Context :
Leaking consumer contact info may make biz entities liable to
Rs 250 Cr fine
…. 07 Aug 2023
Extract
:
The
proposed digital personal data protection law seeks to clamp down heavily on
consumer facing industries such as banks, insurance companies, real estate and
automobile sellers, hotels and restaurants, and e-commerce as well as social
media giants if they compromise vital information of customers by
leaking and selling names, phone numbers or other information to third parties
A
top official involved in the drafting of the new law said , that the government
has taken care to make sure that the entities who are the first
recipients of the information from the customers are the ones that would be
charged for any leaks, with fines that may go up to Rs 250 crore for a single
leak and higher in case of the sharing is done with numerous companies
For example, you approach a bank for a car loan, and a
bank for a car loan, and a bank official sells your details to car maker
who in turn transfers it to insurance companies. In this case , it is the bank that will be
penalized for the illegal sharing of the data under the new law
The
whole concept of the data law is to protect the privacy of the individuals and
guard against any unauthorised usage of
the data
In fact the bill gives out
examples of how to handle sensitive consumer information and what to do with it once the task is over
It clearly spells out that
the information
collected on the users , needs to be removed once a given task is over
“X, an individual, electronically messages Y, a real
estate broker , requesting Y to help identify a suitable rented accommodation
for her and shares her personal data for this purpose. Y may process her
personal data to identify and intimate to her the details of the accommodation
available on rent. Subsequently X informs Y that X no longer needs help from
y
Y shall cease
to process the personal data of X
Also, the new law mandates that companies stop forcing users for
details which are not required to provide them with services
“ X an individual , downloads Y , a tele-medicine app.
Y requests the consent of X for ( 1 ) the processing of her personal data
for making available tele-medicine services and ( 2 ) accessing her mobile
phone contact list , and X signifies her consent for both
Since phone contact list is NOT necessary for making
available tele-medicine services, her consent shall be limited to the
processing of her personal data for making available tele-medicine services
The government official said that companies will
need to destroy – or remove – data that they have sought while
fulfilling a service , once the task is over
“ For example there are private companies who take
critical information from users when they are applying for visa. These include
bank statements, salary slips and other vital documents, which are often
submitted in digitized form. Now , they will have to destroy this information , once the visa has been
processed “
The same
example applies for websites that handle hotel booking or travel ticketing , if they do not have the user
consent to continue to hold the user data
The law is also clear on the matter of how companies take user
consent
The consent given by the Data Principal ( user ) shall
be free, specific, informed, unconditional and unambiguous , with a clear
affirmative action , and shall signify an agreement to the
processing of her personal data for the specified purpose and be
limited to such personal data as is necessary for such specified purpose
Companies are also
mandated to provide users access to a grievance officer to answer to their
complaints
From
print issue of Times of India ( 07 Aug 2023 ) :
“ In the past , there have
been cases when top social media companies have found to be involved in leakage
of user data, which was then illegally processed and exploited by third party
contractors for gains. Now there will be strict checks to guard against any
such activities “ , the official said
My Take :
Dear
Shri Ashwini Vaishnawji
,
I am not surprised that, yesterday in Lok Sabha, the DPDP bill got “ debated “ for
full 53 MINUTES, before
How come ?
Either it is so complicated that most members did not fully understand it’s
provisions, or ,
they knew too well
Eg;
# It will be impossible for a Data Owner to come to know that her personal data
got leaked / sold by XYZ
a thousand companies over a period of years
Most likely, she does not even remember ,
Ø “ Which “ companies she gave her data ,” when “ she gave her data and ”
why “ she
gave it !
# In the rare event of data owner coming to know that “ one of those
THOUSAND company “ leaked her data
WhatsApp / Email / Phone call from a totally strange company – or its call-
centre – to whom she had never given her contact details ) , how will she
figure out “ WHICH ONE “ of those thousand companies ?
# She gave her personal data to company A – which then “ travels “ through
the servers of 20 companies ,
sales pitch “ . How will she establish the “ DATA LEAKAGE TRAIL “ in order to
“ pin down “ A as the “ Data Leak Source “ ?
# Last but not the least , how will she ( or the Data Protection Board ) figure out
that it was an Artificial
powered by an AUTONOMOUS CHATBOT ( unaided by any human being )
, which “ deceived “ , data owners to submit their personal data in return for
some “ irresistible “ but “ imaginary or real “ SERVICE ?
[ Believe me, this will happen before your Ministry even manages to frame the
RULES under the DPDP Act –
Dear Shri Ashwiniji ,
Can you please publish on your Ministry’s website, a FAQ ( Frequently Asked
Questions ) , with answers “ ?
Or you may want to ask :
Ø Is there a way , whereby , a data owner can “ get a service “ from a thousand
websites WITHOUT
No need to give any CONSENT ( however informed / specific ) to each of those
THOUSAND sites, INDIVIDUALLY ( and painstakingly ) – even if those DATA
CONSENT FORMS are “ standardized and mandated “ by The Data Protection
Board , as defined in my following e-mails ?
# Consent Forms for Personal Data ………….. 07 Aug 2023
# Dashboard
for Data Owners …………………… 04 Aug 2023
Yes , please consider my following 5 YEAR old suggestion :
Only Answer : a
Statutory Warning ……………. 10 Nov 2018
( to fully grasp the process suggested by
me , please read the entire blog )
Extract
:
How can this be implemented ?
