FDPPI to Join hands with GIA Global group, Czechia

FDPPI and GIA Global Group have entered into a mutual cooperation arrangement for promoting activities on Privacy and Data Protection.

GIA Global is based in Czechia (Czech Republic).

We will be sharing our mutual activity calendar so that our members can benefit from this arrangement.

As a first step, GIA Global, under its GIA Virtual Series, is conducting a webinar titled “International Data Transfers & Compliance” on June 18th, covering the legal framework and how to build a mature compliance program.

The webinar will be on June 18th at 18.00 CEST (9.30 PM IST) and will run for 90 minutes.

Interested persons may register here

Naavi


A Movement has started in India …by Data Protection Professionals

A detailed 44 minute video including the Question and Answer session is also available here


Next Course for Certified Data Protection Professionals to commence on June 6 2020

Copy of Prospectus is available here

FDPPI (Foundation of Data Protection Professionals in India) has already conducted two certification-oriented training programs for CDPP-Module I (Certified Data Protection Professional-Module I) through Cyber Law College.

Additionally, Cyber Law College has conducted stand-alone training programs on the Personal Data Protection Act, and some of the persons who took those programs later opted to take the online examination for the purpose of certification.

The next batch of certification-oriented training will start on 6th June 2020. This will be a weekend batch conducted on 6th, 7th, 13th and 14th of June. On each of these four days there will be two sessions of 90 minutes each, one in the morning from 10.00 am to 11.30 am and one in the evening from 4.00 pm to 5.30 pm.

The sessions will be conducted online by Naavi, the Director of Cyber Law College, which is the training partner for FDPPI.

The content of the program will cover the existing Privacy and Data protection laws in India and the proposed Personal Data Protection Bill.

The participants will be provided the necessary reading material and can take the online examination on 28th June 2020. The online examination will be for 90 minutes.

The fees for the course would be as follows

Course Fee Rs 5000/-
Examination fee Rs 5000/-
FDPPI Membership fee (lifetime) Rs 5000/-
Total Rs 15000/-

The current program is called Module-I and is the first part of a five-part “Certified Expert Data Protection Professional” program. The remaining four modules, listed below, will be conducted independently at a later date.

Module-G Global Privacy and Data Protection laws, covering in particular GDPR, CCPA and the Singapore PDPA
Module-T Technology for Data Protection Professionals
Module-A Audit for Data Protection Professionals
Module-B Behavioural skills for Data Protection Professionals

Interested persons can register by completing the payment.
For any further information, contact Naavi.

Payment Link :

REGISTRATION CLOSED

Clarifications:

  1. The four days together constitute 12 hours of training. Morning and evening classes are not repetitions.
  2. If a participant wants to opt out of FDPPI membership, the option is to opt out of the examination also and attend only the training, for which the fee would be Rs 5000/- only.
  3. The FDPPI membership fee is presently a lifetime membership fee. For future certification modules it is not payable again. The membership fee may be revised upwards in future, but existing members may continue without additional payment.
  4. Cyber Law College may pass on certain concessions to existing FDPPI members and to members of some associate organizations. Such concessions are only for those who opt for the entire program with examination, not for training alone.
  5. A special corporate plan for group certification will be available on request by organizations.

Naavi


FDPPI completes online Examination for the second batch of Certification

On May 3, 2020, FDPPI conducted the online examination for the second batch of professionals taking the examination for “Certified Data Protection Officer-Module-I”. A total of 23 persons took the examination.

Some of the participants have opted to take an improvement examination, and the results will be collated after that process is complete.

We congratulate all the participants for their effort.

FDPPI is now planning the conduct of Module-G, which covers the global laws. This module will cover GDPR, CCPA and the Singapore PDPA in particular.

At the end of Module-G, those who complete both Module-I and Module-G should have at least the minimal awareness of the major data protection laws relevant to an Indian DPO working in an environment where personal data is gathered from multiple countries.

CDPO (M-I+M-G) is intended to be comparable to the existing international certifications, completed at a more affordable cost.

