CERT-In's Cyber Security Breach Reporting: An Update

The Indian Computer Emergency Response Team (CERT-In) was constituted in 2004 under section 70B of the Information Technology Act, 2000. It is the national nodal agency that responds to cyber security threats within the country and is under the Ministry of Electronics and Information Technology, Government of India. Recently, CERT-In released a direction [1] relating to information security practices, procedures, prevention, response and reporting of cyber security threats.

Key Features of the Cyber Security Breach Reporting Directions 

 

Mandatory Reporting

The direction requires all service providers, government organisations, data centres, intermediaries and body corporates to report any cyber incident within 6 hours of noticing it or of it being brought to their notice. Rule 12(1)(a) of the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 provides a list of cyber security incidents that these entities need to report mandatorily. The rules had previously listed 10 different types of such incidents. Apart from these 10 types, the new direction also categorises the following as cyber security incidents which should be mandatorily reported: data breaches, data leaks, attacks on IoT and payment systems, fake mobile apps, unauthorised access to social media accounts, and attacks or suspicious activities affecting software/servers/systems/apps relating to big data, blockchain, virtual assets, 3D and 4D printing, and drones.

 

 

Point of Contact

All service providers, intermediaries, data centres, body corporates and Government organisations shall appoint a point of contact within their organisation, who shall ensure effective coordination with CERT-In. The name and other details of the point of contact shall be sent to CERT-In, and the entity should ensure that these details are updated whenever there is a change.

 

 

Log Retention and Data Localisation Requirement

The direction requires all entities it covers to maintain and secure logs of their ICT systems for a period of 180 days. All such logs should be stored within the jurisdiction of the country and should be handed over to CERT-In in the event of a cyber security incident or on any order or direction from CERT-In.

 

 

Registration of Information

The direction has mandated data centres, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers to register certain information with CERT-In. All these entities are required to maintain such information for a period of 5 years or longer duration as mandated by law, even after the cancellation or expiration of the registration. The following information is required to be registered with CERT-In:

  • Validated names of subscribers/customers hiring the services.
  • Period of hire, including dates.
  • IPs allotted to/being used by the members.
  • Email address and IP address and time stamp used at the time of registration/on-boarding.
  • The purpose of hiring services.
  • Validated address and contact numbers.
  • Ownership pattern of the subscribers/customers hiring services.

 

KYC Requirement

This decade has witnessed the rise of cryptocurrencies across the globe, and most countries, including India, still lack a dedicated framework to regulate this space. These new directions from CERT-In intend to regulate and streamline some aspects of this exponentially expanding sector. The directions mandate that virtual asset service providers, virtual asset exchange providers and custodian wallet providers obtain KYC information from their customers. Further, these entities are obligated to record all their financial transactions for a period of 5 years. Entities are also directed to maintain information about the IP addresses along with timestamps and time zones, transaction ID, the public keys, addresses or accounts involved, the nature and date of the transaction, and the amount transferred.

 

 

Integration into ICT System

The direction calls on data centres, body corporates and government organisations to connect to the Network Time Protocol (NTP) Server of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL) to synchronise their ICT systems. Moreover, where the ICT infrastructure of an entity is scattered across multiple locations, the entity is free to use accurate and standard time sources other than NPL and NIC.

 

Non-compliance

In the event that the above-mentioned entities fail to adhere or comply with these directions issued by CERT-In, they shall be punishable with imprisonment for a term which may extend to one year or with a fine which may extend to one lakh rupees or with both under subsection (7) of section 70B of the IT Act, 2000.

 

Conclusion

These new directions issued by CERT-In have acknowledged the concerns of end-users, who were kept in the dark regarding their data and the process undertaken by a corporate body in the event of a data breach or leak. The directions have also touched upon the latest technological developments like cloud services, virtual assets, and online payments, which are yet to be completely regulated by the government. When compared with the CERT rules 2013, the new directions have an expanded scope and applicability as well as a significantly increased compliance bracket for entities.

