Let Us Discuss DPDPA Rules on July 27th

DPDPA will change the course of every company in India. The Rules are here for public debate. Use this opportunity to share your views . We all would be helping MeitY with our suggestions.

Register today at : www.fdppi.in


Posted in Cyber Law | Leave a comment

Tele Communications Act… Notification being rolled out

The Tele Communications Act 2023 which was passed by the Parliament in December 2023 and received presidential assent on December 24, 2023. Some sections of the Act were notified for effect on 26 th June 2024 and More on July 5th 2024.

One of the immediate observation is that instead of designating the TDSAT as the Appellate as the immediate appellate authority after Adjudication, there is another appeal committee in between. Both ITA 2000 and DPDPA 2023 makes TDSAT the first appellate authority after adjudication or DPB inquiry. This has some merit so that matters of technical nature can be handled by the appeal committee and TDSAT will be left to deal only with the advanced legal matters.

Another matter that has been discussed in the past and may surface again is whether the messaging services could come under the Telecommunications Act because the definition of “Telecommunication” is provided as

“Telecommunication” means transmission, emission or reception of any messages, by wire, radio, optical or other electro-magnetic systems, whether or not such messages have been subjected to rearrangement, computation or other processes by any means in the course of their transmission, emission or reception”

Chapter IX of this Act covers offences and could interfere with ITA 2000 offences. Appropriate explanations in the rules may help in resolving the differences between the two Acts.


Posted in Cyber Law | Leave a comment

Editors Guild of India Representation on DPDPA

Following are the objections raised by Editor’s Guild of India on DPDPA which require some comments.

Objections have also been raised on ITA 2000 as follows.

Earlier on February 18, 2024 EGI had sent a more detailed note to MeitY a copy of which is available here

The objections raised were to “Need for Prior Consent”, ” Purpose declaration”, “Withdrawal of Consent” and” power to call for information”. To this the RTI, Surveillance and lack of exemption has been added in the recent representation sent to the leader of opposition.

This could therefore be a point of debate during the Parliamentary session starting from tomorrow and even lead to disruption of this session and walk out by the opposition.

Let us see whether these 7 demands of EGI is justified. Views may differ and EGI has every right to interpret the Act and the proposed rules in a manner that suits their narrative. Our discussion can be more neutral.

Lack of Exemption:

There are hundreds of professions and industries and granting exemption to one industry or class will certainly raise a claim of discrimination. Hence Exemptions have to be handled with circumspection.

It should be noted that Journalists can work for an organization as employees or independently. If they work for another agency, the liability will be on the media. If they work independently they will be data fiduciaries by themselves. They will also be handling information which is sensitive to national security, electoral democracy etc. Hence they would be “Significant Data Fiduciaries”.

There are similar issues in Medical Practitioners who work independently and as employees of a hospital or Lawyers who work for a firm or independently or Charted Accountants and Business Analysts who work for themselves or for other organization’s. All these “Professionals” belong to a common category.

As far as these professionals act for a “Business Purpose” they will not have exemptions.

Currently exemptions are provided under Section 17(2) as follows

(a) by such instrumentality of the State as the Central Government may notify,in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these, and the processing by the Central Government of any personal data that such instrumentality may furnish to it; and

(b) necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with such standards as may be prescribed.

Apart from this Government may notify certain class of data fiduciaries to exempt them from “Prior Notice”, “Right to Access”, “Significant Data Fiduciary requirements” and “Erasure of personal data on withdrawal of consent or expiry of purpose”. However where the processing of data is likely to result in a decision that effects the Data Principal or disclosed publicly, the Government may not like to provide the exemption.

Investigative Journalism and Media Trials are always disputed and carry the risk of counter attack in the form of “Defamation”. In such cases, it is the responsibility of the Courts to come to the assistance of any unfair targeting of journalists and Indian Courts are more than obliging in this respect.