Naavi


Some Queries on PDPA answered

Today (30th April 2020) there was an interesting webinar by Justice B N Srikrishna on the Personal Data Protection Act. A detailed report on the webinar has been provided on www.naavi.org. In this well-attended webinar, where more than 890 people were on board the Zoom platform (which remained perfectly stable), several questions were raised by the participants, and due to the paucity of time Justice Srikrishna was not able to answer them. To build the general knowledge base, the questions have been picked up and answered here. I hope it will be useful.

Q 1: What is the punishment under PDPA for illegal transfer of data?

Answer: PDPA is basically a legislation to promote proactive compliance with measures that help protect Privacy through “Information Privacy”. It therefore prescribes restrictions on the transfer of data outside India. If these are contravened, there could be civil penalties up to 4% of the total worldwide turnover of the data fiduciary or Rs 15 crore, whichever is higher. (In the case of Government organizations the penalty is limited to Rs 5 crore.) No criminal punishment is envisaged for this contravention.

Q 2: What is the punishment for taking data in the name of investigation and the sovereignty of India?

Answer: Misuse of law by law enforcement and Government agencies due to political and other influences cannot be fully prevented by law alone. However, when the law has provided certain powers under certain conditions and they are used in a situation where those conditions are not fulfilled, the act becomes an “Unauthorized Action”.

In such cases the law enforcement person or Government employee, whoever he is, can be charged with “Unauthorized Access” and “Unauthorized diminution of the value of the information”, which are cognizable offences under ITA 2000 (Information Technology Act 2000), as well as under some provisions of the IPC. The difficulty of bringing such influential persons to answer to the law and the problem of delays in court proceedings are hurdles for which the system has to take responsibility.

Q3: The Right to be forgotten has been truncated in PDPB compared to GDPR. Why?

The rights provided under PDPB are not truncated compared to GDPR. The Right to Access, Right to Correction, Right to Portability and Right to Forget are all available in Indian law as well as in GDPR.

The only distinction is that the “Right to Forget” can be exercised only after clearance from the Adjudicator. This is a welcome step to ensure that criminals do not take advantage of it to remove the traces of crime and evidence.

Q4: What would be the impact of GDPR on Indian Companies post PDPA?

GDPR applies to personal data collected from the EU region or profiling done in the EU region. PDPA applies to personal data collected from the Indian region or profiling done in the Indian region.

Indian law has also recognized the need to provide an exemption, by specific notification, when EU personal data is processed in India by an Indian Data Processor under a contract from an EU Data Controller.

Hence there is no overlapping of GDPR with PDPA.

Q5: How do we cover Data Privacy in the current scenario before the Act becomes effective?

PDPA is conceived as an extension of ITA 2000. Presently, Section 43A of ITA 2000 obliges “Body Corporates” to follow “Reasonable Security Practice”. Reasonable Security Practice includes the best industry practices and contractual obligations. The best industry practice, represented as “Due Diligence”, covers the entire PDPB. Hence we already have a legal framework to impose penalties under ITA 2000, though we may not have a DPA mechanism or a 2% or 4% penalty regime.

ITA 2000 also has provisions under Section 43 linked to Section 66, as well as Sections 72A, 67C, 69, 69A, 69B and 70B, all of which impose different responsibilities for data protection, including personal data protection, and cover both civil and criminal penalties.

Hence we already have a law which will get refined and get a better implementation mechanism after PDPB becomes PDPA.

Q 6: Would Targeted Ads on Social Media Sites be a “Breach of Privacy”?

Privacy is breached when personal information of a data subject is used without his consent. Targeted Ads are an indication that a profile of the individual has been created by the advertiser.

It is possible that the profile might have been created out of information shared by the individual with consent. Alternatively the profiling might have been accidental or related to the environment.

For example, if a person opens the Zomato app and an advertisement of a restaurant appears, it is because the Zomato environment has been branded as a place visited by somebody who is on the lookout for a hotel.

If, however, the individual is on Twitter discussing politics but gets an ad related to a computer which he had explored for purchase on Amazon yesterday, there is an indication that Amazon has shared the information with the ad-serving company.

Perhaps Amazon has already taken the “Implied Consent” of the individual as part of its terms and conditions. If we do not like it, we can check back on the terms of Amazon and decide whether or not to continue using Amazon.

When it comes to applying data protection laws, apart from checking on the consent, we need to check what harm has been committed in the process other than the ad being shown (as long as it is not obscene or inducing disharmony, etc.).

