The Energy Conservation (Amendment) Bill, 2022 – A Retort to Increasing Emissions

On August 9, 2022, the Energy Conservation (Amendment) Bill, 2022 (the “Bill”) was passed by the Lok Sabha (the lower house of the Indian Parliament). The Government of India had identified new areas in which to achieve higher penetration of renewable energy, and the Bill seeks to increase demand for renewable energy in end-use sectors such as industry, buildings and transport.

What demanded the introduction of the Bill?

Decarbonization. The Bill, which amends the Energy Conservation Act, 2001 (the “Act”), introduces a series of modifications that open the door to sustainable development. According to the Bill’s statement of objects and reasons, it aims, among other things, to promote the use of green fuels and the growing renewable energy sector, to ensure industrial energy efficiency, and to establish a domestic carbon market and carbon credit trading scheme in fulfilment of the commitments India made at COP-26 (the 26th Conference of the Parties) in Glasgow in 2021.

 

What are the major changes proposed in the Bill?

 

The Penalty


To make the law more effective and create stronger deterrence, the Bill introduces stricter enforcement mechanisms. The changes include new penalties, and enhanced existing penalties, for violations of certain provisions relating to the efficient use and conservation of energy[1], the use of deceptive names (a new provision introduced by the Bill)[2], and the furnishing of information[3].

One of the new penalties, for instance, applies to a vehicle manufacturer that fails to comply with fuel consumption standards: in addition to the penalties it is already liable for under the Act, it must pay an additional penalty per unit of vehicles sold in the corresponding year, as follows:

  • twenty-five thousand rupees per vehicle for non-compliance with norms up to 0.2 litres per 100 km.
  • fifty thousand rupees per vehicle for non-compliance with norms above 0.2 litres per 100 km.[4]


Carbon Credit Trading


The Bill seeks to reduce carbon emissions by creating a carbon credit trading scheme. The Central Government is empowered under Section 14AA of the Bill to specify such a scheme.

Notably, the Act already provides a scheme under which energy savings certificates are issued by the Central Government to plants or industrial units whose energy consumption is below the prescribed norms and standards. Units that are unable to meet the prescribed energy consumption norms may purchase energy savings certificates to achieve compliance. Industrial units that still fail to meet their energy savings targets after purchasing certificates are liable to a fine under the provisions of the Act.

To understand how a carbon credit trading scheme would help reduce emissions, we must first understand what such a scheme is. A carbon credit is a certificate or permit that gives its holder the right to emit a specified amount (usually one tonne) of carbon dioxide. Carbon credits are allocated to an organisation in a particular sector on the basis of its historical emissions. If the organisation emits more than its allocation, it must buy additional credits on the carbon market, where credits are bought and sold, and the price of a credit is set by supply and demand. Other factors that influence the price include government regulation, international climate change protocols, other emission trading schemes and any carbon tax. This system of buying and selling carbon credits is, in simple terms, a carbon trading scheme. It aims to reduce carbon and other greenhouse gas emissions by putting a financial price on pollution: for the units covered, carbon emissions become an input cost like raw materials or labour.


Expanding, Enlarging, and Empowering


  1. Vehicles and Vessels – Section 14 of the Act empowers the Central Government to set standards for the efficient use and conservation of energy for any equipment or appliance that consumes, generates, transmits or supplies energy. The Bill brings vehicles (as defined under the Motor Vehicles Act) and vessels within the scope of Section 14, and adds corresponding penalty provisions for violations.
  2. Buildings – Under the Act, the Central Government and the Bureau of Energy Efficiency may lay down energy conservation standards for buildings, determined by built-up area. The Bill amends this so that the Bureau and the Government may instead prescribe energy conservation and sustainable building codes, which will set standards for energy efficiency and conservation, the use of renewable energy, and other requirements for green buildings.
  3. Residential Buildings – The energy conservation code under the Act applies only to commercial buildings. The Bill extends the code to residential buildings as well. Under the amended provision, State Governments are also empowered to lower the load threshold at which the code applies. By bringing residential buildings within the code, the responsibility for mindful energy consumption falls on citizens as well as industry.
  4. Composition of the BEE Governing Council – The governing council of the Bureau of Energy Efficiency (BEE) constituted under the Act has between twenty and twenty-six members; the Bill expands it to between thirty-one and thirty-seven members. The expansion is presumably intended to improve the administration and enforcement of the Act.
  5. State Electricity Regulatory Commissions – The Act empowers the Bureau of Energy Efficiency to make regulations as required, with the approval of the Central Government[5]. The Bill also empowers the State Commissions to make regulations for discharging their functions under the Act[6].


Concluding Thoughts


The amendments that are envisioned under the Bill are strides in the right direction for enabling better regulation of carbon emissions and promoting the objective of sustainable development by encouraging a switch from fossil fuels to renewable energy sources. While the carbon trading scheme under the Bill has the right intentions, it is still lacking in clarifications pertaining to the market structure and incentive scheme for facilitating carbon trading in the country.

As with any law, strict enforcement, and alignment among all the stakeholders on whom the success of the Bill’s policies depends, will be key to ensuring that India achieves a steady shift from fossil fuels to new and renewable energy (wind, solar, etc.), reaches the milestones contemplated in the National Green Hydrogen Mission, and realises its aim of meeting 50 per cent of its energy requirements from renewable sources by 2030, as envisaged in the ‘Panchamrit’ commitments announced at COP 26 in Glasgow.

