Understanding the Essence of the DPDP Bill

Mr Na. Vijayashankar, Data Governance and Data Protection Consultant & Chairman, FDPPI presented an overview of the DPDP Act 2023 and led the discussion with:

Dr Anirban, Senior Manager Data Compliance – India & AMEA, BT India, Kolkata.

Dr Avinash Dhadhich, Dean, Manipal Law School, Bangalore 

Ms Savitha Kesav Jagadeesan, Senior Partner, Kochhar & Co.

Mr Rohan K George, Partner, Samvad Partners

Mr Mahesh Balakrishnan, Associate Director – Security Governance & Compliance, Uniphore

Mr Na. Vijayashankar: On the 11th of August 2023, the Digital Personal Data Protection Act 2023 was passed in India. We have been waiting for this development for many years and we are very happy it has happened, because India needed a law of this nature. The deficiencies of the Act can always be improved. My first question to the panel is: What is the applicability of this Act? Why is it called Digital Personal Data Protection Act?  

Mr Rohan K George: All the previous iterations of data protection bills and legislations did not make a distinction between digital data and non-digital data and also did not distinguish between automated processing and non-automated processing of data. However, this Act very clearly limits its applicability to data which is automated. In India, we are moving deeper and deeper into a pure digital governance system and so much of India’s record keeping and documentation is in non-digital form. There are many organizations which still prefer to keep paper registers. Now we have two standards for the protection of data and, more importantly for the protection of individual privacy in situations where the data is digitized and where the data is non-digitized. It also raises a concern for me, because it disincentivises digitization, as people know that as long as they are outside the digitization parameters, they are effectively outside of the applicability of the Act itself.

Mr Na. Vijayashankar: How does this Act address the concerns expressed by the Puttaswamy judgment? 


Mr Na. Vijayashankar: We call it as digital because it is applicable to data collected in digital form in India and data which is collected in physical form, but digitized by entering it into the computer. These are the two things which have been covered here. This Act is trying to focus on information privacy and somehow the government has felt that non-information privacy is not a serious concern for the community and that the existing laws will take care of it. We call it personal data. How do we see its applicability to whatever is not personal?  

Dr Avinash: It depends on the interpretation of how we define data and the personal dimension of data. We need to understand the objective of this law. Data is useless just like raw oil. It has to be refined, converted into a particular product and that the final product has some commercial value. We have to see this from two dimensions—one from the customer’s or the principal’s point of view and the other from the company’s point of view. For me as an individual, everything is personal, but for a company, everything is not personal. There’s a lot of information which is available in public domain. So, it depends on the interpretation. 

Mr Na. Vijayashankar: When we say person, many people are confused as to who this person is. Is the protection limited only to the individuals? 

Mr Mahesh Balakrishnan: We talk about all the other clauses in terms of personal definition. But if you look up the definition within that Act, it brings about the juristic aspects of that person. We must know where we get the data from. Are we using it for the defined purposes or complementary purposes?

Mr Na. Vijayashankar: I see person in two different dimensions—a person whose privacy has to be protected by protecting or managing his personal data. The other is an organization which collects the personal data, which is also a subject of this Act. If the organization fails in its obligation, it can be levied fine to the tune of even 250 or 500 crores. In the business, there are proprietary concerns and partnership firms and we have transactional data between a company and an individual which is a mix of personal and business data. As a data manager, which are the data I can say as personal data and which are not personal data?  

Dr Anirban: Indian companies are in a hurry to understand and implement this Act, but what is really important is to understand my data source, from an organizational standpoint, not individual. The second one is to define the type of data, and the third, what I am doing with the data. Am I giving it to a third party or am I processing it? Every organisation must perform the data mapping exercise.

Mr Rohan K George: The Act creates two kinds of actors—one is the person who’s doing the processing of data, which can include all kinds of persons including individuals and then it creates a category of personal data, which is data about an individual. When a person is identifiable by data, you can very easily establish a direct correlation; but when a person is identifiable in relation to data, that creates a very interesting situation where you have certain data points, which need not necessarily directly allow identification of a person, but—when combined with others—will have the effect of being able to identify that person within a certain range. This is a bigger definition of personal data than in previous iterations of the Act. But, at least, it allows us to understand that personal data does not have to only mean name, address, email ID and the like, but can include much more sophisticated data. 

Mr Na. Vijayashankar: The DPDP Act defines the role of a person who decides about the purpose and means of processing data as a data fiduciary. It also makes a reference to a significant data fiduciary. Section 43A of ITA2000 spoke of sensitive personal information. Organisations which process a large quantity of sensitive personal information are always considered a high-risk business. Can you tell us how this Act identifies a significant data fiduciary?

Ms Savitha Kesav Jagadeesan: One of the most prominent criteria is what kind of data is being collected. Then comes the volume and sensitivity: what rights are affected and the territoriality of that data. Anybody using a data processor or a processing agent will fall under a data fiduciary. In fact, anybody using a significant amount of data, which affects the territoriality or the sovereignty of a populace, will become a significant data fiduciary. 

Mr Na. Vijayashankar: What are additional obligations of a significant data fiduciary?  