The European Union enacted the EU Directive on Security of Networks and Information Systems (called the NIS Directive), which supervises the cyber security of European markets. Unlike the present directive, the scope and applicability of the NIS directive are much larger. Certain critical sectors such as energy, transport, water, health, digital infrastructure, finance, and digital service providers such as online marketplaces, cloud and online search engines are all required to comply with these directives.

CERT-In has provided the entities with a 60-day window to comply with the directions. The increased compliance requirements and the added cost that comes along with such compliance will make smaller entities anxious. Hence, the effectiveness of these directions can only be judged with the passage of time. Significant concern can also be placed on the fact that these new directions will merely add to the compliance burden rather than improve the cyber security environment of the country.

References:

[1] https://www.cert-in.org.in/Directions70B.jsp


Privacy Shield 2.0: Cue for EU-India Data Transfer Mechanism?

Since the implementation of GDPR standards across the EU, data transfer between other countries and the EU has become a widely debated complex issue across the world. Article 44 of GDPR permits the transfer of personal data outside the EU, only when the recipient country has an equivalent level of security to protect the personal data of EU citizens, as guaranteed by the General Data Protection Regulation (GDPR). The biggest dilemma that many countries across the globe face is that they either lack a national legislation on data privacy or if they do have one in place, it may not be considered at par with the standards set by GDPR. Such a situation creates a genuine legal obstacle to the transfer of personal data between the EU and those countries.

Conceptualization of the Privacy Shield

Over the years, the EU and various other countries have developed certain mechanisms to tackle the obstacles created by the requirements of Article 44. Standard contractual clauses (SCCs) and binding corporate rules (BCRs) are instruments that countries and corporates have adopted for the transfer of personal data. The United States of America lacks a comprehensive, dedicated legislation for data privacy. The country has many sectoral laws and regulations ensuring the privacy protection of individuals, yet the EU has consistently ruled that the USA does not guarantee an equivalent level of protection.

The Safe Harbour Framework, one such additional mechanism agreed upon between the Governments of the EU and the USA, defines a series of principles to be followed and adopted by companies for the transfer of personal data. US companies were required to self-certify to the principles of the Safe Harbour framework, and US regulators would in turn enforce the framework within their limits and jurisdictions.

In 2013, Edward Snowden rocked the world with some lethal revelations about various global surveillance programs run by the NSA. In light of this disclosure, an Austrian citizen named Max Schrems filed a complaint stating that the US does not provide adequate protection of personal data against such mass surveillance undertaken by authorities. The European Court of Justice (“ECJ/Court”) noted that the US could allow any national security, public interest or law enforcement requirement to prevail over the Safe Harbour framework. Hence, the ECJ concluded that the Safe Harbour decision was invalid, as it interfered with the fundamental rights of an EU citizen. This decision is widely known as Schrems I. After the Court invalidated the Safe Harbour decision, the European Commission and the US Department of Commerce came up with the Privacy Shield framework for the continued transfer of data from the EU to the US.

US corporations that intend to receive personal data from the EU self-certify before the Department of Commerce that they will adhere to certain principles recognised in the Privacy Shield. These principles were developed by the US Department of Commerce in consultation with the European Commission. This led Max Schrems to again file a complaint, challenging the validity of the Privacy Shield and the use of SCCs by companies to bypass the requirement of adequate protection stipulated by Article 44 of the GDPR, on the ground that US investigation agencies have unlimited access rights to personal data retained with US corporations and that neither Privacy Shield nor SCCs prevent those rights. Accordingly, it was argued that neither Privacy Shield nor SCCs ensure the privacy rights of EU citizens. This case soon came to be known as Schrems II.

The Court of Justice of the European Union (CJEU) examined the US Foreign Intelligence Surveillance Act and the surveillance programmes that its provisions allow, and found that US agencies have wide access rights to all data retained with US corporations and that Privacy Shield in no manner takes away these rights of US investigative agencies. The CJEU accordingly invalidated the EU-US Privacy Shield mechanism. The judgment in Schrems II led to a major deadlock in US-EU economic relations, particularly concerning the transfer of data. With no approved mechanism in sight, companies found it difficult to transfer data to meet their business obligations.

