IDPS 2022 should be a community event

FDPPI is an organization of the data protection professionals and by the data protection professionals. The organization is supported by the aggregate of the activities of its members. For practical reasons, some members are designated as “Supporting Members” so that they act as divisions of FDPPI for generating revenue through their activities. But all other members are the flesh and blood of the organization. If they are active, FDPPI is active.

This concept extends to the conduct of IDPS 2022, the flagship event of FDPPI. We would like to make this event the flagship event of the Data Protection Community in India, of which FDPPI is a part.

The event is being conducted as a 3-day virtual event on 11th, 12th and 13th November 2022, between 2.00 pm and 8.00 pm (IST), i.e. 8.30 am to 2.30 pm GMT.

During this time on each day, the event would be live. Across these 18 hours we can accommodate perhaps 6-8 keynotes and another 6-8 panel discussions. This means that we can hear around 30-35 speakers and share their thoughts with the audience.

The canvas of discussion is “Privacy and Data Protection” and the theme is “Shape of Things to Come”. We therefore need to discuss the current laws in India and elsewhere, the technology of protecting Privacy and data, the Governance of Data for protection and monetization and many other related issues.

We are fully aware that the number of available speakers and the amount of knowledge they can contribute are much more than what we can present in 3 days. We cannot accommodate them all despite our best intentions.

We are also aware that this is a dilemma faced by every organizer of such programs the world over. There are too many deserving speakers who ought to be heard. But either the organizers cannot reach out to them or the speakers are not available at the required time and place for the event. This often results in losing an opportunity to hear the experts and sometimes disappointing speakers who are eager to share their knowledge.

FDPPI has therefore opened its doors to the community for speaking opportunities during IDPS 2022, so that IDPS 2022 becomes an event of the data protection professionals, by the data protection professionals and for the data protection professionals.

We therefore invite data protection professionals who would like to contribute their thoughts on the “Shape of things to come” in the domain of Privacy and Data Protection at IDPS 2022 to send us recorded video clips, preferably of less than 5 minutes. These recorded videos would be broadcast on the IDPS 2022 platform between 6.00 am (IST) and 12.00 noon (IST). This will ensure that the content is available to the US and Australia time zones as an extension of the live sessions, which are more suited to the India-Gulf-EU time zones.

The video may kindly be recorded, if possible, with the background setting of the image provided above. Naavi would be available to check the topic of discussion, or for a participative recording of the views as a conversation, if that is preferred.

The end objective of this exercise is to ensure that IDPS 2022 becomes an event of the community of data protection professionals.

We hope that we will also be able to showcase professionals who would otherwise miss participating in the event. For upcoming speakers, this is an opportunity to be present on this platform.

I request all professionals to make this concept a success.

Naavi

Expert’s Views

FDPPI is conducting IDPS 2022, which is the flagship event of FDPPI and an apex national event. During the three-day virtual event, taking place this year between November 11-13, about 30-40 speakers would be taking part.

We are aware that there are many more experts in the domain, not all of whom can be identified by us and invited for the program. In fact, FDPPI has over 200 members, each of whom is a decorated professional who could contribute to society with their knowledge. But we cannot accommodate all of them as speakers in this prestigious event.

However, we now have an alternative. We would like to collect both text and video messages from experts around the world and publish them as pre-recorded videos or text messages during IDPS 2022.

We therefore invite experts to contribute text or video messages by email if they have a view on Privacy and Data Protection or related areas.

Such views can be on IDPS 2022, FDPPI, some issue on Privacy, any of the data protection laws such as GDPR, CCPA, ITA 2000, PDPB 2019 or the proposed law, or any other matter of relevance to professionals working in the domain of Privacy and Data Protection.

In case the views are not to be published and are meant only for FDPPI as a confidential viewpoint, we would respect such a request and not publish them.

In case you are sending any videos, kindly keep them short, not exceeding 5 minutes. If you want to contribute pre-recorded content as a “Speaker” at IDPS 2022, you can send a request and contribute videos of longer duration, not exceeding 20 minutes.

Naavi

IDPS 2022 to provide Awards during the conference

One of the features of this year’s IDPS would be the awards to be given to different categories of persons, recognizing their contribution to the Privacy and Data Protection ecosystem in India.

(Download the flyer with all information on the awards)

Naavi

Awaiting IDPS 2022, the flagship event of FDPPI

IDPS 2022: The Shape of Things to Come…

FDPPI is now planning to conduct IDPS 2022 on November 11th and 12th, 2022 as a virtual event.

The program will be conducted between 2.00 pm IST and 8.00 pm IST for the convenience of the global audience.

In the event that the Government of India comes up with a new version of the Data Protection Bill for public comments, IDPS 2022 may be conducted over three days, with a special discussion on the draft law for one full day.