Dr Anirban: Three extra obligations. One, you need to appoint a Data Protection Officer or DPO, who will be based in India and his or her contact details will be published in the website of the organization. The second, the organization needs to implement the infrastructure to do Data Privacy Impact Assessment (DPIA) for any change within the organization in regards to processing or collecting personal data, along with any new project or technology that has been built, which will be using or processing personal data. The third one is to appoint an independent auditor to get an audit of all the processing activities or all the compliance against the DPDP Act 2023. The frequency of the audit will be announced in due course by the central government.

Mr Na. Vijayashankar: Who is a consent manager? What kind of data fiduciary is he?  

Mr Rohan K George: One of the key obligations of a data fiduciary is to inform the data principal of the right to appoint a consent manager, who can be a layer between the data fiduciary and the data principal.  

Mr Mahesh Balakrishnan: When there are third party consent managers, they become significant data fiduciaries.  Who is going to manage that?  

Dr Avinash: It’s not a very new concept. We are already doing it in the financial sector. But there are a few questions which need to be asked now, like: How many players would be allowed by the government? What would be their market power in this situation? We are going to deal with billions of requests by different people and organizations. So, we need to see the power of the consent manager. The entire objective of this data privacy law is to protect the privacy of the people or give some sense of privacy. When we appoint consent managers in big organisations, what would be their responsibility? Definitely, it will be cleared by subsequent notifications and circulars. But I think their responsibility will be very important. We should not forget that the government will also be a significant data fiduciary under this Act. What happens when there is a conflict of interest between the consent manager and the significant data fiduciary, is a question that comes to my mind.

Mr Na. Vijayashankar: What I see in the Act is that the consent manager will be a special kind of data fiduciary. He will be registered and there will be a set of guidelines that will exclusively define his roles and responsibilities. He will represent the data principal, not the data fiduciary, which means that he will be acting as a trustee. The consent manager which we are presently aware of, in the financial sector is a technology platform. It is working more like an intermediary. The data comes from one end and it goes to the other end. This intermediary or the consent manager doesn’t have access to the data of a person, whereas what this Act envisages is that the consent manager in a big organization may have visibility of the data but he’s expected to protect it by his own methods. The consent manager also needs to take the responsibility for managing visible personal data.

Dr Anirban: What would be the economics of the consent manager? 

Mr Na. Vijayashankar:  If I am going to use a bank’s safe deposit locker, I pay money to deposit my things. Similarly, if the data principals think that they need to protect their data and when they themselves cannot do it and want somebody to assist them, they can have a data consent manager. How much he will collect from the data principal is a thought worth pondering. A revenue model has to be devised by the consent manager. If I have to do KYC, I have to spend 200 or 250 rupees. The consent manager can have KYC done for a million sets and then tell these companies that each time they don’t have to take money like Cibil does.  

Mr Mahesh Balakrishnan: If I’m a data fiduciary, can I go ahead and build a platform to manage the consent of all our data principals? How independent can a data fiduciary be, if they can go ahead and build a platform? 

Ms Savitha Kesav Jagadeesan: Building a platform is perfectly fine so long as it fulfils the requirements that have to be provided, which is the notice and what requires to be given in the notice. The consent manager is essentially an additional aspect that has been provided to make it easier for the data principal to provide the consent.  

Mr Na. Vijayashankar: There are 44 sections in the Act and they need to be clearly understood. There are complexities and if we are not able to understand this, penalties are there which may extend from 50 crores to 250 crores for different categories, like not reporting the data breach or not having adequate safeguards, not having organizational policies and things like that. If I don’t know that I am a significant data fiduciary and, therefore, I don’t appoint a DPO, my classification error will lead me to not having a DPO and therefore, I am liable for the penalty.  

The Act says that it is applicable to digital personal data processed in India. The digital personal data processed in India need not necessarily be of only Indian citizens, it can be of somebody else also. If data is processed outside India, but it is related to some business services to Indian people, that is also covered. But if there is an Indian company which is doing some processing outside India and if that data is not of Indian people, it is not covered under this Act. In that aspect, it is substantially different from GDPR. 

Mr Rohan K George: The exemption given for processing of data of non-residents, pursuant to a contract outside India, doesn’t exempt the entity from the entirety of the Act. It exempts them from the obligations, but it does mention that they are still required to generally comply with the Act and it requires them to maintain reasonable security standards and practices. It exempts them from cross-border processing and it exempts them from the data principal. Thus, it is a limited exemption. 

Mr Na. Vijayashankar: Yes. Section 17 is not an absolute exemption.  Our law focuses on consent being absolutely essential, based on a notice that can be served in 22 languages. The collection of data has to be purpose oriented and unlike GDPR, it doesn’t list out five or six elements. It is all implied in the purpose. If a purpose is over, you’re not supposed to retain that data. The data retention minimization is ingrained in the purpose itself. Data minimization is also part of the purpose. You’re collecting it for a purpose and therefore, the purpose has to justify what you collect.

There are certain legitimate users. There is a section on legitimate use where consent may not be required. Earlier, we used to have something called deemed consent. Now, they call that as legitimate consent. From compliance point of view, an organization must first think, “Am I exempted? If not exempted, am I coming under legitimate use that will minimize my compliance requirements?”