On 25th March 2022, the EU Commission and the US government announced that they had agreed in principle on a new framework for cross-border transfer of data, known as Privacy Shield 2.0. The new framework promises to provide benefits to both sides of the Atlantic and to ensure that a balance is created between the new safeguards and the national security objectives of the US, which will ensure the privacy of EU personal data.

The text of this new framework has not been released. The press note released by the White House contains a few details that the framework might incorporate. It states that intelligence collection might be undertaken only where it is necessary to advance legitimate national security objectives and in no way should impact the protection of privacy and civil liberties[1]. In addition, the US intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards[2]. Moreover, a proposal to set up an independent Data Protection Review Court has been mooted for EU individuals seeking claims and damages for breach of their personal data by the US Government. The proposal also details that the adjudicating members or individuals shall be chosen from outside the US Government. If Privacy Shield 2.0 does pass the test laid down by the European courts, experts believe that this could trigger an estimated $7.1 trillion economic relationship between the US and the EU. Hopefully, Privacy Shield 2.0 will be able to provide a predictable, effective and lasting remedy for transferring personal data from the EU to the USA.

Data Transfer between EU and India

The above discussions and mechanisms have significant relevance to data transfer between the EU and India. The Indian investigation and intelligence agencies have powers similar to those of their US counterparts in terms of their right to access, demand or conduct searches in any Indian enterprise and collect all relevant data required. The fundamental right to privacy recognised in the Puttaswamy case is not absolute. Further, as per Article 19(2) of the Constitution, the state can impose reasonable restrictions on the exercise of fundamental rights in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence. Moreover, Section 69 of the IT Act, 2000 provides the Central and State governments with the power to intercept or monitor any information stored in a computer resource, provided this is required:

  • In the interests of India’s sovereignty and integrity, or
  • For the defence of India, or
  • For the State’s security, or
  • To maintain friendly relations with other nations, or
  • To maintain public order, or
  • For preventing incitement to the commission of any cognizable offence relating to the above, or
  • For investigation purposes.

The above provisions are similar to the rights available to US investigative agencies. For the same reasons, the Schrems II judgment and the Privacy Shield mechanisms are relevant while considering EU-India data transfer. Currently, there are no approved mechanisms for data transfer between the EU and India like the Privacy Shield framework. Hence, European companies are justifiably reluctant to establish business relations with our country. Since India is a hub of IT-enabled services like BPOs and KPOs, it is desirable to have an efficient and clear legal regime for data transfer to foster a symbiotically advantageous economic relationship between the two sovereigns. Unfortunately, neither Government has shown any urgency in initiating the formulation of rules similar to the Privacy Shield. It is worthwhile to consider whether the new Privacy Shield 2.0 could be considered and replicated in India. If both governments can demonstrate their intent, the groundwork for a conducive business environment for data transfer between the two sovereigns can be initiated.


The Metaverse and its Numerous Concerns

There is a lot of buzz being generated around the “Metaverse,” which can be defined as a virtual reality-based shared digital world in which users (through their “avatars”) can enjoy three-dimensional, multi-sensory experiences. This rapidly-evolving, technology-driven paradigm is a huge shift away from the present, where digital interactions are based on text, audio and two-dimensional images/videos. The excitement around the Metaverse is due to the immense possibilities that exist around how it can be used for social interactions, commerce, media & entertainment, education, manufacturing, healthcare, defense etc. Not surprisingly, many companies, even in India, are investing in Metaverse capabilities.

While the potential for metaverse cannot be denied, it is just as important to recognize and acknowledge that there are several grey areas around this paradigm. If timely actions to prevent the misuse of the metaverse are not taken by the global community, we run the serious risk of opening a new Pandora’s Box. And once the proverbial genie is released from the bottle, it is virtually impossible (pun intended) to put it back inside.

The Potential Dangers of the Metaverse

 
What are the biggest fears surrounding the Metaverse? Concerns have been expressed from different quarters around issues relating to the privacy, safety and well-being of people who are active in the metaverse. In the current scenario, people use social platforms to connect with each other. If someone with whom I do not wish to engage seeks to connect with me in a basic digital world, I can easily deny the friend request. Even after having granted them permission initially, I can choose to block such persons. During the time they have permission to engage with me, the worst that can happen is that they send unwanted texts, audio messages or images and videos.