References:

[1] Section 14 clause (c) or clause (d) or clause (h) or clause (i) or clause (k) or clause (l) or clauses (n) and (x); and Section 15 clause (b) or clause (c) or clause (h) of the Act.

[2] Sub-section (1) of Section 13A of the Bill.

[3] Section 52 of the Act.

[4] Second proviso to Section 26 (2) of the Bill.

[5] Section 58 of the Act.

[6] Section 13 of the Bill.




The Indian Telecommunication Bill, 2022: An Au Courant Approach

The telegraph was first introduced in India in 1851, and telephone exchanges were set up in the early 1880s. The Indian Telegraph Act, 1885; the Indian Wireless Telegraphy Act, 1933; and the Telegraph Wires (Unlawful Possession) Act, 1950 were enacted to suit the needs of their day. India’s telegraph service was discontinued in 2013, and today technologies such as 4G and 5G, the Internet of Things, Industry 4.0, M2M communications and Mobile Edge Computing are transforming the sector.

While these technologies create new opportunities for social and economic growth, issues relating to dispute resolution and penalties, data privacy, the infrastructural needs of the industry, etc. become more complex.

With the objective of reforming telecommunication law and making it more responsive to the concerns of this ever-evolving sector, the Department of Telecommunications issued a consultation paper on the “Need for a new legal framework governing Telecommunication in India”[1] on July 23, 2022, inviting comments.

The Consultation Paper proposed a new legal framework to address the following:

  1. Simplify the regulatory framework while ensuring regulatory certainty, minimising policy disruption, promoting investment and preventing retrospective application.
  2. Assign spectrum so as to best serve the common good and widespread access, allow liberal and technology-neutral use of spectrum and the deployment of new technologies, provide for the repurposing and rearrangement of frequency ranges, and authorise the Central Government to permit the sharing, trading, leasing and surrender of spectrum.
  3. Provide a robust framework for obtaining Right of Way and resolving related disputes, thereby enabling the deployment of new technologies and continuous connectivity.
  4. Simplify the framework for mergers, acquisitions and other restructuring.
  5. Ensure that a license is not suspended or terminated during insolvency while services are being provided and there is no default on license or spectrum dues.
  6. Expand the scope of the Universal Service Obligation Fund to cover the delivery of telecommunication services to underserved rural and urban areas.
  7. Impose penalties proportionate to the offence.
  8. Address situations of public emergency, public safety or national security.

The draft Telecommunication Bill 2022 was created in response to public feedback on the consultation paper [2].  Further comments on the draft have been invited till 20th October 2022. It intends to replace the Indian Telegraph Act, 1885; the Indian Wireless Telegraphy Act, 1933; and the Telegraph Wires (Unlawful Possession) Act, 1950.

 

Key Takeaways of the Draft Telecommunication Bill, 2022

 

Over-the-top (OTT)

 

There was interpretational disagreement over whether OTT services are regulated under the current legal framework. The Government’s view has been that OTT is adequately covered by the definition of “telegraph” in the Telegraph Act, but there was no explicit statutory basis for this. The draft Bill expressly clarifies that OTT communication services are telecommunication services. Its definition of telecommunication service reflects current technological trends in the industry and includes voice and video communication services, machine-to-machine services and broadcasting services. Any transmission or receipt of a message through a wire, radio, optical or electromagnetic system would be telecommunication, and such telecommunication, when intended to be received by the general public, becomes a broadcasting service. An OTT service provider, whether it offers broadcasting/streaming services or data/video call services, therefore falls squarely within the ambit of the draft Telecommunication Bill, 2022.

 

User-Beneficial Provisions

The Bill requires that the identity of the person sending a message be made available to the recipient at all times. A call recipient on a landline, a cellular network, or an OTT platform such as WhatsApp, FaceTime or Zoom would therefore have information about the caller. To achieve this, KYC details of all users must be obtained by every service provider, including OTT platforms. Users are prohibited from providing false identity information when obtaining telecommunication services, and misrepresentation of identity is punishable with imprisonment of up to one year or a fine of up to INR 50,000. An advertisement or promotional message, whether fictitious or genuine, may not be sent without the recipient’s consent; an unsolicited message is an offence and the sender is liable to be penalised. The Bill also provides a mechanism for preparing and maintaining a ‘Do Not Disturb’ register. These user-beneficial provisions, and the penalties for violating them, are not substantial enough. When the losses caused to the public by cyber frauds exceed INR 1 lakh crore each year, a penalty of INR 50,000 for such fraud is not a deterrent. Ideally, such offenders should be barred from obtaining telecommunication services, so that repeated cyber frauds or impersonations can be prevented.