Q 7:  What is the difference between the Data Fiduciary and the Data Processor?

Both the Data Fiduciary and the Data Processor undertake activities of “Processing”, which may include collection, storing, transmission, aggregation, etc. But the Data Processor does not take an independent decision on the “Purpose” and “Means of Processing”. The Data Fiduciary decides what to do with the personal data and how it has to be processed. In most cases, the personal data is collected by the Data Fiduciary after obtaining consent, since he knows the purpose of collection. Occasionally, he may engage the services of another (the Data Processor) who collects the personal data based on the consent requirement mandated by the Data Fiduciary.

As long as the Data Processor remains a faithful follower of the Contract of Processing, he remains a Data Processor. If he starts using his own discretion, he would be taking on the role of a “Co-Data Fiduciary”.

The law makes the Data Fiduciary mostly responsible for following the data protection principles, honouring the data principal’s rights, security, etc., because he is responsible for the way data is processed. The Data Processor is mainly responsible for security and faithful following of the contractual obligations. He does not have discretion to act as he likes. Hence there is a difference in the liability of the two.

In any practical case, distinguishing the roles is important and often complicated.

Q 8: Why is Password not part of the data protection regime?

Password has been omitted from the list of Sensitive Personal Information. But it is still part of the security for which both the Data Fiduciary and the Data Processor are responsible.

Also, India has other means of authentication, such as Digital Signatures, which are legally recognized, while a Password is only a business convenience. All authentication methods are part of the Security requirements, and passwords alone cannot be added as sensitive unless all “Access Credentials”, by whatever name they are called, including “Encryption and Decryption keys”, are brought into the higher level of security.

Q 9: If personal data is stored outside India, will there be a Jurisdictional issue?

Yes. It is for this reason that law enforcement is pressing for “Data Localization”, or at least for a copy of the data to be kept in India.

Data Localization is also an economic benefit to the country as it would boost the data storage industry and the eco system around it.

Presently, only sensitive personal data needs to be retained in India as a copy. Only critical personal data is prohibited from transfer. Other personal data can be freely transferred.

Q 10: What happens to data stored prior to the act becoming effective

In the absence of any specific direction in this regard from the DPA, it would be necessary for organizations to renew the consent on legacy personal data or purge them.

Q 11: Is a separate law required for Community data?

PDPA covers the law regarding an individual’s personal data. If there is personal data of a group of persons, then that data belongs to all of them jointly and severally. The right should be shared.

What Justice Srikrishna called “Community data” in the report was data such as Google Maps, which is contributed by many individuals but collectively exploited by a commercial entity. He felt that this belongs to the category of “Non Personal Data” but is an aggregation of personal data collection, de-identified to some extent. Such data may also come up in Smart Cities and IoT.

It would have been possible to include regulation of such data in PDPA, but since it may involve other technology-related dimensions, perhaps the Srikrishna Committee felt that it was beyond the scope of what the Supreme Court expected a Personal Data Protection Act could do.

We can wait and see what the Kris Gopalakrishnan committee on the Data Governance framework may suggest in this regard.

Q 12: If a company from country X has a co-location data center in India, will the laws of country X apply?

This sort of situation presents a difficult legal proposition. The “Data” is processed in devices physically located in India, but it relates to individuals whose “Privacy” or other rights are protected under the laws of that country. Hence both countries’ laws have an impact.

PDPA has, however, tried to overcome this dilemma by providing that if personal data of foreign citizens is being processed in India (whether through servers owned by a foreign entity or an Indian entity), then such a facility can be notified as exempt from the Indian PDPA. This eases the problem for foreign entities using India for establishing their data centers.

Q 13: What is the Sprinklr Scam?

Sprinklr is a US company engaged in Data Analytics. The Kerala Government used its services to process the data of Covid patients, to track the people infected, the progress of the infection in the state, etc.

Initially a form was provided on the portal of the company where information could be entered by the public or by health workers. Later a separate website was opened under a domain name of the Kerala Government, on which the form was hosted.

There was also a political objection raised by the Congress party in Kerala that the contract was not properly awarded after evaluation and that there was some favouritism involved in awarding it. The contract was free for 6 months, which could be considered either as a favour done to the Government or as an indication that the data was of such value that the processing fee was waived.

