How Sound is DPDPA on Fundamentals

DPDPA 2023 became law on August 11, 2023. In January 2025 MeitY issued a notification of draft Rules and opened them for public comments. However, till today the Rules have not been notified, raising speculation that the Government is not serious about bringing the law into force.

More recently, however, NeGD jumped into the fray by announcing a “Coding Competition” to encourage the private sector to develop a “Consent Management System” which can be integrated into data fiduciary systems through an open source platform. For the purpose of this competition, NeGD has issued a “Business Requirement Document” (BRD) which outlines some of the expectations of such a system. This document is not an extension of the Rules, but because NeGD is part of the Digital India Mission there is a misconception that the BRD is a detailing of the “Consent Management Requirement” under the Rules.

It is also reported that MeitY has made a reference to the Attorney General for a clarification on Section 44(3), which deals with the impact of DPDPA on the RTI Act.

Additionally, the Digital India Corporation (DIC) has called for the appointment of a “Consultant” to develop the digital office of the proposed Data Protection Board.

These developments indicate that MeitY is actually trying to finalize the Rules and notify them at the earliest.

In the meantime, two questions have been raised in professional circles about whether DPDPA has fundamental flaws in its definitions of the terms “Digital” and “Personal Data”.

As readers of naavi.org are aware, we had published a series of articles under the title “Shape of Things to Come” before DPDPA 2023 was enacted, indicating our wishlist. We have also been discussing many other aspects of the law and how it can be interpreted for initiating compliance in the industry.

Without going into a debate on what more could have been done and what has been missed, our approach is that a proper interpretation of DPDPA 2023 can lead to the development of jurisprudence which can take care of many of the perceived shortcomings.

Hence we restrict our discussion here to the two points, the “Definition of Digital” and the “Definition of Personal Data”, and whether they could weaken the law significantly.

Digital:

According to Section 37(3), the expressions “Information” and “Computer Resource” in the Act have the same meaning as in ITA 2000.

Under Section 2(1)(v) of ITA 2000, “Information” includes “Data”; “Data” in turn means a representation of information in any form that is intended to be processed, is being processed or has been processed in a computer system (including computer printouts); and “Electronic form” covers information generated, sent, received or stored in computer memory, magnetic or optical media or similar devices.

In view of these definitions, the word “Digital” extends to any “Binary expression”, and through Section 37(3) this reading extends to DPDPA, so that even quantum pulses or neural data may be considered “Digital”.

Only those documents which are manually prepared and meant to be used manually for ever are outside the scope of DPDPA as regards “Protection of Privacy”.

Hence the principle “DPDPA is only for Digital Data” does not significantly affect the privacy rights of an individual. Further, the law is meant for “Processing of Digital Data by a Data Fiduciary”, and hence the omission of “Oral data” which a “Data Fiduciary” neither records nor stores nor transmits on digital media is of little consequence. It would not be out of place to say that in today’s corporate world there is no information which is not digital.

The moment any manually collected personal data is converted into digital form, it comes within the scope of DPDPA.

Definition of Personal Data

There is a view that Personal Data is defined as “any information about an individual who is identifiable with reference to the data”. The objection raised is that if there is any information owned by a person which does not identify the person, it can be used by others without restriction. Also, if the data is currently identifiable but later anonymised or de-identified, it can be used freely, and this is argued to be unfair.

Here again we need to refer to IPR law, which protects data of a person having IPR value, whether through Copyright, Trademark or Patent rights. These rights are however linked to the voluntary disclosure of ownership and can be compulsorily opened up if there is public interest.

Personal data, on the other hand, has two components, one of which is the identity and the other “Information without identity”. When information is de-identified or anonymised, the data which was personal becomes relatively “Non Personal” and useful to society for statistics or other purposes. This is one of the balancing features of the law, which tries to ensure that in the guise of Privacy we do not restrict society from being benefited.

We must also appreciate that by recognizing the “Right to Nomination”, DPDPA recognizes the ownership of personal data by the individual and then leaves it to his discretion to provide consent for its use in an identifiable form. Derived data in the form of de-identified or anonymous data, which does not affect the privacy of the individual, is outside the scope of this Act, like corporate data or environmental data.

There are certain issues related to the definition of personal data which we have discussed earlier, such as

1. Defining Personal Data under Naavi’s theory of Privacy (“Nee Maayeyolago, Ninnolu Maayeyo”)

2. Interpreting “Personal Data” and “Business Contact Data” under GDPR

3. Personal Data should be considered personal property

4. Difference between “Personal Data” and “Protected Personal Data” under DPDPA

    The essence of most of these discussions is that “What is personal and What is not personal” is the choice of the individual, and hence the definition ultimately gets tied to “Consent”.

    As long as some information can neither damage the personal reputation of an individual nor create mental disturbance if it is in the hands of another person, the issue of “Privacy” should not arise. If there is any value in the information without identity, that should be protected under IPR laws. If there is misuse of de-identified information, action can be taken under ITA 2000 as a cyber crime.

    Hence it is my view that the lack of a detailed definition of “Digital”, “Personal Data” or “Ownership of Personal Data” is not a significant fundamental flaw that can be held against DPDPA 2023.

    On the other hand, DPDPA 2023’s adoption of the “Data Fiduciary” principle in place of the “Data Controller” makes it a hugely superior law to GDPR, since every data processor needs to ask himself whether he is a “Data Fiduciary” and, more so, whether he is a “Significant Data Fiduciary”, and ensure not only the obligations specified but also the duties specified in the law for both the data fiduciary and the data principal, whether the processing is done by the data fiduciary or his agents.

    No law can be drafted as “Perfect”, less so a law that has to balance the undefined right called “Privacy” with “Business interests” and the “Governance and Security of the nation”. The interpretations will emerge initially through professionals, later through Courts and subsequently through further amendments.

    We need to be patient and let the law run.

    Naavi

    Posted in Cyber Law | Leave a comment

    “Role Based Data Access Management” needs to be redefined for DPDPA Compliance

    “Role based Data Access Management” (RBDAM) is a common principle in data access management. In a properly structured RBDAM, access permissions to data are configured based on the functional role of an individual rather than an administrative designation such as “Manager” or “Vice President”.

    However, for efficient management of DPDPA responsibilities, it is essential that “Personal Data Access” is restricted to those who manage the process related to the “Purpose” for which “Consent” has been provided by a Data Principal.

    “Role” in this context should mean the “Purpose” of processing. The “Purpose” is closely linked to “Consent” except in the cases where “Legitimate use” or “Exemption” is the legal basis for processing. Hence Role Based Data Access Control (RBDAC) should mean “Purpose Based Data Access Control” (PBDAC). This concept is better understood if we term it a “Consent based Data Access System”. In the case of legitimate use or exemption based processing, the “Consent” comes from the legal department or top management of the company, which the process owner may still treat as “Consent as far as he/she is concerned”.

    Constructing PBDAC

    Personal Data in an organization originates for two basic purposes, namely “Marketing” and “HR”. The means of processing may be functionally managed by the IT team assigned to the processing of data. DPDPA recognizes “Data Fiduciary” status based on the determination of “Purpose and Means”, and sometimes this responsibility may be shared by multiple organizations who may all be Joint Data Fiduciaries.

    The means of obtaining the Personal Data required for HR is handled directly by the HR department as part of the recruitment process. The collection may however be predominantly handled through external agencies for short-listing of candidates or background verification. Independent background verification agencies may be “Joint Data Fiduciaries” in most cases.

    The means of obtaining Personal Data for Marketing is mostly dictated by the technology of scraping information from different sources and processing it to profile the people behind the information before they are converted into an “Identified Target for Advertising”. The means of such collection is often driven by the R&D or Data Analytics departments in the organization.

    Many other departments of a company, such as Finance or Purchase, handle personal data of a different kind, namely “Business Contact Data”, where the information is declared as usable for business contact. Whether “Business Contact” is a purpose similar to “Marketing” or “HR”, or is to be considered “Not Personal Data” in the DPDPA sense (which originates from the concept of “Privacy as a human Right”), is a moot point. We shall leave this discussion to another day.

    In order to set up a data access system based on “Roles” that is also compliant with DPDPA, we need to understand that “Roles” are not related to administrative roles such as Chairman, MD, VP, GM etc. Nor should such roles be indirectly recognized through a hierarchy of CEO, CTO, CFO, CMO etc.

    For effective DPDPA compliance, role definitions should be recognized at a more granular level. For example, if CxOs are policy makers, they do not need access to “Identified Personal Data” but only to “Categorized and grouped data”. The CEO therefore need not have access to identified personal data held by the organization, except that of the group of CxOs he directly monitors. The CEO’s log-in to the corporate database therefore need not have access to the customer data handled by the marketing department nor to the personal data of all employees.

    If the CEO has limited access to identified personal data, the possibility of a data breach through his laptop or mobile being compromised or lost is lower.

    In evolved organizations, this “Modified Role Definition” delinking the administrative role may already be in practice, at least at one level. Accordingly, a security analyst may configure a firewall but may not be able to view customer data, while a sales rep can see customer data but cannot touch firewall settings.

    However, this discretion may or may not be carried through to the level of the CEO or Directors, who may have complete access to the system by default even though they may not have the time or inclination to use it. Similarly, the “Admin” may sometimes have access to all identified personal data at the granular level though he has no need to access it.

    The challenge therefore is to identify a set of personal data, associate it with a “Purpose” for which it is being processed in the organization, and provide access only to those persons who need it to carry out the purpose. Everybody else should be shut off by default, though they may be given access on request from time to time for a specified purpose.

    Some companies may have taken a re-look at corporate designations themselves, avoiding traditional designations such as VP, GM etc. and using technology oriented designations such as “Process Head” or “Process Group Head”. This could be adopted by others also, as it clarifies the “Purpose” in the designation itself.

    Under DGPSI (Data Governance and Protection Standard of India), it is suggested that an organization’s business is broken up into multiple “Processes” and each process is assigned a “Purpose”. Any personal data which the “Purpose” requires is made accessible through a gateway open only to that purpose. All the workforce who are required to process the data for that purpose are provided access through this single gateway, so that they get access only to such data as is part of the process.

    It is possible that the “Data Store” contains all sets of “Personal Data” and that each set contains several personal data parameters, not all of which are required for one process. In such cases the process handlers are expected to have access only to the parameters of personal data required for fulfilling the purpose. Hence, instead of giving access to “Data of Mr X”, access is given only to the “Part of the Data of Mr X” that is relevant for the purpose.

    This architecture requires a “Personal Data Store” in which “Groups of Data Elements in each personal data set” are identified with a “Purpose/Process tag”. Such sub-groups will have their own “Consents” from the data principals, with specific conditions which need to be monitored separately. The personal data set identity therefore has to be configured with the ability to allocate sub-identities for the sub-groups, each of which is assigned to a purpose.

    Ultimately, “Role Based Access” has to recognise that the “Role is linked to the Purpose specific process” and use the “Consent” as the basis for defining the “Role Based Access”.

    In the processing of “Personal Data”, it is the Data Principal who provides consent for a “Purpose”. The IT team structures the system for a specific “Process” to meet the requirements of the “Purpose”. Access can only be provided to those people (or AI agents) who need to have it.

    The “Role Based Access System” therefore needs to be structured along with a compatible data storage system and data parameter tagging system. Access control is jointly managed by the Data Principal and the IT team, along with the process manager and the HR team.
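As an added illustration (not code from naavi.org, DGPSI or any product), here is one way the purpose-tagged personal data store and consent-bound gateway described above could be expressed. Every field name, purpose, process name, identity, record and consent date in it is constructed for the example. The gateway denies by default, releases only the data elements tagged for the requesting process's purpose, and refuses when the data principal's consent for that purpose is withdrawn or has expired; the grouped_view function shows the de-identified "categorized and grouped" view a policy maker would get instead of identified records.

```python
"""Purpose-based (consent-based) access gateway over a personal data store.

Added example, not code from naavi.org or the DGPSI framework. Every data
element carries purpose tags, every purpose needs a live consent from the data
principal, and a process releases only the elements tagged for its own purpose;
anyone not on a process allow-list is denied by default. All field names,
purposes, identities, records and dates below are constructed.
"""
from dataclasses import dataclass, field
from datetime import date

# Purpose tags per data element (constructed schema).
FIELD_PURPOSES = {
    "name": {"recruitment", "payroll", "marketing"},
    "email": {"recruitment", "marketing"},
    "phone": {"recruitment"},
    "resume": {"recruitment"},
    "salary": {"payroll"},
    "bank_account": {"payroll"},
}
# Process -> (purpose, allow-list of human or AI-agent identities). No CEO or
# admin title appears here: access follows the process, not the designation.
PROCESSES = {
    "hr-shortlisting": ("recruitment", {"hr.recruiter", "bgv-agency-bot"}),
    "payroll-run": ("payroll", {"finance.payroll"}),
    "campaign-q3": ("marketing", {"mkt.analyst"}),
}
TODAY = date(2025, 7, 15)  # reference date for the constructed consents


@dataclass
class Consent:
    purpose: str
    valid_until: date
    withdrawn: bool = False

    def is_live(self, today: date) -> bool:
        return not self.withdrawn and today <= self.valid_until


@dataclass
class PersonalRecord:
    principal_id: str
    data: dict
    consents: list = field(default_factory=list)


class AccessDenied(Exception):
    pass


class PersonalDataStore:
    def __init__(self, records):
        self._records = {r.principal_id: r for r in records}

    def gateway(self, requester, process, principal_id, today=TODAY):
        """Release only the sub-group of elements tagged for the process's purpose."""
        if process not in PROCESSES:
            raise AccessDenied(f"unknown process {process!r}")
        purpose, allowed = PROCESSES[process]
        if requester not in allowed:
            raise AccessDenied(f"{requester!r} is not assigned to {process!r}")
        record = self._records.get(principal_id)
        if record is None:
            raise AccessDenied(f"no record for {principal_id!r}")
        if not any(c.purpose == purpose and c.is_live(today) for c in record.consents):
            raise AccessDenied(f"no live consent of {principal_id!r} for {purpose!r}")
        return {k: v for k, v in record.data.items() if purpose in FIELD_PURPOSES.get(k, ())}

    def grouped_view(self, field_name, bucket):
        """De-identified counts for policy makers; no identifier leaves the store."""
        counts = {}
        for rec in self._records.values():
            if field_name in rec.data:
                key = bucket(rec.data[field_name])
                counts[key] = counts.get(key, 0) + 1
        return counts


def try_access(store, requester, process, principal_id, today=TODAY):
    """('ok', fields) when released, ('denied', reason) otherwise."""
    try:
        return "ok", store.gateway(requester, process, principal_id, today)
    except AccessDenied as exc:
        return "denied", str(exc)


def demo_store():
    """Two constructed data principals in different consent states."""
    asha = PersonalRecord("P1", {
        "name": "Asha", "email": "asha@example.com", "phone": "+91-90000-00001",
        "resume": "resume-P1.pdf", "salary": 120000, "bank_account": "XXXX1234"},
        [Consent("recruitment", date(2025, 12, 31)), Consent("payroll", date(2026, 3, 31)),
         Consent("marketing", date(2026, 3, 31), withdrawn=True)])  # marketing withdrawn
    ravi = PersonalRecord("P2", {"name": "Ravi", "email": "ravi@example.com", "salary": 60000},
                          [Consent("marketing", date(2025, 6, 30))])  # expired before TODAY
    return PersonalDataStore([asha, ravi])


if __name__ == "__main__":
    s = demo_store()
    print(try_access(s, "finance.payroll", "payroll-run", "P1"))  # name, salary, bank_account
    print(try_access(s, "mkt.analyst", "campaign-q3", "P1"))  # denied: consent withdrawn
    print(try_access(s, "ceo", "payroll-run", "P1"))  # denied: not assigned to the process
    print(s.grouped_view("salary", lambda v: "1L+" if v >= 100000 else "<1L"))
```

The point of the shape is that the requester's designation never enters the decision: payroll staff get name, salary and bank account of a principal whose payroll consent is live, a recruiter gets the recruitment sub-group of the same record, and a "ceo" identity that sits on no process allow-list is refused before the record is even looked up. Withdrawal and expiry are checked on every access rather than once at onboarding, which is what "monitored separately" for each consent amounts to in practice.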

    I hope technology tool creators keep this DGPSI principle of “Process Based Organizational Data Structure” in mind when they design the architecture for Personal Data Storage and access.

    (PS: I have tried to present here a complicated thought on technical architecture of a Personal Data Management system. I wish I could have provided better clarity. Hopefully, I will be able to expand this thought in a different forum. )

    Naavi


    Digital India Corporation to assist MeitY in setting up of the Digital office of DPB

    In an interesting development, MeitY appears to be taking further steps to implement DPDPA 2023 at the earliest.

    In this direction, the Government has sought an opinion from the AG regarding the conflict with the RTI Act.

    NeGD has also taken the following two steps to support MeitY.

    a) Initiated a code development competition inviting the private sector to develop an open source Consent Management System

    b) Initiated steps to recruit a consultant for setting up a Digital Office for the Data Protection Board.

    We shall keep the audience informed of any further developments in this regard.

    Naavi


    The legal challenges triggered by the incident in Infosys

    For the last two days, there has been serious discussion in the media about the incident in Infosys Bengaluru where an employee has been accused of filming a female employee in a washroom. The person committing the crime has been arrested for offences under Section 77 of BNS and Section 66E of ITA 2000. Both sections cover the offence of “Watching” or “Capturing” a picture under the subject circumstances and carry possible imprisonment of up to 3 years. It will be considered cognizable. (The police may not however be able to use both sections in the prosecution without the risk of “Double Jeopardy”.)

    It is interesting to note that the press report states “When confronted, . …was quickly apprehended by two HR executives who responded to the victim’s cries for help. HR personnel found incriminating video evidence on his phone and took screenshots before deleting the video.”

    While we fully support stringent action against the accused and commend the bold action of the victim in filing a police complaint, it is necessary to point out the shortcomings of the administration in handling the incident after it came to their notice. This represents corporate ignorance of cyber laws in India.

    The incident happened on 30th June 2025. The complaint was not filed by the company, though a “Cognizable offence” had occurred within the premises of the company. It appears that the next day the victim and her husband filed the complaint with the police, and thereafter the company released a statement.

    It is regrettable that the officials of the company failed to respond properly to this incident; they need to learn how to respond to such situations. There is clearly a lack of understanding of the applicable laws, which has placed the company in a situation where it could itself become liable to be charged under criminal sections of ITA 2000/BNS.

    The company’s statement referred to the incident as a “violation of the Company’s Code of Conduct” and not as a “Cognizable Offence under law”. This shows a lack of appreciation of the company’s responsibility to recognize that any “Offence” which needs to be “Prosecuted” has to be reported to law enforcement. It cannot be buried as “Misconduct”.

    Secondly, it is stated that the HR executives deleted the pictures and videos from the accused’s mobile. These were evidence of the offence and of the earlier conduct of the accused, and are crucial evidence for pursuing the complaint.

    While the police may forensically recover the data and retrieve the evidence, the act of deletion was itself an offence under Section 65 of ITA 2000. The HR executives and the department head/company (by vicarious implication) may have to bear responsibility for deleting “Evidence”. They may plead “Ignorance” and “Lack of guilty mind”, but that can only be a defence at the trial stage, unless the police also feign ignorance of Section 65 of ITA 2000 and do not record the offence.

    The screenshots taken become new evidence, and the HR executives and their phones become part of the witness/evidence chain. The data recovered from the accused’s phone has to be supported by a certificate under Section 63 of BSA, with its own complications adding challenges to the prosecution.

    We wish that this incident is not treated as an issue of company reputation and that there is no attempt by the company to brush the issue under the carpet. I recall the 2004 case of Suhas Katti, where Chennai police took a much lesser crime seriously and pursued the case to possible conviction (with the assistance of the undersigned, who presented the Section 65B certified evidence).

    Now it is time for the Bengaluru police to prove that they are capable of securing a conviction in this case.

    Naavi

    Posted in Cyber Law | Leave a comment

    AI agents as Virtual Employees

    After the Covid times, when physical employees were forced to work virtually, the IT world was slowly getting back to the “Work From Office” culture. But this transition back to the legacy system is likely to get a jolt from the development of “AI agents”, who may replace physical workers in due course.

    Initially the attempt is to improve productivity by shifting some routine tasks to AI agents so that humans can focus more on tasks requiring human oversight. But slowly a major part of corporate work is likely to be shifted to this AI Agentic Workforce, and the composition of the workforce is likely to change substantially.

    Microsoft is preparing to introduce autonomous AI agents shortly. These AI-powered virtual employees are designed to handle tasks like client queries, sales lead identification and supply chain management, as the tech industry looks to prove the practical value of AI advancements. The company plans to release 10 pre-configured AI agents designed for specific functions, such as customer service and supply chain tasks.

    Google, simultaneously, is working on the AI Co-Scientist project, which is considered a prototype of future enterprise AI.

    We have already heard of Mika, the AI CEO of a Polish liquor company. Now several companies are developing an Agentic AI workforce to replace their human workforce. OpenAI’s Sam Altman has predicted that 2025 will see the growth of AI agents as members of the workforce.

    Now AI-CEO.org has introduced an AI-CHRO product for workforce management for the Agentic Future. AI-CHRO is claimed to be capable of autonomously hiring, managing, evaluating and, if necessary, terminating AI agents.

    We are therefore entering a new era of AI-driven agents that take on knowledge work, decision-making and even innovation, much like human employees. Such virtual employees may think like a team and act as a knowledge generator, not just as an optimizer.

    These developments are likely to result in a quiet erosion of entry-level human jobs and make students coming out of our colleges on a four-year-old syllabus unsuitable for corporate jobs. While some progressive colleges and intelligent students may be able to upgrade themselves quickly, a majority of students will find it frustrating and could land in serious psychological problems.

    It is time to reflect on where this is going to end up in terms of regulatory frameworks such as DPDPA.

    Currently, we are treating AI as an agent of a human handler who is legally liable for the regulatory implications. It is possible that work is performed by an AI worker, supervised by an AI supervisor and managed by an AI-CEO. It is also possible that some innovative Board may appoint an AI Agentic DPO and challenge the regulators.

    In all such cases, the real humans who have to take the regulatory liability are the Board of Directors themselves. If they want to delegate the responsibility, they need to designate a “Human Handler” for the AI-CEO or AI-DPO.

    If necessary, the Government of India should clarify that “AI remains a Tool and a Handler of AI is always liable for the actions of the AI”.

    In practice, the AI tool may be developed by one company and licensed to another. Hence there will be a handler-developer and a handler-user who have to build a contractual relationship to define their inter-se liability.

    In terms of DPDPA and the DGPSI framework, we shall consider that AIs are represented by their handlers, and both the handler-developer and the handler-user (or their companies) are considered “Joint Data Fiduciaries”.

    In the meantime, Naavi invites “Handler-Users” to get in touch if their Handler-AI combination has to be certified for C.DPO.DA.

    Naavi

    Also refer: Can Claude run a Small Business?
