data protection

A Guide to India’s Data Protection Law:         The Digital Personal Data Protection Bill, 2022

March 23, 2023 Leave a comment

              

Background & Evolution of Privacy in India

A.  The journey of India’s Right to Privacy is more than 6 decades old, and it was only in the year 2017, the Apex Court of the land recognized and declared the “Right to Privacy” as a fundamental right enshrined under Article 21 of the Indian Constitution, 1950, in a landmark decision in  Justice K S Puttaswamy(Retd.), & Anr v UOI& Ors(2017). Little did we know, but this landmark decision changed the course of History.

B.  With the advent of the right to privacy as a fundamental right, a Committee of experts was set up in August 2017, for the purpose of preparing a draft report on Data Protection under the leadership of Justice B.N Srikrishna, (former) Judge of the Supreme Court. 

C. The Experts Committee submitted its report along with a draft version of the legislation in the year 2018 which was titled “Personal Data Protection Bill, 2018” (“PDP, 18”). The PDP, 18 was further analyzed and approved by the Cabinet Ministry on 4th December, 2019. Later, the draft version was introduced in the Lok Sabha, however, the title was changed to- Personal Data Protection Bill, 2019 (“PDP, 19”). 

D.  The PDP, 18 and PDP, 19 were drafted for the same purpose, but both had flaws that did not make them a comprehensive draft version of the law, and hence, none of them were adopted/passed. With the aim to make PDP, 19 more comprehensive, it was referred to a newly constituted committee i.e., Joint Parliamentary Committee (“JPC”).

E. The JPC on 16th December 2021 during the Winter session, released a recommendation report on the PDP, 19 with 81 amendments and 12 recommendations. The recommendation report was released after 2 years to the public and was renamed “the Data Protection Bill, 2021” (“DPB, 21”), with a widened scope of the bill in its entirety (inclusion of non-personal data, etc).

F.   However, the DPB, 21 was withdrawn in the Parliament in the month of August 2022 on the ground that the Government was working on a more comprehensive legal framework, and the present draft version did not allow it.

G. Surprisingly, on 18th November, a 4th draft version of the bill was introduced for public consultation. This time the title of the draft version has been changed to- The Digital Personal Data Protection Bill, 2022 (“DPDP, 22”)

The purpose of this article is to be a go-to guide for your understanding of the DPDP, 22. Here, we will not just summarize the entire draft bill, but highlight all the key provisions from an industry perspective.

PURPOSE:

The purpose of this legislation is to regulate the processing of digital personal data, to enable an individual to practice his/her right to privacy of their personal data, and to ensure that such processing is done for a lawful purpose. 

APPLICABILITY:

The law applies to the processing of “digital personal data” and excludes “offline personal data”, however, if such offline personal data is later digitized then the processing of such data would fall under the ambit of this Bill. 

Further, from the territorial scope of the DPDP, 22, it applies to data processing both within and outside the territory of India. For the law to apply outside the territory of India, it is essential that such processing of digital personal data is related to-

  • Any profiling of a Data Principal within the territory of India; or
  • Any activity pertaining to offering goods/services to users (Data Principal) inside the territory of India.

The provisions of the DPDP, 22 shall not apply to-

  • Any non-automated processing of personal data;
  • Offline personal data;
  • Processing, done by an individual for a personal/domestic purpose;
  • If the personal data of an individual has been existing in a record for at least 100 years.

Surprisingly, there is no classification of the personal data provided in the DPDP, 22. However, the sector-specific regulations in due time may establish additional requirements pertaining to safeguarding such personal data. Lastly, the DPDP, 22 does not apply to non-personal data as compared to its previous version.

CONSENT 

  • The DPDP, 22 under section 5 states the grounds on which the Data Fiduciary shall process the personal data of the Data Principal. The processing under the DPDP, 22 shall be considered lawful only when the Data Principal has given consent or the consent is deemed to have been given.
  • The DPDP, 22 under section 7 defines the concept of “Consent” and states- that when the Data Principal has freely given, a specific, informed, and unambiguous indication to a Data Fiduciary for processing their personal data for a “specific purpose.” However, the same must be shown through an affirmative action by the Data Principal.
  • Moreover, the DPDP, 22 under section 6 provides for a mandatory requirement that must be fulfilled by the Data Fiduciary on or before seeking the consent of a Data Principal. The Data Fiduciary is mandated to provide an itemized notice to the Data Principal in clear language, which shall contain the description pertaining to the data that is required to be collected from the user and the purpose behind it.
  • In the itemized notice that is issued for seeking/requesting consent from the Data Principal for processing their personal data, the contact details of the authorized person/data protection officer of the Data Fiduciary must be mentioned. The Data Principal shall have the right to access such itemized notice requesting consent in either English or any language specified in the Eighth Schedule to the Constitution of India.
  • It is also essential to note that any additional personal data which is not necessary for the performance and fulfillment of a contract/agreement between the Data Principal & Data Fiduciary. In such scenarios, the Data Principal shall be free to refrain from giving consent.