If an exemption is provided, the definition of a “Journalist” comes to a question and whether every YouTuber or Blogger should be treated as a Journalist needs to be resolved. The exemption is likely to be misused by that class of Journalists who are today commercial scribes and not part of the respected “Fourth Pillar of Democracy”. The leading fake news creators in India are funded from abroad and all of them are even registered as Journalists.

Hence providing “Exemption” does not seem to be a good idea. Government may still do it since it may not want to displease the Journalist community. This can be done easily through the rules where exemptions for “Research” may be defined as including “Journalistic Research”.

When journalists interview public and take their views, it can be considered as “Voluntary Provision of Data” and a “Legitimate use”. There are always situations where the source may request for anonymity and it is the duty of the journalist to provide it. Similarly when there is a “Withdrawal of Consent”, if the data has not yet been disclosed it can always be anonymised as media do at present. If it has already been published it has been my view that it becomes part of history and should not be tampered with. If there is a wrong reporting, it can be corrected with a counter view rather than tampering with a published information.

Other Objections

The other objections on surveillance, Censorship, RTI etc are political comments and can be ignored.

The objections on the “Fact Checking” are false and it was unfortunate that Bombay High Court went with the claim that the notification was meant to exercise power to curb genuine news. The Fact Checking unit was only to flag the fake news so that a Court may consider a complaint without the protection under Section 79 ITA 2000. It did not by itself penalized any organization.

Further the Government has given an option to Social media to create its own self regulatory mechanism to resolve complaints before it is escalated. Without using the provision, media is only complaining that their freedom has been affected.

The Right to erasure is subject to other laws and a journalist can always exercise his right to retain the data until his legal interests are not threatened. If we consider that after the data is made public through any disclosure through a journalist it would amount to making data publicly available, there would be no reason to worry. Let us remember that a journalist can always withhold the personal data (anonymise or pseudonymise) and release a news worthy story. If the information released is of a crime, it is for the law enforcement to take necessary action under due process of law.

I suppose no journalist has a right to suppress criminal information under his journalistic privileges since his basic commitment is to public good and protecting the identity of criminals is certainly not for “Public Good”

I therefore feel that the EGI’s contentions are borne out of mis conceptions and distrust of the regulation and there are ways and means to handle the concerns. For this purpose, Journalists should move towards self regulation.

Self Regulation

When FDPPI offered Bangalore journalists for creating a self regulatory body under the ITA 2000, there was no response and the Guild preferred to go to Court to get the notification itself scrapped. Even now FDPPI invites representatives of Press to join hands with FDPPI in creating a Special Interest Group (SIG) to discuss the impact of the Act and the Rules on the Journalists and be a part of the “DPDPA Advisory Group for the Media industry”.

FDPPI is inviting a discussion on DPDPA Rules on July 27 to form such SIGs for multiple industry segments and an invitation has been sent to EGI also to participate. An attempt has been made to invite some media persons in Bangalore through the Press Club and let us see if they respond.

Not doing anything when required and complaining later is the common problem with most of the professionals and I hope Journalists will be an exception.


Posted in Cyber Law | Leave a comment

DPDPA and Journalism

An interesting debate has ensued about the impact of DPDPA on the Journalists. The Editors Guild of India (EGI) has sent a representation to the Minister Mr Ashwini Vaishnav noting its objections on the Act which was passed more than an year back in August 2023 .

The objections have been well articulated by MediaNama in its article here. The article also provides a link to the copy of the representation made by EGI. Many other websites and NGOs have started stating “Press Freedom at risk”(Citizens for Justice and peace), “Concern over impact..” (greaterkashmir.com) etc.

The letter essentially says

“The fundamental role of the press and its ability to ensure transparency and accountability would be severely undermined by the data principal’s ability to simply refuse consent to the processing of their data.” Accordingly, the EGI has sought exemption to data fiduciaries undertaking processing for journalistic purposes .

We must appreciate that as a representative body of the Journalists, EGI has every right and perhaps even a duty to represent their concerns.

