Domain Name Registrars are now under Compliance Check

Naavi has been repeatedly pointing out that the Domain Name Registrars are ignoring legal compliance as a matter of routine.

Now the Delhi High Court has published its order of 24th December 2025 setting some guidelines for Domain Name Registrars in India. The case originated on the basis of a petition by Dabur against websites infringing its trademark. (Dabur India Limited Vs Ashok Kumar and ORS, CS(COMM) 135/2022)

The case is also related to Cyber Crime prevention and the “Digital Arrest” case now being tried at the Supreme Court. It is also related to the trademark infringement involved in registration of domain names.

The decision has taken into consideration views expressed by ICANN, GoDaddy, CERT-In, MeitY, MHA and several other relevant parties.

The judgement has considered issues such as prevention of financial frauds, measures to be implemented by the Registrars etc. It has also brought some sections of DPDPA 2023 and GDPR into the discussion of protection of the privacy of the registrant.

The judgement is a gold mine of information for all students of domain name law.

This judgement could be considered a landmark judgement on domain names in India.

Refer to the copy of the judgement here

Summary of Conclusions

Naavi has several times objected to the Domain Name Registrars hiding the names of the registrants under the guise of Privacy. The Court has taken note of this practice and held

“The Court was of the view that disabling the privacy protect feature may be essential to ensure that the identity of the Registrants is available on https://www.whois.com database (hereinafter “the WHOIS database”) among others.”

Naavi is of the firm opinion that registering and hosting a website on the Internet is an activity in the public domain and the identity of the registrar should not be considered as “Personal Information” subject to the Right of Privacy. It is an action that has an impact on others and hence is a “Public Activity” and the identity of the registrant should be considered as a “Right of the society to know”.

In summarizing its conclusions, the Court observed:

  1. Domain Names form the online soul of a business and their distinctive character has to be protected.
  2. Misuse of domain names and website content endangers the larger public interest.
  3. Stringent action needs to be taken to maintain the integrity of the domain name system against parties such as Domain Name Registrants, Registrar, Registry operator, ICANN, Banks, RBI, Telecom Service Providers, MeitY and DoT and Law Enforcement agencies.
  4. It is imperative for all Banks to implement the Beneficiary Bank Account Name Lookup in case of online payments.
  5. It is mandatory for all Banks to cooperate with Law Enforcement Agencies in terms of the Standard Operating Procedure dated 31st May, 2024 issued by the Central Economic Intelligence Bureau for processing of requests from LEAs by the banks.
  6. Domain Name Registrars (DNR) must implement the Rights Protection Mechanism under specification 7, including use of the Trademark Clearing House database.
  7. The DNRs ought to submit registered-name data to the Registry Operator, provide public query-based access to essential WHOIS/RDDS information, make registrant data available for ICANN’s inspection, comply with applicable laws and governmental regulations, avoid registering reserved names, verify and periodically re-verify Registrant contact information, investigate inaccuracies, and act promptly against DNS abuse or illegal activity.
  8. DNRs ought to face termination of the accreditation agreement if a Court finds they permitted illegal activity or failed to comply with Court’s orders, or if ICANN determines that the DNRs engaged in bad-faith trademark-conflicting registrations.
  9. DNRs are obliged to follow ICANN’s WHOIS Accuracy Specification, validating address, email, and phone formats, and verifying email or telephone numbers through tool-based authentication, and must suspend or terminate domain names where registrants wilfully provide inaccurate information and fail to correct it within 15 days.
  10. The privacy protect feature extended by DNRs to registrants is acting as a cloak to hide the identity of those perpetrating illegal and unlawful acts on the internet. It is necessary to mandate that all DNRs offering their services in India shall collect the details of the Registrants and perform an e-KYC verification in the manner in which NIXI already mandates in India.
  11. DNRs and Registry Operators cannot deny disclosure of Registrant’s details by taking blanket cover under the provisions of GDPR. The applicable privacy law would govern the relevant considerations in each case, and accordingly, the data collected from Registrants in India would be governed in terms of the DPDP Act and its allied Rules. All DNRs who offer their domain names registration or ancillary services ought to appoint Grievance Officers who are located in India and publish their email addresses, mobile numbers and other contact details so that they can be contacted for the purpose of obtaining relevant information of the Registrant as also for implementing orders passed by Courts and to provide information to LEAs.
  12. DNRs who provide extended services including marketing of domain names may not merely be considered as intermediaries but as complicit in actively enabling infringement.
  13. It is a settled position in law in India that registration of an infringing domain name would not be permissible as there is every likelihood that the same could lead to diversion of users from the genuine website to the infringing one.
  14. Offering of privacy by default to registrants is one of the reasons for proliferation of illegal domain names. Thus, unless and until a registrant requests for privacy protect, the same should not be offered as a default mechanism.
  15. The Government and various institutions ought to create their own list of names that can be misused so that such domain names can be placed in the reserved list.

