Data Privacy Day

Dear Friends,
It's my pleasure to write to you on occasion of Data Privacy Day (DPD). Year on year, the privacy landscape continues to get more vibrant. In 2016, we witnessed significant developments in privacy space. Many global organizations faced geographical shut downs such as WhatsApp shut down in Brazil, LinkedIn being blocked in Russia, gaming apps such as ‘Pokemon GO' not getting access in many geographies, etc. Facebook's decision to integrate its services with WhatsApp faced censure from European Regulators. Apple went public against FBI with its position on not compromising privacy of consumers, opposing enablement of access to a locked device. Microsoft won interim court decision against the US government which required them to share personal information of US citizens stored in servers in Ireland. These incidents and more kept privacy discussions fresh and alive across the world.

Cross border data flow agreements are being challenged and undergoing an evolution. After the invalidation of EU-US Safe Harbor agreement in October 2015 by Court of Justice of the European Union (CJEU), the EU Commission and US DoC came up with a revised framework ‘EU-US Privacy Shield', in July 2016, as a legal means to transfer personal information between the EU and US businesses. The legality of Privacy Shield was threatened after it was further challenged for its legitimacy to satisfy concerns around mass surveillance by the US government. Recent executive order by US President Donald J Trump to exclude foreign citizens from scope of Privacy Act of 1974, and exclusion from Data Privacy policies of US government agencies has reinvigorated Privacy concerns by the EU and puts a cloud of uncertainty around Privacy Shield. The Irish Data Protection Authority meanwhile also challenged the legitimacy of Model Contracts as an instrument for cross border data flows.

In 2016, the EU finalized General Data protection Regulation (GDPR) to be enforced starting May 2018. With its stringent requirements and granular prescriptions, Industry is assessing the challenges and cost of doing business in conforming to GDPR. Regular guidelines are being released by Article 29 Working Party on various aspects being discussed in GDPR. Apart from EU, new privacy laws/frameworks are being formulated by many other major geographies and states, such as US FCC adopting privacy rules for Broadband players, Russia updating its status on Data Localization Law, Japan amending its Act on the Protection of Personal Information (APPI) and releasing its enforcement date for May 2017. In order to deal with rising privacy concerns, some of the US states such as Washington, West Virginia, Ohio, Arizona, etc. have started hiring Chief Privacy Officers to ensure safe organizational practices of processing personal data. Numerous surveys have also revealed that individuals, inadvertently or otherwise, continue to compromise their privacy while using certain websites and social media platforms in return for free services and better user experience.

On the Indian turf, a law to regulate use of Aadhaar was enacted. It tries to address privacy related concerns through certain provisions, however many are raising concerns on inadequacy of the provisions. We were also earlier hit by a malware incident impacting debit cards used in ATMs. Towards the end of the year, sudden transition towards a ‘Less Cash' society triggered a slew of digital applications and services made available by not only digital wallet providers, but also nationalized banks. Volume of e-wallet transactions have skyrocketed by 271% in a month; value of such transactions also rising by 267%. It has also fueled the concerns on cybersecurity and privacy risks associated with such transactions, and concerns if security and privacy by design were factored in during application and services design, given the pressure to churn out payment products and solutions rapidly. On the positive side, the Indian service providers are developing the understanding of EU GDPR as to identify their applicability while conducting business with EU organizations. The Indian outsourcing industry is focusing on implementing and operationalizing the applicable clauses of EU GDPR or the ones which may be pushed by EU organizations (data controllers) through contracts after May 2018.

DSCI has been working with Government agencies and industry representatives to strengthen the cyber security and data protection regime of the country. We continuously keep taking initiatives to promulgate privacy and its importance in today's scenario. Some of the large organizations in banking and telecom space have embarked on Data Privacy journey, and are designing and implementing their privacy program based on DSCI Privacy Framework (DPF©).Through our DSCI Certified Privacy Lead Assessor (DCPLA©) and DSCI Certified Privacy Professional (DCPP©) certification and training program, individuals and corporates are getting trained on privacy. The community of certified Privacy Professionals has had an impressive growth last year. To cater to rapidly changing Privacy requirements, we have undertaken curriculum revision to make DCPP© up-to-date and relevant. The privacy community interaction has been phenomenal – some tough questions drawing equally knowledgeable responses from experts. It is the collective knowledge that pushes up our Privacy quotient.

With Industrialization 4.0, IoT getting mainstream and rapid digitization, data generation and processing will increase manifold. Rising expectations on privacy will warrant nation states to adopt laws and regulation to maintain interoperable data flow framework. DSCI is proactively working on elevating the importance of cross border data flows in trade negotiations and continuously advocating enactment of comprehensive Privacy law in India. DSCI also participated and hosted numerous discussions on topics related to data privacy subject across India last year.

