By Resham Jain on 22 October, 2020

Category : Data protection and privacy

It is not unusual for Indian employers to collect extensive personal and sensitive personal data of their employees. Everything from the more obvious personal identifiers to sensitive information such as marital status, sexual orientation, health records, biometrics, etc., is collected and processed for various reasons, namely, pre-employment background checks, employee profiling, drug or alcohol abuse tests, and gender sensitization. Any internal or external misuse of such sensitive data can have serious ramifications for employees, including identity theft, loss of employment and social discrimination. In fact, such privacy-invasive practices could also expose employers to financial and reputational risks.

In a landmark decision related to unauthorized access to employee data, on October 1, 2020, the Hamburg Commissioner for Data Protection and Freedom of Information (“Hamburg Commissioner”) imposed a fine of €35 million on Hennes & Mauritz Online Shop A.B. & Co KG (“H&M Online”), a subsidiary of the Swedish multinational clothing retail chain Hennes & Mauritz AB (“H&M Group”).

By Arya Tripathy on 27 September, 2020

Category : Data protection and privacy

On August 26, 2020, the Ministry of Health & Family Welfare (MoHFW) published the draft Health Data Management Policy (Policy). MoHFW has been advocating for digitisation of health records, creation of registries, and adoption of a federated health data management structure to ensure interoperability and transferability of health data within the healthcare ecosystem. A federated structure, simply put, allows collection, processing and storage of data at all levels, instead of in a centralised repository. The bigger picture is the creation of a “national digital health ecosystem” (NDHE), where health records can be collected, processed and transferred among stakeholders with patient consent for universal and continued health care. Consequently, it is essential that a detailed data management framework is put in place to maintain confidentiality of health data and patient privacy.

The Personal Data Protection Bill, 2019 (PDP Bill) is still being debated by Parliament and is unlikely to be notified before 2021. There is an absence of a comprehensive data protection framework, and minimal binding rules are prescribed under the Information Technology (Reasonable Security Practices & Procedures and Sensitive Personal Data) Rules, 2011. The Policy aims at bridging the gap, and currently, pilots are being implemented in union territories. This post provides an overview of the Policy while comparing it with the PDP Bill, with an aim to evaluate the efficacy and necessity of a specialised health data management guideline.

By Arya Tripathy on 07 August, 2020

Category : Data protection and privacy

In the earlier post Part I, we delved into some of the recommendations made by the Committee of Experts on Non-Personal Data (NPD Committee)[1] in its report of July 12, 2020 (Report)[2]. We discussed the genesis, Committee’s rationale for regulation of non-personal data (NPD), its scope, the distinction between NPDs based on sensitive nature, and consent mechanism for anonymisation.

In this post, we continue our analysis on a few other aspects.

1. Key stakeholders: The Report contemplates 4 key stakeholders in the NPD ecosystem and processing chain – data principal, data custodian, data trustees, and data trusts.

  • Data principal: The Report observes that in the NPD context, the natural person cannot be the data principal as is the case for personal data. Determining the data principal will depend on the type of NPD. Accordingly, the data principal in case of public and private NPD will refer to the natural or legal person to whom the data relates, such as government bodies, companies, etc. For instance, the Ministry of Health will be the data principal for anonymised health data collated through the Aarogya Setu app, and Uber will be the data principal for anonymised ride data collected through the Uber application. In case of community data, the community from where NPD originates will be the data principal, and will be entitled to exercise economic and other key rights vis-à-vis the community NPD.

By Arya Tripathy on 06 August, 2020

Category : Data protection and privacy

In September 2019, the Government constituted the Committee of Experts to study various issues relating to Non-Personal Data (NPD), and make recommendations for its regulation (NPD Committee)[1]. NPD Committee released its report on July 12, 2020 (Report)[2] which is open for public consultation till August 13, 2020. The Report is structured into 7 key chapters delving into rationale for the regulation of NPD, its scope, key players in NPD ecosystem, the legal basis for ownership over NPD, contours of undertaking data business, need and technology architecture for data sharing, and proposes a new regulatory framework for NPD governance. The new set of regulations will likely deal with anonymisation standards, data sharing protocols, regulation of data businesses and markets, etc. The Report also contemplates creating a new regulator – the Non-Personal Data Regulatory Authority (NPDA).