 

Spectrum Allocation

 

The Bill provides that spectrum may be assigned through auction, by administrative assignment in the circumstances specified in the Schedule (such as national security), or in such other manner as may be prescribed by rules. The Hon’ble Supreme Court of India, in Centre for Public Interest Litigation & Ors v. Union of India & Ors, decided on February 2, 2012, held that:

“When it comes to the alienation of scarce natural resources like spectrum, etc., it is the burden of the State to ensure that a non-discriminatory method is adopted for distribution and alienation, which would necessarily result in protection of national/public interest. In our view, a duly publicised auction conducted fairly and impartially is perhaps the best method for discharging this burden and the methods like first-come-first-served when used for alienation of natural resources/public property are likely to be misused by unscrupulous people who are only interested in garnering maximum financial benefit and have no respect for the constitutional ethos and values. In other words, while transferring or alienating the natural resources, the State is duty bound to adopt the method of auction by giving wide publicity so that all eligible persons can participate in the process.”

The Hon’ble Supreme Court’s judgment thus mandates allocation of spectrum only by auction. Administrative assignment by the Central Government in extraordinary circumstances such as national security and defence is understandable. However, the full list of Schedule I activities, under which the Government may assign spectrum to BSNL/MTNL or for “any other function or purpose as determined”, is so wide that it risks defeating the very purpose of the judgment. Ideally, spectrum assigned under Schedule I should not be resaleable but only returnable to the Government.

The Bill provides the Central Government rights to repurpose the spectrum frequency for a different use (“re-farm”), rearrange the frequency range (harmonization), or assign part of the assigned spectrum to another entity for efficient spectrum utilization, or if the spectrum remains unutilized.

 

Seamless Transition 

There is a new set of terms and conditions that will be formed after the Act and rules come into force. A telecom service provider and telecom infrastructure provider have a choice on whether to migrate to the new set of terms and conditions under this bill or the existing terms as per their existing license. A wireless equipment provider has to procure new authorisation (instead of a license). The existing spectrum licenses shall continue to remain valid for a period of 5 years or until the date of expiry, whichever is earlier. The existing rules under the old Telegraph enactments shall continue until superseded by the new rules. All Telecommunication Bill provisions are prospective in nature. These mechanisms would allow greater acceptance of the new Act and a seamless transition.

 

Penalties and Offences

In cases of breach of the terms and conditions of a license, registration, authorisation or assignment, the Government may revoke, suspend or curtail the approval. The Government may also impose a penalty graded by the severity of the breach, classified as severe, major, moderate, minor or non-severe. A licensee may offer a voluntary undertaking to the authority in respect of any breach or delay, and acceptance of the undertaking puts the proceedings on hold. An alternative dispute resolution mechanism is envisaged for certain disputes or classes of disputes. The Bill lists the offences it covers, the imprisonment or fine prescribed for each, and whether each offence is bailable and cognizable.

 

Right of Way

The Right of Way mechanism differs depending on whether the property is public or private. For public property, the authority must grant permission in a time-bound manner. For private property, the parties may negotiate an agreement between themselves. To avoid disputes when a property is sold along with the telecom infrastructure on it, an express provision states that telecom infrastructure is distinct from the property on which it is installed; the property owner therefore cannot claim ownership of a tower on his or her property, and the infrastructure remains unaffected by any sale or lease. Ideally, Right of Way arrangements and agreements should be standardised, and the legal framework should also prescribe penalties for violation of Right of Way terms by either the telecom infrastructure provider or the property owner.

 

Common Ducts & Cable Corridors

An express provision is planned under which the Central Government will require infrastructure projects to have common cable ducts and cable corridors established and such cable made available to facility providers on an open access basis.

 

Restructuring & Insolvency

A licensee undergoing restructuring, merger or acquisition merely has to inform the authority; explicit prior approval is not required, and the restructured entity must thereafter follow the applicable rules. In insolvency, continuity of service is given priority and the entity retains control of its spectrum. An enabling framework allows the Central Government to intervene and revert control of the spectrum to itself if the entity fails to provide telecommunication services or fails to pay its spectrum and license fees and charges.

 

Regulatory Sandbox

A regulatory framework of simplified license terms and conditions to empower the start-up ecosystem is formulated, whereby such entities can live-test their products and services in a controlled environment.

 

The Telecommunication Bill is a framework that intends to create a comprehensive and centralised legal ecosystem for an industry that is rapidly expanding with the addition of new players in the market, investments, and technology. How the Telecommunication Act, Digital Data Protection Act, and Digital India Act finally shape up to create a legal landscape to address the new technological challenges remains to be seen. The proposed Telecommunications Bill has addressed the concerns of the present while keeping an eye on the future in its simple, light-touch approach- a concrete step in the right direction.



The Best Time to Enact Data Protection Laws was 20 Years Ago; The Next Best Time is Now!

The road to personal data protection in India has been rocky. In 2017, India’s Supreme Court upheld the right to privacy as a part of our fundamental right to life and liberty. A panel chaired by retired Justice B N Srikrishna was given the task of drafting a Bill. In 2018, this panel submitted its draft to the Ministry of Electronics & Information Technology. The Personal Data Protection Bill that was eventually tabled in parliament in December 2019 proposed restrictions on the use of personal data without the explicit consent of citizens and introduced data localization requirements. It also proposed establishing a Data Protection Authority.

However, the bill was widely seen as a diluted version of what was originally envisioned by the Srikrishna panel in terms of its ability to truly protect the data/privacy of individuals. The bill was seen to place a significant regulatory burden on businesses and thus viewed as an impediment to the “ease of doing business” in India. A major bone of contention was the bill granting the government a blanket right to exempt investigative agencies from complying with privacy and data protection requirements. Understandably, there was pushback from BigTech, global financial services players as well as activists; even startups were unhappy with the proposed regulatory burdens.