This is bad enough, but in the metaverse, the kind and nature of obscene or harmful content will change drastically; consequently, so will the impact of such material and experiences on vulnerable segments of society. 

For example, in the metaverse, it is quite possible for complete strangers to enter someone else’s personal space – without the latter being aware of who the former is. Given the multi-sensory capabilities of the metaverse, which includes haptic technology (the sense of touch), the experience and impact can be far worse. Arguably, the metaverse (as it exists currently) lends itself more easily to bullying, sexual abuse or intimidation. Indeed, there have been recent media reports that some VR-based games that are accessible to young children contain inappropriate content. 

AI-driven deep fakes can further muddy the waters by creating and distributing patently false content that is almost impossible to detect as fake. There is enough fake information circulating on WhatsApp as it is; think of the danger of content that purportedly shows politicians or others saying things designed to inflame emotions.

NFTs will be key to the evolution and growth of the metaverse, providing owners of physical assets such as paintings and IPR such as rights to music, movies etc. new avenues to monetize them at scale. Cryptocurrencies and tokens are likely to form the principal currency in the metaverse, powering commerce and payments. As of now, cryptocurrencies are anonymous and independent of mainstream banking and financial systems. 

In the absence of regulations that are uniformly enforced globally, such parallel payment systems can be easily misused for illegal and immoral activities and transactions, including child sexual abuse. It is likely that fraud and crimes will increasingly crisscross between the current digital world and the metaverse (and perhaps the physical world), making them harder to detect and bring the perpetrators to book.

Addressing the Issues Surrounding Metaverse 

 

A multipronged approach is key to addressing the potential dangers of the metaverse. It is vital to frame appropriate legislation and arm various regulatory agencies with the power to catch and punish violators. The basic premise around legislation has to be this: if something is illegal or against the law or generally accepted social mores in the “real”, physical world, it must be treated the same way in any parallel “virtual reality” based universe.

However, legislation alone cannot secure the metaverse. It will be essential to hold creators of content and platforms that enable distribution and access responsible for violations. The metaverse infrastructure needs to be designed with more intent to put in place appropriate safety mechanisms right at the beginning. As a global society, we must learn from our experiences with the downsides of social media platforms (false information, cyber-bullying, digital fraud etc.) and take preemptive actions that can prevent problems before they become common. This is significant because changing processes after people have grown accustomed to them is never easy; also, some damage may have already occurred. It may also be necessary to think of ways to incentivize good behaviour in the metaverse.

The metaverse is expected to surge ahead quickly on its evolutionary path. Its trajectory cannot be predicted in advance; therefore, what is needed is constant vigilance and for global action to be taken in a concerted manner. The UN system is supposed to be the primary keeper of international order. A number of events over the past couple of decades have painfully driven home the point that the UN architecture needs an urgent and major overhaul. As part of this exercise, it may be useful to establish a new global body tasked with the responsibility of overseeing and governing the metaverse. Regional political/economic blocs must be encouraged to ensure that their members comply with rules and regulations related to the metaverse.


IS 17428 - A New Privacy Assurance Standard in India

Recently, Aditya Birla Fashion and Retail Ltd (ABFR) faced a major data breach on its e-commerce portal. As per the reports, personal information of over 5.4 million users of the platform was made public. The 700 GB data leak included personal customer details like order histories, names, dates of birth, credit card information, addresses and contact numbers. Additionally, details like the salaries, religion and marital status of employees were also leaked. Forensic and data security experts were proactively engaged to implement the requisite damage-control measures and launch a detailed investigation into the matter.[1] This demonstrates the need for wider awareness and for standardized protocols for personal data management.

The battle of data protection and privacy currently stands at a juxtaposition with a flourishing data economy. 2021 was a watershed moment in the privacy & data protection dialogue in the country. The need for comprehensive data protection law was louder than ever and there were major initiatives on the legislative and executive front.

In June of 2021, the Bureau of Indian Standards (BIS) introduced IS 17428 for data privacy assurance. It is a privacy framework designed for organisations to handle the personal data of individuals that they collect or process. The certification provided by BIS for IS 17428 can be deemed an assurance extended by organizations to their customers/users of well-implemented privacy practices. The BIS, being a statutorily created standard-setting body of our country, will bring some welcome change in our data management.

