New DPO Program from Naavi and FDPPI

In anticipation of the release of the rules within this weekend as hinted by the secretary of MeitY a two day physical training program is being contemplated in Mumbai on November 1 and 2. The program will be from 10.00 am to 5.00 pm and held in a hotel in Andheri. (Proposed Venue: Treebo Amber International, Sakinaka, Andheri)

The coverage would be

  1. Legal nuances of DPDPA and the DPDPA  Rules
  2. Classification of DPDPA protected Data (DPD)
  3. ROPA as a strategic tool of Compliance
  4. Governance  Structuring for meeting the obligations under DPDPA by a Data Fiduciary
  5. Technical challenges of Management of Legal Basis for processing and Rights of Data  Principal
  6. AI and its challenges in meeting the obligations
  7. The Roles of DPO and Data Auditor in the DPDPA era
  8. Use of DGPSI as a Compliance Management framework
  9. Discussions and case studies

The training would be priced at Rs 15000/- plus GST. (Total Rs 17700/-)Participants would be provided with participation certificates and 12 hours of CPE.

Registration for examination for Certification would be optional.  The fees for examination would be Rs 10000/- plus GST (Total R 11800/-)

The total fees for those who register together would be Rs 25000/-. plus GST. (Total Rs 29500/-)

An early bird discount is provided for registration upto 15th October 2025

  1. Early bird discount for training Rs 3000/- Net fees Rs 12000/- (Rs 14160/0)
  2. Early Bird discount for Examination: Rs 2000/-. Net fees Rs 8000/- (Rs 9440/-)

Net price of  the training with certification exam with early bird discount is Rs 20000/-. (Rs 23,600/-)

The three books namely “Guardians of Privacy…”, “DGPSI, he Perfect  prescription…” and ” Taming the twin risks of DPDPA and AI with DGPSI-AI” would be the reading material. The kindle versions of all three are now available and are recommended for purchase for preparation for the exam which will be open for the batch after November 20th.

Naavi

PS: In the unlikely event of the DPDPA rules not being notified, a free Virtual session would be conducted subsequently to all the participants.

Registration Process :Please visit here

Posted in Privacy | Leave a comment

Logistics Intermediaries should be held liable for fraudulent E Commerce deliveries

Success in E Commerce is a combination of technology, supplier chain, pricing strategy and delivery efficiency.

Amazon undoubtedly is in the forefront of e commerce companies and other competitors are unable to catch up in the breadth of product range and pricing.

Many users see product advertisements on Facebook but often prefer to buy from Amazon the same products which may be available in the manufacturer’s website also.

One of the hidden reasons for which Amazon has succeeded  in getting this customer confidence is that the frauds of wrong products being delivered by vendors is reasonably controlled.

Recently, I had an occassion to dispute a supply on Amazon which was not the product ordered. The product supplier was perhaps not  prepared to take the return. But Amazon without question refunded the money even though the product  was not returned.

No doubt, Amazon might have suffered a small loss in the transaction but the customer confidence they would have gained is worth more than that.

On the other hand I recently ordered a product based  on a Face Book advertisement from a site called Apwety and the order was fulfilled by Delhivery.  (Product was not available on Amazon). The product delivered was different and when I checked, this was the experience of many others (Details).

What this indicates is that the customer is a noted fraudster and Delhivery was supporting the fraudster by being the delivery agent for the fraudulent company.

In terms of legal liability of a fraud of this kind, the responsibility has to be considered as “Shared”. In a situation where the Delivery partner is a bigger entity and the end  fraudster is a relatively unknown company, the possibility of legal liability being claimed from the delivery partner is high. The question that one is the principal and the other is the agent has minimal impact and depends on whether the agent is a disclosed agent or not. Also it is only a matter of investigation if the products were switched by the delivery partner or at the source itself.

Hence when an FIR is filed, it will have to be filed against both the E Commerce operator and the delivery partner with “Joint and several responsibility”.