In December 2021, after a number of extensions spanning over two years, the Joint Parliamentary Committee (JPC) that was set up to examine the draft bill submitted its report to the Lok Sabha. The JPC report has reportedly highlighted areas of concern and proposes a number of amendments/recommendations such as:

  • a single law to cover both personal and non-personal datasets;
  • using only “trusted hardware” in smartphones and other devices;
  • treating social media companies as content publishers, thus making them liable for the content they host.

In early August 2022, the government withdrew the Personal Data Protection Bill, 2019, with the promise to introduce a new one with a “comprehensive framework” and “contemporary digital privacy laws”.

 

India needs New Regulations to Plug the Data Protection Gap

That India needs robust data protection and privacy regulations which should be enacted soon is beyond debate. With digitalization becoming ever more pervasive by the day, the longer we are without clear regulations, the greater the risk is to our citizens. Each of the major trends below has the potential to infringe on individual privacy and can give rise to large-scale risks of user data (including personally identifiable information) being leaked/breached and misused:

  • The growth in digital banking, payment apps and other digital platforms.
  • The potential for Blockchain-based apps (in education- e.g., degree certificates, mark sheets; in health care – medical records; in unemployment benefits; KYC, passports etc.).
  • The growing popularity of crypto assets (and the attendant risk of them being used for money laundering, funding terror/anti-national activities etc.).
  • The rise of Web 3.0.
  • The increase in the use of drones for civilian purposes (e.g., delivery of vaccines, food to disaster-hit areas etc).
  • The emergence of the Metaverse as a theatre of personal/commercial interactions.

According to a news report, IRCTC had sought the services of consultants to help them analyze the huge amount of customer data they have and explore avenues to monetize the information. Given that the existing bill has been withdrawn, they have deferred this plan till new legislation is in place. Delays in enacting new data protection legislation thus also can impact revenue growth and profitability of various businesses- which is another reason for quickly coming up with new legislation.

 

The New Data Protection Law should be Well-defined and Unambiguous

While “consent” must be a cornerstone of any such legislation, the government must also ensure that users whose data need to be protected, fully understand the implications of what they are consenting to. For example, each time an individual downloads an app on his/her smartphone, the app seeks a number of permissions (e.g., to mic, contacts, camera etc.). As smartphones become repositories of larger slices of personally identifiable information as well as financial data (such as bank/investment details), and authentication details such as OTPs, emails etc., the risks of data breaches and misuse that cause serious harm increase. There are a number of frauds and digital scams to which citizens are falling prey. Commercial and other organizations that build and manage various digital platforms must be held accountable for what data they capture, how they do so, why they need the data, how/where they will store such data, who will have access to them etc.

Just as important is for the new law to define unambiguously terms such as “critical data”, “localization”, “consent”, “users” and “intermediaries”. Many companies are establishing Global Captive Centres (GCCs) in India to take advantage of its large talent pool and process maturity. Strong laws will encourage more players to consider this route seriously, adding to jobs and GDP growth. Such investments also make it easier for India to be part of emerging global supply chains for services, including high-value ones such as R&D and innovation.

It must address the risks of deliberate breaches as well. For instance, if hybrid working models are indeed going to remain in place, who should be held responsible for deliberate data leaks by employees working remotely? Or by their friends/relatives/others who take screenshots (or otherwise hack into systems) and share data with fraudsters?

While fears of an Orwellian world cannot be overstated, India’s new data privacy and protection legislation must be sufficiently forward-looking and flexible to give citizens adequate safeguards. If the government fails to do so, our aspirations to become one of the top three nations on earth will take much longer to realise; worse, they may remain on paper as grandiose but unfulfilled visions.




IS 17428 – A New Privacy Assurance Standard in India

Recently, Aditya Birla Fashion and Retail Ltd (ABFR) faced a major data breach on its e-commerce portal. As per the reports, personal information of over 5.4 million users of the platform was made public. The 700 GB data leak included personal customer details like order histories, names, dates of birth, credit card information, addresses and contact numbers. Additionally, details like salaries, religion, marital status of employees were also leaked.  Forensic and data security experts were pro-actively engaged to implement the requisite damage-control measures and launch a detailed investigation into the matter.[1] This demonstrates the need to have wider awareness and establish standardized protocols for personal data management. 

Data protection and privacy currently sit in tension with a flourishing data economy. 2021 was a watershed year in the privacy and data protection dialogue in the country: the call for a comprehensive data protection law was louder than ever, and there were major initiatives on both the legislative and the executive front.

In June 2021, the Bureau of Indian Standards (BIS) introduced IS 17428 for data privacy assurance. It is a privacy framework designed for organisations that collect or process the personal data of individuals. BIS certification against IS 17428 can be treated as an assurance, given by an organisation to its customers and users, that it has implemented sound privacy practices. As BIS is the statutorily created standard-setting body of the country, this should bring welcome change to data management in India.

IS 17428 is divided into 2 parts[2]:

  • Part 1 deals with the Management and Engineering parameters that are mandatory for an organization to comply with. This part provides for establishing and cultivating a competent Data Privacy Management System.
  • Part 2 deals with the Engineering and Management guidelines which enable the implementation of Part 1. These guidelines are not mandatory in nature but a reference framework for an organization to implement good practices internally.