This post aims at analysing select few recommendations of the Report and evaluating the impact of the proposed NPD governance framework. In our subsequent posts, we will further continue with our analysis.

1. Genesis: Justice B.N. Srikrishna Committee Report, while laying out the norms for the Personal Data Protection law (PDP Bill), suggested regulation of community data (i.e., body of data sourced from multiple individuals) for group privacy rights, as an extension of a robust data protection framework[3]. It observed that individual control over aggregated data sets is impractical, and a suitable law should facilitate collective protection of privacy on basis of certain principles. Alongside, such protection should take into account intellectual property ownership of the entity processing the data. Thus, the Srikrishna Committee Report recommended that the government must consider promulgating a law that accords specific protection to “community” and “corporate” data.

By Nikhil Issar on 9 April, 2020

Category : Data protection and privacy

COVID-19 has brought the world to a standstill. It is rightly being called an “infodemic” due to the efflux of related (mis)information on the internet. Since January 2020, 16,000 coronavirus-related domains have been registered, with over 6,000 new domains registered last week[1]. There is widespread fear and panic caused by high incidences of viral fake news and constant media coverage. With organizations transitioning to compulsory work-from-home models, corporate networks and data are being accessed through not-so-secure means at the risk of unauthorized access and use. Despite deployment of effective VPNs and firewall technology, no measure can account for the weakest link in a security chain, i.e., the people who use, administer and operate computer systems. This atmosphere is conducive for cybercriminals to exploit human fear and ‘phish’ for personal information. The objective is either to gain access to a computer system and its data, or to defraud a person of their assets. In these desperate times, phishing e-mails have spiked by over 600%, and old malware is getting a novel COVID-makeover for attacking curious, fearful, or empathetic humans.[2] Therefore, it will not be an exaggeration to state that cybersecurity risks are at an all-time high.

This blog seeks to examine types of coronavirus-related phishing scams, review applicable Indian laws, examine the practicality of a legal response, affix liability and list best practices to be followed by individuals and corporates.

1. Identifying phishing hooks: Cybercriminals are using COVID-19 related clickbait to infect computers/mobiles with malware. Malware can access e-mail, banking login credentials and credit card information. Apart from malware, online scammers are claiming to sell cures and face-masks, as well as soliciting investment in vaccine companies. The modus operandi is to obtain credit card details through any possible means, and thereafter, either trade the information on the dark web, or commit fraud. The top originator of COVID-19 spam is Vietnam, followed by USA, China, India and Russia.[3] Illustratively, cybercriminals have adopted the following COVID-19 linked phishing techniques across a pandemic and paranoid globe:

By Arya Tripathy on 30 March, 2020

Category : Data protection and privacy

COVID-19 has de-globalized the world and yet, ushered a new global citizenship, where the order is simple – solidarity in isolation. In battling the highly contagious pandemic, governments are focused on breaking the transmission chain. They are deploying old and new tracking and surveillance technologies, with minimal checks, and in certain instances, at the cost of an individual’s right to bodily and informational privacy. Indeed, desperate times call for desperate measures, but this may have significant cascading effects outlasting the pandemic.

Case in point – the Karnataka government, to deter contact transmission, published a consolidated list of quarantined residents’ addresses, irrespective of whether covered individuals had travel history to affected areas, or tested COVID-19 positive. The proportionality of such a measure will probably remain unevaluated in these dire times, even though the covered individuals can be subjected to social stigmatization, and not just social distancing.

In this post, we scrutinise the case for government deploying technology for COVID-19 surveillance, its impact on containing further spread of pandemic, the suspension of informational privacy, global approaches followed and way forward.

