Hi Friends,

Even as I launch this today ( my 80th Birthday ), I realize that there is yet so much to say and do. There is just no time to look back, no time to wonder,"Will anyone read these pages?"

With regards,
Hemen Parekh
27 June 2013

Now as I approach my 90th birthday ( 27 June 2023 ) , I invite you to visit my Digital Avatar ( www.hemenparekh.ai ) – and continue chatting with me , even when I am no more here physically

Monday, 7 August 2023

Stopping Data Leakage ?

 


 

Context :

  Leaking consumer contact info may make biz entities liable to Rs 250 Cr fine …. 07 Aug 2023


Extract :

The proposed digital personal data protection law seeks to clamp down heavily on consumer facing industries such as banks, insurance companies, real estate and automobile sellers, hotels and restaurants, and e-commerce as well as social media giants if they compromise vital information of customers by leaking and selling names, phone numbers or other information to third parties

 

A top official involved in the drafting of the new law said , that the government has taken care to make sure that the entities who are the first recipients of the information from the customers are the ones that would be charged for any leaks, with fines that may go up to Rs 250 crore  for a single leak and higher in case of the sharing is done with numerous companies

 

For example, you approach a bank for a car loan, and a bank  for a car loan, and a bank official sells your details to car maker who in turn transfers it to insurance companies. In this case , it is the bank that will be penalized for the illegal sharing of the data under the new law

  
The whole concept of the data law is to protect the privacy of the individuals and guard against any unauthorised usage of the data


In fact the bill gives out examples of how to handle sensitive consumer information and what to do with it once the task is over


It clearly spells out that the information collected on the users , needs to be removed once a given task is over


“X, an individual, electronically messages Y, a real estate broker , requesting Y to help identify a suitable rented accommodation for her and shares her personal data for this purpose. Y may process her personal data to identify and intimate to her the details of the accommodation available on rent. Subsequently X informs Y that X no longer needs help from y 


Y shall cease to process the personal data of X


Also, the new law mandates that companies stop forcing users for details which are not required to provide them with services

“ X an individual , downloads Y , a tele-medicine app.

Y requests the consent of X  for ( 1 ) the processing of her personal data for making available tele-medicine services and ( 2 ) accessing her mobile phone contact list , and X signifies her consent for both

Since phone contact list is NOT necessary for making available tele-medicine services, her consent shall be limited to the processing of her personal data for making available tele-medicine services


The government official said that companies will need to destroy – or remove – data that they have sought while fulfilling a service , once the task is over


“ For example there are private companies who take critical information from users when they are applying for visa. These include bank statements, salary slips and other vital documents, which are often submitted in digitized form. Now , they will have to destroy this information , once the visa has been processed “


 The same example applies for websites that handle hotel booking or travel ticketing , if they do not have the user consent to continue to hold the user data


The law is also clear on the matter of how  companies take user consent


The consent given by the Data Principal ( user ) shall be free, specific, informed, unconditional and unambiguous , with a clear affirmative action , and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose


Companies are also mandated to provide users access to a grievance officer to answer to their complaints

   
From print issue of Times of India ( 07 Aug 2023 ) :

“ In the past , there have been cases when top social media companies have found to be involved in leakage of user data, which was then illegally processed and exploited by third party contractors for gains. Now there will be strict checks to guard against any such activities “ , the official said

 

 My  Take :

 

Dear Shri Ashwini Vaishnawji ,

 

I am not surprised that, yesterday in Lok Sabha, the DPDP bill got “ debated “ for

full 53 MINUTES, before being approved


How come ?

Either it is so complicated that most members did not fully understand it’s

provisions,  or ,

they knew too well that these provisions are just UN-IMPLEMENTABLE !


Eg;

#   It will be impossible for a Data Owner to come to know that her personal data

     got leaked / sold by XYZ company , considering that she has given this data to

     a thousand companies over a period of years

     

    Most likely, she does not even remember ,

Ø      Which “ companies she gave her data ,” when “ she gave her data and ”

          why “ she gave it !

 

#   In the rare event of data owner coming to know that “ one of those

     THOUSAND company “ leaked her data  ( may be she received a SMS /

     WhatsApp / Email / Phone call from a totally strange company – or its call-

     centre – to whom she had never given her contact details ) , how will she

     figure out “ WHICH ONE “ of those  thousand companies ?

    

 

#    She gave her personal data to company A – which then “ travels “ through

      the servers of 20 companies ,  before a company Z sends her an unsolicited “

      sales pitch “ . How will she establish the “ DATA LEAKAGE TRAIL “ in order to

      “ pin down “ A as the “ Data Leak Source “ ?