DEEMED CONSENT

Here are some instances mentioned in the DPDP, 22 wherein, it is presumed that the processing of personal data is based on Deemed Consent. Deemed consent has been discussed under section 8 of the DPDP, 22. At present the DPDP, 22 provides 9 instances wherein consent is considered as deemed, and they are-

  1. In an event wherein, the Data Principal voluntarily provides their personal data to the Data Fiduciary, and the same is reasonably expected from them;
  2. In an event, wherein, the processing is based on the performance of any function under law, or provision of any service, or benefit to the Data Principal/issuance of any certificate/license or permit to any action of the Data Principal by any State institutions or agencies;
  3. Processing done in relation to compliance with court order(s)/judgement(s);
  4. Processing done in relation to medical emergency pertaining to threat to life/health of the Data Principal or any other person;
  5. Processing done in relation to provide medical treatment/assistance to people during epidemic, outbreak, and/or any such threat to public health;
  6. Processing done in relation to taking safety measures for providing services to people during disaster, and/or breakdown of public order;
  7. Processing done in relation to employment-related purposes;
  8. Processing done on the grounds of public interest;
  9. Processing done for any fair and reasonable purpose- wherein the legitimate interests of the Data Fiduciary outweigh any adverse effect on the Data Principal, public interest and the reasonable expectations of the Data Principal.

It is essential to note here that the notice mentioned under section 6 is not mandated where deemed consent is given by the Data Principal.

CROSS-BORDER TRANSFERS

The DPDP, 22 also lays down a provision for the cross-border transfer of digital personal data. Although, it does not specify or name which countries/territories will be treated as “trusted geographies” for permitting the cross-border transfer of digital personal data. However, section 17 states that the Central Government will only allow and notify those countries/territories for cross-border transfers, based on an assessment as it may consider necessary.

EXEMPTIONS

Moreover, under section 18, there are some exemptions listed out, which simply means that the provisions of the DPDP, 22 shall not apply, except section 9(4)- which states that the Data Fiduciary and Data Processor shall take all the reasonable security measures in order to mitigate potential breaches. The exemptions have been listed below-

  • Wherein, processing such personal data is essential to enforce a legal right/claim;
  • Wherein, the processing of personal data is in the interest of prevention, detection, investigation/prosecution of any offence/contravention of any law;
  • Wherein, the processing of personal data is done by the court of law, tribunal, quasi-judicial body, etc;
  • Wherein, the personal data belongs to an individual outside the Indian territory and is processed based on a contract between an individual from outside the Indian territory and a person based in India.

The DPDP, 22 further permits the government to exempt any of its agencies from the application of this law on the ground-

  • In the interest of the sovereignty & integrity of India;
  • State’s security;
  • Friendly relations with foreign States;
  • Public order.

OBLIGATIONS OF Data Fiduciary

The DPDP, 22 under section 9 onwards up to section 11 states the obligations of Data Fiduciary. 

  • Under section 9– This provision deals with the general obligations, such as the Data Fiduciary shall be held solely responsible in relation to complying with this law, even in cases wherein the data is processed on behalf of them by Data Processors and/or by another Data Fiduciary.
  • ensuring that the personal data processed is accurate and complete especially when such data is likely to be disclosed to another Data Fiduciary and/or the data processed will be used to make decisions that affects the Data Principal itself.
  • The Data Fiduciary shall also implement both technical and organizational measures with the aim to ensure complete compliance with this law. The Data Fiduciary and Data Processor shall ensure that they take all the possible reasonable measures and safeguards to mitigate potential breach.
  • In an event of a personal data breach, the Data Fiduciary or the Data Processor (as the case may be), shall notify the Data Protection Board along with each affected Data Principal.
  • The Data Fiduciary shall ensure that the personal data of the Data Principal is not retained once the purpose behind such processing is fulfilled, and/or where retention of the data is no more required for any legal/business purpose.
  • The Data Fiduciary is also required to publish the contact details of the data protection officer or the authorised personnel who may answer on behalf of the Data Fiduciary to all such questions/queries posed by the Data Principals pertaining to the processing of their personal data. They are also required to ensure a mechanism is at place that shall focus on grievance redressal.
  • Under section 10– These provisions lay out the additional obligations of the Data Fiduciary pertaining to the processing of children’s personal data.
  • Under the DPDP, 22 for processing of a child’s (anyone who has not completed 18 years of age) personal data, the Data Fiduciary is mandated to seek the parental consent, and only after obtaining the same, they may process the child’s data.
  • Furthermore, a Data Fiduciary shall not process a child’s personal data in scenarios where such processing will likely cause harm to that child.
  • A Data Fiduciary shall not track nor monitor a child’s behviour or direct targeted advertising upon a child.
  • Under section 11–  This provision states the additional obligations of a Significant Data Fiduciary. However, before getting into the obligations, we need to understand who exactly falls under the ambit of a “Significant Data Fiduciary.” 
  • A Significant Data Fiduciary is any Data Fiduciary or a class of data fiduciaries that are notified by the Central Government. They shall be notified based on some factors such as- the amount of personal data that is being processed; the risk of harm that the Data Principals are likely to face; its impact on the integrity & sovereignty, security, and public order of the nation.
  • Furthermore, a Significant Data Fiduciary is required to appoint a Data Protection Officer, and an independent Data Auditor, and is further mandated to take measures such as Data Protection Impact Assessment, etc.