By Arya Tripathy on 3 March, 2020

Category : Data protection and privacy

Non-personal data broadly refers to data that standalone or in combination with other data does not directly or indirectly result in identification of a natural person (NPD). These data sets could include aggregated, derived, anonymous, and community data. They have enormous economic value for organizations. NPD often drives innovation, gives organizations a competitive edge, helps formulation of unique market and business strategies and creation of intellectual property. The Personal Data Protection Bill, 2018 did not include any provision concerning NPD processing and protection. However, Clause 91 of the Personal Data Protection Bill, 2019 (2019 Bill) empowers the central government to access NPD for policy reasons (as discussed at #4 below). Ever since its inclusion, Clause 91 has been extensively debated by stakeholders on whether and why the government reserves access rights in a law that primarily should aim at safeguarding data principal’s privacy rights while balancing it with interests of a digital economy.

In this post, we aim to understand the contours of Clause 91 in a global backdrop and analyse its potential impact.

1. Current regime: So far, India does not have a comprehensive law regulating processing, use and reuse of NPD. Vast pools of NPD are contractually protected as trade secrets, know-how, and other forms of proprietary and confidential information. Government’s right to access and reuse such data is limited to a reactive access for the purposes of implementing applicable laws,[1] national security, public order and state sovereignty. Additionally, the government is empowered to intercept communications and access personal information under various laws including the Code of Criminal Procedure, and the Indian Post Office, Telegraph and Information Technology acts. Exercise of the government’s access rights is often subject to judicial scrutiny and must necessarily follow due process of law that provides substantive and procedural safeguards. Thus, per se the government does not have unfettered access to an entity’s corpus of NPD.

By Arya Tripathy on 17 Feb, 2020

Category : Data protection and privacy

Regulating flow of data across national borders is increasingly viewed as an essential mechanism for implementing national data protection and privacy laws extraterritorially. Most jurisdictions impose conditions on when and how data can be transferred (commonly called data export restrictions) and very few resort to physical data localization requirements.[1] Data localization is commonly understood as regulatory and policy efforts requiring some or all aspects of personal data processing to take place in a particular jurisdiction.

Governments looking at imposing localization requirements are motivated by a variety of reasons – citizens’ privacy, data security, corporate accountability, national security, protecting local businesses, checks on freedom of speech, and surveillance. Some jurisdictions like Russia have enforced localization requirements with rigour. In 2016, a Russian court of appeal ruled that professional social network LinkedIn was in violation of the data localization requirements. Consequently, the site was blocked and, overnight, approximately 6 million users could no longer access the site.[2] At the same time, localization can result in segregation of the internet, act as an entry barrier for new technology and businesses, increase network latency, hamper user experience, affect robustness of network security, and raise infrastructure and resource costs for companies. Some critics have also argued that localization could in fact endanger privacy. For instance, where a breach incident happens, it is prudent to port the data to a safer location in order to mitigate the risks, which cannot take place where governments force localization. In a similar vein, where organizations are forced to store their data in a particular jurisdiction, there will be bifurcation of their limited network security resources and lesser economies of scale, resulting in additional points for security failure and privacy breach.

By Arya Tripathy on 3 Jan, 2020

Category : Data protection and privacy

Empowering data principals to exercise certain rights vis-à-vis their personal data is a fundamental element for creation of a robust data protection framework. Exercise of data principal rights is aimed at strengthening an individual’s informational privacy, providing them with autonomy and control over the processing cycle and, in turn, boosting transparency and accountability. Chapter V of the Personal Data Protection Bill, 2019 (PDP 2019) deals with data principal rights and the mechanism for exercising them. This Post aims at analysing the scope of the contemplated rights regime and its potential impact for organizations.

Existing framework: The concept of vesting an individual with legal rights concerning the processing of personal data is not new. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data) Rules (IT Rules) permit an individual to review personal information collected and seek rectification. It states that any organization acting on its own or through a third party must permit review of personal information provided when requested by the concerned individual. Additionally, organizations must ensure that inaccurate or deficient personal information is corrected or amended as feasible. However, the IT Rules clarify that such organizations have no responsibility for ensuring authenticity of the personal information provided. This essentially means that where an individual provides updated information, organizations depending on feasibility must rectify the processed information, without any obligation of verifying the authenticity.

By Arya Tripathy on 17 Dec, 2019

Category : Data protection and privacy

In Personal Data Protection Bill 2019 versus 2018 – Part 1, we delved into the changes in concept of personal data, purpose limitation, retention period and notice requirements. In this post, we continue to analyse some additional key changes.