 

The Context – Privacy & Data Protection laws in India

 

The Personal Data Protection Bill, 2019 was tabled in Parliament in December 2019 and referred to a Joint Parliamentary Committee (JPC) for examination. The JPC’s deliberations were prolonged, in part by the pandemic, and although the country had hoped the Bill would be passed last year, the JPC instead made its report on the Bill public in December 2021.

Additionally, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 have been in force since 2011, primarily to safeguard sensitive personal data that is collected, processed, transferred or stored by any organisation, and to lay down the security practices and procedures a body corporate must follow when handling such data. The international standard IS/ISO/IEC 27001 is one standard the Rules recognise as a reasonable security practice.

ISO/IEC 27701, which focuses specifically on privacy information management, was introduced later. Indian law has not specifically endorsed that standard, although standards formulated by an industry association and approved and notified by the Central Government are also deemed appropriate. Against this background, the BIS standard is a welcome initiative, as it will bring uniformity to the implementation of privacy practices across Indian industry.

Components of Part 1 of IS 17428[3]

 
Development of Privacy Requirements:

While developing the privacy requirements of the organisation in relation to the data collected or processed, the organisation has to take into consideration various factors such as jurisdiction, statutory requirements and business needs.

Personal Data Collection and Limitation:

The organisation is permitted to collect the personal information of the individuals, provided the same has been consented to by such individuals.

Privacy notice: 

The organisation must provide a notice to individuals when collecting information from them. Where the collection is indirect, it is the organisation’s duty to convey the same information to the individuals by unambiguous and legitimate means.

The contents of a privacy notice at the minimum should include the following[4]:

  • Name and Address of the entity collecting the personal data
  • Name and Address of the entity retaining the personal data, if different from above
  • Types and categories of personal data collected
  • Purpose of collection and processing
  • Recipients of personal data, including any transfers

Choice and Consent:

As mentioned earlier, when collecting information, the organisation should obtain the individual’s consent at the start of the process, while offering the individual a choice over which information they consent to disclose. The entire process should be carried out lawfully and in accordance with the organisation’s privacy policies.

Data Accuracy: 

The data collected by the organisation should be accurate, and in case it is inaccurate, it should be corrected promptly.

Use Limitation: 

The data collected by the organisation should be used for the legitimate purpose for which it was agreed upon and it shall not be used for any other purposes.

Security: 

The organisation should implement a strict security program to ensure that the information collected is not breached or compromised in any manner.

Data Privacy Management System: 

The organisation is required to establish a Data Privacy Management System (DPMS). The DPMS shall act as a point of reference and baseline for the organisation’s privacy requirements/objectives.

Privacy Objectives: 

The privacy objective of the organisation shall be fixed and set out by the organisation itself. While determining the objectives the organisation shall also look into various factors such as the nature of business operations involving the GDPR processing of personal information, the industry domain, type of individuals, the extent to which the processed information is outsourced and the personal information collected. Moreover, the organisation shall also ensure that the objectives are in alignment with its privacy policy, business objectives and the geographical distribution of its operations.

Personal Data Storage Limitation: 

The organisation shall be allowed to retain the information collected from the individual only for a specific time period as required by the law or the completion of the purpose for which it was collected in the first place. The individual shall have the right to delete their personal information from the organisation database upon request.

Privacy Policy: 

The organisation shall create and implement a privacy policy that shall determine the scope and be applicable to all its business affiliates. The senior management of the organisation shall be in charge of the data privacy function. Moreover, the privacy policy should be in consonance with the privacy objectives of the organisation.

Records and Document Management:

The organisation shall keep a record of its processing activities, which in turn ensures accountability for data privacy compliance. The practical way to achieve this is to lay out procedures that help identify the various records to be kept. While laying out such procedures, the organisation shall take into consideration factors such as logs that demonstrate the affirmative action and options chosen by individuals on privacy consent and notice, evidence of captured events relating to access to or use of personal information, and the retention period for obsolete documents.

Privacy Impact Assessment: 

A privacy impact assessment shall be carried out by the organisation from time to time. Such an assessment shall help in estimating the changes and the impact that they can possibly have on the data privacy of the individuals.

Privacy Risk Management:

The organisation shall put in place and document a privacy risk management methodology. The methodology shall determine how the risks are managed and how the risks are kept at an acceptable level.

Grievance Redress:  

A grievance redressal mechanism shall be established by the organisation to handle the grievances of individuals promptly. The organisation shall ensure that the contact information of the grievance officer is displayed or published and that there is a channel for receiving complaints from individuals. Moreover, the organisation shall also make clear the provision for escalation and appeal and the timelines for resolution of a grievance.

Periodic Audits: 

The organisation shall conduct periodic audits for the data privacy management system. The audit shall be conducted by an independent authority competent in data privacy, internal or external to the organization, at a periodicity appropriate for the organization, at least once a year.

Privacy Incident Management: 

Privacy breaches and data privacy incidents shall be reported regularly, and the organisation shall establish a mechanism to manage such incidents. The process involves, in the first stage, identifying the incident; in the second stage, investigating the root cause, preparing an analysis and correcting the incident; and in the final stage, informing the key stakeholders, including the Data Privacy Authority, about the breach or incident.