RIGHTS & DUTIES OF Data Principal

The rights and duties of the Data Principal have been laid down in Chapter 3 of the DPDP, 22 starting from section 12 up till section 16. Here is the list of rights mentioned under section 12

  1. The Data Principal shall have the right to seek confirmation from the Data Fiduciary on whether their data has been processed or is being processed by them;
  2. The data subject shall have the right to seek the summary of their data that has been processed or is being processed by the Data Fiduciary;
  3. The Data Principal shall have the right to know with whom all the Data Fiduciary has shared their personal data, along with the categories of personal data that has been shared.

Under section 13– The Data Principal shall have the right to correction and erasure of their personal data that is with the Data Fiduciary.

Under section 14–  The Data Principal shall have the right to seek grievance redressal by registering a grievance with the Data Fiduciary. Moreover, if the Data Principal is not satisfied with the response, or does not receive any response from the Data Fiduciary, then in such scenarios, the Data Principal may register the complaint at the Data Protection Board.

Under section 15– The Data Principal shall have the right to nominate anyone, who shall exercise the rights of a Data Principal under the DPDP, 22 after the death/incapacity of the Data Principal.

Under section 16– The Data Principal is obliged under DPDP, 22 to perform certain duties such as-

  1. Shall ensure that they do not register any false/frivolous complaint with the Data Fiduciary and/or at the Data Protection Board;
  2. Shall not furnish false documents, impersonate another person, and/or suppress information while applying for any document, service, proof of identity, etc.
  3. While exercising their rights under section 13 pertaining to correction and erasure, Data Principal shall furnish verifiable and authentic information.  

DATA PROTECTION BOARD OF INDIA

The DPDP, 22 also proposes to establish a Board i.e., the Data Protection Board of India to pronounce decisions against complaints filed by Data Principals, to impose penalties for non-compliance not exceeding Rs. 500 crores, and perform all such functions as and when notified by the Central Government in due time.

PENALTIES

Here are the financial penalties listed out under schedule 1 of the DPDP, 22 for non-compliance with the provisions of the law.

  1. In an event, wherein the Data Fiduciary or Data Processor fails to take reasonable security measures in order to mitigate/prevent a data breach. For such incidents, a penalty of up to Rs. 250 crores shall be imposed.
  2. Where the Data Fiduciary fails to notify the Data Protection Board & the affected Data Principals about the breach. For such incidents, a penalty of up to Rs. 200 crores shall be imposed.
  3. In an event, wherein the Data Fiduciary fails to comply with the additional obligations pertaining to the processing of a child’s personal data (section 10). For such incidents, a penalty of Rs. 200 crores shall be imposed.
  4. Wherein, the Significant Data Fiduciary fails to comply with the additional obligations mentioned under section 11. In such scenarios, a penalty of up to Rs. 150 crores shall be imposed.
  5. In an event, wherein a Data Principal fails to comply with the duties mentioned under section 16. In such scenarios, a penalty of up to Rs. 10 thousand shall be imposed.
  6. Non-compliance with the provisions of the DPDP, 22 except for those listed above, shall lead to a penalty of up to Rs. 50 crore.

Privacy concerns abound in the official Beijing 2022 Winter Olympics app

March 23, 2023 Leave a comment

Introduction

The 2022 Winter Olympics were held in Beijing, China from 4th Feb-20th Feb 2022. Even before the start of the Winter Olympics 2022, China was being criticised and accused of allegations pertaining to human rights violations and other related controversies globally. Around 180 human rights groups were of the opinion that all the leaders globally and the governments should boycott the Winter Olympics in Beijing as the Chinese government was held solely responsible for the genocide of the minority communities in China. The Canadian government along with the UK and the United States government were the ones who decided to diplomatically boycott the games; this meant that these countries would only send their athletes to be a part of the games, whereas the government delegates and officials won’t either attend the games or be a part of the event.

But was this the only issue raised by the officials?

The other issue that was largely concerning the majority and the same was being discussed everywhere from news channels to even the U.S Olympics and Paralympics committee was related to the ‘privacy’ of the athletes as well as the ones who were planning to attend the games in Beijing.

The catch to this privacy-related issue is that those who were preparing to attend the 2022 Winter Olympics had to compulsorily download a mobile application called “MY2022”. This app had multiple security flaws and resulted in privacy concerns that were very much applicable to both the domestic as well as international athletes along with the ones who were merely attending. 

What is MY2022?