In view of the above, following directions are issued to DNRs.

1. The DNRs and Registry Operators shall, henceforth, not resort to masking of details of the registrants, administrative contact and technical contact on a default basis as an ‘opt-out’ system. At the time of registration of the domain names, a specific option shall be provided for the Registrant and it is only if the said Registrant chooses for privacy protection, that the said service shall be offered as a value added service upon payment of additional charges. The additional charges shall not be made a part of the default package for registration of domain names.

2. Whenever any entity or individual having legitimate interest, law enforcement agencies (LEAs) or the Courts, request for disclosure of data relating to any infringing or unlawful domain name, the data (such as name of registrant, admin and technical contacts, addresses, mobile numbers, email address and any payment related information as well as any value added services provided) shall be disclosed by the concerned DNR as soon as possible but not later than 72 hours in terms of the Intermediaries Guidelines 2021.

3. If any particular domain name is restrained by an order of injunction or has been found to be used for illegitimate and unlawful purposes, the said domain name shall remain permanently blocked and shall not be put in a common pool in order to disable re-registration of the same very domain name by other DNRs. The appropriate steps in this regard shall be taken by the concerned Registry Operator to ensure that all DNRs having an agreement uniformly give effect to the said direction.

4. In the case of trademarks/brands, which are well-known or are invented, arbitrary or fanciful marks, which have attained reputation/goodwill in India, if a Court of Law directs that there would be an injunction on making available the infringing domain name with different extensions or mirror/redirect/alphanumeric variations, the same shall be given effect to by the DNRs and no alternate domain name shall be made available in respect of such brands and marks.

5. Upon an injunction being issued by the Court in respect of any domain name and the same being communicated to the DNRs, the DNRs shall ensure that no alternative domain name is promoted or being suggested to a prospective Registrant. Any promotion of alternative domain names of an injuncted domain name would disentitle the concerned DNR for safe harbour protection under Section 79 of the IT Act.

6. In respect of descriptive and generic marks, the restraining/injunction orders would be qua the specific domain name and any extension of restraining/injunction order for other infringing domain names would be with the intervention of the Joint Registrar before whom the application under Order I Rule 10 of Code of Civil Procedure, 1908 along with affidavit shall be filed and the injunction would be extended. Where any party is aggrieved by the order of the Joint Registrar, the application may be moved or placed before the ld. Single Judge.

7. Upon orders being passed by a Court, the infringing domain name shall be transferred to the Plaintiff/trademark owner/brand owner, upon payment of usual charges.

8. Search engines and DNRs shall not provide any promotion or marketing or optimization services to infringing and unlawful domain names.

9. All DNRs offering services in India shall appoint Grievance Officers within a period of one month from today failing which they would be held as non-compliant DNRs.

10. Service by email to the respective Grievance Officer’s details would be henceforth sufficient service for Court orders and any DNRs who insist upon services through MLAT or through other modes of services shall be held to be non-compliant DNRs.

11. In appropriate cases where an entity has repeatedly not complied with orders of the Court, and in the opinion of the Court it is a case where the interest of society at large is being adversely affected, such as cases of frauds, the Court may direct the appropriate authority to block access to the said entity under Section 69A of the Information Technology Act, 2000 read with Information Technology (Procedure and Safeguard for Blocking for Access of Information by Public) Rules, 2009.