In such an event the program would be conducted on November 11,12 and 13.

Sponsorship opportunities are available for interested organizations.

Contact for details

Naavi

Data Protection Journal of India July issue discusses the concept of Human Firewall

Foundation of Data Protection Professionals in India, which is the premier organisation in India dedicated to Privacy and Data Protection, has come out with the latest issue of the Data Protection Journal of India (www.dpji.in).

DPJI is presently a journal published on the internet, and its issues are available at www.dpji.in. The current issue is the 7th in the series. The earlier issues covered different aspects of Data Protection.

In past issues, several interesting topics have been discussed, such as the valuation of data, the PDPSI framework (now renamed the DPCSI framework) and the need to develop a compliance culture in India.

In the current issue, an important aspect of Data Protection, namely the role of people, has been discussed.

By focussing on the concept of the “Human Firewall”, attention is drawn to the use of humans to build a security cover against privacy and information security risks. Just as technology tools such as encryption, firewalls and intrusion detection systems are used to combat technology risks, this concept envisages that human skills have to be used for risk mitigation.

The involvement of humans as part of the security posture is important for two reasons. First, insider frauds constitute a large percentage of cyber risks and cannot be mitigated by policies, procedures and technology alone. Second, even the technology and policy controls have to be implemented by humans, so motivating them to be “Security Champions” is necessary.

This concept has been well ingrained in our earlier discussions on “Vulnerabilities in human space” and “Theory of Information Security Motivation” etc.

We had also incorporated several principles of using human resources in the unique indigenous framework for Privacy and Data Protection, namely DPCSI (Data Protection Compliance Standard of India). In particular, we had introduced a standard titled

“Distributed Responsibility”, along with implementations such as an Augmented HR policy, which included incentivisation and dis-incentivisation for motivational purposes. Further, the “Augmented Whistle-blower policy” extended the concept to a “Human IDS”.

Naavi.org has also been discussing from time to time concepts such as the “Human Bomb”, “Deviant Minds in the Workforce”, “Technology Intoxication”, etc., all revolving around the concept of “Mitigating Human Risks” in Cyber Crime prevention.

It was therefore a pleasure to observe that Dr Anirban Ghosh, a professional working in the BT group, had actually worked on a research thesis on the topic of the “Human Firewall”, and with his permission the entire thesis has been reproduced in the July issue of the journal.

We hope that professionals interested in the fields of Cyber Psychology, Human Resource Management and related topics would find the issue worth going through.

Kindly do share the copy within your organization as a part of your knowledge management.

Any queries on any of the topics are welcome.

Naavi

It is time to build a Compliance Culture

The IT community has gone through the phase of discussing the need for building an “Information Security” culture in the organization. Thereafter we also went through the phase of building a “Privacy Culture”.

In both these phases, we focussed on the people in the organization and tried to educate them on security issues and privacy issues.

While the efforts for building an information security culture and privacy culture continue, they are now being subsumed by the new requirement of building a “Compliance Culture” in organizations.

This requirement is typical of the Indian market, where we always stretch the compliance requirement till we are forced to comply.

The time has therefore come to build a “Compliance Culture” in organizations. In this context, an “Organization” is the aggregation of the senior executives who have gone through the implementation of measures in their respective workplaces to ensure that their subordinates are imbued with the importance of information security and privacy, and understand why they all need to change their attitudes to work and re-orient themselves to practise better security and privacy ethics and technology in their day-to-day work.

FDPPI is now embarking on leading Indian organizations into this phase through its program “Data Trust Score, the future of Privacy Protection”.

“Data Trust Score”, or DTS, is the suggested measure of the “Maturity of Data Protection Law Compliance” in India. It is a suggested deliverable of a data auditor who audits the data protection practices of a company in India. It works like the credit rating assigned to financial instruments by credit rating agencies such as CRISIL or ICRA.

FDPPI, which has created an ecosystem for certified data protection audits based on the indigenously developed framework DPCSI (Data Protection Compliance Standard of India), is adopting DTS-DPCSI as the model for calculating DTS on the DPCSI framework.

DTS-DPCSI is the first concept of its kind and would be the forerunner of similar assessment yardsticks that will emerge in future for other frameworks as well.

The life of a Data Protection Professional will not be complete without understanding the concept of DTS and how it can be applied in their work environment.

Let us start our journey in understanding the concept of DTS through a virtual presentation to be made by Naavi on 10th July 2022 at 11.00 am.

For registration, contact Naavi through email at : dts@ujvala.com

Naavi

Community of NeuroTech and Neuro Rights Professionals

FDPPI would like to form a group of professionals interested in NeuroTech and Neuro Rights to take the study further.

This will be an exploratory group to identify the requirements for developing Neuro Rights legislation in India and the application of Privacy laws in the NeuroTech context.