MY2022 is a mobile application that was made a requirement for all the athletes and the attendees of the Winter Olympic Games. The app performs multiple functions right from real-time chat with your contacts along with that video and audio options are also available for the users; users have the option to even share files with each other, as well as the app notifies its users about the weather and news updates. Furthermore, the app is also used to submit health customs information of those who are visiting China from other nations. This includes submitting the user’s passport details, demographic information along with travel, medical history (if any), COVID-19 vaccination status, and lab test results including users’ daily health status.

China’s intention behind collecting this information as per their official statements was to prevent the transmission of COVID-19 and hence was a part of the COVID protocol that was being followed during the Winter Olympics.

It was prescribed that all the athletes and attendees should download the app 14 days prior to their visit to China, and were required to monitor and submit their health information in order to track their health status on a daily basis. Many countries have relied on similar apps in order to track the health status of their citizens and the foreign travelers, especially if we take India as an example here, the app named ‘Aarogya Setu’ was extensively used and is even used today in order to monitor the health status of the people in India.

As per the Chinese government’s guide on the Olympic games, it was discovered that the MY2022 app was created by the Beijing Organising Committee for the 2022 Winter Olympics. However, later through public records and the App Store’s information, it was revealed that the owner of the app is a state-owned company called the ‘Beijing Financial Holding Groups’. continue reading

Impact of Data Breaches on Brand Value

March 23, 2023 Leave a comment

  

Introduction

Do you know what is more important for an entrepreneur or for a company other than profit making? It’s the reputation of that business in the market, in other words- Goodwill or Brand value. Haven’t you heard before that when a company’s representatives or a start-up seeks investment or funding from an investor(s), they have to do a valuation of their business before meeting their potential investors? Surprisingly, even while calculating the valuation of a company, its goodwill or brand value as of that date is also considered.

Since the brand value of a company is an intangible asset and is based on the trust and perception of the end-users or consumers, it becomes quite essential for every business to maintain that trust and relationship with their customers and users in order to be profitable.

Now this trust as discussed above is always at risk, due to factors such as- competition in the market, quality of the service/product offered, privacy issues, and many such other factors could affect the trust and relationship between the business and its customers and users. As the phrase rightly claims- “Customer is the King.” In this day and age, it is easy for businesses to reach out to a wide audience, thanks to the Internet. With the internet, today any business can easily be established and anyone can sell and provide products and services to anyone. 

The only concern or issue  that we tend to neglect is with regard to the privacy of the customers or the users of such products and services. Neglecting this issue could drastically impact the brand value of the business, and in this blog we will discuss privacy concerns that arise from data breaches and how it impacts the brand value.

       Impact of Data Breaches on Brand Value

To understand the current topic we rely on a report published by Infosys, titled, “Invisible Tech Real Impact.” This report takes into account the top 100 most valuable brands and talks about how privacy issues such as data breaches directly impact the brand value of the business. Since the brand value of a company is an intangible asset and is based on the trust and perception of the end-users or consumers, it becomes quite essential for every business to maintain that trust and relationship with their consumers and clients in order to be profitable. With the shift towards a digital economy, consumers globally prefer their privacy over every other concern.

Did you know?

  1. The year 2021 witnessed an increase in data breaches because every business and organization shifted their work to the online mode, which led to such breaches.
  2. There was a sudden hike in the average cost of a data breach after almost 17 years, and the cost rose from US$3.86 million to US$4.24 million on an annual basis. 
  3. The most common data breaches were of users’ credentials being stolen. The average cost of such breaches was US$4.3 million.
  4. Almost 36% of the breaches reported were connected to phishing attacks. Google identified nearly 2 million phishing websites in January 2022.
  5. The year 2021-22 also witnessed a sudden rise in android banking malware.
  6. Even social engineering attacks were at their peak in the year 2021-22.
  1. If we talk about Financial services (Investment banks, Insurance service providers, Credit/Debit card service providers, and Retail banks), it becomes quite obvious that they hold a lot of personal data or personally identifiable information of their customers, and cyber-criminals are often looking for such data. Hence, privacy issues such as phishing with the aim to compromise the users’ account credentials to gain unauthorized access becomes a prevailing concern in the financial sector. The report states that cyberattacks occur 300 times more in this sector. The cumulative value at risk (both monetary loss and loss in brand value) due to such data breaches in this sector is almost as high as $2.6 billion. Whereas, when it comes to traditional banks then the risk is almost up to 16-17% of their brand value.
  1. Technology companies are also at great risk- A recent survey states that 94% of telecom operators and experts confirmed that data breaches would increase with the advent of 5G technologies. Moreover, the cumulative risk including both the monetary and brand value amounts to as high as $29 billion. 53% of which represents the cumulative brand value of these technology companies. 
  1. The next on the list will be Consumer Brands (including- beverages, baby products, personal care, and food). As consumer brands are increasingly adopting the digital pathway, the potential threat to these brands is also rising. With an estimate of up to $4.3 billion at risk due to cyberattacks. As per a leading cybersecurity company’s statements, there has been a rise in cyberattacks against the manufacturers of these consumer goods by seven times in the year 2020-21.
  1. Automotive brands– The auto brands face reputational risk which can go up to 9% of their total brand value.
  1. The Media industry is also exposed to cyber threats, as it operates in the digital space. Hence their users are also exposed to such threats. The potential of such attacks such as disruption of service due to unauthorized access to their users’ accounts and data without their consent is always there. The OTT platform’s potential brand value at risk due to such threats is nearly 60% of its net income. Whereas, for audio streaming platforms the percentage is nearly 400% of their net income.
  1. Business services such as SaaS, Networking services, and other related services. As these services handle a vast amount of corporate data and it is often on the list of cyber-criminals. The cumulative brand value at risk could be high as $3.5 billion, and in some cases, it could be high by 111%. The work-from-home format during the pandemic has also led to an increase in such data breaches in almost 20% of organizations.