12. All Registry Operators having valid agreements with ICANN shall take appropriate steps to implement the Trademark Clearing House services and make the same available to all brand owners & registered proprietors of trade marks.

13. All DNRs offering services in India or to customers in India shall undertake verification of Registrant’s details at the time of registration and periodic verification of the same. The verification shall be done in terms of KYC requirements mentioned in Circular No. 20(3)/2022- CERT-In dated 28th April, 2022 issued by Indian Computer Emergency Response Team. This is in line with the NIXI Accreditation Agreement.

14. All DNRs who are enabling registration of domain names which are administered by NIXI as a Registry Operator shall comply and provide requisite registration data to NIXI within one month of this judgment and also update the same on a monthly basis.

The Court has also given the following directions to the Government (MeitY/MHA):

  1. The Government shall hold a stakeholder consultation with all DNRs and Registry Operators offering services in India and explore the possibility of putting in place a framework similar to the one used by NIXI by all DNRs for the purpose of domain name registration.
  2. Consider nomination of a nodal agency such as NIXI as the data repository agency for India with which all the Registry Operators and the DNRs would maintain details related to Registrants on a periodic basis so that the said details are made available to the Courts, LEAs and the governmental authorities for the purpose of enforcement of orders of Courts and for preventing misuse. Alternatively, DNRs shall be directed to localize the data in India for easy access. Irrespective of the decision, it is made clear that processing of personal information would be strictly in terms of the DPDP Act and applicable Rules.
  3. In case of a DNR or Registry Operator, which does not comply with the orders of the Courts or with request from LEAs, the offering of services of such DNRs or Registry Operator be blocked by MeitY and DoT under Section 69A of the Information Technology Act, 2000 read with Information Technology (Procedure and Safeguard for Blocking for Access of Information by Public) Rules, 2009.
  4. MeitY along with NIXI shall coordinate with ICANN to enable brand owners in India to avail of TMCH facilities on reasonable terms and conditions so that they can receive notifications whenever any conflicting /infringing domain names are proposed to be registered by any third parties across the globe.
  5. The CGPDTM (Controller General of Patents, Designs and Trade marks) could also consider publishing the list of well-known marks along with the official and authentic website details of the trademark owners so that if any consumer or user wishes to verify the authentic website, the same would be made possible through the website of the Intellectual Property Office. The same shall also act as sufficient notice to all potential Registrants as to the actual websites.
  6. Directions qua grant of ‘Dynamic +’ injunction: The dynamic + injunction would apply under the following circumstances:
    (i) Wherever the brand/trademark appears as it is in the domain name;
    (ii) Wherever brand/trademark appears with a prefix or suffix which could lead to confusion;
    (iii) Wherever the brand/trademark appears as an alphanumeric variation.
    (xvii) Whenever there is a legitimate Registrant who opposes the suspension of the domain name, if the same is communicated by the said Registrant to the concerned DNR, the DNR may then ask the IP owner to obtain a Court order.

Also, the following directions are issued to Banks.

  1. All banks shall mandatorily implement the ‘Beneficiary Bank Account Name Lookup’ facility in terms of the RBI circular dated 30th December, 2024 for all online payments including payment by UPI through applications such as Google Pay, Paytm, etc.
  2. All banks shall also abide by the Standard Operating Procedures dated 31st May, 2024 issued by Central Economic Intelligence Bureau for processing and responding to requests received from LEAs.

In toto, this is a very comprehensive and useful judgement which will have a long term impact on the industry.

Naavi


Movie “45” holds arrest threat for negative rating

In a move which matches the Karnataka Hate Speech Bill, the producers of the Kannada movie “45”, directed by Mr Arjun Janya with actors such as Shivarajkumar and Sudeep, have released a notification that they have obtained an interim order from a court that whoever passes a negative remark or rating of the movie may be arrested.

