an anonymiser of data can de-anonymise it as a matter of routine. This is an incorrect perception of the process of anonymization, which inherently includes the process of forensic deletion of all the identity parameters.

Some experts claim that Data Analysts can apply sophisticated algorithms and read meanings into Big Data which enable them to de-anonymise. This is a false premise since, if the anonymisation process is as per a proper standard, the de-anonymiser can only make a guess, like creating a “Profile” out of data, which is just a “View” and not “Fact”.

Beyond this, if somebody can decrypt encrypted data without a key by use of a brute force attack or social engineering, it is called a “Crime” and not a problem of the encryption system. Similarly, if anonymised data can be de-anonymised to a reliable extent by use of some technology, then it would mean that the standard of anonymisation was not good enough or that the de-anonymiser was a criminal who, through persistent hacking of the data, was able to extract personalized information out of the anonymised information. Such acts should be considered as a crime, and PDPB 2019/2021 does consider them as punishable crimes with 3 years imprisonment.

If we are not confident of our Data Protection Authority’s capability of setting a proper anonymisation standard which cannot be broken with a reasonable level of sophistication of an attack, then the user of an unreasonable level of sophistication to break an anonymisation should be considered as a “Motivated Criminal” and the punishment should be raised from 3 years to at least 10 years or more to bring in sufficient deterrence.

Unfortunately, without understanding this aspect, PDPB 2021 tries to include “Anonymised Data” as part of the regulations and creates an overlap between ITA 2000 and PDPA 2021.

Technically there is no difficulty in segregating data as “Personal” and “Non Personal” using “Anonymisation” as a separator. Just as strongly encrypted data with the key having been destroyed cannot be recovered, properly anonymised data cannot be de-anonymised.

I wish the JPC would give serious thought to correcting this situation when the Bill is taken up in Parliament for discussion, provided there is no ego issue in making changes.

Naavi

FDPPI expands its activities

FDPPI has so far been focussing on one dimension of its activities namely the empowerment of the data protection professionals with necessary knowledge on data protection. Towards this objective, FDPPI has developed Certification programs on Indian Data Protection Laws (Module I), Certification program on Global Data Protection Laws (Module G) and the Certification program for Data Protection Officers (Certified PDPCMS auditor/Consultant).

In the second dimension, FDPPI has opened up its activities under P&Y program where it would reach out to the student community and build better awareness of Privacy/Data protection knowledge.

In the third dimension, FDPPI has also opened up its activities to the corporate sector with its corporate training programs and the PDPSI framework for compliance.

With the Indian Parliament taking up for debate the new version of the bill, PDPB 2021, we are closer than before to the Indian data protection law becoming operative. Hence the need for intensifying the activities of FDPPI has arisen.

The first such intensified outreach program would be the “All India Privacy Awareness Program” to be undertaken by FDPPI in conjunction with Cyber Law College. This is meant for ordinary persons who are not conversant with the concept of Privacy and Data Protection and would explain the concept of Privacy as a human right, its implications in the data protection domain, the objective of the Data Protection Act, the diverse views of the Privacy Activists and the industry, the aspects of PDPB 2021 relevant for ordinary citizens of the country, etc.

Naavi would be launching the “Privacy and Data Protection For Everyone” campaign shortly to spread the awareness of the provisions of the new PDPB 2021 along with the background and the future trends in Privacy related issues in India.

This joint program of FDPPI and Cyber Law College should help in the absorption of the knowledge of the emerging data protection laws in India.

Watch out for the details.

Naavi


IDPS 2021 concludes

Reports prepared by Mr K N Narasingarao on each day’s proceedings are available here.

Day 1 : Bated Breath

Day 2: Zooming in

Day 3: Winding Down

Registration for IDPS is full…


Biggest Event on Data Protection in India to open on November 17th


Register for IDPS 2021 today…

Download Brochure here


Register Today for IDPS 2021

Download Brochure

PDPB 2019 in its past life…

As we are discussing PDPB 2019 as the Data Protection legislation of India today, it becomes necessary that we remember that this is the new incarnation of an earlier Bill called “Personal Data Protection Bill 2006”, which was introduced in the Indian Parliament along with the ITA 2000 amendment bill of 2006, which became the ITA Amendment Act 2008 and got passed in December 2008. The PDPB 2006, however, lapsed and was forgotten.

But for those of us interested in studying the legislative history of Indian legislation on Data Protection, it is important to recognize the PDPB 2006 as the past Janma of PDPB 2019.

A complete discussion of this Bill was held by Naavi under the aegis of Digital Society of India way back on 17th October 2008 as part of the Digital Society Day celebrations. It was hosted by KLE Law College and supported by KILPAR. Some of the photographs of the event are interesting.


Mr Suresh Kumar, the then Law Minister of Karnataka, inaugurated a seminar on Privacy on October 17, 2008 at KLE Law College, Bangalore, seen here with Naavi

Complete details of the event are available here.

A Copy of the Personal Data Protection Bill 2006 presented in the Parliament at that time is available here and is worth looking into when analyzing the legislative history of PDPB 2019.

When the Indian Data Protection Summit 2021 (IDPS 2021) discusses the Past, Present and Future of Privacy Law in India, it is necessary to remember this 2006 version of the Bill which faded into oblivion.

Naavi


FDPPI Launches Indian National Privacy Awareness Movement

Naavi, the Chairman of FDPPI, had earlier undertaken the “Karnataka Cyber Law Awareness Movement” in 2005, during which long certification courses were conducted across Karnataka in Bangalore, Mysore, Hubli and Mangalore under the umbrella of Cyber Law College.

Cyber Law College is a division of Ujvala Consultants Pvt Ltd, which is a supporting partner of FDPPI.

In a new comprehensive outreach program, Naavi is now scheduling an “Indian National Privacy Awareness Movement” (INPAM) starting from the Vijayadashami day on 15th October 2021.

The INPAM would be a free program aimed at ordinary citizens and students to make them aware of the concept of “Privacy”, “Data Protection” and the “PDPB 2019”.

The program would be conducted on the Mobile App FDPPI, available here:

https://play.google.com/store/apps/details?id=co.edvin.titge (for Android)

https://apps.apple.com/in/app/myinstitute/id1472483563 (for iOS)

Please download the App and await further instructions on the batches.

The program would initially be launched in English and Kannada and later different batches would be introduced in different languages.

Naavi