Solution: Building a privacy culture and ecosystem

  1. Awareness about digital privacy- The first step to instilling a privacy culture and contributing to the privacy ecosystem of the organization should be taken by the organization’s management. They will have to take the first call to introduce the concept of digital privacy and make this concept familiar to the entire organization through various seminars, conferences, team meetings, campaigns, and conducting many other social events. Nowadays, every organization be it tech or non-tech, consumes a lot of customer data and even their employees’ data too. Hence, it is essential to have a robust privacy ecosystem. This can only be achieved by educating the entire organization about the issues pertaining to data privacy and its impact on the organization’s reputation. 
  1. Understanding the law- The second stage is where the management level members and all the employees from different departments are to be taught about the governing laws regarding data protection & privacy. This stage is more like an extended version of the first stage, as just awareness about data privacy would not impact much. But by teaching them what each data protection law mandates, the technicalities, the compliance requirements, etc. If each employee is equipped with some of the basic privacy skills and knowledge, the organization will soon be privacy ready along with a robust privacy ecosystem.
  1. Training the employees and complying with industry standards- – This is another way of promoting a privacy culture inside an organization by way of training. Training your employees with the relevant skillset is a practice especially followed in the privacy domain today. Moreover, hiring employees with such a skill set is the new trend. It doesn’t matter which position you are applying for, having an additional skill set in privacy is an add-on. There are a few certifications that are recognized as industry standards, and it is considered essential standards of practice in multiple industries today. ISO standards are among them, along with IAPP’s certifications such as CIPP, CIPT, CIPM, etc., are some trending certificates that are seen as relevant in this domain, and people with such certifications have the edge over others.
  1. Investing and developing your security programs and practices- It is quite evident that if the organization has a privacy security program, then the same must be utilized. A security program would help the organization to keep track of all the data that was generated, shared, and used, along with the relevant timelines, the purpose of such data, the retention period, etc. Recording such details about the data in an organization is considered an essential practice, and for such practices to be followed requires investment. Hence, investing in security programs would promote the privacy culture and make the organization’s privacy ecosystem much stronger.   
  1. Choose vendors and other third parties wisely- Another important aspect that an organization should not neglect is to choose vendors and other third parties with whom the organization will share the data, either of their customers or employees.  Everything must be duly recorded, and such transactions should be governed by written contracts with clauses stating obligations upon such vendors and third parties, especially in the event of a data breach or any other potential dispute occurring out of a breach of any of the clauses partially or wholly. 

Conclusion

From the above statistics, we can easily draw the correlation between data breaches and their impact on the brand value of businesses. Every business runs on faith and trust between the business and their users, privacy issues pertaining to data breaches risk not just a handful of their users but every user data becomes a target. This is why countries have been implementing their own federal and state laws on data privacy and consumer safety and businesses are required to comply with those laws if they are processing the personal data of their users. These laws give a wide range of rights to the users such as- right to access to their data, right to deletion/correction of their data, etc.

California Privacy Rights Act & what it’s bringing to the table

March 23, 2023 Leave a comment

Introduction

In 2019, during the Facebook F8 Developer Conference, Facebook (now Meta) CEO- Mark Zuckerberg said something which was never been said before by any big techs, he said: “the future is private.” Based on this statement we can understand it’s not just Facebook alone or any other big techs, who are working in order to come in line with privacy, as privacy is the only hope available for tech companies to survive in this competing market today. We have seen and witnessed the rise in privacy-related concerns raised by millions of people, organizations, activists, lawyers, institutions, and other governmental agencies. This has only been possible due to the recent changes in the market, earlier the concept of privacy and the laws relating to privacy weren’t common, but due to global awareness about data & privacy of the individuals, lawmakers around the world have tried to accommodate legislations on data protection & privacy, one such example is of the General Data Protection Regulation (GDPR). 

The GDPR has truly influenced many nations to formulate their own laws regulating the flow of personal data in and outside their economy. As rightly said, “data is the new oil of the digital economy.” Having a regulation along with a regulatory authority becomes an essential part to monitor and safeguard the rights of the individuals as well as flow of this new oil in this digital era. 