1. Consent: The 2019 Bill makes prior consent the primary ground for processing. Consent must be:

  • free as understood for contractual consent under the Indian Contract Act[1]
  • informed through the detailed notice as discussed at #4 in our previous post Personal Data Protection Bill 2019 versus 2018 – Part 1
  • specific with respect to the scope of consent factoring the processing purposes
  • clear through an affirmative action that is meaningful in given context; and
  • capable of being withdrawn as easily as is obtained.

This essentially means that consent cannot be influenced by any external factors or be conditional upon provision of goods or services, must be worded specifically with full disclosure of purposes in a simple, easy to understand language, and obtained through direct action as opposed to implied conduct.

By Arya Tripathy on 17 Dec, 2019

Category : Data protection and privacy

The Personal Data Protection Bill, 2019 was introduced in the Parliament on December 11, 2019 and has been referred to a joint select committee for further review. The committee is tasked to come out with its report on the proposed clauses, which shall be presented to the Parliament prior to its upcoming 2020 budget session. The 2019 Bill brings about significant changes over its predecessor 2018 draft.

Compared to the 2018 draft which proposed 15 chapters and 112 sections, the 2019 Bill contemplates 14 chapters and 98 sections. There are far-reaching modifications in approximately 49 clauses, some clauses of the 2018 draft have been deleted, and certain new provisions pertaining to social media intermediaries, sandbox innovations, policymaking for digital economy and processing of biometric data have also been introduced. Further, the draft available in public domain comes with an elaborate note on the statement of objects and small notes on clauses. There is scepticism that while the 2019 Bill is drafted better than the 2018 draft, grey areas continue to remain, which may not be completely without merit. This and the subsequent Post aim at providing an overview of some of the key changes in the 2019 Bill.[1]

• Personal data: The 2019 Bill revises the scope of personal data, sensitive personal data, and anonymised data. The meaning of these concepts under the 2018 draft were analysed in our first post

By Arya Tripathy on 29 Nov, 2019

Category : Data protection and privacy

A lot has been talked about who will get impacted by the Personal Data Protection Bill. This Post aims at providing an overview of the key stakeholders involved in processing of personal data under the Bill and analysing the underlying dynamics.

1. Existing framework: Any body corporate or any person acting on its behalf, and engaged in collecting, receiving, storing or dealing with personal information in any other manner must comply with the processing requirements under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data) Rules (IT Rules). Body corporate includes all kinds of incorporated or unincorporated legal entities such as a company, limited liability partnership, firm, sole proprietorship or an association of individuals engaged in commercial or professional activities. The person who processes personal information on behalf of the said body corporate is commonly referred to as a processor, and can be a legal or natural person. Further, the IT Rules must be complied with only if the personal information relates to a natural person. While government agencies collect and process personal information, they are outside the purview of the IT Rules.

Thus, the existing framework involves 3 actors –

(i) private body corporates requiring processing of personal information,

(ii) any legal or natural person performing such processing, and

(iii) the natural person whose personal information is being processed.

By Arya Tripathy on 15 Nov, 2019

Category : Data protection and privacy

In view of the imminent Personal Data Protection Bill, Post 1 of PSA’s data protection law series aims at providing an overview of what is personal data and what it means for organizations processing such data.

• Existing framework: The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data) Rules (IT Rules) define “personal information” as any information processed by computer (system/network), standalone or combined with others, that leads to identification of a natural person. Additionally, the IT Rules categorise some personal information as “sensitive”. These include passwords, financial information (like account, card or other payment instrument details), physical, physiological and mental health condition, sexual orientation, medical records and biometric information. Further, it has been customary for organizations processing personal information to regard anonymized or pseudonymised data as outside the IT Rules’ purview, even though there is no express provision.

• Personal Data under the Bill: The PDP Bill defines “personal data” as any data, alone or in combination with others that results in direct or indirect identification of a natural person. However, the Bill does not provide an illustrative list, and some examples are:

  • direct => name, phone number, e-mail ID, government ID, bank account numbers, address
  • indirect => location, purchase history, physical traits, IP address, postal code, cookie identifiers