From the perspective of Privacy, concerns were raised about the absence of a proper data protection contract, the possibility of sensitive data being used by a foreign agency, and the fact that dispute resolution was subject to New York jurisdiction (like many other web-based contracts). The Kerala High Court has given an interim order stating that only “Anonymized” personal data should have been shared, and not what the Government did.

More than the “Scam” angle, what is relevant is that this case has underscored the need for the PDPA to be made effective as soon as possible, so that erring companies face regulatory supervision.

Q 14: What will happen to the Copyright of one data fiduciary when porting is requested?

In the event that porting of personal data, along with the profile built over the information provided by the data principal, involves revealing any trade secret, the Data Fiduciary can contest the porting in full and also approach the Adjudicator if required.

This problem underscores the need to understand the nature of data and its lifecycle in an organisation and how law may have to be modified in its application at different points of time.

Q 15: Will a consent taken through EULA be valid?

While certain aspects of privacy-related consent can be obtained in the EULA, the “Notice” and “Consent” have to be taken in such a manner that the data principal understands the context in which the permissions are asked for and taken.

When sensitive personal information is involved in the processing, explicit consent is necessary. Even in other cases, where implicit consent may suffice, taking it through the EULA would not provide the appropriate focus on Privacy protection.

It is therefore recommended that the Privacy Notice be properly highlighted, even when taken along with the terms of service, so that there is no scope for the data principal being confused by extraneous aspects.

Q 16: What happens to the data in a Company which is amalgamated with another Company?

In amalgamations or acquisitions, the entity survives in a new capacity and the data gets transferred like any other property to the amalgamated entity. Acquisitions are therefore a way of buying data if it is a valuable asset.

One classic example is the case of CIBIL, which was acquired by TransUnion and renamed TransUnion CIBIL. With this acquisition, TransUnion, which earlier had a shareholding of 10%, raised its shareholding to 92.1%, and in the process 600 million sensitive data sets of Indian citizens and 32 million data sets of businesses came under the control of the US company.

At present PDPA does not address such “Data Laundering” directly. In fact, consent is exempted in the case of Credit Scoring for the collection of non-sensitive data. However, an organization like TransUnion CIBIL would be considered a “Data Fiduciary” and would be subject to the authority of the DPA to conduct data audits. The financial data would also be considered “Sensitive Personal Data”, and the company would be considered a Significant Data Fiduciary.

Q 17: How would the Aarogya Setu app reconcile with Privacy?

Aarogya Setu is an app floated by the Government to enable tracking of Covid-infected patients and to prevent them from coming into close contact with others and spreading the infection.

The use of the app as an instrument of public safety would be considered acceptable under the permitted exemption.

The app managers have, however, to ensure that appropriate consent is obtained, that data is properly secured, and that all compliance measures envisaged under the Act are followed.

Q 18: Government often uses Drones for maintaining public peace, and in the process the Drones capture images of people in the street and inside houses. Does this affect Privacy?

Use of Drones for maintaining vigilance to control riots and otherwise manage public safety is an exempted use from the Privacy perspective. Normally a Drone would capture images from public space, and hence privacy may not be involved. However, if any pictures are captured within private property, it may be considered “incidental to the main purpose of keeping vigilance on the public street”.

Also, if a criminal runs away from public space and hides inside private premises, the doctrine of hot pursuit should apply to track him and bring him out.

These incidents are special incidents, and the law has to treat them as such.

Q 19: When is “Deletion of Data” required under PDPA?

Personal data collected for a specific purpose should be deleted after the purpose is served. Similarly, the Data Principal has a right to demand deletion of data for the purpose of correction and in exercise of his rights of portability and right to forget. The right to forget is, however, subject to mandatory Adjudication.

Q 20: When does the Breach of Privacy occur?… At the time of collection? or at the time of its use?

Since the law prescribes that personal data shall be collected under consent, used for a specific purpose, etc., a breach of the law of privacy can occur on both occasions.

Q 21: Why is it necessary that personal data has to be given to every telephone operator when a data principal wants to open accounts with each of them? Can there not be a centralized data center?