IS 17428 is divided into 2 parts[2]:

  • Part 1 deals with the Management and Engineering parameters that are mandatory for an organization to comply with. This part provides for establishing and cultivating a competent Data Privacy Management System.
  • Part 2 deals with the Engineering and Management guidelines which enable the implementation of Part 1. These guidelines are not mandatory in nature but a reference framework for an organization to implement good practices internally.

 

The Context – Privacy & Data Protection laws in India

 

The Data Protection Bill was expected to be tabled in Parliament back in 2019 but was postponed due to the ongoing pandemic. The country was hoping to pass the bill last year; however, it was sent to the Joint Parliamentary Committee (JPC) for perusal. The JPC made its report on the bill public in the month of December 2021.

Also, Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 had been implemented back in 2011, primarily to safeguard the sensitive personal data of individuals that are collected, processed, transferred, or stored by any organisation and enumerate security practices. The rule lays down certain practices and procedures to be followed by a stakeholder while dealing with sensitive personal data. International Standard IS/ISO/IEC 27001 is one such acceptable standard.

Later, ISO 27701 was introduced, focusing specifically on Privacy Information Management. However, the Indian enactment has not specifically endorsed any such standards, though standards formulated by an industry association that are approved and notified by the Central Government are also deemed appropriate. Against this background, BIS introducing a standard is a welcome initiative, as it will help bring uniformity to the implementation of privacy practices across Indian industries.

Components of Part 1 of IS 17428[3]

 
Development of Privacy Requirements:

While developing the privacy requirements of the organisation in relation to the data collected or processed, the organisation has to take into consideration various factors such as jurisdiction, statutory requirements and business needs.

Personal Data Collection and Limitation:

The organisation is permitted to collect the personal information of the individuals, provided the same has been consented to by such individuals.

Privacy notice: 

The organisation is bound to provide a notice to individuals while collecting information from them, and when such collection is through an indirect method employed by the organisation, it is the duty of the organisation to convey the same by unambiguous and legitimate means.

The contents of a privacy notice at the minimum should include the following[4]:

  • Name and Address of the entity collecting the personal data
  • Name and Address of the entity retaining the personal data, if different from above
  • Types and categories of personal data collected
  • Purpose of collection and processing
  • Recipients of personal data, including any transfers

Choice and Consent:

As mentioned earlier, while collecting information, the organisation should get the consent of the individual at the initiation of the process while offering such individuals the choice of the information that they consent to disclose. This entire process should be done in a lawful manner and according to the privacy policies implemented by the organisation.

Data Accuracy: 

The data collected by the organisation should be accurate, and in case it is inaccurate, it should be corrected promptly.

Use Limitation: 

The data collected by the organisation should be used for the legitimate purpose for which it was agreed upon and it shall not be used for any other purposes.

Security: 

The organisation should implement a strict security program to ensure that the information collected is not breached or compromised in any manner.

Data Privacy Management System: 

The organisation is required to establish a Data Privacy Management System (DPMS). The DPMS shall act as a point of reference and baseline for the organisation’s privacy requirements/objectives.

Privacy Objectives: 

The privacy objective of the organisation shall be fixed and set out by the organisation itself. While determining the objectives the organisation shall also look into various factors such as the nature of business operations involving the GDPR processing of personal information, the industry domain, type of individuals, the extent to which the processed information is outsourced and the personal information collected. Moreover, the organisation shall also ensure that the objectives are in alignment with its privacy policy, business objectives and the geographical distribution of its operations.

Personal Data Storage Limitation: 

The organisation shall be allowed to retain the information collected from the individual only for a specific time period as required by the law or the completion of the purpose for which it was collected in the first place. The individual shall have the right to delete their personal information from the organisation database upon request.

Privacy Policy: 

The organisation shall create and implement a privacy policy that shall determine the scope and be applicable to all its business affiliates. The senior management of the organisation shall be in charge of the data privacy function. Moreover, the privacy policy should be in consonance with the privacy objectives of the organisation.