Initially the movie made news about a statement given by Mr Sudeep on “Piracy” but now the crew seems to have moved a court and obtained a restraining order which is meant to create a chilling effect and curb comments on the film, similar to the Karnataka Hate Speech legislation brought by the Congress Government.

Request all free speech activists to take note and work for remedying the situation.

Refer: https://www.youtube.com/watch?v=WoYuG7SOCJE&t=466s

Key details of the notice and legal action include:
  • Protection Against Negative Content: The notice states that a court has issued a restraining order preventing individuals, organizations, social media accounts, or channels from publishing “defamatory, derogatory, or negative propaganda,” including negative ratings and malicious reviews.
  • Removal of Existing Content: The court directed that any such content already published must be removed or deactivated immediately.
  • Warning of Legal Action: The film’s team warned that violators could face civil and criminal legal action, including FIRs and potential arrest for contempt of court.
  • Anti-Piracy Measures: The notice also emphasizes strict action against piracy, specifically the unauthorized recording or distribution of the film’s HD prints.

The notification goes beyond the concept of “Defamation” where any malicious speech can be dragged to the Court for trial. But a “Blanket Threat” that a person may be arrested is an attempt to curb free speech.

The Court was completely wrong in giving such an order and it should be withdrawn forthwith. A criticism of the art saying that the movie is not good or the acting is not good cannot be considered as “Defamation”.

The Karnataka High Court should take suo motu cognizance of the public notice issued by the producer as an open challenge against the Right to Freedom of Speech and scrap the order of the lower court.

Legal action should also be initiated against the film producer for holding out such an illegal threat.

Naavi


Digital Arrest Scam…. The Challenges and Remedies

I recall the earlier article on this issue published on December 6, 2024

The digital arrest scam has now caught the attention of the Supreme Court (Refer the status of the case here:) which has taken suo motu cognizance of the issue and initiated an enquiry. It has directed CBI to investigate and has also appointed a senior advocate, Ms Nappinai, as Amicus Curiae to submit a report. Others are requested to submit their views to the Amicus Curiae. (P.S: contact information available in the order)

Naavi has been consistently advocating that the intermediary Banks who facilitate such crimes. In the case of S.Umashankar Vs ICICI Bank, Naavi who argued for the victim under a POA, was able to get orders from the Adjudicator of Tamil Nadu, TDSAT and also the Madras High Court that the liability of the phishing loss had to be borne by ICICI Bank for various reasons including maintenance of the mule account and lack of due diligence.

During the course of the 14 year long fight after the Adjudicator’s decision, Naavi had requested the DGP of Tamil Nadu to take up criminal prosecution against ICICI Bank which they failed to do. After the TDSAT decision, Naavi had visited ICICI Bank headquarters in Mumbai and requested the legal head to settle the matter without going for further appeal. But the Bank refused. Finally the Bank relented after Madras High Court also upheld the earlier decisions that ICICI Bank as an intermediary was liable under Section 85 of ITA 2000 read with Section 43 (at that time section 43A was not available).

The TDSAT had even made an observation that under Section 43(g) of the ITA 2000, the negligence of the Bank could be considered as “Assistance” for contravention. Earlier the adjudicator had also held that “Not using Digital Signature in Bank-Customer email communication” was a material negligence causing the phishing.

Subsequently there have been a few decisions in which Intermediary banks and Mobile service providers have been held liable for some Bank frauds involving negligence of the intermediaries.

The SC in the current case on digital arrest has also flagged the role of Bankers who seem to have around 8.5 lakh mule accounts.

During my discussions with ICICI Bank in the Umashankar case, the Bank official had confided that they cannot agree to settle the case since they had more than 40000/- such cases at that time and it would create a bad precedent if they settle the case in one instance. I am therefore not surprised with the 8.5 lakh mule accounts which are all accounts that are part of the fraud.

It is clear that no monetary fraud, whether it is phishing or digital arrest or UPI, can succeed except with the collusion of one Banker for the fraudster. Under ITA 2000, they must be considered as intermediaries and made to take the entire liability without demur. Even when a remedy is available to the Bank in the form of Cyber Fraud insurance they prefer to litigate since the capability of the customer to fight the long legal battle is low and the premium for the next year may go up if some claims are settled.