I have always been advocating for compliance by design. I think this Act has taken that suggestion of mine. 

Ms Savitha Kesav Jagadeesan:  The illustration that they have provided is that of a pharmacy. When you enter the pharmacy, you provide all your personal data and acknowledge the receipt of payment for the purchase. Then that data is processed by the pharmacy and held on. Once you’ve gone to the pharmacy, given the data and finished your transaction, there ends the pharmacy’s use.   

Mr Mahesh Balakrishnan: Whose legitimate interest are we talking—the data giver or the data receiver?  Unless there is a complementary purpose, we are not supposed to go ahead and use that same data for a different purpose. The question is, are we stopping it? The other thing is, when you talk about personal data, we go ahead and anonymize the data. Once we anonymize it, it becomes a non-personal data. What do we do with that?  Contractual compliance talks about receiving the data, storing, processing it and destroying it and giving it back to the organization in a structured or unstructured format.  

Mr Na. Vijayashankar: What are the duties of the data principal?

Mr Rohan K George: We were advising an Indian company with GDPR compliance. A new category of litigators has risen in the EU, which is the data troll. What that means is that there are people who go out and hunt down flaws in data, compliance, data privacy and so on. The duties listed are mostly straightforward and some bother me. You don’t want a person who has genuine grievances having his class listed under ‘frivolous.’

Mr Na. Vijayashankar: Let us not think that DPDP will be anti-people.  

Dr Anirban: It is culturally very well-defined. We know the challenges we might get from a data principal.  The data fiduciaries or the organization need some sort of safeguards. This aspect is taken care of in the Act. 

Ms Savitha Kesav Jagadeesan: One of the duties that a data principal must keep in mind is never to give false information.  

Dr Avinash: I agree with Savitha because when we try to develop a data privacy culture and at the same time, we are imposed 10,000 rupees fine if the board finds that your complaint is not genuine, are we not trying to create terror in the minds of the people that if I go against a big company, I may also be prosecuted?

Mr Na. Vijayashankar: That is for the government and DPDP to ensure that it will not happen. 

Q&A

You talked about legitimate use. Organizations undergo change. Today you’re in banking; tomorrow you may be in a pharmacy. Under the financial services, there are many services. If I say legitimate use today is selling a credit card, tomorrow it can be insurance. So, what happens to the data after the transaction, when the relationship has not stopped and it continues?

Mr Mahesh Balakrishnan: You collect the data for one purpose. If you want to go ahead and process the data across your services or your products, then you must provide notification to the data principal. When you seek data, you must clearly define the purpose.  

Ms Savitha Kesav Jagadeesan: You can retain the data so long as there’s no withdrawal of consent. When you hold that data, see to it that manipulation of data is not done.  The idea is that withdrawal of consent can take place anytime. 

In what ways does the Data Protection Act promote accountability and encourage organizations to implement robust data protection measures? 

Mr Na. Vijayashankar: The Act says that the company should have organizational and technical measures to be compliant with every provision of this law—Section 1 to 44. Otherwise, the deterrence is in the form of penalty. There is no criminality though. If a breach or a lack of competency to be compliant comes to the knowledge of Data Protection Board, they can impose a penalty. If and when a data breach happens and the DPB questions you, then you should be able to prove that you are in compliance. 

When the data has been provided for different purposes, on whom will the responsibility be fixed if a data breach happens?

Mr Na. Vijayashankar: Every data fiduciary is responsible for the data which he/she has collected. If the data has gone to multiple areas, you have to look at the source of data breach and wherever it has breached, that data fiduciary will be responsible. 

What measures does the Data Protection Act put in place to ensure sensitive data is adequately protected?

Mr Rohan K George: At present, the Act does not directly address a blanket protection for sensitive personal data. In my opinion, that’s a concern. I’m sure it will be addressed by subsequent regulations. But it addresses two aspects—the first one is children’s data, which is a certain subcategory of sensitive personal data. Here, it calls for verifiable consent of the guardian of a disabled person or a minor. The other aspect it touches is the significant data fiduciaries, which we discussed. The Act does not override the existing regulations, which have been put in place by various financial regulatory bodies, such as the RBI, the SEBI and the like, to protect individual financial data.

If we have a fraud control unit in an organization for employment purpose, will it fall under the exemption for consent?

Mr Na. Vijayashankar: The idea of the fraud control unit does not come under the employment purpose, because it will come under a standard operating process (SOP). The exception that has been provided for employment use is with regard to processing your data. There is exemption available for the information security for the interest of the organization, including IPR and trade secrets. There is no protection as far as the employees are concerned as the organization can do surveillance and background verification. In financial service, if there is a default of a loan, after the default has happened, then whatever data that is collected and processed can again be outside the restrictions. To that extent, the interest of companies has been taken into account. 

Is the current Act applicable to the NRIs, or only to the citizens of India, irrespective of where the data is processed?

If any foreigners’ data is being processed in India, that doesn’t fall under this Act. But if the data is processed abroad, even if it is an NRI or citizen’s data, and it is to be used in India for a particular purpose, then it falls under the Act.

While taking consent, should we mention the retention periods?