Records and Document Management

The organisation shall keep a record of its processing activities which shall, in turn, ensure responsibility towards the compliance of data privacy. The possible way to achieve such a standard is to lay out procedures that help to identify various records. While laying out procedures, the organisation shall take into consideration certain factors such as a record of logs that demonstrate affirmative action and options chosen by individuals on privacy consent and notice, evidence of capture events related to access or use of personal information, and retention period of obsolete documents.

Privacy Impact Assessment: 

A privacy impact assessment shall be carried out by the organisation from time to time. Such an assessment shall help in estimating the changes and the impact that they can possibly have on the data privacy of the individuals.

Privacy Risk Management

The organisation shall put in place and document a privacy risk management methodology. The methodology shall determine how the risks are managed and how the risks are kept at an acceptable level.

Grievance Redress:  

A grievance redressal mechanism shall be established by the organisation to handle the grievances of the individuals promptly. The organisation shall ensure that the contact information of the grievance officer shall be displayed or published and that they have the channel of receiving complaints from the individuals. Moreover, the organisation shall also make it clear as to the provision for escalation and appeal and the timelines for resolution of the grievance.

Periodic Audits: 

The organisation shall conduct periodic audits for the data privacy management system. The audit shall be conducted by an independent authority competent in data privacy, internal or external to the organization, at a periodicity appropriate for the organization, at least once a year.

Privacy Incident Management: 

Privacy breaches and data privacy incidents shall be reported regularly and the organisation shall come up with a mechanism to manage such incidents. The process shall involve identifying the incident at the first stage and investigating the root cause, preparing analysis and correcting the incidents in the second stage. The last stage is basically informing the key stakeholders including Data Privacy Authority about the breach or incident.

Data Subject’s Request Management: 

The organisation shall develop a mechanism to respond to requests from individuals concerning their personal data. This process shall include the means to verify the identity of the individual, to provide access to the information and to update the information.

How Would IS 17428 Help in Privacy and Data Protection?

The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (RSPP and SPDI rules) had been the only law for organisations to follow. The rules did not prescribe or detail any specific requirements or standards in relation to personal data management and in the absence of formulated standards for the protection of the sensitive personal data of individuals, industry bodies were struggling to have uniform procedures. 

This being the case, introducing specific standards for personal data management will bring more clarity and will help companies to adhere to an approved standard prescribed by a government agency. Moreover, the principles set out in this standard are in accordance with internationally recognised privacy principles and will help Indian companies to inspire confidence when dealing with their commercial counterparts.

The introduction of record and document management, risk assessment and data subject request management are a few of the aspects that place onerous responsibilities on companies, making them more accountable and transparent. These aspects lay down procedures and mechanisms for an organisation to improve its privacy management, for example, introducing processes such as verification of identity, access to information, evidence of capture events of consent and retention period of obsolete documents.

The proposed data protection legislation and the IS 17428

The IS 17428 standard draws primarily on the OECD privacy principles, GDPR and ISO 27701. The proposed data protection legislation, on the other hand, diverges from the above instruments in many respects. For instance, the IS standard provides an elaborate description of the privacy objective of the organisation and the factors that need to be taken into account. Most of these objectives are covered under Sections 22 and 23 of the draft Bill, but the standard has nevertheless recommended a few other factors, such as geographical operation, industrial domain and type of individuals, as specific factors to be taken into consideration while drafting the privacy objectives. How far discretionary privacy standards can be created, and how much freedom industries are allowed in this regard, is unclear.

Section 28 of the draft Bill deals with the records and document management of the data collected or processed, and the standard covers almost every bit of the section. In addition to the considerations mentioned under the Bill, the standard goes further and echoes the need to establish a policy on the preservation of obsolete policies and process documents. Data and record-keeping should be for a defined period. The majority of other legislation prescribes an average of 7 years of data-keeping. Keeping any data beyond such a reasonable period may not serve many purposes. Why this standard has prescribed such obsolete data retention is again unclear.