In the Umashankar case we had made the Chairman of ICICI Bank, Bank managers of two Banks and the CISO parties responsible for negligence. But the Courts as well as the Police did not take proper cognizance of their role as conspirators by negligence.

Now in the Digital Arrest case the losses have been astronomical and have rightly attracted the attention of the Supreme Court. We need to bring a final solution to prevent the Bankers and the RBI creating a fertile ground for cheating without assuming responsibility.

In the Uma Shankar case, I had visited RBI head office to request that the license of the branch which colluded in the fraud should be cancelled. Unfortunately the RBI officials did not consider the request.

Even now RBI is not concerned about the frauds and we have pointed out that opening digital banking accounts for Minors is another new door opened for frauds.

I had suggested that these Digital arrest scams happen because the victims are subjected to a kind of Cyber hypnosis induced by fear and hence are not liable for the loss even if they had themselves handed over the money. It is like the case of armed dacoity where a victim does things at the behest of the robber for fear of life. Law recognizes that such acts are void ab initio and hence the fraudulent transactions are to be reversed.

In the recent days a few instances of alert Bankers preventing the frauds by properly advising the customers have come to the fore indicating that if only Bankers were vigilant they could have prevented most of these digital arrest frauds.

Currently Police are not handling things properly and are actually harming more innocent persons through the wrongful freezing of accounts creating one more problem.

I wish the Supreme Court takes a holistic view of the case and initiates the following procedure.

  1. In all cases where the police cannot establish a fraudulent link between the victim and the beneficiary of the fraud, he must be presumed innocent.
  2. In all cases of presumed innocence of the victim, the Bank from which payment has been made to the fraudster should be considered as primarily liable.
  3. The Bank from which customer has lost money must demonstrate its own vigilance and ensure stop payment of the distribution at the destination banks as soon as it becomes aware of the complaint.
  4. RBI should ensure that in both UPI, Internet Banking transfers, the right to stop payment prevails to the last second before which the payment is made at the destination.
  5. Whenever the victim’s Bank fails to act on the complaint stating that an FIR is required etc., the Bank must be held jointly and severally liable for the loss.
  6. Whenever any fraudulent telephone account is involved as in the case of all Digital Arrest scams, the Mobile Service Provider must be held accountable for having issued SIM cards to the fraudsters without proper verification.

I hope this petition would lead to some lasting improvements in the Digital Banking Systems.

Naavi

Data Processors… Be Enlightened, Empowered and Emancipated.

After the notification of DPDPA rules on November 13, 2025, there is a new awareness flowing through the industry on the need to be compliant with DPDPA 2023. The potential fine of up to and beyond Rs 250 crores is motivating the companies to recognize and take steps in mitigating the financial risks.

One school of thought is that penalties under DPDPA 2023 apply only to “Data Fiduciaries” and not “Data Processors”. Hence those who classify themselves as “Data Processors” think that they need not be compliant with DPDPA 2023.

This is however a huge fallacy.

One reason to call this a fallacy is because every organization which is not a single man organization and has “Employees” is a Data Fiduciary to the extent of processing of the “Employee Information”. Employment also includes “Recruitment” where personal data of non employees are processed and sub contractors are hired for background verification. There is also disclosure of employee information under legitimate use basis to statutory authorities as well as handling of personal information of ex-employees after their termination and information of the family of the employees for various welfare measures including insurance.

As a result of this requirement, there is no organization (other than single man entities) which escapes the need to comply with DPDPA 2023 or face the penalty risks. Indian DPB may not be as irrational as the GDPR authorities who impose fines even on individuals who process personal data for their personal safety issue (Refer the Tesla Car owner case here). However, it is a fact that every entity with employees is exposed to the DPDPA Risk and has to take steps in documenting a Risk Assessment and a “Compliance by Design” program.

Some of the small entities which come under the category of SMEs may handle sensitive assignments such as servicing a defence establishment or establishments of national importance and the information of their employees can even be considered as “Sensitive” to a certain extent.