Presently, RBI is trying to set up a Centralized KYC system for Banks. A similar system could be used by telecom operators. Besides, PDPA has a provision for a “Consent Manager” who can act as a centralized repository of personal data and prevent data duplication and the associated multiplicity of risks.

Q 22: Mobile Apps often misuse the permissions given at the time of download by taking permission for purposes that are irrelevant. Does PDPA address this?

Mobile App owners are data fiduciaries under PDPA and are bound by all compliance measures envisaged under the Act. This includes purpose-specific and purpose-limited collection of information. If this is violated, fines can be levied at 2% or 4% of global turnover. The DPA will have the power to conduct its own audit. In the case of popular Apps, the DPA may declare the owner a “Significant Data Fiduciary”, and an annual data audit by an external data auditor could be mandatory. Data Principals can also make a complaint directly to the DPA. While the sheer number of Apps may pose its own challenges, there are adequate measures to prevent misuse of permissions, at least in the case of popular Apps.

Q 23: If someone steals a mobile phone and the data from the phone, is it an offence?

Such offences are already covered under the Information Technology Act 2000. What PDPA does is add penalties for the companies who manage Apps through which personal data is collected and misused when not required for the purpose of the App.

Q 24: Is there any time limit for storage of data in the Bill?

The time limits would be specified through regulations from the DPA. Until then, they would be guided by the purpose of collection and the legitimate interest of the data fiduciary.

Q 25: As per the bill protection is provided only for natural persons. What happens in the case of dead persons?

The Personal Data Protection Bill tries to protect the Privacy rights of the citizens of India through proactive measures to be taken by organizations which collect and process personal information. Hence it is limited to natural persons.

The concept of privacy protection through data protection is achieved by giving the data principal a choice to declare how his/her personal data has to be processed by the person who collects it. This choice is expressed through a document of consent, which is like a contract.

Hence, in the case of a dead person, the Constitutional right such as the “Right to Dignified Life and Liberty” ceases to have meaning, and there is no way the consent of a dead person can be considered valid. It is therefore impractical to expect that the “Privacy Right” be extended to dead persons. Dignity of a dead person in respect of providing a decent cremation, etc., is not “Privacy”. Secrecy of the affairs of the dead person is also not “Privacy”, though it is important for the legal heirs to protect the truth about a dead person from becoming public after death.

Hence PDPA, as a law to protect Privacy, does not address the rights of a dead person, though in some other countries, like Singapore, some rights continue after death for a specific time period.

Some service providers, like Google or Facebook, may consider the information assets in a person’s accounts as something that can be revealed to the legal heirs, just as the contents of a bank locker are given to the legal heirs. These are dictated by inheritance rights and not by Privacy.

Q 26: When a data fiduciary has transferred the data to a third party data processor and the data principal exercises his right to erasure, how does the data fiduciary manage it?

It is necessary for the data fiduciary to bind the data processors by contract and ensure that at all times the shared data is synchronized, not only in cases of deletion but also in cases of correction. This is an essential aspect of compliance.

Q 27: How Will a consent based law work in a country like India where people are illiterate?

The mechanism of Consent Manager is one of the innovative methods that PDPB 2019 has suggested to address such issues.

Q 28: How do we protect recording of telephone calls?

When A is talking to B, a conversation is generated which belongs to both A and B jointly. If either one of them records it, this cannot be objected to on the grounds of privacy, because the data is being disclosed voluntarily.

Only if a third party intercepts the conversation and records it can an offence be recognized, and it will be recognized under PDPA for civil compensation and under ITA 2000 for both civil and criminal remedies.

Q 29: Can one use data from someone else’s phone and use it as evidence?

Yes. Under the Indian Evidence Act, irrespective of the means of collection of evidence, if it is a fact and has to be produced as evidence, it can be admitted under the relevant procedure, such as Section 65B of the Indian Evidence Act. If in the process there is any violation of PDPA, then the person should face those consequences in parallel.

Q 30: What would be the time period for implementation of the PDPB?

The Government while passing the Act may specify different time schedule for implementation of different provisions.

(P.S.: The views expressed above are the personal views of Naavi based on the interpretation of the current version of the Bill. These could change with the passage of the Bill and the issue of clarifications by the Government and/or the DPA. Further questions, if any, can be sent to FDPPI/Naavi.)