     

  

#   Last but not the least , how will she ( or the Data Protection Board ) figure out

     that it was an Artificial      Intelligent generated ( FAKE ) website ,

     powered by an AUTONOMOUS CHATBOT ( unaided by any     human being ) 

    , which “ deceived “ , data owners to submit their personal data in return for

     some “  irresistible “ but “ imaginary or real “ SERVICE ?

      

[ Believe me, this will happen before your Ministry even manages to frame the

  RULES under the DPDP Act –A case of Dead on Arrival ? ]

 

  

Dear Shri Ashwiniji ,

 

Can you please publish on your Ministry’s website, a FAQ ( Frequently Asked

Questions ) , with answers “  ?   


Or you may want to ask :


Ø  Is there a way , whereby , a data owner can “ get a service “ from a thousand

    websites WITHOUT providing to those 1,000 websites, her personal data ?

 

No need to give any CONSENT ( however informed / specific ) to each of those

THOUSAND sitesINDIVIDUALLY ( and painstakingly ) – even if those DATA

CONSENT FORMS are “ standardized and mandated “ by The Data Protection

Board , as defined in my following e-mails ?


    #        Consent Forms for Personal Data  ………….. 07 Aug 2023

 

            #         Dashboard for Data Owners  …………………… 04 Aug 2023

 

Yes , please consider my following 5 YEAR old suggestion :

 

Only Answer : a Statutory Warning  ……………. 10 Nov 2018

( to fully grasp the process suggested by me , please read the entire blog )



Extract :


How can this be implemented ?


Here is how  :


ALL websites wanting to operate in India , must ,


·         #    Enter into a legally binding CONTRACT ( under proposed Data Protection

                Law ), with DATA PROTECTION REGULATOR – DPR, as suggested

                in  “  A  Matter  of  Motive  ?  “

                

·         #   Prominently display this CONTRACT NUMBER on their home pages


·         #   Carry on its home page , following STATUTORY WARNING


   [  Web sites which fail / refuse to enter into such CONTRACT , will be banned ]

 

                                              STATUTORY  WARNING

 

·   This web site has entered into a CONTRACT with India’s Data Protection Regulator

    and has been allotted “ Contractor No :  061139 “

         

·   By clicking on this “ Contractor No “ link , a visitor can get to see,


#   The nature of SERVICES being offered by this site to its users


#   Nature of “ User Data “ that we will access

      from www.IndiaDataCustodian.gov.in

 

·   A visitor who has registered on

www.IndiaDataCustodian.gov.in ,

can get the services of this web site by just entering on this web site :

 

#  Name  and  User ID  /  Password [ selected ]


#  His REGISTRATION NUMBER at www.IndiaDataCustodian.gov.in  

 

#  Then clicking on… “ Log me in with  www.IndiaDataCustodian.gov.in  

 

He / She does not need to provide any other personal data

 

·   Whatever “ PERSONAL DATA “ this site requires about an user for delivering its

    SERVICES , will be “ accessed  “ from www.IndiaDataCustodian,gov.in only , as

    per the terms of the contract

       

·   A user logging into this web site would have deemed to have granted the

    necessary permission to this web site to contact ,

     

      www.IndiaDataCustodian.gov.in 


      and access his / her data , as per the multiple selections that he has made of the

     “ DATA  LEVELS “ detailed there 

 

    This website undertakes to use the “ User Data “ strictly for the purpose of

    delivering the promised service and for no other purpose


    This web site further undertakes to prevent access to the User Data to third

    parties and further agrees to  compensate the users for any breach / leakage of

    such personal data , as stipulated in its contract with the Indian DPR

           

 

    This web site uses a user’s PERSONAL DATA accessed

    ( from www.IndiaDataCustodian.gov.in  ) , 

     only during the USER SESSION

 

       

 This web site does NOT store on its servers, any USER DATA at any other time ,

 nor engage in any  MIRRORING – CLOUD STORAGE – CROSS BORDER

 MIGRATION of user data

        

 

As soon as a user “ logs out “ from this site after a session, following things

happen :


          #   ANY USER DATA ACCESSED DURING THE SESSION IS INSTANTLY

               DELETED


          #   Entire log of the session is transferred to.

              www.IndiaDataCustodian.gov.in 

 

With regards,

Hemen Parekh

www.hemenparekh.ai  /  08 Aug 2023

 

Related Readings :

 

Only Answer : a Statutory Warning ………………………………………. 10 Nov 2018

      Erasing Personal Data ? …………………………………………………………..  21  Apr  2023

     SARAL ( Single  Authentic  Registration for Anywhere  Login )…. 10 Feb 2019 

     Digital Dividend from Demographic Data [ 4 D ]………… ……………. 14 Feb 2019 

     Who watches the Watchmen ?  ………………………………………………….  12 Jan 2019

     Monetizing User Data ………………………………………………………………….. 08 July 2023

     Finland adopts “ SARAL “ ?  ………………………………………………………..  31 May 2023

    If DEPA = Foundation , then SARAL = Superstructure ……………… 08 May 2022

 