In light of the above, California is one such state in the United States that has been successful in formulating a law on data protection & privacy for the residents of California, it was called the CCPA or California Consumer Privacy Act. It came into effect on 1st January 2020. But what we all need to know about this Act is that in November 2020, the voters in California approved and voted for an amended version of the CCPA and very soon this Act will get replaced by its successor called the CPRA or California Privacy Rights Act. In this blog we will dive into the new legislation i.e., the CPRA  and what all it brings to the table.

What is CPRA?

The California Privacy Rights Act (CPRA) is an extension or a successor to the former law on data protection & privacy also known as the California Consumer Privacy Act (CCPA). The CPRA will be effective from 1st January, 2023. However, some of its provisions have already been in action since 1st January, 2022, such as the consumers’ data collected by businesses and organizations on or after 1st January, 2022, CPRA will apply to such entities. Hence, it is advised that organizations and businesses that fall under the ambit of this new legislation should comply with its requirements starting from 1st January, 2022.

If we compare CPRA to its earlier version- CCPA, then the current Act in some way is more friendly toward small-businesses. Additionally, the CPRA widens the scope of the following-

  1. Consumers under this law get more rights;
  2. Fines for violating the provisions pertaining to children’s privacy have tripled;
  3. Limitation in the use of “sensitive personal information” of the users;
  4. Prevents and restricts businesses and organizations from knowing the users’ geolocation;
  5. Restricts businesses and organizations from profiling the users;
  6. Establishes a new agency- California Privacy Protection Agency, in order to ensure rigorous enforcement of the law;

However, we will be discussing all the new changes brought into this law in the later part of this blog.

CPRA applies to which entities?

The present law- CPRA, applies to only for-profit businesses & organizations that are either located in the State of California or do business with the residents of California. The essential ingredient that needs to be satisfied here is that- even if your business is not located in the State of California but if you have users’ from California, and your business is involved in collecting their data, your business would fall under the ambit of CPRA. Further, any one of the following requirements needs to be fulfilled in order to make sure, that CPRA applies to your business/organization-

  1. The entity needs to have annual gross revenue of $25 million or more;
  2. The entity should be involved in selling, sharing, or buying of 100,000 or more users’ personal information who are residing in California per year;
  3. The entity earns 50% or more of its annual gross revenue by way of sharing or selling the personal information of its California users/customers.

The following entities will also fall under the ambit of the current legislation-

  1. Joint ventures & partnerships- When each business has at least 40% or more interest, in such scenarios, each business/entity who falls under this category will be considered as a separate entity in itself.
  2. Moreover, if any entity/business who wishes to comply with CPRA, may do so, even if such entity doesn’t fulfill the above requirements.
  3. Even commonly controlled entities fall under the ambit of this legislation. Controlled entity is either controlled or controls a covered entity; Shares common branding with such entity; or has access to the covered entity’s consumers’ personal information.

Consumer rights under CPRA

  1. Right to opt-out- Under this new legislation, consumers now have the right to opt-in or opt-out in cases of collection, selling and/or sharing (with the third parties) of their sensitive personal information. Businesses that are involved in selling/sharing personal data with third-parties are required to add a “Do not sell my personal information” link on their homepage of their website. Moreover, businesses will also be required to add a “Limit the use of my sensitive personal information” link to comply with the CPRA’s requirement pertaining to limitation of using consumers’ sensitive information.
  2. Right to correct & delete personal information- The CPRA gives the consumer the right to both correct as well as delete their inaccurate personal information. Entities that fall under the ambit of this law, need to disclose this right to the users/consumers and fix all such errors/mistakes with respect to their personal information after receiving such requests from their users.
  3. Right to access data- Under this new legislation, consumers have the right to access their data by the entities who have collected it, and the time period is not restricted  or limited to 12-months, rather it goes beyond 12-month. The only exception to this right is that if doing so is impossible or requires disproportionate effort by the entity, in such scenarios the CPPA will determine what exactly “disproportionate effort” means as it could vary from case to case basis.
  4. Right to opt-out from automated decision making & profiling- Under this law, consumers have the right to opt-out from being part of both automated decisions & getting profiled by businesses and organizations based on their personal or sensitive personal data. Such organizations and businesses who are into collection of these data must notify the public or their users before such collection and also about how automated decision making works along with how it affects such individuals autonomy.
  5. Private right of action- Under this law, consumers have the right to sue and seek damages from the businesses and/or organizations who have collected their personal data and due to their negligence, the consumers’/users’ data get compromised or breached. In such cases, even an individual has a private right of action against such defaulting business/organization. Especially in cases when such user’s or consumer’s data exposes the following information:
  1. Email & password along with the security question and answer due to which it grants the attacker to easily access the user’s/innocent party’s account.
  2. In cases when the business or the organization is negligent in maintaining proper security standards as it is their responsibility and obligation to ensure reasonable security of the personal data of the consumers.
  3. Minors’ rights- The CPRA also aims to protect the privacy of children, as it specifically mentions that businesses and organizations must seek and obtain explicit consent before collecting, sharing or selling their data, how their data will be used and for how long it will be retained.

Note: Businesses and organizations who willfully neglect this criteria/exception, shall be deemed to have had actual knowledge about the consumer’s age.