In fact, FDPPI has actually organized the event “Voice of the Industry on DPDPA Rules” on July 27 to keep industries informed about the upcoming DPDPA Rules and how they should be prepared to meet the regulations. This event is also expected to collate the views of the industry on the proposed rules and present it to MeitY with an object of getting proper clarifications where required or to suggest solutions where required. (eg: The solution to the Age-gating problem presented in yesterday’s article)

The main issue that confronts the implementation of DPDPA is that it is a regulation for the whole canvas of “Digital Personal Data Collectors, Processors and Disclosers”. It includes Journalists as well as every other profession including Medical Doctors, Law firms, Chartered Accountant firms etc. It includes the State Bank of India or the Apollo Hospital chain as much as the street side co-operative bank or my family doctor.

Some of the professionals like Journalists work as part of an organization in which case the organization will be a Data Fiduciary and the professional would be an employee. But when such a professional sets up his own business then he himself will become the “Data Fiduciary” and cannot escape liabilities.

It would be difficult to provide wholesale exemptions in which case the law will be amenable to abuse. We have already raised our voice against the concessions that are likely to be provided to organizations like Face Book and Google which will dilute the implementation. Similarly, we need to ensure that because of the “Fear of the Soros Media Group”, Government should not yield and start making concessions without proper application of mind.

Instead the DPB can ensure that while imposing penalties if any, the status of the Data Fiduciary would be taken as a key input.

While we acknowledge the concerns expressed by the EGI, it is necessary to point out that the “Voluntary Provision” and “Legitimate use” provisions are good enough to provide the freedom to the Journalists to go about their journalistic duties. The EGI will definitely be required to ensure that Journalists are properly informed and educated on how to navigate the DPDPA.

I invite the EGI to send their representative to the FDPPI’s event of July 27 at Bengaluru where they can share their concerns and also understand that this is not the exclusive problem of Journalists but it affects several others who are trying to find solutions and not escape from the responsibilities. (visit www.fdppi.in for details on the event)

Posted in Cyber Law | Leave a comment

Is there no solution for Age-gating?

India provided legal recognition to electronic documents through the Information Technology Act 2000 (ITA 2000). This gave legal recognition to electronic documents. ITA 2000 also introduced the Digital Signature and later on the Electronic Signature (e-Sign) as a means of authentication of an electronic document. The two together enabled “Electronic Offer and Acceptance to conclude an Electronic Contract valid in a Court of law” subject to exclusions in Section 1(4) of ITA 2000 and the Schedule I of ITA 2000.

Now the DPDPA has been enacted and the “Issue of a Notice and obtaining Consent” in a legally valid form has become relevant. The “Consent” as per Section 6 of DPDPA 2023 is expected to be an agreement meant to be enforced in law by a Data Principal against a Data Fiduciary.

The need for a legally acceptable online Consent Contract poses the following legal challenges.

1.Consent needs to be authenticated by a Digital/Electronic Signature and a mere Click-Wrap consent may be disputable.

2. If Consent is a Contract, its validity after the death of a data principal is disputed and hence the “Nomination” clause may be disputed.

3. If Consent is a Contract the validity of consent provided by minors or mentally disabled persons for whom a Court has granted a legal guardian may also be disputed and it is necessary to establish that every consent was given by a person of above 18 years of age and every consent of a person less than 18 years of age (or a mentally disabled person) was given by his guardian.

We now need to find a solution to each of these problems while implementing DPDPA 2023 and formulating DPDPA Rules.

In this connection, I draw the attention of readers to two of my earlier writings on this topic indicating that I have been trying to find a solution to this issue for a long time and the thoughts expressed in the underlying articles need to be pursued by the Government.

1.What is an “Adult Pass”? – naavi.org (July 13, 2005)

2.“Personal Digital Age” needs to be given a legal recognition (February 20, 2023)

A few days back, in a discussion between MeitY and the Face Book/Google representatives on DPDPA Draft Rules, the press reports have emerged to the effect that the meeting concluded that no solution is acceptable to the industry in this regard and they should be given the freedom to determine their own method to identify “Minors”. They have also asked for exemption on regulating “Behavioural Monitoring and Targeted advertising” of minors.