Mr Na. Vijayashankar: Just link it to the purpose and that will automatically take care of the retention period. If the consent is a recurring consent, it may go for a longer time. If it is for a single purpose, it will end there. For instance, for KYC you want to have a video. That is only for the time till you complete the onboarding.  Afterwards, retention should not be there.  

How do you encourage the organizations to take swift and responsible actions?  

Mr Rohan K George:  There is a requirement in the notice to include a specific methodology for grievance redressal. In addition to appointing a Grievance Redressal Officer, you must give the data principal a mechanism by which they can address those grievances. Most companies post a certain privacy policy on their websites. This particular legislation makes it a little more granular. The privacy notices have to be tailored for particular purposes.  

What role does transparency play in the data protection? How will it empower individuals to have more control over their personal data?

Dr Anirban: For any business or organization, it is really important that they are honest and open with their customers, or in this case with the data principal. The data fiduciary must stick to the legitimate interest while processing the data. If there is a change in the purpose or means of processing, the relevant user consent is required and that’s where the transparency comes in.  

In what ways will this Act address the challenges posed by the emerging technologies like AI, Biometrics and IoT?

Mr Mahesh Balakrishnan: The source of the data is important. If I get an answer to where my data source comes from, the next aspect is, once they process that data, what happens to the personal as well as non-personal data? I can question my team on my source of data and how they build the algorithms and the models and how effectively my privacy and security are taken care of. 

Mr Rohan K George: Every organization must definitely discover their data sources and do an extensive gap analysis to identify where the organization is and where they need to be.  

With the rise of global data flows, how is the DPDP Act aligned with the international data protection standards and regulations like GDPR?

Mr Na. Vijayashankar: GDPR is a different law applicable to the EU data. DPDP Act is a different law applicable to the Indian data. The two are different and will stand on their own. We have to develop our own standards for being in compliance with this and that is what FDPPI is doing with the personal data protection compliance standard of India.

India’s IT Revolution-The Maverick Effect

MMA-KAS organised a discussion on the theme of the book: ‘India’s IT Revolution – The Maverick Effect,’ authored by Mr Harish S. Mehta. Mr N R Narayana Murthy, Founder & Chairman Emeritus, Infosys addressed the participants during the event. Mr Rajesh Nambiar, CMD and President, Digital Business & Technology, Cognizant, led the conversation on the theme ‘Trillion Dollar Digital Economy’   with the special invitees Mr Harish S Mehta, author, Mr K V Ramani, Founder and Chancellor, Sai University and Mr Lakshmi Narayanan, Managing Trustee, Chennai Mathematical Institute & Former Chairman, ICT Academy.

Excerpts from the talk by Mr N R Narayana Murthy

For India to become the Sone kee chidia or the golden bird that Harish Mehta talks in his book, the country needs intellectual liberation. But we must remember that cultural transformation must precede intellectual liberation. The cultural transformation must result in Indians becoming honest, disciplined, transparent, accountable and hard-working. We must learn to put the interests of our institutions, our community, and our country ahead of our personal interests. It requires us to elect the best qualified and the most honest people to lead us. It requires our government to become a true catalyst in removing every hurdle for our citizens and our businesses. It requires us to introduce an educational system that enhances curiosity, critical thinking and problem-solving abilities of our children. It requires us to move from our tendency to gloat about our past, to thinking and acting quickly to solve the future problems of our nation.

Role of Nasscom

What is the role of Nasscom in contemporary India? The primary role of Nasscom in the early 90s was forming a cohesive group of leaders of competing software service businesses to accept competition. Such a group worked as a unified team to hold dialogue with the government on early issues like tax exemption, the availability of bandwidth and installing an IPR regime. Nasscom is currently occupied with issues like IT for public governance, cyber security, privacy and upskilling. Late Shri Dewang Mehta played an important role in the first decade of its journey. However, the initial successes would not have been possible without the effort of the CEOs of several large companies today, as well as, without dedicated individuals like Harish Mehta (the first elected Chairman of Nasscom), K V Ramani, Ashank Desai, Vijay Srirangan and Saurab Srivatsava. Dewang’s successors as Presidents of Nasscom and the successive chairman’s councils have also played productive roles in the later years. Of course, this chain of successes would not have even started if we did not have the support of India’s finest pro-business bureaucrats like Shri N Vittal, ably supported by late Dr N Seshagiri, Shri N Gopalaswamy and late Dr Varadan. In a parallel thread, Harish Mehta, in his book, traces the idealistic journey of a young couple—Harish and his wife Shaila returning to our country from the US and playing their role in creating new dreams, new adventures and new opportunities. This narration will serve as a good template for any NRI to follow in the footsteps of Harish and Shaila. Harish is a good example of optimism, positivism, teamwork and energy. Shaila personified compassion, friendliness and generosity.

Four Strategic Challenges for Nasscom

What is the main lesson from Nasscom that other industry associations can emulate? To me, it is enabling competition among fiercely competing companies in engaging with the government for better policies, for the growth of the industry. What are the current challenges of our industry and what can Nasscom do about it? There are many. Our future objective is to obtain a bigger share of the global services market, to add value to the domestic market and to become recognized globally in the software product market. I will mention about four strategic challenges in our way to achieve these and how to overcome them.