In the instant case, Apwety and Delhivery are therefore jointly and severally responsible for the fraud. On further enquiry it is found that the details on the MCA website about the company representing Apwety has details of promoters which  the registered promoter claims is incorrect since he has sold  his company to another person. This means that Delhivery has not done proper KYC  on their  vendors at the time of their onboarding.

In a parallel case in a Bank scenario, if a customer whose KYC is improper commits a fraud, the Bank  has to take the liability. This is the principle established first with the S.UMashankar Vs ICICI Bank case which was personally handled by me and thereafter several cases in which decisions have been given by the Adjudicator of IT and TDSAT. (In Umashankar case the judgement was endorsed further by the High Court).

Hence if a complaint is formally launched against Delhivery and the E Commerce partner together, Delhivery would be liable to  fulfill the claim and try to recover it from the vendor.

From my experience with Delhivery, an intelligent guess is that there are perhaps hundreds of  fraudulent transactions and scores  of fraudulent customers that Delhivery is supporting. If a formal investigation is launched, it would cause a serious damage to  the company.

The objective of pointing this out  is not to bring disrepute to the Company but to highlight that many companies like this have no understanding of the Risks they run because of the company they keep.

It is in this context that I observed that Delhivery has 8 independent Directors who are expected to be the experts who provide advise to the company on such matters as against three executive directors who may be taking care of Finance, Technology and HR.

This also opens up a thought whether there is any strategy of the entrepreneurs to have 8 non executive independent directors to three executive directors and whether each of the independent directors represent a specific expertise.

Ideally a company should ensure that each of the independent directors take some informal responsibility of managing one area of operations either to assist revenue increase  or  reduce liabilities which are hidden costs.

In today’s world , there are several legal compliance issues that are hidden liabilities for a company and it requires close monitoring. ITA 2000,DPDPA and AI are three such risks that need close monitoring and it  would be a good strategy for organizations to ensure that specific independent directors are assigned oversight responsibilities  to assist the Compliance officer, DPO and the  AI Governance manager.

Naavi

Posted in Privacy | Leave a comment

Can we break out of the shackles of the Big Tech Control of our Policies?

After the Minister of Railways and IT , Mr Ashwin Vaishnav publicly pleaded the Meity Secretary to confirm the date of release of the final rules related to DPDPA, one thought that there will be no turning back.

But it appears that the department still ignored Mr Vaishnav’s soft directive  to release the  rules by September 28th and prioritized the release of the draft rules on the PROGA 2025 which is anyway going to be delayed through a challenge in the Court.

Assuming that the MeitY is not defying their ministerial head, we can presume that the department is working on how the DPDPA rules can be used to give a strong reply to Mr Trump for his Tariff and H1B Visa attacks on India.

Mr Vaishnav has also encouraged  ZOHO and his simple sentence that  he is shifting to Arattai  has created a big wave in favour of ZOHO. We also understand that CHINA is allowing ZOHO to operate in their country to erode Microsoft further.

But so far, Microsoft, Adobe, Google, Meta and Amazon has controlled all narratives of policy in Indian IT. We have many times the practice of sharing proposed drafts of legislation with these US based Tech companies and heeding to their advice. NASSCOM unfortunately is in the control of these giants and hence this consultation with the industry  often means seeking the permission from them to go ahead with our legislation.

We hope at least now MeitY shows its own commitment to Indigenisation by making “Personal Data Localization” mandatory within the next 6 months. We should also ensure that none of the DPB appointments should be based on the recommendations of Meta/Google/Microsoft. Alternatively Data transfer outside India should be subject to a special tariff.

We should also work for reducing our dependencies on the US IT services and encourage ZOHO, Jio, OLA and other Indian entities to take over the work which Meta, Google, Adobe, Amazon, Uber and Microsoft are doing today.

It is high time we create a new independent ministry on IT and appoint a suitable technocrat to head it.