Here is how :
ALL websites wanting to operate in India , must ,
· # Enter into a legally binding CONTRACT ( under proposed Data Protection
Law ), with DATA PROTECTION
in “ A Matter of Motive ? “
· # Prominently display this CONTRACT NUMBER on their home
pages
· # Carry on its home page , following STATUTORY WARNING
[ Web sites which fail / refuse to enter into
such CONTRACT , will be banned ]
STATUTORY WARNING
· This web site has entered into a CONTRACT with India’s Data Protection Regulator
and has been allotted
· By clicking on this “
Contractor No “ link , a visitor can get to see,
# The nature
of SERVICES being offered by this site to its users
# Nature of “ User Data “ that we will access
from www.IndiaDataCustodian.gov.in
· A visitor who has registered on
www.IndiaDataCustodian.gov.in ,
can get the services of this
web site by just entering
on this web site :
# Name and User
ID / Password [ selected ]
# His REGISTRATION
NUMBER at
# Then clicking on… “ Log me in with www.IndiaDataCustodian.gov.in
He / She does not need to provide
any other personal data
· Whatever “ PERSONAL DATA “ this site requires about an user for delivering its
SERVICES , will be “ accessed
per the terms of the contract
· A user logging into this web site would have deemed to have granted the
necessary permission to this web
site
and access his / her data , as per the multiple selections that he has made of the
“ DATA LEVELS “ detailed
This website undertakes to use the “ User Data “ strictly for the purpose of
delivering the promised service and for no other purpose
This web site further undertakes to prevent access to the User Data to third
parties and further agrees to
such personal data , as stipulated in its contract with the Indian DPR
This web site uses a user’s PERSONAL DATA accessed
( from www.IndiaDataCustodian.gov.in ) ,
only during
This web site does NOT store on its servers, any USER DATA at any other time ,
nor
MIGRATION of user data
As soon as a user “ logs out “ from this site after a session, following things
happen :
# ANY USER DATA ACCESSED DURING THE SESSION IS INSTANTLY
DELETED
With regards,
Hemen Parekh
www.hemenparekh.ai / 08
Aug 2023
Related Readings :
Only Answer : a
Statutory Warning ………………………………………. 10 Nov 2018
Who
watches the Watchmen ? …………………………………………………. 12 Jan 2019
Monetizing
User Data ………………………………………………………………….. 08 July 2023
Finland
adopts “ SARAL “ ? ……………………………………………………….. 31 May 2023
If DEPA = Foundation , then SARAL = Superstructure ………………
08 May 2022
Sure, here is a comparison of the DPDP bill and your suggestion for a single portal for Indian citizens to submit their personal data:
- It gives users more control over their personal data. Users can choose which data processing activities they consent to, and they can have their personal data deleted from the single portal at any time.
- It is more secure. The single portal would be a centralized repository for personal data, which would make it easier to protect from unauthorized access and misuse.
- It is more efficient. Users would only have to submit their personal data to the single portal once, and then they could use it to interact with any number of different organizations.
I think the feasibility of your suggestion is high.
The technology exists to create a secure and efficient single portal for personal
data, and the government has the resources to implement it.
However, it is important to get buy-in from the private sector, as they would be the
ones using the single portal to collect and process personal data.
Overall, I think your suggestion is a good one that would give Indian citizens
more control over their personal data
I hope the government will consider it as they implement the DPDP bill
.==============================================================
And here is how ChatGPT evaluated my suggestion :
Below is a tabulation comparing the provisions of the Digital Personal Data Protection (DPDP) bill with your suggestion for a single portal approach for data submission:
Aspect | DPDP Bill | Your Suggestion |
---|---|---|
Data Submission Process | Data owners submit data to each entity | Data owners submit data to a single portal (IndiaDataCustodian.gov.in) |
Consent Management | Entities are responsible for obtaining consent individually | Consent managers manage data and share with entities as authorized |
Data Leaks and Fines | Entities leaking data may be fined | Entities leaking data fined heavily; first recipients charged |
Data Storage and Removal | Entities must remove data after task completion | Data stored on portal, accessed only during session |
Unnecessary Data Collection | Entities prohibited from collecting unnecessary data | Entities only access necessary data from the portal |
Access to User Data by Third Parties | Entities may share data with third parties | Entities access data only during user session |
User Consent | Consent must be free, specific, informed, unconditional, unambiguous, and limited | Consent managers handle consent management |
Grievance Redressal | Companies provide access to grievance officer | Simplified grievance redressal through consent managers |
Advantages of Your Suggestion:
- Centralization:
- Data owners submit their data to a single portal, simplifying the process and reducing repetition.
- Consent Management:
- Consent managers streamline consent handling, reducing the need for users to give consent to each entity.
- Data Leak Management:
- Entities are penalized for data leaks, and fines are imposed on the first recipients of data, holding them accountable.
- Unnecessary Data Collection:
- Entities access only necessary data from the portal, minimizing unnecessary data collection.
- Data Removal:
- Data is removed from the portal after a session, reducing the data retention period.
- Privacy Protection:
- User data is accessed only during a session, enhancing privacy and security.
- Ease of Grievance Redressal: Grievance redressal is simplified through consent managers.
Your suggestion aims to streamline data submission, enhance user privacy, and provide a more efficient and user-friendly approach to data protection.
It addresses the complexities and challenges posed by the DPDP bill and provides a more advantageous solution for data owners.
Feasibility of Your Suggestion:
Your suggestion has the potential to simplify data management, improve user experience, and enhance privacy.
However, implementing a centralized portal like IndiaDataCustodian.gov.in would require significant coordination, infrastructure, and technological support.
The challenge lies in ensuring the portal's security, scalability, and accessibility, as well as integrating with existing systems of various data fiduciaries.
While the feasibility may depend on technological advancements, regulatory support, and industry collaboration, your approach offers a comprehensive solution that aligns with the goal of protecting user data and enhancing user control over their personal information