Revamping Education System

Our first challenge is to revamp our education system to enhance curiosity, critical thinking and proactive problem-solving amongst our youngsters. This will perhaps help many services companies to enhance their per capita revenue productivity. It will also help some member companies to succeed as product companies in the global market.

It will help services companies to transform themselves from reactive problem solvers to proactive problem definers and solvers for their global and Indian customers. The new education policy of my friend Dr Kasturi Rangan has made many useful recommendations. Nasscom therefore has a seminal role in exalting our higher education institutions to implement these recommendations with a sense of alacrity.

Champion English Language

English is the universal language of digitalization. English is also the language for mobility of IT professionals, going from one state to another in India. I am told that the maximum percentage of local people in a company is generally not more than 60%.

Therefore companies have to hire about 40% of professionals from other states. These professionals want schools in a pan-Indian, globally valued language like English for the education of their children. Therefore Nasscom has its role cut out as a champion for English.

Guide Private Companies

Most large Indian companies derive about 5% to 10% of their revenue from the domestic market. Very little of even this small revenue is from digitalization effort of public governance systems at the state and the central level. Most of this revenue, definitely during my time, but I am told even now, is either loss-making or at very low margins. There are many reasons why it is so. I will not go into the reasons here. Nasscom can prepare a recommendatory methodology for private companies to prepare talent for successfully executing government projects in India on time, within budget and with the requisite quality. Nasscom can also produce a manual to help governments in India to plan a digitalization project, to prepare a proper bid, to select the right vendor, to detail the requirement definition and to manage time, cost, productivity, quality, security, privacy and disaster recovery in developing and maintaining and operating large application projects for digitalization.

Improving Per Capita Revenue Productivity

The fourth issue is that the per capita revenue productivity of the Indian software services companies in a global hard currency like the US dollar has remained almost the same during the last 22 years. I hope I am wrong. It used to be at least so till 2014 when I was at Infosys. The depreciation of the Indian rupee from 45 rupees per US dollar in 2000 to rupees 78 per US dollar today has helped the Indian service companies to manage inflation and the increasing cost to some extent and to protect their operating margins.

Improving per capita revenue productivity in US dollars is clearly a company level issue. The focus of service companies has to shift from competing on price to competing on value to our customers. Our companies will have to bring innovations to increase the business value leverage. We must focus on BVA: the ratio of value delivered to customers to price paid by customers, which is called BVA (Business Value Addition). It is easy to see that the price can be higher if the business value to the customer is higher. This will also move our companies away from our tendency to commoditize markets and compete only on cost. Nasscom can create a group to share innovative ideas in this effort. We at Infosys have always believed that sharing ideas will only make the ideas better. In any case, the success of an idea is determined primarily by how well and how quickly you can execute it.

Excerpts from the Panel Discussion:


Rajesh Nambiar: Why do you call our IT industry’s growth as a revolution?

Harish Mehta: A thousand years of downward spiral of India was changed by the IT industry. When you arrest the downfall of the country’s economy, I call it a revolution. Today, we have a flywheel of around 60,000 startups. The original flywheel that was built by the IT industry has created positivity and optimism in the country.

Rajesh Nambiar: Tell us about the early days of Nasscom and what it should do today, according to you?

K V Ramani: Nasscom today is a glorious institution. It did not happen overnight. In the mid-eighties, we used to participate in the Software India shows arranged by the Dept. of Electronics. We used to have half a day seminars and we were not even allowed to put our logos in the slides when we made presentations. None of us was allowed to talk about our companies. We were only allowed to talk about ‘software in India.’ The audience and speakers were Americans. We were allowed to meet them only during lunch and thereafter, we had to seek personal meetings with them.

We were usually a group of 25 delegates and there would be fierce competition in meeting the American clients. But during the seminar, we were completely cohesive and put up a unified show and talk about India in one voice. Those days, some of the clients have even asked me, “Where is software in India? We’ve heard of only cows and saints on the roads in India.” One more client asked me, “Tell me frankly. Have you come here to buy software or to sell your software?” That was the state of our software industry then.

Today, 35 years later, even if you are a startup in San Jose and go to an investor, the first question they ask you is, “What’s your tie-up with India?” They say, “Get India into your startup. Then only, we will come here for funding.” That has been our transformation. Of course, we had many challenges. There was diversity of views but we all stayed together.

In the mid-80s, import duty on software was 235%. Year by year, it got reduced and we were also increasing the turnover. At one point, we picked up momentum and the Indian IT elephant started flying beyond even our own wildest imagination. Going forward, Nasscom has to take multiple avatars, because the industry has become more complex.

Rajesh Nambiar: Lakshmi, can you share your thoughts about Nasscom?

Lakshmi Narayanan: To those IT companies that started later, Nasscom was there to share the industry best practices and guide them not to make the mistakes which the veteran companies made in the beginning. It was not easy to learn from individual organisations but an industry organisation like Nasscom helped us greatly, as it collated information across the IT industry. Many new companies, thanks to Nasscom, could emulate the successes of previously started big companies. When Nasscom said something, people were willing to listen as they knew that Nasscom had no individual agenda and that they were not promoting any individual company. Its reports had credibility and were based on a lot of data analysis and research.