Free Program on Privacy Protection through Data Protection by FDPPI

On receipt of several requests, FDPPI intends to conduct a free 30-minute webinar on “Privacy Protection through Data Protection”. The exact date and time will be finalized shortly.

It could tentatively be held on 15th April 2020 at 11.00 am, provided we have confirmed interest.

Interested persons may indicate their interest by sending a request by e-mail to fdppi@fdppi.in


Certificate Program to be accelerated

The course on Certified Data Protection Professional (CDPP), being conducted with virtual classes by Naavi, was planned to run over 6 weeks, with one session each on Saturdays and Sundays starting from April 4th.

In view of the lockdown conditions in the country, with most professionals working from home, it has been decided to complete the course of 12 sessions over 3 weeks instead of 6, by conducting two sessions per day on Saturdays and Sundays on April 4, 5, 11, 12, 18 and 19.

The sessions will be conducted between 11.00 AM and 12.30 PM and between 3.00 and 4.30 PM on these days.

This program will be called Module-I which is about the Indian laws regarding data protection. This is the foundation module for all Data Protection Professionals. In the coming days, FDPPI will be conducting additional modules such as Module G (Global laws including GDPR), Module T (Technology for Data Protection), Module A (Data Audit) and Module B (Behavioural skills for DPOs).

FDPPI welcomes professionals interested in entering the Data Protection domain to make use of this opportunity to upgrade their skills and knowledge, and to be ready before companies start looking for professionals with the right attitude, knowledge and skills to take over the responsibility as DPOs.

Naavi


First Certificates of CDPP given away at Chennai

The first certificates of the CDPP course conducted from December 2019 to February 2020 were given to Mr Durai Kannaiyan and Mr Nikhil Ranjan Nayak at a function in Chennai on 14th March 2020 by the honourable guests Justice K.N. Basha and M.P. Mr P. Wilson.

They were two of the nine persons who successfully completed the certification program. Two others were from Mumbai and five from Bangalore.

The successful candidates were:

M/s Durai Kannaiyan and Nikhil Ranjan Nayak from Chennai; Mr Anil Chiplunkar and Bondiah Adepu from Mumbai; and Mr Suresh Balepur, Rajesh Kumar, Vasanthika Srinath, Suma Nagraja and V.K. Jyothi from Bangalore.

FDPPI conveys its hearty congratulations to all these professionals, who got certified through the rigorous certification program conducted over a three-month period under the supervision of Sri Na.Vijayashankar (Naavi), Chairman of FDPPI and Director of Cyber Law College.

Naavi


Registrations for the CDPP Course to be closed

The early-bird discount period for registration for the second batch of the course for “Certified Data Protection Professionals” has ended.

Registrations will, however, continue up to 28th March 2020.

Specific discounts offered by Cyber Law College to members of some associate organizations will continue as per the offer made directly to those members.

Members of any of the organizations CySi, BSPIN or ISACA may contact Naavi directly for the special discount offered to them.

Naavi


Discussion on PDPA Bill at Chennai

FDPPI and CySi successfully conducted a workshop in Chennai to discuss the forthcoming Personal Data Protection Bill 2019.

Honourable Justice K.N. Basha, retired judge of the Madras High Court, and sitting MP, honourable P. Wilson, graced the occasion.

Naavi made a presentation on the salient features of the Bill and the need for the Bill to be passed into an Act. He also discussed some of the controversies surrounding the Bill.

A detailed question-and-answer session followed, in which the participants sought and obtained various clarifications.

Mr Wilson, who is also an advocate himself, spoke and highlighted the need to create awareness among stakeholders even before the Bill is passed, so that any modifications can be accommodated.

Justice K.N. Basha congratulated CySi and FDPPI for taking up the initiative and suggested that the points arising out of the discussion may be shared with the Government.

During the occasion, the certificates of Mr Durai Kannaiyan and Mr Nikhil Ranjan Nayak, members of FDPPI who were recently conferred the recognition “Certified Data Protection Professional” by FDPPI after a course and evaluation examination, were handed over by Justice K.N. Basha and Mr P. Wilson.

Naavi