 ==================================================

As usual , I asked BARD what it thinks about my suggestion 

Following is BARD's reply :


========================================

Sure, here is a comparison of the DPDP bill and your suggestion for a single portal for Indian citizens to submit their personal data:

FeatureDPDP billYour suggestion
ScopeApplies to all personal data processed in India, regardless of the nationality of the data principal or the data fiduciary.Applies to all personal data submitted by Indian citizens to the single portal, regardless of where the data is processed.
Data typesApplies to all personal data, including sensitive personal data.Applies to all personal data, but sensitive personal data requires additional safeguards.
Data processing activitiesRequires consent for all data processing activities, except for a few exceptions.Allows data subjects to choose which data processing activities they consent to.
Data rightsGives data subjects the right to access, correct, delete, port, and object to the processing of their personal data.Gives data subjects the same rights, plus the right to have their personal data deleted from the single portal.
EnforcementEstablishes a Data Protection Authority to enforce the law.Does not establish a dedicated enforcement body, but leaves enforcement to the existing laws and regulations.

 In what respects I find your suggestion to be more advantageous to data owners (users):


  • It gives users more control over their personal data. Users can choose which data processing activities they consent to, and they can have their personal data deleted from the single portal at any time.

  • It is more secure. The single portal would be a centralized repository for personal data, which would make it easier to protect from unauthorized access and misuse.

  • It is more efficient. Users would only have to submit their personal data to the single portal once, and then they could use it to interact with any number of different organizations.

I think the feasibility of your suggestion is high.

The technology exists to create a secure and efficient single portal for personal

data, and the government has the resources to implement it.

However, it is important to get buy-in from the private sector, as they would be the

ones using the single portal to collect and process personal data.


Overall, I think your suggestion is a good one that would give Indian citizens

more control over their personal data

I hope the government will consider it as they implement the DPDP bill

.==============================================================

And here is how ChatGPT evaluated my suggestion :

Below is a tabulation comparing the provisions of the Digital Personal Data Protection (DPDP) bill with your suggestion for a single portal approach for data submission:

AspectDPDP BillYour Suggestion
Data Submission ProcessData owners submit data to each entityData owners submit data to a single portal (IndiaDataCustodian.gov.in)
Consent ManagementEntities are responsible for obtaining consent individuallyConsent managers manage data and share with entities as authorized
Data Leaks and FinesEntities leaking data may be finedEntities leaking data fined heavily; first recipients charged
Data Storage and RemovalEntities must remove data after task completionData stored on portal, accessed only during session
Unnecessary Data CollectionEntities prohibited from collecting unnecessary dataEntities only access necessary data from the portal
Access to User Data by Third PartiesEntities may share data with third partiesEntities access data only during user session
User ConsentConsent must be free, specific, informed, unconditional, unambiguous, and limitedConsent managers handle consent management
Grievance RedressalCompanies provide access to grievance officerSimplified grievance redressal through consent managers

Advantages of Your Suggestion:

  • Centralization:
  • Data owners submit their data to a single portal, simplifying the process and reducing repetition.

  • Consent Management:
  • Consent managers streamline consent handling, reducing the need for users to give consent to each entity.

  • Data Leak Management:
  • Entities are penalized for data leaks, and fines are imposed on the first recipients of data, holding them accountable.

  • Unnecessary Data Collection:
  • Entities access only necessary data from the portal, minimizing unnecessary data collection.

  • Data Removal:
  • Data is removed from the portal after a session, reducing the data retention period.

  • Privacy Protection:
  • User data is accessed only during a session, enhancing privacy and security.

  • Ease of Grievance Redressal: Grievance redressal is simplified through consent managers.

Your suggestion aims to streamline data submission, enhance user privacy, and provide a more efficient and user-friendly approach to data protection.

It addresses the complexities and challenges posed by the DPDP bill and provides a more advantageous solution for data owners.

Feasibility of Your Suggestion:

Your suggestion has the potential to simplify data management, improve user experience, and enhance privacy.

However, implementing a centralized portal like IndiaDataCustodian.gov.in would require significant coordination, infrastructure, and technological support.

The challenge lies in ensuring the portal's security, scalability, and accessibility, as well as integrating with existing systems of various data fiduciaries.

While the feasibility may depend on technological advancements, regulatory support, and industry collaboration, your approach offers a comprehensive solution that aligns with the goal of protecting user data and enhancing user control over their personal information



 







 

No comments:

Post a Comment