Obligations for businesses under CPRA

  1. Reasonable implementation of security measures- The businesses and organizations that fall under the ambit of CPRA, are obliged to maintain and implement reasonable security measures in order to protect the personal information of their customers/users. Further, the businesses and organizations are advised to perform annual cybersecurity checks and are required to send the results to the CPPA for the auditing purpose.
  2. Contractual obligations- Under the CPRA, new obligations have been introduced for businesses that are into sharing, selling and/or disclosing personal data of their users/customers to their contractors/third party service providers, etc. In such scenarios, the business and the contractor/service provider must have a written contract stating the following (but not limited to)-
  1. Stating that the information disclosed or sold by the business to the third-party/service provider is only for limited purposes;
  2. Ensuring that both the contracting parties comply with the CPRA requirements;
  3. The third-party/service provider is obliged to notify the business if they are unable/no longer meet the CPRA compliance obligations;
  4. Lastly, the business has the right to take reasonable measures and actions in case of unauthorized access/use of the personal information.

3. Limited Defenses- The present act imposes certain limitation on the defenses used by the businesses, such as- from now businesses won’t be able to reply on the defense of maintaining and implementing reasonable security practices and procedures after a data breach, as the same won’t be considered as a cure or defense for that breach.

4. Storage limitation & principle of data minimization- These two principles can be seen in the EU’s GDPR. The principle of storage limitation states that an entity or a business should not retain the personal data of its users’ no longer than its intended purpose, and once the purpose is met, the data should be discarded. On the other hand, the principle of data minimization states that a business should limit the collection of personal data and should only collect if its directly relevant and necessary to accomplish a required purpose.

California Privacy Protection Agency

One of the major differences between CCPA & the current legislation- CPRA, is it seeks to establish an independent agency known as the California Privacy Protection Agency (CPPA). This agency will initiate actions through the Administrative Law Court as compared to the earlier privacy legislation in California (CCPA), which gave the state court system the authority to enforce the privacy law. 

Whereas the Administrative Law Court would further provide an independent and neutral hearing, and these hearings would be less formal and more transparent.

The present change further shifts the responsibility to enforce the CPRA to the newly established agency i.e, the CPPA, whereas, for the earlier privacy legislation- CCPA, this responsibility was given to the Office of the Attorney General. The CPPA will also be responsible for educating and awaring the general public about their consumer privacy rights.

Penalties under CPRA 

There is a 3X (times) increase in the penalties as compared to the earlier privacy legislation in California. The entities covered under this legislation could be fined up to $7,500/- per intentional violation and even for violations pertaining to personal information of people under the age of 16. Whereas, for non-intentional violations, entities/businesses could still be fined up to $2,500/-. In the earlier legislation (CCPA), there was a 30-days cure period, wherein, the cure-period automatically starts once there is a charge or allegation against the business stating any kind of violation. However, this has been struck down and cannot be found in this new legislation. 

Moreover, under the CPRA, the agency (CPPA) will now decide regarding the cure period or how much time does the business have to correct such violations. 

Conclusion

From the above discussion, we can clearly draw out all the new features of this latest legislation on data protection & privacy for the State of California. The CPRA will be enforced in 2023, however, some of its provisions are in effect starting from 1st January, 2022. It becomes essential for every business and organization to check whether they fall under the ambit of this new legislation or not. Moreover, the legislation applies to all the personal data/information collected starting from 1st January 2022, making it essential for every business to start complying with all the requirements starting from 2022. 

Apart from checking the applicability and scope of this legislation, businesses are further required to update their privacy policies, review and update their contracts with their vendors and other service providers in compliance with the CPRA, and lastly, by updating their websites, and the method of processing in accordance with the upcoming legislation.

What is DMARC and why it is important for businesses?

October 15, 2022 Leave a comment

Introduction

Today, every business and organization relies and is dependent on two most important things- the Internet & Data. With the emergence of the Internet, and the evolution from Web 1 to Web 2 and now to Web 3, this transition was always accompanied by various challenges, wherein the most concerning issue not just affects businesses, corporations, and governmental agencies, but also individuals, are Cyber-Attacks. 

In this Digital era, trade and communication highly rely on the use of Electronic Mail services (E-mail). As per a recent report by Statista, over 333 billion emails are delivered and sent each day. Moreover, 90% of the cyber-attacks on businesses and organizations are achieved through Phishing, Spamming & Spoofing over E-mails.

E-mail security threats are real and could cost businesses and organizations hefty losses, if not treated. How? Well, since electronic communications are the preferred way to connect with potential clients and consumers. If businesses fail to focus on e-mail security, it would be easy for an attacker to impersonate your business and send malicious mail to your clients and consumers. 

The present study will help you understand the relevance of e-mail security and the threats pertaining to it, along with the solution that every business must ensure to take.

Case Study

The sole purpose of this case study is to bring awareness about the seriousness of cyber-attacks via e-mail on businesses and their clients in cases where e-mail security is not dealt with care. For this case study, we won’t be naming any company.