In view of this viewpoint, FDPPI belongs to that school of thought that every organization in India which is processing data in some form or the other is potentially a data fiduciary and needs to be compliant with DPDPA 2023.

FDPPI has already introduced frameworks such as “FDPPI-Lite”, “FDPPI-Full” and “FDPPI-AI” to address the requirements of data fiduciaries.

There is however one class of manufacturers for the B2B market who deal with employee data and business contact data only. There is also one class of organizations which provide sub-contracting services for HR functions (e.g. background verification or conduct of pre-recruitment medical examination and pre-recruitment aptitude test etc.) who often manage “platforms” that are licensed for operation to the recruiter and remain in the background. Most of them consider themselves to be “Data Processors” today.

Further, every organization has different processes associated with personal data in which some divisions of a data fiduciary directly handle data processing contracts for third party data fiduciaries as if they are different companies. In such cases “Governance of Risk” suggests that division wise (Process wise) risks may be different and strategies to segregate them as “Data Processors” instead of “Data Fiduciaries” or “Joint Data Fiduciaries” need to be explored. Similarly in case of platform service providers and SaaS providers, there may be some contracts in which an entity could be only a data processor and some in which they are joint data fiduciaries.

Additionally there are entities who process Indian data along with data from EU and they need to be compliant with DPDPA 2023 as an organization while also being GDPR compliant as a Data Processor or a Data Controller or a joint Data Controller. In case they have signed standard contract clauses agreement, they would have taken voluntary responsibilities to be liable under GDPR.

Considering these different types of organizations that are in the market, FDPPI has tried to customize its DGPSI Framework for bringing more focus in compliance as well as simplifying it to some extent based on the activity of the entity.

Accordingly, the DGPSI framework has now become a “Family of Frameworks” with multiple frameworks for multiple types of organizations.

For example, DGPSI Full with DGPSI-AI would be the core framework for data fiduciaries who use AI and need to cover compliance of related laws such as ITA 2000. DGPSI-Lite would be a simplified DPDPA 2023 only compliance framework.

DGPSI-GDPR is a framework which addresses the requirements of a GDPR processing division where the organization in India processes EU data as a Controller or Joint Controller.

Additionally DGPSI-HR tries to focus on organizations who do not handle B2C business and whose data principals are the employees only.

Further DGPSI-Data Processor is a framework which is meant primarily for Data Processors who service Data Fiduciaries in India who need to be compliant with DPDPA 2023 and want to present themselves as an organization which is aware of its responsibilities, empathizes with the data fiduciary and is empowered and considers itself as voluntarily undertaking a responsibility as if they are “Deemed Data Fiduciaries”.

Entities who comply with this framework voluntarily are in a way “Enlightened”, “Empowered” and “Emancipated”. They possess a strategic competitive edge over other processors who may be competing for business with the Data fiduciary.

If the Data Fiduciary factors in the DPDPA Risk as part of the business risk, he would prefer to work with such enlightened, empowered and emancipated data processors and would even be willing to pay a premium for their services.

FDPPI therefore recommends every organization in India, big or small, whether they consider themselves today as Data Fiduciaries or Data Processors, to explore being compliant with DPDPA under a relevant DGPSI Framework.

By understanding the needs of different entities and introducing appropriate frameworks of compliance under the DGPSI umbrella, FDPPI is proving that DGPSI is a framework which can be called the “Vishwa Guru” of compliance frameworks. When the members of FDPPI expand DGPSI-GDPR to other jurisdictions and develop DGPSI-Singapore, DGPSI-California etc, the DGPSI family will be engulfing the global Data Protection Compliance regime.

This may take a decade but is definitely the vision of DGPSI.

Naavi


Beware of the moves of Donald Trump on Stable coins

In recent days, the rise in Gold prices in India has attracted attention to the reasons behind the unprecedented rise in the price of Gold and Silver. It is clear that many Governments including India, China and Russia are buying Gold in anticipation of a global change in the financial system.