We have today great IT products used by the government like Unique identity, FASTag, Co-Win, the Income Tax system and Passport system, which can be used by populations around the world and not just in India. These promote ease of transactions and ease of doing business. Nasscom must focus on export of these products.

The other aspect is the technology itself and Nasscom is a key contributor to the government’s policy making in the technology area. Another strength of Nasscom is that it does not take more than it can chew. Though there were many requests to Nasscom to take on hardware also in its domain, it has consistently stayed away from it, saying ‘no’ to the proposal.

Rajesh Nambiar: Mr Murthy, what would it take for India to take up the cause of hardware, just like Nasscom has done for software?

Narayana Murthy: The reality according to me is that India missed the bus of the hardware industry as early as 1975. Fifty years ago, our bureaucracy made it so difficult for the hardware manufacturers to set up shop and succeed in India. In certain cases, the duty on raw materials was higher than that of the finished goods. I do not pass any judgements on them and they were all well-intentioned. It is now too late for India to pick up speed in hardware. 12 years ago, Intel came to India. They asked for some facilities. Our bureaucracy did not accept their request. As a result, they moved to Vietnam. For India to succeed big in hardware, it will lead to a lot of friction.

Rajesh Nambiar: What should India do to stay relevant in creating technology talent, especially with some new technology coming up every day?

Lakshmi Narayanan: Open innovation is a big thing that has happened. The idea travels so fast. So, research talent and capability is available, though not in the numbers that we want. The key people are there in India. To scale up open innovation, we need more and more talent. I know children in the age group of 14 to 18 who learn computer languages, AI models, neural links, etc. I am confident that people have the capability and capacity to learn and make progress. I believe we have cracked the problem of developing talent for the problems of today and the immediate future. Where we need to focus is developing talents for the future that lies much ahead.

Harish Mehta: I have two out-of-the-box ideas. One, at a very young age, make learning chess compulsory. It is a very low cost device and even the poorest of the poor can learn and start developing certain abilities as a child. Two, make coding and artificial intelligence compulsory for every student, right from the early years.

K V Ramani: We are in the 75th year of our independence. Yet, not even one educational institution of ours finds a place in the Top 100 of Times ranking or QS ranking. Even the IITs rank between 125 and 150. They do a great job, no doubt. I feel that it is a matter of policy. We have been too busy focussing on literacy and primary education, which could be at a demand at the country level. But simultaneously, we failed to invest in higher education, technical education and research. Most private universities in our country are beyond 700 in international rankings.

Every year, nearly 3.5 lakh students are going from India to overseas, primarily the US, for undergraduate education. If they go for PG for a specialisation, we can understand. Each student or their parent pays 30 lakhs a year. Imagine the impact on our national economy. Why is it that we have not ramped up our UG education to a level that we can meet with others? The new education policy is an outstanding document. We need to make the political, parental, student and academic community buy into it. This is the basis on which I started the SAI University. We want to be the first international university in India.

Narayana Murthy: Ramani’s crusade is extremely praiseworthy. One thing that we Indians lack is discussing our problems openly. Unless we do this, we will not be able to solve them. It is in our culture not to discuss our problems in the open.

I used to take part in customer surveys and analyse them very carefully for 33 years—between 1981 and 2014. The general consensus was that our people were excellent in doing what they were told to do. “But your people would not tell us if there was a problem in our business process and how they can suggest us to make it better,” was the feedback, by and large. That is why I talked about the importance of Business Value Addition (BVA). AI or programming is the easy part. What is important is moving from a reactive problem solver to a proactive problem definer and solver. There are a few good universities coming up which are trying to arouse curiosity, analytical thinking and proactive problem solving. That is what this country needs.

A nation becomes vibrant when there are independent thinkers. The late Robert Kennedy once said, borrowing the words of George Bernard Shaw, ‘Some men see things as they are, and ask why. I dream of things that never were, and ask why not.’ That, to me, should be the purpose of our education system.

Recent Trends in Cyber Crimes


MMA-KAS in partnership with Digital Security Association of India (DiSAI) organised a discussion with Mr V Rajendran, Chairman, DiSAI; Mr Amaraesh Pujari, IPS, Director General of Police, Cyber Crime Wing, TN; and Mr Shiva Balaji, Cyber Security Professional and Founder CEO, Bitlock Online Solution Pvt Ltd. The following are excerpts from the talk by Mr Amaraesh Pujari.

