Advancing Data Protection through Data Protection Seal

April 3, 2024

INTRODUCTION

The Data Security Council of India (“DSCI”), a non-profit organization established by the industry body National Association of Software and Service Companies (“NASSCOM”), operates within the domains of cybersecurity and privacy. It interfaces with Governmental entities, agencies, regulators, industry segments, associations, and policy research institutions for advocacy, intellectual leadership, capacity enhancement, and outreach endeavors.

DSCI intends to formulate a Data Protection Seal (hereinafter referred to as “DPS”) to validate and monitor the secure handling of individuals’ data by platforms nationwide. The significance of data protection lies in its ability to safeguard organizational information against illicit activities such as fraud, hacking, phishing, and identity theft. Any organization aspiring to function efficiently must ensure the security of its information through the implementation of a comprehensive data protection framework.

With the escalation in the volume of data collected and generated, the significance of data protection proportionately rises. Incidents of data breaches and cyber assaults can result in severe repercussions. It is imperative for organizations to adopt proactive measures to safeguard their data and consistently enhance their protective mechanisms.

Fundamentally, the paramount principle and significance of data protection is observed in the preservation and protection of data against various threats and across diverse contexts.

DATA SEAL

1. DPS under India’s Landscape

On 24.01.2024, Mr. Vinayak Godse, Chief Executive Officer, DSCI, stated during an interview that the DSCI is initiating the DPS project to verify and monitor the secure handling of data by digital applications, websites, and/or platforms (hereinafter referred to as “Products”) nationwide.

The project is at the pilot stage where the testing with collaborative entities aims to inform users about organizations that adhere to basic data privacy standards and securely utilize their data. It is similar to the concept of the ISI mark, signifying compliance of a product with the standards set by the Bureau of Indian Standards.

The DPS will furnish a degree of confidence concerning the adherence of an application, website, or product to privacy standards and responsible conduct, as per the expectations of privacy. This procedure will enable companies to enhance their adherence to the Digital Personal Data Protection Act, 2023 (hereinafter referred to as “DPDPA”) and any forthcoming regulations.

2. Data Protection Certification under the GDPR

Article 42 of the General Data Protection Regulation (hereinafter referred to as “GDPR”) encourages member states to set up Data Protection Certification granting bodies, while the European Data Protection Board (hereinafter referred to as “EDPB”) released ‘Europrivacy’ as the first data protection certification at the Union level. A Euro Privacy certificate or an equivalent certificate from the member state’s local certification body will bring the possibility for businesses to request certificates, seals, and marks for data protection. A data protection certification, seal, or mark acts like an official stamp that certifies that the particular business is compliant with the GDPR rules and regulations.

These are optional and were added to help businesses prove that they are handling personal data correctly. They are especially helpful for businesses in other countries, as having these certifications, along with commitments to protect data, can make it easier to transfer data across borders. These certifications last for up to three years and can be renewed if the business still meets the requirements.

Certification bodies under the GDPR include:

  1. The relevant supervisory authority,
  2. An accredited organization (public or private), and
  3. The European Data Protection Board (hereinafter referred to as “EDPB”).

The accreditation of certificate bodies lasts for up to five years, with the option to renew if they meet the criteria set by the national accreditation body/supervisory authority/the EDPB. If the EDPB approves these criteria, it could lead to a common certification, like the European Data Protection Seal, which aligns with the GDPR’s goal of a consistent approach.

3. European Data Protection Seal

As discussed above, the EDPB granted approval to ‘Europrivacy’ (common certification) as the first ever “European Data Protection Seal”, thereby establishing it pursuant to Article 42(5) of the GDPR.

Such certifications, as delineated in the GDPR, serve as pivotal mechanisms enabling controllers and processors to validate adherence to GDPR provisions. The endorsement by the EDPB signifies the official recognition of Euro Privacy Certificates across all member states of the EU.

It is noteworthy that the certification pertains to a specific process within an organization, rather than the organization in its entirety. In essence, the Euro Privacy Criteria do not facilitate the certification of an organization as compliant under its auspices.

Moreover, it is important to highlight that the Euro Privacy Criteria for certification do not constitute the endorsed certification mechanism stipulated under Article 46(2)(f) of the EU GDPR. Consequently, reliance on this certification as a tool for international data transfers is precluded.

SIGNIFICANCE OF DATA SEAL IN INDIA’S DATA PROTECTION FRAMEWORK

Upon conducting an assessment of the organization or platform’s data processing methods and practices, the seal will be established to ensure transparency regarding the information and implementation of data safety measures on the platform. The seal represents a commitment from DSCI indicating that the application, product, or platform has undergone scrutiny by the organization in accordance with the anticipated standards of data security and data privacy.

Ransomware expansion, attacks linked to multi-factor authentication, and the utilization of artificial intelligence have been highlighted as the primary cybersecurity challenges for the year 2024.

In light of the increasing prevalence of deepfakes, examining each piece of content individually could pose significant challenges. Instead, identifying and mitigating the identities of Internet users responsible for disseminating such content widely would address the root cause. Assessing the genuineness of content without disclosing it to the platform, in order to prevent infringement upon user privacy, poses an additional challenge when identifying deepfakes.

Nevertheless, it is essential to conduct privacy-preserving analysis of deepfake content pertaining to sensitive topics like sexually explicit material or content that could potentially disrupt public order. This approach can mitigate the proliferation of deepfakes and misinformation in the digital realm.

AMLEGALS REMARKS

In conclusion, the DSCI plays a pivotal role in upholding cybersecurity and privacy standards, collaborating with various entities to promote data protection initiatives. The introduction of the DPS project signifies a pivotal step towards verifying and monitoring the secure handling of data by digital platforms across India. This initiative not only enhances transparency but also fosters confidence among users regarding the adherence of organizations to data privacy standards.

Furthermore, the approval of the Euro Privacy Criteria by the EDPB signifies progress towards establishing a common certification mechanism in the EU, aligning with the GDPR’s aim of fostering a uniform approach to data protection.

The cybersecurity challenges such as ransomware, multi-factor authentication attacks, and the use of artificial intelligence underscore the importance of proactive measures in safeguarding data integrity. Moreover, the emergence of deepfakes poses a new set of challenges, requiring innovative approaches to address privacy concerns while combatting misinformation.

It is imperative for stakeholders to continue collaborating on initiatives like the DPS project and prioritize privacy-preserving analyses to tackle evolving cybersecurity threats effectively. By fostering a culture of data protection and resilience, organizations can mitigate risks and uphold the trust of individuals in the digital ecosystem.

– Team AMLEGALS assisted by Mr. Samarth Sheth (Intern)


For any queries or feedback, feel free to reach out to mridusha.guha@amlegals.com or liza.vanjani@amlegals.com

 