Data Subject’s Request Management: 

The organisation shall develop a mechanism to respond to requests from individuals concerning their personal data. This process shall include the means to verify the identity of the individual, to provide access to the information and to update the information.


How would IS 17428 help with privacy and data protection?


The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (RSPP and SPDI rules) had been the only law for organisations to follow. The rules did not prescribe or detail any specific requirements or standards for personal data management, and in the absence of formulated standards for the protection of individuals' sensitive personal data, industry bodies were struggling to arrive at uniform procedures.

This being the case, introducing specific standards for personal data management will bring more clarity and will help companies adhere to an approved standard prescribed by a government agency. Moreover, the principles set out in this standard are in accordance with internationally recognised privacy principles and will help Indian companies inspire confidence when dealing with their commercial counterparts.

The introduction of records and document management, risk assessment and data subject request management are a few of the aspects that place onerous responsibilities on companies, making them more accountable and transparent. These aspects lay down procedures and mechanisms for an organisation to improve its privacy management, for example by introducing processes such as verification of identity, access to information, evidence of captured consent events and retention periods for obsolete documents.


The proposed data protection legislation and the IS 17428


The IS 17428 standard draws primarily on the OECD privacy principles, the GDPR and ISO 27701. The proposed data protection legislation, on the other hand, diverges from those instruments in many respects. For instance, the IS standard provides an elaborate description of the privacy objectives of the organisation and the factors that need to be taken into account. Most of these objectives are covered under Sections 22 and 23 of the draft Bill, but the standard nevertheless recommends a few other factors, such as geographical operation, industry domain and type of individuals, as specific considerations when drafting the privacy objectives. How far organisations may create their own discretionary privacy standards, and what freedom industries are allowed in this regard, is unclear.

Section 28 of the draft Bill deals with the records and document management of the data collected or processed, and the standard covers almost every part of that section. In addition to the considerations mentioned in the Bill, the standard goes further and echoes the need to establish a policy on the preservation of obsolete policies and process documents. Data and record-keeping should be for a defined period. The majority of other legislation prescribes an average of 7 years of data retention, and keeping data beyond such a reasonable period may not serve much purpose. Why this standard prescribes the retention of obsolete documents is again unclear.

The standard can only be made fully effective once data protection legislation is enacted. For instance, on grievance redress, although the standard envisages an appeal mechanism, it does not establish any appeal machinery; this part of the standard can be put to use only after the Data Protection Authority under Section 32 is constituted. The standard also calls for an investigative process in the event of any breach or compromise of data. The organisation is welcome to conduct an onsite or internal investigation into the breach or incident, but once again an independent authority to investigate in a legitimate and fair manner is required.

In short, I am afraid the standard has failed to take into account the special requirements contemplated under the PDPB, 2019, which may eventually become the law of the country; once that law is enacted, this standard will also need to be modified. The government has not made any announcement under the RSPP and SPDI rules that IS 17428 is an appropriate standard certifying compliance with personal data management requirements. In the absence of such explicit endorsement, the ambiguity continues as to whether adoption of this standard is sufficient compliance under those rules.

Finally, with the Data Protection Bill around the corner, the Data Protection Authority envisaged under the legislation will have the power to issue codes, guidelines and best practices for protecting the privacy of data subjects. How the IS 17428 standard framed by the BIS will be viewed by the DPA, and whether the proposed rules will offer a different set of practices, will be an interesting development to observe.

References:

[1] https://economictimes.indiatimes.com/industry/cons-products/fashion-/-cosmetics-/-jewellery/abfrl-faces-data-breach-on-its-portal/articleshow/88930807.cms

[2] The IS 17438 was established on November 20, 2020 and notified in the official gazette on December 4, 2020. Please see the notification available at: https://egazette.nic.in/WriteReadData/2020/223869.pdf (last visited Jan 18, 2022).

[3] Supra note 2.

[4] Sub-clause 4.2.2 of the IS Requirements: “Privacy Notice”.


Photo Credits:

Image by Darwin Laganzon from Pixabay 


India's Own Crypto Asset Regulations Soon: Plugging an Important Gap

Till last year, most people (at least in India) had probably only heard of cryptocurrencies such as Bitcoin and Ethereum; now, many other names such as Dogecoin, Solana, Polkadot, XRP, Tether, Binance etc. are being spoken of commonly in media. The global cryptocurrency market cap is estimated at over US$2.5 Trillion.

India too is witnessing a surge in investment in cryptotokens, especially by millennials. There has been a corresponding increase in the number of advertisements for cryptocurrencies on national television as well as on various websites, and mainstream media reports extensively on the daily price movement of cryptocurrencies. One estimate puts the number of crypto investors in India at between 15-20 million, and their total holdings in excess of US$5.3 Billion.

This surge in unregulated cryptoassets is a matter of rising concern globally. Recently, PM Modi urged democracies around the world to work together to ensure that cryptocurrencies do not “end up in the wrong hands”, as this can “spoil our youth”. His exhortation came just days after RBI Governor Shaktikanta Das spoke of “serious concerns” around cryptocurrencies.

The RBI’s 2018 blanket ban on cryptocurrencies was lifted by the Supreme Court in 2020. However, the time has now come for the government and regulators to act quickly, and there are indications that regulations are just around the corner. At the time of writing, the government has already announced its intention to table The Cryptocurrency and Regulation of Official Digital Currency Bill, 2021 in parliament in the winter session.

