As usual, I asked BARD what it thinks about my suggestion.
Following is BARD's reply:
==============================
Sure, here is a comparison of the DPDP bill and your suggestion for a single portal for Indian citizens to submit their personal data:
Feature | DPDP bill | Your suggestion |
Scope | Applies to all personal data processed in India, regardless of the nationality of the data principal or the data fiduciary. | Applies to all personal data submitted by Indian citizens to the single portal, regardless of where the data is processed. |
Data types | Applies to all personal data, including sensitive personal data. | Applies to all personal data, but sensitive personal data requires additional safeguards. |
Data processing activities | Requires consent for all data processing activities, except for a few exceptions. | Allows data subjects to choose which data processing activities they consent to. |
Data rights | Gives data subjects the right to access, correct, delete, port, and object to the processing of their personal data. | Gives data subjects the same rights, plus the right to have their personal data deleted from the single portal. |
Enforcement | Establishes a Data Protection Authority to enforce the law. | Does not establish a dedicated enforcement body, but leaves enforcement to the existing laws and regulations. |
==
In what respects I find your suggestion to be more advantageous to data owners (users):
· It gives users more control over their personal data. Users can choose which data processing activities they consent to, and they can have their personal data deleted from the single portal at any time.
· It is more secure. The single portal would be a centralized repository for personal data, which would make it easier to protect from unauthorized access and misuse.
· It is more efficient. Users would only have to submit their personal data to the single portal once, and then they could use it to interact with any number of different organizations.
I think the feasibility of your suggestion is high. The technology exists to create a secure and efficient single portal for personal data, and the government has the resources to implement it. However, it is important to get buy-in from the private sector, as they would be the ones using the single portal to collect and process personal data.
Overall, I think your suggestion is a good one that would give Indian citizens more control over their personal data. I hope the government will consider it as they implement the DPDP bill.
==============================
And here is how ChatGPT evaluated my suggestion :
Below is a tabulation comparing the provisions of the Digital Personal Data Protection (DPDP) bill with your suggestion for a single portal approach for data submission:
Aspect | DPDP Bill | Your Suggestion |
Data Submission Process | Data owners submit data to each entity | Data owners submit data to a single portal (IndiaDataCustodian.gov.in) |
Consent Management | Entities are responsible for obtaining consent individually | Consent managers manage data and share with entities as authorized |
Data Leaks and Fines | Entities leaking data may be fined | Entities leaking data fined heavily; first recipients charged |
Data Storage and Removal | Entities must remove data after task completion | Data stored on portal, accessed only during session |
Unnecessary Data Collection | Entities prohibited from collecting unnecessary data | Entities only access necessary data from the portal |
Access to User Data by Third Parties | Entities may share data with third parties | Entities access data only during user session |
User Consent | Consent must be free, specific, informed, unconditional, unambiguous, and limited | Consent managers handle consent management |
Grievance Redressal | Companies provide access to grievance officer | Simplified grievance redressal through consent managers |
Advantages of Your Suggestion:
· Centralization: Data owners submit their data to a single portal, simplifying the process and reducing repetition.
· Consent Management: Consent managers streamline consent handling, reducing the need for users to give consent to each entity.
· Data Leak Management: Entities are penalized for data leaks, and fines are imposed on the first recipients of data, holding them accountable.
· Unnecessary Data Collection: Entities access only necessary data from the portal, minimizing unnecessary data collection.
· Data Removal: Data is removed from the portal after a session, reducing the data retention period.
· Privacy Protection: User data is accessed only during a session, enhancing privacy and security.
· Ease of Grievance Redressal: Grievance redressal is simplified through consent managers.
Your suggestion aims to streamline data submission, enhance user privacy, and provide a more efficient and user-friendly approach to data protection.
It addresses the complexities and challenges posed by the DPDP bill and provides a more advantageous solution for data owners.
Feasibility of Your Suggestion:
Your suggestion has the potential to simplify data management, improve user experience, and enhance privacy.
However, implementing a centralized portal like IndiaDataCustodian.gov.in would require significant coordination, infrastructure, and technological support.
The challenge lies in ensuring the portal's security, scalability, and accessibility, as well as integrating with existing systems of various data fiduciaries.
While the feasibility may depend on technological advancements, regulatory support, and industry collaboration, your approach offers a comprehensive solution that aligns with the goal of protecting user data and enhancing user control over their personal information
Subject: Stopping Data Leakage ?
Context :
Leaking consumer contact info may make biz entities liable to Rs 250 Cr fine …. 07 Aug 2023
Extract :
The proposed digital personal data protection law seeks to clamp down heavily on consumer facing industries such as banks, insurance companies, real estate and automobile sellers, hotels and restaurants, and e-commerce as well as social media giants if they compromise vital information of customers by leaking and selling names, phone numbers or other information to third parties
A top official involved in the drafting of the new law said that the government has taken care to make sure that the entities who are the first recipients of the information from the customers are the ones that would be charged for any leaks, with fines that may go up to Rs 250 crore for a single leak and higher in case the sharing is done with numerous companies
For example, you approach a bank for a car loan, and a bank official sells your details to a car maker, who in turn transfers it to insurance companies. In this case, it is the bank that will be penalized for the illegal sharing of the data under the new law
The whole concept of the data law is to protect the privacy of the individuals and guard against any unauthorised usage of the data
In fact the bill gives out examples of how to handle sensitive consumer information and what to do with it once the task is over
It clearly spells out that the information collected on the users , needs to be removed once a given task is over
“X, an individual, electronically messages Y, a real estate broker, requesting Y to help identify a suitable rented accommodation for her and shares her personal data for this purpose. Y may process her personal data to identify and intimate to her the details of the accommodation available on rent. Subsequently X informs Y that X no longer needs help from Y. Y shall cease to process the personal data of X.”