Data Privacy Day presents us an opportunity to comprehend the changing scenario, and think about ways of reaching out to consumers and end-users on one hand; and to corporates and policy makers on the other. Chapter meetings pan India have been scheduled and discussions are held on topics relevant to data privacy and other contemporary issues that impact the privacy of individuals.

I look forward to your enduring support in making this day and the whole concept of Data Privacy a success, and getting India recognized as a leader in privacy protection in the world.

Dear Friends,
Happy to connect to you on the occasion of Data Privacy Day 2016. This has been an eventful year from data privacy viewpoint. We witnessed landmark data breaches like the Office of Personnel Management (OPM) and Ashley Madison, among others. With technology platforms expanding, such trends are set to continue in 2016 and businesses and governments will need to respond appropriately. Associated cost of data breaches is rising as the reputational damage and remedial requirements are more serious than the immediate financial loss.

Globally, the data protection regime continues to evolve. Realizing the pressing need, United Nation appointed its first-ever Special Rapporteur on the 'Right to Privacy’. Many countries are enacting Data Privacy Laws, while some are sharpening existing legislations through necessary amendments. There has been a surge in countries implementing mandatory data breach reporting obligations. Citing Privacy concerns, some countries are resorting to 'Data or Infrastructure Localization’, which could prove counter-productive to global economy in the long run. Privacy safeguards have become a regular aspect of Global Trade arrangements like Trans-Pacific Partnership (TPP), Transatlantic Trade and Investment Partnership (TTIP), World Trade Organization (WTO) and more and also in regional arrangements such as Regional Comprehensive Economic Partnership (RCEP).

From Privacy frameworks standpoint, most noticeable development of the year was the invalidation of the long standing Safe Harbor arrangement for personal data transfer between EU-US by the EU Court. This took the technology world by storm. Both sides are required to come up with a solution that can stand scrutiny of the EU Court by this week, else all personal data transfer between parties in these regions would become legally invalid. In a contrasting ruling, EU court also decided in favor of an employer organization stating that companies can monitor workers’ private online chats through their networks, even if it violates right to keep chats private.

Meanwhile, EU also rolled out the General Data Protection Regulation (GDPR) which is enforceable by 2018. The groundwork on GDPR started in January 2012, with EU commission proposing reforms to make Europe fit for the digital age. Rather than modifying the trans-border data flows, GDPR calls for stricter norms for data flow from the EU to rest of the world. On a related note, EU India FTA talks have resumed after a gap of around 18 months, and data protection and personal data transfers continue to be topically debated.

Research firm Forrester highlights that 'Privacy will be to organizations in 2016, what websites were to companies in 2000’. Gartner survey states that organizations are investing in location-based services (31%), wearable IT (31%) and behavioral advertising/digital engagement (29%), clearly hinting at technology becoming invasive. It also states that by 2018, 50% of business ethics violations will occur through improper use of big data analytics. Silver lining is the constant rise in salaries of Privacy executives, as per an IAPP survey. Organizations are recruiting professionals with specific privacy skill sets for all roles, a trend which will not only continue, but will get stronger.

In India, last year UIDAI was challenged on the grounds that the move to collect information from individuals and sharing sensitive personal information without consent is a violation of the right to privacy. The government has so far contended in the court that right to privacy is not a fundamental right under the Constitution.. The court decision will be a potential game changer for privacy regime in India.

DSCI worked with Bureau of Indian Standards (BIS) to host ISO/IEC JTC 1/SC 27 Working Group (WG) meetings during 26-30 October, 2015, in Jaipur. Out of 310 delegates from 32 countries, Indian delegation was the largest with 85 participants. It is important to highlight that Indian delegation proposed formulation of two new standards – 'Privacy in Smart Cities’ and 'Privacy in Smartphone Applications,’ which was well received by the global delegates. Indian experts are also playing important role in development of other privacy related standards at ISO including User friendly Privacy Notices, Privacy in IoT, Privacy in Identity and Access management among others.

Alongside, DSCI capacity building efforts in Privacy has witnessed over 400 professionals certified under DSCI Certified Privacy Lead Assessor (DCPLA©) and DSCI Certified Privacy Professional (DCPP©) and further gaining traction.

We at DSCI are of the firm view that a robust regulatory framework is the need of the hour. We have been working with Government agencies and industry representatives in order to strengthen the cyber security and data protection regime of the country.

I look forward to your enduring support in getting India recognized as a leader in privacy protection in the world.

Coming soon

Dear Friends,

Coming soon