Why Deny Adequacy Status To India?

It’s surprising that India has not been granted adequacy status under GDPR for so long, and our entire industry is satisfied that this is due to India not having strong data protection laws in place.
An adequacy decision is crucial from a business perspective because adequacy status permits cross-border data transfer outside the EU, or onward transfer from or to a party outside the EU, without further authorisation from a national supervisory authority. This in turn boosts the economy and could provide an advantage to Indian companies dealing with the EU. Adequacy status will boost the Indian economy further and will make the Hon. Prime Minister's dream of India becoming a 5 trillion economy in the coming future a reality.
I strongly believe that India’s case for adequacy was not properly argued on merits and that the industry left it to the mercy of the EU authorities to grant such status rather than commanding the same.
Let us first check relevant provisions of GDPR for adequacy.
Art. 45 GDPR speaks about transfers on the basis of an adequacy decision:
1. A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection.
India has had the Information Technology Act in place since 2000, and Section 43A was introduced after the amendment in 2008. Section 43A was more than sufficient to fulfil this requirement of an adequate level of personal data protection.
Section 43A – Compensation for failure to protect data. –
Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.
“Reasonable security practices and procedures” were defined as security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.
(iii) “Sensitive personal data or information” means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.
So a careful reading of Section 43A reveals that the GDPR requirement regarding an adequate level of protection was already catered for. Organisations were mandated to follow reasonable security practices, either those framed by the Government of India or the best practices in the industry. Also, by defining sensitive personal data, the law left no ambiguity about the focus of the provision. The focus was to provide adequate protection to sensitive personal data held by organisations involved in handling, processing or storing that data. Additionally, Indian law has made provision for monetary compensation in case any organisation fails to protect the data, and hence the provisions for data protection were properly and adequately addressed.
It was also clarified by GDPR that when assessing the adequacy of the level of protection, the Commission shall take account of the following elements:
1) The rule of law
2) Respect for human rights and fundamental freedoms
3) Relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law
4) The access of public authorities to personal data, as well as the implementation of such legislation
5) Data protection rules
6) Professional rules
7) Security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation
8) Case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred.
If these additional 8 principles are also analysed, in my view India does not fall short in complying with all these requirements. India being the largest democracy in the world, its track record over the last 75 years shows that the rule of law is supreme in India. India is also a signatory to the Universal Declaration of Human Rights. The Indian constitution is greatly influenced by the Universal Declaration of Human Rights, 1948.
As regards the availability of sectoral and general regulations, the Information Technology Act has been in place since 2000, and Section 43A, which specifically addressed data protection, has been present since 2008. Sections 69, 69A and 69B dealt with interception of messages and decryption of messages for public safety and national security.
Section 43A was adequate to provide a data protection framework. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 added more provisions for data protection, and hence the IT Act became stronger as regards data protection.
The Adjudicating Officers, as well as appellate authorities in the form of TDSAT, were well placed, and hence the judicial framework was also in place.
So, it can be well argued that as regards adequacy status, India has fair or comparatively higher chances of attaining the same.
As regards the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States, I see no reason why this procedural requirement could not be complied with.
Had India offered itself to the EU Commission for adequacy assessment, I am sure that India would have attained, and can still attain, the same. And even after its assessment, there could be some suggestions regarding the adequacy level of protection, which could have been easily implemented.
So, it’s my humble submission that the Indian IT industry has not made out a strong case for adequacy status, for reasons best known to them only.

Comments and debates are welcome for the better understanding of one and all.

Dr Mahendra Limaye
The author holds a Doctorate in Law, practises in the specialised domain of Cyber Litigation and is an FDPPI certified Data Privacy Professional.

What is Cyber Forensic

In today’s interconnected world, where digital technology permeates every aspect of our lives, the need for cybersecurity has never been more pressing. As businesses and individuals increasingly rely on digital platforms and data storage, the potential for cyber threats and criminal activities has grown exponentially. In this landscape, cyber forensics emerges as a vital tool in the fight against cybercrime. This blog explores the significance of cyber forensics, its methodologies, and its crucial role in safeguarding digital environments.

  1. Understanding Cyber Forensics: Cyber forensics, also known as digital forensics, is the process of collecting, analyzing, and preserving electronic evidence to investigate and prevent cybercrime. It involves the use of specialized techniques and tools to uncover digital trails left by cybercriminals, helping law enforcement and cybersecurity professionals understand the nature of an attack and identify those responsible.
  2. Key Objectives of Cyber Forensics:
    • Incident Response: Cyber forensics plays a pivotal role in responding to cybersecurity incidents. It helps organizations identify the source and extent of a breach, enabling them to contain the incident promptly.
    • Evidence Collection and Preservation: The proper collection and preservation of digital evidence are crucial for legal proceedings. Cyber forensics ensures that evidence is admissible in court and maintains its integrity throughout the investigation process.
  3. Cyber Forensics Methodologies:
    • Live Analysis: Examining active systems and networks to gather real-time information about ongoing cyber threats.
    • Static Analysis: Analyzing digital artifacts in a controlled, non-active environment to identify patterns and anomalies.
    • Network Forensics: Investigating network traffic to trace the source and impact of cyber attacks.
    • Memory Analysis: Scrutinizing the volatile memory of a system to uncover malicious activities that might not be stored on disk.
  4. Challenges in Cyber Forensics: Despite its critical role, cyber forensics faces various challenges, including encryption, anonymization tools, and the rapid evolution of cyber threats. Staying ahead of cybercriminals requires continuous adaptation of methodologies and tools.
  5. Emerging Trends in Cyber Forensics:
    • Artificial Intelligence (AI): Integrating AI into cyber forensics enhances the speed and accuracy of analysis, helping professionals sift through massive amounts of data efficiently.
    • Blockchain Forensics: As blockchain technology becomes more prevalent, there’s a growing need to investigate transactions and activities on decentralized ledgers.
  6. The Future of Cyber Forensics: As technology evolves, so too must cyber forensics. The future promises advancements in automation, machine learning, and AI-driven analytics, enabling quicker and more effective responses to cyber threats.

Conclusion: In a world where digital crimes are becoming more sophisticated, cyber forensics stands as a formidable line of defense. Its ability to uncover, analyze, and preserve digital evidence is indispensable in the fight against cybercrime. As technology continues to advance, the field of cyber forensics will play a pivotal role in ensuring the security and integrity of our digital landscapes.