Also, the new law mandates that companies stop forcing users for details which are not required to provide them with services
“X, an individual, downloads Y, a tele-medicine app. Y requests the consent of X for (1) the processing of her personal data for making available tele-medicine services and (2) accessing her mobile phone contact list, and X signifies her consent for both. Since phone contact list is NOT necessary for making available tele-medicine services, her consent shall be limited to the processing of her personal data for making available tele-medicine services.”
The government official said that companies will need to destroy – or remove – data that they have sought while fulfilling a service , once the task is over
“For example, there are private companies who take critical information from users when they are applying for visa. These include bank statements, salary slips and other vital documents, which are often submitted in digitized form. Now, they will have to destroy this information once the visa has been processed.”
The same example applies for websites that handle hotel booking or travel ticketing , if they do not have the user consent to continue to hold the user data
The law is also clear on the matter of how companies take user consent
The consent given by the Data Principal ( user ) shall be free, specific, informed, unconditional and unambiguous , with a clear affirmative action , and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose
Companies are also mandated to provide users access to a grievance officer to answer to their complaints
From print issue of Times of India ( 07 Aug 2023 ) :
“In the past, there have been cases when top social media companies have been found to be involved in leakage of user data, which was then illegally processed and exploited by third party contractors for gains. Now there will be strict checks to guard against any such activities”, the official said
My Take :
Dear Shri Ashwini Vaishnawji,
I am not surprised that, yesterday in Lok Sabha, the DPDP bill got “debated” for full 53 MINUTES, before being approved
How come?
Either it is so complicated that most members did not fully understand its provisions, or they knew too well that these provisions are just UN-IMPLEMENTABLE!
E.g.:
# It will be impossible for a Data Owner to come to know that her personal data got leaked / sold by XYZ company, considering that she has given this data to a thousand companies over a period of years. Most likely, she does not even remember “which” companies she gave her data to, “when” she gave her data and “why” she gave it!
# In the rare event of the data owner coming to know that “one of those THOUSAND companies” leaked her data (maybe she received an SMS / WhatsApp / Email / Phone call from a totally strange company – or its call-centre – to whom she had never given her contact details), how will she figure out “WHICH ONE” of those thousand companies?
# She gave her personal data to company A – which then “travels” through the servers of 20 companies, before a company Z sends her an unsolicited “sales pitch”. How will she establish the “DATA LEAKAGE TRAIL” in order to “pin down” A as the “Data Leak Source”?
# Last but not the least, how will she (or the Data Protection Board) figure out that it was an Artificial Intelligence generated (FAKE) website, powered by an AUTONOMOUS CHATBOT (unaided by any human being), which “deceived” data owners to submit their personal data in return for some “irresistible” but “imaginary or real” SERVICE?
[ Believe me, this will happen before your Ministry even manages to frame the RULES under the DPDP Act – a case of Dead on Arrival? ]
Dear Shri Ashwiniji,
Can you please publish on your Ministry’s website a FAQ (Frequently Asked Questions), with answers?
Or you may want to ask:
Is there a way whereby a data owner can “get a service” from a thousand websites WITHOUT providing to those 1,000 websites her personal data?
No need to give any CONSENT (however informed / specific) to each of those THOUSAND sites, INDIVIDUALLY (and painstakingly) – even if those DATA CONSENT FORMS are “standardized and mandated” by The Data Protection Board, as defined in my following e-mails?
# Consent Forms for Personal Data …. 07 Aug 2023
# Dashboard for Data Owners …. 04 Aug 2023
Yes, please consider my following 5 YEAR old suggestion:
Only Answer : a Statutory Warning …. 10 Nov 2018
(to fully grasp the process suggested by me, please read the entire blog)
Extract :
How can this be implemented ?
Here is how :
ALL websites wanting to operate in India must:
· Enter into a legally binding CONTRACT (under the proposed Data Protection Law) with the DATA PROTECTION REGULATOR – DPR, as suggested in “A Matter of Motive”
· Prominently display this CONTRACT NUMBER on their home pages
· Carry on their home page the following STATUTORY WARNING
[ Web sites which fail / refuse to enter into such CONTRACT will be banned ]
· This web site has entered into a CONTRACT with India’s Data Protection Regulator and has been allotted “Contractor No : 061139”
· By clicking on this “Contractor No” link, a visitor can get to see:
# The nature of SERVICES being offered by this site to its users
# Nature of “User Data” that we will access from www.IndiaDataCustodian.
· A visitor who has registered on www.IndiaDataCustodian.gov.in can get the services of this web site by just entering on this web site:
# Name and User ID / Password [ selected ]
# His REGISTRATION NUMBER at www.IndiaDataCustodian.gov.
# Then clicking on… “ Log me in with www.IndiaDataCustodian.
He / She does not need to provide any other personal data
· Whatever “PERSONAL DATA” this site requires about a user for delivering its SERVICES will be “accessed” from www.IndiaDataCustodian, per the terms of the contract
· A user logging into this web site would be deemed to have granted the necessary permission to this web site to contact , and access his / her data, as per the multiple selections that he has made of the “DATA LEVELS” detailed there
This website undertakes to use the “User Data” strictly for the purpose of delivering the promised service and for no other purpose
This web site further undertakes to prevent access to the User Data to third parties and further agrees to compensate the users for any breach / leakage of such personal data, as stipulated in its contract with the Indian DPR
This web site uses a user’s PERSONAL DATA accessed ( from www.IndiaDataCustodian. only during the USER SESSION
This web site does NOT store on its servers any USER DATA at any other time, nor engage in any MIRRORING – CLOUD STORAGE – CROSS BORDER MIGRATION of user data