It is expected that through this legislation, the Indian government will seek to ban private cryptoassets. This means that those who trade in such cryptoassets may be liable for penalties and/or other punishment. It is also expected that there will be tighter regulations around advertising such products and the platforms where cryptoassets can be bought and sold. Another regulatory salvo could be around taxing cryptogains at a higher rate (although such notifications may have to wait for the next budget, due to be announced in another three months). The bill is also expected to deny the status of “currency” to cryptoassets, because the prevailing ones are issued by private enterprises and not backed by any sovereign.

The government has also acknowledged the potential of sovereign digital currencies (or CBDC, Central Bank Digital Currency, as they are officially called) in the days ahead. Countries such as China and the USA are at various stages of launching their own digital currencies, and experts predict that such CBDCs will be the “future of money”. In this context, the proposed bill is expected to create a “facilitative framework” to pave the way for the RBI to launch India’s sovereign digital currency in the days ahead. In fact, the RBI is already working on India’s CBDC, and some media reports suggest that such a launch may happen in the next couple of months (which may also explain the timing of tabling The Cryptocurrency and Regulation of Official Digital Currency Bill, 2021). CBDCs too require crypto and blockchain technologies similar to those that underpin cryptoassets, so the bill is also expected to promote these technologies for specific purposes. Indeed, not doing so would be akin to throwing out the baby with the bathwater.

Given their wide global reach, cryptoassets arguably will have a role to play in the world’s financial system. However, countries such as India must ensure proper regulation, because by their very nature cryptoassets can easily be misused for various activities that can destabilize the nation. They will allow for free inward/outward remittances that will be harder to trace; being encrypted, the origins of such wealth too will become easier to hide. All this will make cryptoassets even more convenient for nefarious activities such as money laundering, terror-funding, drugs-financing etc. In the absence of appropriate regulations, the rising supply of cryptocurrencies can hobble the RBI’s ability to perform its basic role. Its ability to manage the Rupee’s value against global currencies too will weaken, as will its ability to use domestic interest rates as a means to balance the economy’s twin needs of inflation management and providing growth impetus. This is a scary scenario, but not one that could unfold in the short term. Even so, India needs to be prepared.

PS: The Indian government’s announcement to regulate cryptoassets has already triggered a significant (8-10%) correction in the prices of various cryptoassets. It’s therefore a good idea for resident Indians holding cryptoassets to sell them. They can decide on their future course of action once there is clarity on the specific regulatory impact of the proposed bill.


Image Credits: 

Photo by Worldspectrum from Pexels


Bulk Data Sharing & Procedure Notification - A Data Breach?

In this digital era, data has become one of the most valuable assets to own. Elections have been won and international alliances have toppled because of the support that could be garnered by utilizing data analytics. While heated debate surrounding data breaches by private entities baffles the world, at home the Indian Government is accused of having monetized the personal data of individuals, under the pretext of “public purposes”, through a notification released by the Ministry of Road Transport and Highways in March 2019 titled “Bulk Data Sharing & Procedure”.

In July 2019, a parliamentary debate pertaining to the “sale of data” by the State was raised because the Government had provided access to databases containing driving license and vehicle registration details to private companies and Government entities and generated revenue from them. The two databases of the Ministry of Road Transport and Highways named Vahan and Sarathi were under discussion. These databases contained details such as vehicle owners’ names, registration details, chassis number, engine number and driving-license-related particulars of individuals. These details amount to personal information by which an individual could be identified (“Personal Data”).

The sale of data was pursuant to a notification released by the Ministry of Road Transport and Highways in March 2019 titled Bulk Data Sharing & Procedure, wherein a policy framework on the sale of bulk data relating to driving licenses and vehicle registration was introduced. Among other things, this writeup discusses whether such sale of Personal Data for revenue generation is acceptable in light of privacy as a fundamental right and the Data Protection Bill 2018, and whether such access constitutes a data breach.


Bulk Data Sharing & Procedure Notification 

The “Bulk Data Sharing & Procedure” notification by the Ministry of Road Transport and Highways states the purpose for which bulk data access would be provided:

“it is recognized that sharing this data for other purposes, in a controlled manner, can support the transport and automobile industry. The sharing of data will also help in service improvements and wider benefits to citizens & Government. In addition, it will also benefit the country’s economy”.

As per the notification, only entities that meet the eligibility criteria would be provided access to bulk data. The eligibility criteria are that the entity should be registered in India with at least 50% Indian ownership, the bulk data should be processed/stored in servers/data centres in India, and the entity should have obtained a security pre-audit report from a CERT-In empanelled auditor. The bulk data access would be provided for a price.

Commercial organizations could obtain such data for INR 3 crores and educational institutions for INR 5 lakhs. As per the notification, the bulk data will be provided in encrypted form with restricted access. Such entities would be restricted from any activity that would identify individuals using the data sets. The entities would be required to follow certain protocols for data loss prevention, access controls, audit logs, security and vulnerability management. Violation of these protocols is punishable under the Information Technology Act, 2000.