Naavi

Posted in Privacy | Leave a comment

Draft Rules for PROGA 2025

While all of us were waiting for the Final Rules for DPDPA to be released, Meity came up with “Draft Rules” for public comments related to Promotion and regulation of Online Gaming Act 2025 (PROGA2025).

Details of the notification are available at www.proga2025.in

The public comments can be submitted by 31st October 2025 by email to ogrules.consultation@meity.gov.in

The draft rules can be accessed here: 

Explanatory notes for the rules can be accessed here

The essential aspect of the rules is the formation of a regulatory body with a Chairperson and Five other members. Three members  will represent the ministries of Information and Broadcasting, youth Affairs and Sports and financial services. Out of the other two one would be a person having special knowledge of and experience in law. The regulatory body may take the assistance of experts as may be necessary.

It is proposed that any online  game service provider intending to seek recognition and registration of an online game as an “Online Social Game” or “E Sport” may on his own volition make an application.

The authority may “Suo moto” or on the basis of application made determine whether an online game is an online money game or otherwise. If a service is considered an “Online money game”, the service shall be stopped immediately and further action may be initiated by the Government.

Naavi

Posted in Privacy | Leave a comment

Fraud by Apwety in connivance with Delhivery

I am enclosing the different comments of people on Facebook related to the fraud being committed by the company Apwety in connivance with Delhivery.

https://www.facebook.com/groups/1384918328774124/posts/1624552254810729/ 

The despatch was made in the name of Plasto Creative Solutions Pvt Ltd. and one Mr Prateek from this company has stated that Plasto Creative Solutions Pvt Ltd was his company which he has now transferred to another person. However Mr Prateek has not been sharing the information of the person who according to him is in control of the company.

Delhivery support has stated that they are only delivery agents and cannot take responsibility for the product. However they are responsible for assisting a fraudulent company and therefore can be held liable. 

I have tried to contact Mr Sahil Barua the  CEO of Delhivery and he is yet to respond. 

Apwety contact details available are 

Company Name: Yiwu Kangli Trading Co., Ltd. First Floor, Unit 2, Building 31, Qingkou South District, Jiangdong Street, Yiwu City, Jinhua City, Zhejiang Province: E-mail: support@dedseov.com: Tel: +917806800166

Plasto Creative Solutions  has the following contact details

B 128, First Floor, Sector-2, Noida, Gautam Buddha Nagar, Noida, Uttar Pradesh, India, 201201:  +91-9784540371:  admin@plastocreatives.com

Registered office: E-22 Sector A-5/6 TDS city (Tronica city)NA-Ghaziabad-Uttar Pradesh-201102-India

Delhivery has its headquarters at

Gurugram: Plot 5,sector 44 Gurgaon, Haryana – 122001 and has offices in many other cities.

Mr Deepak Kapoor  is the Chairman and Non-Executive Independent Director and  Mr Sahil Barua is the Managing Director.  The Company seems to have only “Independent Directors” and Mr Sahil Barua, Suraj Saharan and Kapil Bharati are the other non-independent Directors. This structure of designating every body as “Independent Directors” itself indicates avoidance of liability.

All the three companies  are jointly and severally liable for the fraud and I request police in UP to file a suomotu case on all the three companies so that this Chinese Company and  its agents in India are brought to book. 

MeitY also should consider blocking this website dedseov.com as a “Fraudulent Domain”.

The domain dedseov.com has been registered by Godaddy who is hiding the fraudster’s identity. By holding back the information of the registrant, Godaddy.com is also collaborating with this Chinese company and is co-responsible for the fraud. Send your complaint to abuse@godaddy.com

I request some body in UP to file a complaint with the Police so that the intermediaries who are assisting the Chinese company in this e-Commerce fraud are made to pay for their complicity.

Naavi

Posted in Privacy | Leave a comment

Who should configure Guardrails for AI?

FDPPI has published a framework of compliance of DPDPA in the AI  environment titled DGPSI-AI. This is a framework which extends the basic DGPSI framework meant for DPDPA compliance taking into account the increased risk when a Data Fiduciary is exposed to the risk of AI. The basic objective of DGPSI-AI is to ensure that risks of possible DPDPA non compliance when an AI driven software is used for processing of personal data is adequately mitigated.