Mr Donald Trump is now in partnership with Pakistan in a Crypto Currency project and it could be part of a global scam in the making.

USA, which is high on international debt of nearly $37 trillion, is trying to get recognition for Bitcoin and Stable Coin so that their prices can be jacked up and the US dollar debts can be converted into Crypto Currency denominated debts at an advantage. For example if Stable Coins get a value of US dollar 2, then the US debt will come down from 37 trillion to 16.5 trillion stable coins. If stable coins can be acquired today in exchange of a jacked up Bitcoin, there will be a possibility of the US debts denominated in Stable Coins at less than the US $37 trillion.

Mr Trump appears to be working on this and hence trying to promote Stable Coins at one Stable Coin to one US dollar today but later value Stable Coin to a basket that includes Bitcoins and thereby inflate the Stable Coin value to more than USD 1 per Stable Coin.

India currently has a dwindling mind on Bit Coins and it can succumb to Trump’s game and agree to an international monetary system where Stable Coins can be a reserve currency as an alternative to US Dollars and forcefully convert all current USD reserves to Stable Coin denominations. Subsequently when the Stable Coin valuation gets aligned with the inflated bitcoin value, the debt of 37 trillion will shrink.

It appears that already 63% of Stable Coin holdings are related to criminal activities and soon, like Bitcoins, the entire stock of Stable Coins will be tainted as “Laundered Money”.

I hope India tightens up its regulatory ban on Crypto currencies and supports the gold (with a possible addition of silver in the basket) backed currency system.

(Views from Financial experts welcome)

Naavi

GDPR implementation sometimes can be crazy

Recently there was an interesting Austrian Supervisory authority decision imposing a fine of Euro 600 on an owner of a Tesla car. The car owner had installed seven cameras which could film when the car was parked, recognizing possible threats. The argument of the Supervisory authority was that it could film people who were not threats and the data subject was not informed about the filming.

This decision indicates that the “Security” of the individual was considered subordinate to the principle of “Privacy”. Secondly it did not matter that the Car owner had no way to filter the recording to only those persons who were considered threats and delete those who were not.

There is no doubt that this decision is one of those crazy decisions for which GDPR supervisory authorities are known. However the new Digital Omnibus Proposal could change things here since the owner of the cameras has no identity of the persons whose pictures have been captured and hence the data will not be considered as “Personal Data”.

If the persons in the camera are identified, it would be through an additional process of matching of the faces with a facial recognition software and whosoever uses this process would be liable for infringement of privacy and obtaining consent. The Car owner who has recorded the video and does not distribute it or sell it for exploitation should be free from liability.

Further, if the data is captured by the cameras and is overwritten automatically, and referred to only when there is a security incident, then the capture automatically gets deleted within a reasonable time and hence should not be a violation of privacy principles.

Further the car owner should consider that it is Tesla which perhaps has failed to provide appropriate guidelines for the Car users on how to handle the captures without violating GDPR. Tesla should perhaps indemnify the car owner.

One more point to debate is that if the Car is parked in a public place, the captures would be of the public space. Hence if anybody else exposes themselves in front of this camera, they would perhaps also be considered as being in a public place. It is our view that when a person enters a “Public Space” he is voluntarily exposing himself to the public and should not commit any activity which he would like the privacy law to protect.

Further, to consider an individual car owner trying to protect his property as a Data Controller and imposing on him the liabilities of GDPR Compliance is simply crazy. By this standard, all “Dash board Cameras” and “Reverse Parking Cameras” are also violating GDPR because anybody can come in front of such cameras.

The decision is unacceptable and should be considered as an aberration.

The case opens up many academic points for debate. Comments are welcome.

On the lighter side, now the potential for GDPR Compliance training is open to all individuals who may be considered as “Data Controllers” whenever they use their mobiles to take pictures in public or install CCTV cameras anywhere!

It was alarming to see that there were 210 decisions from different supervisory authorities since 2020 where GDPR authorities have fined individuals. This requires a debate of its own.

Naavi

Ref: https://www.enforcementtracker.com/ETid-2975