Interested persons may contact Naavi.

Naavi

Inviting Contributions to DPJI and JVS

FDPPI, which is often referred to as the “Dada of Data Protection” in India, has been publishing a quarterly journal (presently in e-form) under the name “Data Protection Journal of India”.

The journal, started in January 2021, has now seen six editions, which are available at www.dpji.in.

While we are partially proud of the achievement, we are fully aware that we have miles to go in making DPJI more useful and better looking.

FDPPI believes that it is like a start up and we will not hesitate in doing things even if there could be shortcomings to start with. We shall accept our shortcomings and try to improve further.

However, in order for a project like DPJI to succeed, we need valuable contributions from the community. FDPPI has more than 200 senior professional members in its community, but not more than five or six have so far contributed to the journal. This is a surprise given the enormous cumulative experience that the team possesses. Obviously, there is a hesitancy amongst the professionals about putting their thoughts into writing.

FDPPI believes that the ability to communicate through writing and through making presentations to peers is part of the skills required of a DPO, and the Jnaanavardhini sessions as well as DPJI are opportunities available to members to hone these skills.

I therefore wish that more members try to use these opportunities to present their views to the public and at the same time sharpen their own understanding of the subject.

Presently Mr M G Kodandaraman is in charge of DPJI content management and Ms T C Manju is in charge of the Jnaanavardhini sessions, for those of you who would like to contribute articles to DPJI or to speak in any of the Jnaana Vardhini sessions.

The next DPJI issue is scheduled for July 2022. Last quarter, the release was delayed, but we want to be back on schedule for the next issue. We also want to add one section exclusively on “Technology” in the next issue, where we want to discuss issues of technology relevant to Privacy Professionals. Since this is the familiar domain for most of our members, we hope members will take up this opportunity and contribute more articles in this area.

In the Jnaana Vardhini sessions, we soon want to introduce “Members only sessions”, at least one per month. We conducted two such “Star Jnaana Vardhini sessions” in the past and thereafter continued with free sessions. It is time we re-introduced these Monthly Star Sessions, which will be aimed at covering special topics that add value to the membership. Watch out for announcements in this regard.

I invite members as well as non-members to contribute articles of relevance to DPJI and to send speaking proposals. Requests may be sent by email to FDPPI and will be directed to the relevant persons for further follow-up.

Students from educational institutions are also invited to present their papers through DPJI on relevant topics.

FDPPI members may kindly spread this word around so that we can start getting more contributions to the Journal and for Jnaana Vardhini sessions.

Naavi

Shadow DPAI required for CERT-IN

The JPC for PDPB decided to include parts of Non Personal Data regulation within the provisions of DPA 2021. In the process, a situation of overlapping jurisdiction was created between ITA 2000 and DPA 2021. Earlier, with Section 43A of ITA 2000 being replaced by PDPB 2019, there was a clear distinction between “Personal Data Regulation” under PDPB 2019 and “Non Personal Data Protection” under ITA 2000, with a possible “Non Personal Data Governance” regime under a new act as suggested by the Kris Gopalakrishna report.

In a bid to avoid creating a Non Personal Data Governance Authority of India, the JPC decided to make the DPAI also responsible for Non Personal Data to the extent of breach notification. This left the door open for future regulation of “Non Personal Data Governance” to also rest with the DPAI.

Without going into the merits of whether an authority which is “Privacy Protection Oriented” would be the right authority for “Monetization of Data”, which would be the essential part of a Non Personal Data Governance Act, we can note that the decision of the JPC has created an overlap between DPA 2021 and ITA 2000.

ITA 2000 essentially applies to data of all kinds, and hence it applies both to personal data and to non personal data. To the extent that DPA 2021 deals with “Reasonable Security Practice”, which was earlier under Section 43A, there is no overlap of provisions. DPA 2021 also does not cover criminal offences, which are covered under Chapter XI of ITA 2000/8. The only offence section under DPA 2021 could have been covered under ITA 2000 itself. This section (Section 83 of DPA 2021) relates to “unauthorized modification of de-identified data back to identified data, thereby diminishing the value of de-identified data”, and can be covered under Section 43(i) read with Section 66 of ITA 2000.

If this Section 83 of DPA 2021 had been removed, DPA 2021 could have remained entirely a “Section 43A supporting compliance legislation”. This would have kept the two legislations distinct.

Now that the JPC did not factor in the existence of a statutory body called CERT-IN, it appears that CERT-IN has decided to assert its statutory status and has published its latest data breach notification directive of April 28, 2022.

Industry representatives have already become perturbed and run to the Minister to complain that this would affect Privacy, which he has correctly defended. (Refer indianexpress here)

The recent directive has asserted the power of CERT-IN, and hence it cannot be challenged even after DPA 2021 is enacted.