The Ministry of Road Transport and Highways has, in accordance with this policy framework, provided database access to 87 private companies and 32 government entities for a price of 65 crores, resulting in the Personal Data of all individuals in the databases being accessible to them. The Data Principal (the individual whose information is in the database) has no knowledge of or control over any use or misuse of his/her information.

In any data protection framework worldwide, the Data Principal’s consent should be sought, stating the purpose for which the data will be used. It is only pursuant to the Data Principal’s consent that any information can be processed. On the contrary, providing access to Personal Data to third-party private companies without the Data Principal’s consent places that data beyond the Data Principal’s effective control. This is against the basic principles of data protection.


Proposed Legislation for Data Protection 

India is on the verge of a new Data Protection Act, as the bill is being placed before Parliament. The Data Protection Bill, 2018 contains certain provisions that address the issues mentioned above. Section 5 of the Data Protection Bill states when personal data can be processed: Personal Data may be processed only for purposes that are clear, specific and lawful. Section 5 is extracted below:

  5. Purpose limitation— (1) Personal data shall be processed only for purposes that are clear, specific and lawful. (2) Personal data shall be processed only for purposes specified or for any other incidental purpose that the data principal would reasonably expect the personal data to be used for, having regard to the specified purposes, and the context and circumstances in which the personal data was collected.

Moreover, the relevant enactment regulating driving licenses and vehicle registration, i.e. the Motor Vehicle Act, does not explicitly permit the State to sell or provide third parties access to Personal Data for the generation of revenue. Therefore, there is no clear, specific or lawful indication of such access in the enactment. The question arises whether access to bulk Personal Data can be interpreted as an “incidental purpose” that the “data principal would reasonably expect”. The data principal provided this information only for the purpose of the grant of a motor vehicle license and vehicle registration. The Data Principal ought not to have expected his/her data to be sold by the Government.

Section 13 of the Data Protection Bill is also relevant here because it authorizes the State to process Personal Data for the provision of services or benefits or the issuance of certifications, licenses or permits. Section 13 is extracted below:

Section 13 – Processing of personal data for functions of the State. — Personal data may be processed if such processing is necessary for exercise of the functions of the State authorised by law for: (a) the provision of any service or benefit to the data principal from the State. (b) the issuance of any certification, license, or permit for any action or activity of the data principal by the State.


By this section, the State is authorized to use Personal Data for the grant of licenses or permits or to provide any benefit or service. However, whether the State is authorized to give third-party private companies access to Personal Data is unclear.

Section 17 of the Data Protection Bill tries to shed some light on this anomaly. The section states that Personal Data may be processed for “reasonable purposes” after considering whether any public interest is involved in processing it. What constitutes a reasonable purpose is yet to be specified by the Data Protection Authority, which is yet to be constituted. Section 17 is extracted hereunder:

  17. Processing of data for reasonable purposes. —

(1) In addition to the grounds for processing contained in section 12 to section 16, personal data may be processed if such processing is necessary for such reasonable purposes as may be specified after taking into consideration—

(a) the interest of the data fiduciary in processing for that purpose; 

(b) whether the data fiduciary can reasonably be expected to obtain the consent of the data principal; 

(c) any public interest in processing for that purpose; 

(d) the effect of the processing activity on the rights of the data principal; and 

(e) the reasonable expectations of the data principal having regard to the context of the processing. 

(2) For the purpose of sub-section (1), the Authority may specify reasonable purposes related to the following activities, including— 

(a) prevention and detection of any unlawful activity including fraud; 

(b) whistle blowing; 

(c) mergers and acquisitions; 

(d) network and information security; 

(e) credit scoring; 

(f) recovery of debt; 

(g) processing of publicly available personal data; 

(3) Where the Authority specifies a reasonable purpose under sub-section (1), it shall: (a) lay down such safeguards as may be appropriate to ensure the protection of the rights of data principals; and (b) determine where the provision of notice under section 8 would not apply having regard to whether such provision would substantially prejudice the relevant reasonable purpose. 


Section 17, therefore, clarifies that where a public interest is involved, the State may provide third parties with access to publicly available personal data. Read with Section 13, this indicates that the State is not required to obtain the consent of the Data Principal in order to provide services and benefits.


Has the State provided access to personal data in the public interest or to provide services and benefits?

The Bulk Data Sharing & Procedure notification states that the purpose of providing access to bulk Personal Data is to “support the transport and automobile industry” and to “help in service improvements and wider benefits to citizens & Government”. Supporting the transport and automobile industry and improving services may qualify as public interest, whereas mere revenue generation will not. However, there is no clarification from the Government as to how the private companies to whom database access is being provided serve the public interest. Further, whether all driving license and registration data can be classified as publicly available information is again contentious and questionable, as the information is intended to be provided only to license holders and vehicle owners and is partially masked.

If this Personal Data is not construed as public data, or if these private companies have been given access to personal data in the absence of any public interest, it would amount to a personal data breach by the Government Departments concerned, for which the head of the Department would be held liable under Section 96 of the Data Protection Bill.

It is quite preposterous to note that on the one hand the Data Protection Bill is being tabled in Parliament and on the other, the Government is selling the Personal Data of the general public for economic gain. Whether this results in the exploitation of personal and private data on the pretext of public interest, without the individual’s consent, needs to be ascertained.

Image Credits:

Photo by Markus Spiske on Unsplash