We live in an age where the success of our economy, our internal security, our defence and indeed the entire gamut of our existence relies on the power of IT and how efficiently we are able to harness the incredible and huge potential of IT resources. The efficient harnessing of IT resources has transformed the destiny of our nation, making India one of the most notable economic, technological and military powers in the world today. But unfortunately the same IT resources also make us hugely vulnerable to a whole plethora of risks. This is because the entire edifice of IT infrastructure was not designed so much for security, but mainly for ease of operation, efficiency and interoperability—the driving forces behind the evolution of the huge globally interconnected cyber space, within which the nations, industries, companies and individuals function. Every day, our critical infrastructure comes in the crosshairs of inimical forces. Every day, thousands of our innocent people become unfortunate victims to cyber criminals who are out there, just to make a fast buck. It is quite unfortunate that these tidal waves of cyber crimes that threaten to engulf us go unabated. Fortunately, we have not, as yet, had a situation like the one faced by a nuclear reactor in Natanz in Iran: the Stuxnet worm stopped the nuclear reactor operating there. But we should be alive to the threat of weaponisation of malware. What we are facing today is primarily a wave of cyber financial frauds. We have a national portal to report cyber crimes; not that every cyber crime gets reported, but the bulk of them get reported. Even with less than 100 percent reporting of the cyber crimes, every day we get 2,000 to 3,000 cases reported. In India, cybercriminals make 12 crores every day. That makes it more than 4,000 crores every year. 80 websites are hacked every day. It is estimated that 2 lakh mobile numbers are active in our country that are out to scam the people.
Ransomware is making its presence felt. You would have heard the case of the attack on Oil India quite recently. More and more such cases are coming to our notice. This is just a snapshot of the gravity of the situation that stares at us. Let me touch on a few recent trends which keep us busy in crime detection and prevention.

The Loan Apps

Taking advantage of the downturn of the economic situation of many people due to the pandemic, loan apps have mushroomed in our Play store. These apps provide you with a loan of a few thousand rupees with exorbitant interest rates. One is not bothered about the interest rate when one needs a few thousand rupees immediately. The daughter of one of our family friends went to a restaurant with three of her student friends. She was short of just 500 rupees. One student had a brilliant idea and said, “Let’s download a loan app and get a thousand rupee loan.” They downloaded the app and immediately a thousand rupees got credited to her account. They paid the bill and came out. Immediately, a phone call came that she had to pay ten thousand rupees within one hour, though the time given in the app was three days. When she protested, the caller threatened to dial all the people on her contact list and morph her profile photo. How do you think this happened? While downloading the app, we say, ‘yes, yes,’ to all the permissions that are asked for. We hand over our entire life, on a platter, to the fraudster. She didn’t believe it at first, but when she started getting phone calls from her relatives and friends that somebody was telling a lot of negative things about her and her family, she got alarmed and informed her dad. After that, we solved the case. This is the menace of the loan apps, which are all illegal. We have busted 79 such apps so far. We wrote to Google and we have taken them out, but more loan apps keep mushrooming.

Phishing Links

Quite often, we get SMS or email informing us that we have won crores of rupees in a lottery. If you click their links or start engaging with them, you will get conned. The most prominent one among them is getting a phone call. They deliberately target rural areas where awareness is not much. But in my service, I have seen that even the best of educated people have been conned, including those in the banking and IT industry. You may get a phone call, supposedly from a banker, that a 2 lakhs cheque issued by you is going to be presented. The fraudster might get your name from TrueCaller. You say that you have not given the cheque. The fraudster says, “Then you can lodge a complaint at the police station. Or else, I will send you a link. It will be either—Yes or No, that is: pass my cheque or don’t pass my cheque.” The fraudster puts pressure, and you click the link and select the ‘No’ option. Within ten minutes, Rs 40,000 may get debited from your account. We also see a lot of cases asking people to click a KYC link, provide details for KYC or update the Aadhaar number. If people don’t respond, they threaten that the account might be closed. To issue a new ATM card, they will request you to click a link. Again, within minutes of your clicking the link, your money will be gone.

Job frauds and other scams

Then there are a lot of job frauds. Fraudsters exploit the unemployment scenario. People are bombarded with fake job offers. The catch is, you have to deposit some money and that money never returns. Another kind of a scam that we are noticing is the search engine scam. Suppose you get into a problem during netbanking, you try to reach the helpline of a bank through Google. It could be a fake helpline where you reveal all your sensitive details and get conned. We come across many cases of social media impersonation. A professor known to me called me frantically one day saying that he just transferred Rs 40,000 to his Vice Chancellor because the latter had met with an accident and he got a message, “I am not in a position to speak. Please transfer 40,000 rupees. I am in this hospital. I will return the money in two days after I get discharged.” The professor requested me to put in a word to the hospital authorities for his treatment. I said I will be very happy to do so but asked him if he was sure that his Vice Chancellor sent him the message. The professor said that the message carried the VC’s profile photo. “Anyone can put your photo as their profile photo.” He later realised that his VC was hale and healthy and that he was defrauded of Rs 40,000 by a scamster.

Sometimes, you may get a call that there is an IT refund for you and you have to enter some details by downloading a new app that the IT department has come out with. When you download that app, whatever you enter gets mirrored to the fraudster including the password that you enter. Another type of scam is that you may get a message that Rs 40,000 got deposited in your account. You may wonder who gave you this money. Within minutes, you will get a call from a person that he wrongly deposited the money in your account, maybe because he entered one digit wrongly. As he needs the money urgently, he will request you to transfer that money to his account. As a good citizen, you also transfer that money from your account, only to realise that Rs 40,000 was never deposited, the message was fake and you have transferred from your account balance. Therefore, please be very careful. Never download suspicious apps or suspicious QR codes or click any unknown links. You have to save yourself. You don’t have to believe the unknown caller.