However, a potential conflict between the DPAI and the Director General of CERT-IN may arise, and both need to show statesmanship in collaborating with each other. Though CERT-IN and the DPAI may resolve their differences, it is likely that industry will play one against the other for its own advantage and project CERT-IN as an “Official of MeitY”, not to be respected like a DPAI which has 7 august members with expertise in different areas such as Law, Technology, Data Science, etc.

In order to prevent the weakening of the perceived role of CERT-IN, it is necessary for MeitY and CERT-IN to strengthen that position. One suggestion in this regard is given below.

  1. An Advisory Committee should be established by a gazette notification under the chairmanship of the Director General, CERT-IN.
  2. The committee shall have at least six members, consisting of experts in the areas of Cyber Law, Technology, Data Science, Data Security, National Security and grievance redressal (for example, arbitration experience, or a lawyer who is eligible to be appointed as a Judge of a High Court).
  3. The Committee shall meet as often as necessary, either through virtual meetings or physical meetings, and provide its views on the various issues on which CERT-IN needs to take decisions, in particular when action is to be initiated against an entity under Section 70B(7).
  4. The committee shall also recommend to CERT-IN to initiate a complaint with the relevant Adjudicator (under Section 46 of ITA 2000) to undertake an inquiry as per the Information Technology (Qualification and Experience of Adjudicating Officers and Manner of Holding Enquiry) Rules, 2003.

Under the above suggestion, the Director General of CERT-IN and his advisory committee will match the expertise of the DPAI in terms of experience and skills, so that any interaction between CERT-IN and the DPAI takes place between two nearly equally empowered regulatory authorities.

Also, under Section 70B(7), action may be initiated by CERT-IN against any entity that contravenes the directions of CERT-IN or otherwise fails to report a data breach, by recommending prosecution for a punishment of imprisonment of up to one year, or a fine of up to Rs one lakh, or both.

Under Section 70B, it may be difficult to impose any monetary penalty on an entity as a deterrent. Such power under ITA 2000 vests only with the Adjudicating Officer, who can either take suo motu cognizance of a contravention of ITA 2000 or act on a complaint, which can be filed by any person claiming compensation for a loss suffered.

If there is a data breach, there would be some affected person who may or may not come forward to file a complaint with the Adjudicating Officer. But an Adjudicating Officer who comes to know of a contravention (which may be through a report submitted by CERT-IN) can initiate an inquiry. If the inquiry finds that there has been a contravention, and that there has been a wrongful loss to somebody and a wrongful gain to somebody else, he can order the collection of a penalty from the person responsible for the loss and hold it in trust for the claims that may arise from any affected victim.

Since the notification of ITA 2000 on 17th October 2000 and the creation of Adjudicating Officers through the notification of 25th March 2003, there have been no published reports of Adjudicating Officers imposing fines except on specific complaints preferred by complainants.

There could be some cases where the Police have sought the assistance of the Adjudicating Officer (e.g. in Karnataka), where fines have been imposed on cyber cafes under Section 45 of ITA 2000 (residual penalty), which must have been appropriated by the Government as if they were penalties imposed for a criminal offence. Such cases have not been widely reported.

Now CERT-IN needs to take the responsibility of advising the relevant Adjudicating Officer (the IT Secretary of the State where the victim of a contravention resides) that there has been a data breach in his jurisdiction and that it warrants a suo motu inquiry and deterrent action.

It is noted that the Minister of IT, Sri Rajeev Chandrashekar, has reported today that there is also an attempt to amend ITA 2000/8 and that a draft would be presented for public comments within a month. If required, some of the changes suggested above, such as creating an Advisory body for the Director General of CERT-IN, can be formally introduced into the Act.

It may also be noted that ITA 2000 envisaged a committee called the “Cyber Regulations Advisory Committee”, which has to endorse any amendment to the Act as per Section 88 of ITA 2000. It can also be recalled that the Controller of Certifying Authorities had created one such advisory committee in the year 2000, of which the undersigned was also a part. There was also an Inter-Ministerial working group, of which the undersigned was also a part. These committees had a limited existence, and subsequently most decisions are being taken by the executives in MeitY. Many of these decisions, including the Intermediary Guidelines of 25th February 2021, have been systematically challenged in the Supreme Court, and inefficient handling of the Shreya Singhal petition led to Section 66A being scrapped by the Supreme Court without a proper replacement of the provisions, as was promised by the then IT Minister.

The creation of the CERT-IN Advisory board would therefore give legal strength to the decisions issued by the Director General of CERT-IN. It could become a “Shadow DPAI”, so that any data breach related directions for non personal data under Section 25 of the proposed data protection act (DPA 2021) can be issued by CERT-IN instead of by the DPAI.

Naavi

Also refer: 

CERT-In Re-issues its order of 4th January 2017