ABC Pvt Ltd, an e-commerce company based in India markets its products to its potential buyers via e-mail. The e-commerce company also relies on e-mails for sending daily discounts and fashion trends to its subscribers. 

However, the e-commerce company was later informed by multiple sources and complaints that cyber-attackers were sending phishing e-mails and impersonating the e-commerce company which led to multiple cybercrimes. It was also later observed that all the actual e-mails that were sent by the e-commerce company itself were never delivered to their subscribers, instead multiple ISPs blacklisted all the domains of the e-commerce company.

It is essential to note here that phishing e-mails/attacks like these could be convincing to your clients and it would be hard for your clients to spot the difference between the original company and the scammer, which would eventually make your client fall into such phishing scams. This would further cause huge damage to the company’s brand image, and trust among its users/customers and potential clients, and its domain reputation would get affected due to such cyber-attacks.

 Now, in such scenarios, where the company itself doesn’t know about such security breaches due to lack of visibility or low visibility, which makes it tough to investigate such cyber-attacks or phishing in general. 

What are the remedies available and how will a business resolve this security breach and protect itself from such potential security threats?

Solution

The answer to the above case study is by implementing DMARC. Let’s understand what DMARC means, right from the basics.

What is DMARC?

DMARC or Domain-based Messaging Authentication, Reporting, and Conformance is a protocol/system that helps in authenticating e-mails and further protects the business’s domain from e-mail security threats/breaches such as spoofing, phishing, etc.

Let’s try to understand how DMARC works, exactly.

The DMARC constitutes of two main techniques and is essentially built on those verification techniques, they are-

1.         SPF or Sender Policy Framework; and

2.         DKIM or Domain Keys Identified Mail

Let’s try to further simplify these verification techniques in order to understand and get an overview of DMARC.

·      SPF is an e-mail authentication standard and is used as an industry practice concerning e-mail security. It allows only the authorized Senders of the Domain to send e-mails and further blocks others who are listed as the authorized senders of the domain. 

·      Here is what happens, when you as a Business implement SPF-

a.     You are required to publish all the authorized IP addresses that may send e-mails from your domain.

b.    Now, what happens next is that when an entity receives your e-mail, the server does a crosscheck to see whether the IP address matches your published list.

c.     If it matches, then such communications land in the inbox. On the other hand, if it doesn’t match, such an e-mail gets rejected straightaway by the e-mail server. Hence, ensuring and preventing phishing and other cyber threats.

d.    However, unfortunately, hackers have come up with multiple different ways to fool and bypass SPF technology. The only way to make effective use of and rely on SPF technology is by implementing DMARC.

DMARC is simply incorporating SPF technology along with DKIM.

·      The DKIM technology helps in creating a digital signature, which simply put the onus on the e-mail sender over the message that is shared across. The digital signature further guarantees that the content of the message sent has not been altered or modified. 

·      This technology is based on cryptography, which in simple terms means it creates a pair of keys (Public & Private keys) that are then used to verify the authenticity of the e-mail.

·      With the Private key, the e-mail is signed and when the receiving server receives the e-mail, it then verifies the same with the Public key.

This is how DMARC functions, and further shares detailed reports pertaining to failed e-mail authentication with the domain owner.

How does DMARC protect your Domain Reputation?

If your business has implemented DMARC, it will prevent and protect the customers and clients from phishing, spoofing, and other related security threats. We need to understand, that these malicious e-mails not just impact your information management system or cause data breaches, rather your domain may get blacklisted by multiple ISPs, which would straightaway impact your domain reputation along with that it breaks the trust of your customers since their data is at stake.

Comparing the stance on Protection of Non-Personal Data in India and EU

March 22, 2022 Leave a comment

First published on Tsaaro

Introduction & timeline of data protection in India

It is true that soon every business will become a tech business as “data” will be the new source of income. Managing and dealing with data of so many people by businesses and organisations, large or small, cannot be as easy as you may think. Leaving this area unregulated could lead to a global crisis from human rights violation to economic domination in the market, leading to endless privacy and cyber-crimes. Hence, regulating this area should be the prime focus of our nation’s government and any other country’s government where there is no privacy regulation. India recognised “privacy” as a fundamental right back in 2017 in a landmark decision passed by the Supreme Court in Justice K S Puttaswamy v. Union of India.

Right after the declaration of the “right to privacy” as a fundamental right, in July 2017, a Committee of Experts was constituted under the leadership of…continue reading

Aarlin Moncy: Discussing Law & Technology

April 27, 2020 Leave a comment

Hello everyone! I am yours truly, LawyerStrange, aka Aarlin Moncy!

Thank you for visiting my page. Here, you will find blogs and video content on topics (but not limited to) such as- Data protection & Privacy, Cyber law, Constitutional law, contract law, movies and comics.

But the idea is to make this platform an exclusive page for Technology Law. Help me in this journey to build a community for tech & comic geeks. Let’s grow together.

Feel free to contact me and do share your suggestions.

Thanks again!

Stay safe and Take care!