The standard can be made effective only once data protection legislation has been enacted. Take the grievance redressal mechanism: although the standard envisages an appeal mechanism, it does not establish appeal machinery. This part of the standard can be put to use only after the Data Protection Authority as per section 32 is constituted. The standard also calls for an investigative process in the event of any breach or compromise of data. The organisation is welcome to conduct an onsite or internal investigation into the breach or incidents, but once again an independent authority to investigate in a legitimate and fair manner is required.

In short, I am afraid, the standard has failed to take into account the special requirements contemplated under the PDPB, 2019, which may eventually become the law of the country; once this law is enacted, the standard will also need to be modified. The government has not made any announcement under the RSPP and SPDI rules that IS 17428 is an appropriate standard for certifying the compliance of personal data management. In the absence of such explicit endorsement, the ambiguity continues as to whether the adoption of this standard is sufficient compliance under the said rules.

Finally, with the data protection bill around the corner, the Data Protection Authority envisaged under the legislation shall have the power to issue codes, guidelines and best practices for protecting the privacy of data subjects. How the DPA will look at the IS 17428 standard framed by the BIS, or whether the proposed rules will offer a different set of practices, will be an interesting development to observe.

References:

[1] https://economictimes.indiatimes.com/industry/cons-products/fashion-/-cosmetics-/-jewellery/abfrl-faces-data-breach-on-its-portal/articleshow/88930807.cms

[2] The IS 17438 was established on November 20, 2020 and notified in the official gazette on December 4, 2020. Please see the notification available at: https://egazette.nic.in/WriteReadData/2020/223869.pdf (last visited Jan 18, 2022).

[3] Supra note 2.

[4] Sub-clause 4.2.2 of the IS Requirements: “Privacy Notice”.

 

 

Photo Credits:

Image by Darwin Laganzon from Pixabay 


Modifying the Personal Data Protection (PDP) Bill to Deal with Rising Privacy Concerns

OVERVIEW OF DATA PROTECTION REGIMES

The recent advent of WhatsApp’s updated privacy policy has brought to light the legal loopholes that the Indian Data Protection Laws are laced with. Revised and updated Data Protection Laws in India could have prevented the possible infringements that may take place with WhatsApp’s new privacy policy.

The European Region has been able to circumvent this issue due to its updated Data Privacy Laws that successfully provide users with protection from such policies. These policies legally mandate WhatsApp to prevent the sharing of data with Facebook and a violation of it would infringe the provisions of the General Data Protection Regulation (GDPR).

We have discussed here the modifications that could possibly be added to the Personal Data Protection Bill (PDP Bill) in India in order to ensure an air-tight privacy regulatory authority.

RISING PRIVACY CONCERNS: A STUDY ON WHATSAPP’S PRIVACY POLICY

With the undeniable rise in the relevance and indispensability of digital platforms come numerous concerns regarding their safety in terms of data and privacy protection norms. A case in point is that of WhatsApp releasing its updated privacy terms on January 04, 2021, under which it would deprive users of the choice of whether to share data or other information with other apps, including those owned by Facebook. Moreover, this policy was accompanied by a condition under which users who did not accept the updated privacy terms would have to quit using WhatsApp altogether, beginning February 08, 2021, when the updated terms and policies were planned to be enforced.



The updated privacy policies of WhatsApp leave the end-to-end encryption clause intact. This means that WhatsApp has no access to one’s text messages and cannot share them with any other party. However, this clause does not cover the protection of metadata, which entails everything in a conversation apart from the actual text. This information can be shared with Facebook and other apps.

WHY THIS POSES A PROBLEM

A close perusal and analysis of the entire case reveals that this issue could have been avoided with a concrete Data Protection Law or Regulation in place in India.

The core issue at the centre of the entire case is that people largely use WhatsApp to communicate with friends and family. The data thus shared on this App by individuals is now proposed to be shared with other companies to run their businesses, for monetary gains. This implies that the purpose for which WhatsApp would be using personal data and information is not even remotely connected to the purpose for which users had shared that information on the app.

This issue assumes an even graver character due to the inability of the Indian Data Protection Laws to safeguard their users from a misuse of data. Without a data protection authority or regime in force, users will be exposing their data to the surveillance of the entire Facebook group of companies.