1930: The Magical Number

Government of India has taken a lot of steps. A National Critical Information Infrastructure Protection Centre has been created under 17A of the IT Act to safeguard our critical infrastructure that houses companies and their offices. Another very good initiative is the Cybercrime Coordination Centre. This is the main coordination centre that operates under GOI’s Ministry of Home Affairs. Now, a National Cyber Crime Reporting portal has been created. Anybody affected by cybercrime should upload the details in this portal: https://www.cybercrime.gov.in/

Most importantly, one cyber helpline number has been created. It is 1930. You may take a lot of precautions, but in spite of that, suppose you fall victim to one of the cyber fraudsters and lose some money, is it gone forever? If you report to 1930, the money lost by you can be frozen by the banks and returned to you eventually. Just like we talk of the golden hour in case of medical emergencies, here also, we have the golden hour. If you report within one hour of the cyber crime, there are very high chances that the siphoned off money will be safely returned to you. Please store this number in your mobile as Cyber Crime Emergency Helpline and share this widely with people in your circle. Your 1930 call will land in our control room which is connected to the banks. Then a message goes to the concerned bank to freeze that amount. Your transaction will be frozen and with the help of the bank, you will get back your money. Banks prefer that fraudulent transactions should be reported to them within 72 hours, but don’t wait for 72 hours. The criminal can encash your money through some ATM or other means. Then it becomes a cost prohibitive exercise to send a team to another state because most of the criminals are located remotely. So the best way is to reach us within one hour of the occurrence.

State Cyber Command Centre

In Tamil Nadu, we have opened a State Cyber Command Centre. I invite you to visit it sometime. We have opened one cyber crime police station in each of the districts. Tamil Nadu was the first state in the country to open a dedicated cyber crime police station in each district. Going a step ahead, we are opening a cyber cell in each police station. If your complaint is non-financial in nature, for example, somebody is morphing your photo and misusing it, then you can upload it in the NCCRP portal: www.cybercrime.gov.in. It will reach the concerned police station. The Kavalan-SOS app also has a facility to report cyber crimes. I urge all of you to download this app because it is very useful. It has dozens of citizen services that the Tamil Nadu Police offers to the citizens. In fact, the necessity to go to a police station is more or less obviated, if you have this kind of app in your mobile phone. This is not only for your safety but it is a crime prevention tool. For example, you may want to verify your domestic help that you have hired or your tenant. You want to buy a vehicle and check if it was involved in a crime case or not. All these can be done through the app.

What more needs to be done?

Are we really able to control cyber crimes? Well, not to the extent that ideally I would have liked it. Much more needs to be done. I believe that banks have a central role in preventing financial cyber crimes. Only with the cooperation of banks, these crimes can be prevented. Here are a few suggestions:

  • In any money debit messages, banks can include the wording: ‘If you suspect any fraud, please call cyber crime helpline number 1930.’
  • The KYC system needs to be made stronger.
  • Many financial crimes happen on weekends. Banks may tighten slacks, if any, normally found during the weekends.
  • When an account is opened with the bank, banks should give the customers a white list consisting of three or four numbers, only through which, the banks will contact them. Other numbers are to be considered as ‘unauthorised’ or ‘fraudulent.’
  • People call with fictitious numbers. The telephone companies can work with IT departments and ensure that the KYC number of the person is also displayed with the call.
  • When an OTP is sent, add details such as ‘Your OTP for withdrawal of Rs 10,000 is…..’ and so on. Some banks are doing this and this may be practised by all banks.
  • TrueCaller must be updated with all scamster numbers, so that their calls are marked as ‘scamster.’
  • Using CSR funding, banks must build awareness against cyber crimes.
  • Catch people young. Make cyber security part of the school syllabus.

Tips on Using the Mobile Securely

Mr Shiva Balaji shared tips on using the mobile phone carefully:

  • In India, there are many people who do not even know how to use an ATM card, especially in rural areas. They need to be educated.
  • Remember, the phone is using you more than you are using the phone.
  • Be wary of your mobile camera during usage. People carry the mobile to all the places including bathrooms. With the camera enabled, there are chances of the phone being hacked, in which case, not only the one who carries the phone but also those who are near that person may also be watched or under surveillance.
  • Hackers manage to give fake ads to Google, and by the time Google realises it, 10 to 12 hours could have passed, by which time a lot of damage can be done.
  • Check for fake websites. There will be some difference between the original and fake. Validate every website and look closely for any spelling mistakes or odd things in the website.
  • There are many cases of sextortion. If you come across such cases, please confide in your parents and report them to the police. If you yield to sextortionists, you can never come out of the threats. Multiple students have contacted me to bail them out as they have been hacked during video calls.
  • Banks must look at possible technical issues and review if the protocols in place are adequate. For instance, we could demonstrate a case of a bank account being opened in a person’s name and debit card issued, without the person being aware of it.
  • Be careful before giving various permissions to apps. Review the permissions.
  • Do not download any app by clicking a link. Download apps only from Play Store.
  • If you suspect that your phone is being hacked, format it to factory settings, after ensuring back up of your photos and contacts. Do not take back up of Apps. After formatting, download the apps that you need from Play Store.
  • There are many job offer scams. The scamsters look not just for money but also for information. Do not share your sensitive information with unauthorised or suspicious persons.