AI Risk is basically “Unknown” and “Unpredictable”. If we consider the various instances of AI hallucination in recent days, it appears that the developers of AI models have either not configured them properly or AI is inherently not amenable to elimination of hallucination risk.

The safety measures that one can take to mitigate what are what are referred to as “Guardrails” and are embedded into the system to modify the behaviour.

In our previous article, we categorized AI from its behavioural perspective to three types namely  adaptive, Creative and Rogue. Each of these behavioural traits could mean that the risk management measures to be taken by a deployer needs to be different for each of these behavioural traits.

These are the behavioural expressions in the usage context irrespective of whether  the AI was created as an Ethical, Responsible, Transparent and Accountable model and takes into account the risk that an AI may behave in a manner  not necessarily how it was meant to work like.

Obviously, a user and perhaps even the developer would not like the “Rogue” behaviour. But the other two modes “Adaptive” and “Creative” are two types which are both useful in different contexts and perhaps should be configurable.

Guardrails are to be created initially by the developer and if he embeds some open source LLM, should take care that guardrails created by LLM developer also are preserved and  enhanced.

What we need to further discuss now is whether  the responsibility for guardrails rests only with the Developer but also extends to the deployer and the end user.

What we mean by “Adaptive” in this context is a “Deterministic” behaviour where the AI strictly responds within a defined pre-trained data environment or a defined operational data environment. Such AI can be placed under a strict leash with the supervision of a human so that it can be adapted to the  compliance requirements without the risk of its hallucinating instincts to deviate from the pre determined behavioural settings.

If the  pre-training of a Generative AI model is based on a training data different from the user data environment, then there is a possibility that the AI model may still exhibit “Bias” and could therefore still be considered as “Unreliable”.  The developer may place his own guardrails including using AI outputs under strict human oversight so that no output is directly exposed to an external customer. In such cases all risks of inappropriate outputs are absorbed by the human  supervisor who authorizes the release of the output to the public.

In DGPSI-AI it is mandatory for every AI deployer (also AI Developer)  to designate an accountable “Human Handler” along with an “Explainability Statement”.

In such a context the AI is used in the traditional format of a software tool used by humans and the “Unpredictable” risk becomes an “Absorbed Risk” of the Deployer.

However, it is still possible that the AI is used in an Agentic AI form or with prompting from a user while it is being invoked.

In the case of the Agentic AI mode, the definition of AI agent and the workflow includes the human instructions and hence the person who configured the Agent should bear the responsibility and accountability for its behaviour. If there is any guardrail for the Agent, then it should be part of the Agentic AI functional definitions.

On the other hand, if we are using an AI with prompting  at each instance, the responsibility to ensure that available guardrails are not bypassed or existing guardrails are reinforced lies with the user who is prompting the model. The responsibility for guardrails is therefore with the end user of the model.

The summary of these discussions is that “Guardrails” are not the sole responsibility of the developer but is also the responsibility of the deployer, creator of the Agentic AI (who may be part of the deployer) and the end user.

Similarly the Kill switch is the responsibility of the developer but should not be overridden by the deployer or the end user in his prompts.  This is not only an issue of “Ethical use” but also the responsibility of designing of the Kill switch.

DGPSI-AI expects that apart from the deployer taking the responsibility for implementing his own guardrails, the developer should configure the Kill Switch in such a manner that it cannot be overridden by prompt. Ideally the Kill Switch should be configured to be an independent component and not accessible to the AI itself and incorporate a self destruction capability in case of an attempt to override the kill switch (or a mandatory guardrail) is recognized.

These are the expectations of the DGPSI-AI on behalf the Compliance auditor in the interest of the data principal whose personal data is processed by an AI. I would welcome the views of the technology experts on this matter.

Naavi

Posted in Privacy | Leave a comment