Their lack of effectiveness in providing remedies or relief in such situations stands in stark contrast to the legal frameworks that are in place in other jurisdictions, most particularly the European countries. These countries are equipped with laws that can impose fines on Facebook for unduly sharing and using information through WhatsApp. This clause came into effect when the Competition Commission of certain European countries imposed this condition on Facebook during its purchase and acquisition of WhatsApp.

An important point to take note of is also the commitment made by WhatsApp during its launch in 2009: “to not sell user data or personal information to any third party”. This stance changed with the acquisition of WhatsApp by Facebook in 2014 and its sharing of data with its parent company in 2017. However, in 2017, users were given a choice to prevent the sharing of such data with other platforms. The updated policies have mandated the exposure of such data as a condition of continued usage of the App.

The expectations and commitments with which users had initially installed the App are thus breached.

IMPLICATIONS ON USERS

Unfortunately, due to the technical and legal intricacies of the issue, a majority of the Indian population will stay unaware of it and not do much about it other than accept the terms being forced upon them.

However, there are sections of the population sensitive to data protection and privacy norms. This brings to light the possibility of shifting to alternate and safer platforms such as Signal, Telegram and iMessage. Moreover, petitions have also been filed in several courts pursuant to the policies introduced by WhatsApp in January 2021, seeking to stay the implementation of these policies. After all, the Right to Privacy is a Fundamental Right granted under Article 21 of the Constitution of India and therefore must not be compromised upon.

It is thus proposed that until an appropriate, concrete regulatory and supervisory authority is in force vis-à-vis the Data Protection issues in India, the Court must prohibit the execution of this new Privacy Policy set forth by WhatsApp. Pursuant to this, the Supreme Court has directed WhatsApp and its parent company, Facebook, to file their replies to the petitions and growing concerns on privacy violations.

In furtherance of these directions, WhatsApp has most recently implemented its updated Privacy Policy with a new campaign. Through this updated campaign, WhatsApp aims to increase communication about its changes with its users through a small banner at the top of the chat, while also offering more time to let them read, understand and accept its terms. Following the backlash received, the new Privacy Policy terms are now expected to go into effect at a later date, i.e. May 15, 2021.

HOW THE PDP BILL CAN BE MODIFIED TO INCREASE DATA PROTECTION

The PDP Bill can and must be modified in certain ways to ensure that arbitrary clauses in such online policies do not deprive the users of the rightful protection they are entitled to under the Right to Privacy. One of the main additions that the PDP Bill must incorporate is a clause or term in the law that prohibits the changing or modification of the terms of a contract after its enforcement. For instance, WhatsApp modified the terms of its contract resulting in a clause that was contrary to its initial commitments and objectives.

Moreover, since the PDP Bill has not been passed yet, it is crucial to look to alternate legal provisions and statutes that may offer protection in such situations. For instance, the Information Technology Act of 2000, under Section 87, gives the government the authority to come up with regulations that can put a stop to arbitrary policies introduced by online platforms that pose a threat to the privacy and data protection rights granted to individuals.

A company must not be able to modify terms according to its whims and mandate users to abide by them simply because they consented to the initial contract. Terms of such contracts must be regulated and privacy laws must ensure that changes in these policies have undergone user consent.

SUMMARY

In order to honour the Fundamental Right to Privacy, it is vital for the concerned platforms to provide clarity regarding their policies and to ensure that a well-equipped and protective mechanism is set in force to deal with instances of data protection infringement in India. It is also crucial to formulate a structure for the PDP Bill that is well equipped to handle policy changes while ensuring constant protection of data privacy rights. Other alternative laws must also be incorporated and interpreted in ways that prevent a breach of privacy.

The European Region was able to circumvent the imposition of data sharing norms by WhatsApp due to its updated Data Privacy Laws that successfully provide users with protection from such policies. Our extant laws are glaringly inadequate and the proposed draft, as well as the delay in the passage, of the Personal Data Protection Bill (PDP Bill), is posing a serious threat to our online privacy and security.

REFERENCES

1 WhatsApp’s new privacy policy: Yet another reason why India needs data protection law – The Hindu BusinessLine.
2 Privacy Policy – Feb 2021. (whatsapp.com)