In summary the Face Book and Google have asked for complete exemption on any regulation of their activities on Minors and the Government seems to be yielding to this demand. Without the acceptance of the draft rules by Face Book and Google, they are unlikely to be adopted by the Government.

In this context I also draw the attention of the readers to the article in Mint published on 23rd November 2023 (Link here) which provides useful information on the use of Social Media by minors in India. According to this article about 35 % of users are minors and spend more than 3 hours per day. I leave it to the sociologists to quantify the adverse impact of this with the development of the minors which the busy parents of the day are unable to control. The article also records that more than 73% of the parents do prefer to exercise control through parental consent but the services donot enable them. As a result, it is not only the adult content but unauthorized E Commerce purchases, possible drug purchases, possible crime information etc are also easily accessible to minors causing a threat to the society.

Regulating content to Minors is therefore a social responsibility of the Government and there is no need to tune the regulations to protect the commercial interests of Face Book or Google. It is even more surprising that these same organizations are in the forefront of litigating against the Government whenever they donot like the law. It would have been fair if the Government had kept them at a distance till the cases they have filed against the Union of India in respect of ITA 2000 rules are not withdrawn instead of seeking their consensus on the proposed DPDPA rules. The reason why a more robust PDPB 2018/PDPB 2019/DPB 2021 was replaced with the DPDPA 2023 was the objections of these organizations and now they are not allowing the Government freedom to make the regulations also.

Under these circumstances the giving up of the age-gating regulations is not a wise move and needs to be re-visited.

It is not correct to say that there is no solution or that any solution is not scalable etc (Refer here) . These are the same agencies who have filed objections to the ITA rules on identification of “Originator of a WhatsApp Message” on unsustainable technical excuses. Their views are not final and Government needs to honestly try alternatives even if they serve the purpose partially.

Some of the solutions that can be tried are indicated below.

1.Use of “Age Certificates” to be issued by UIDAI to every Aadhaar holder which can be produced for every consent.

This will also serve the purpose of curtailing fake accounts in social media.

There will be the “Privacy Objections” but as long as release of identifiable data behind the Age Certificate is subject to valid legal process, there is no violation of Privacy principles.

This is the easiest and most effective manner and only India can do this and perhaps not USA.

Aadhaar information of a minor is also associated with the name of the parent which can be used for matching the name declared by the minor. There may be exceptions when a mother wants to provide consent instead of the father whose name is in the Aadhar but such exceptions can be handled through escalation of the requests.

It is for UIDAI to confirm if they are not able to meet the scaling requirements and what should they do to use the services of subsidiary agencies to scale up the requirements.

“Age Pass” and “Guardian Pass” can be two ancillary services that can be issued by UIDAI and would be of great use to the community. As long as the link to identity is regulated by a proper legal process, this should be acceptable to Supreme Court also though an initial objection would definitely be filed by the “Andolan Jeevies”.

2. DPDPA has introduced the concept of “Consent Managers”. These consent managers can maintain a KYC of their customers and hence age-gating responsibility can be undertaken by them. There can be specialized Consent Managers to manage Minor’s consents who may be Authorized User Agencies of UIDAI.

3. Another method of partial satisfaction of confirming whether a consent giver is an adult or not is through the TRAI and the OTP system. Whenever an OTP is given through a number X, TRAI can ensure that the owner of the OTP authenticating SIM is an adult and his name is so and so… which can be matched with the name of the guardian stated by the minor.

4.The problem of legal guardians of mentally disabled persons is different. I am not aware if Aadhaar has a system of recording this information and if not, it needs to be introduced. Secondly the Courts have to develop a data base of legal guardianship certificates issued by any Court across India and make it available to authorized agencies like UIDAI or an accredited Consent Manager of DPDPA.

5. MeitY can also check with RBI if Banks will be willing to issue an ID Card “I am Not a Minor” or “I am a minor till ….. and my guardian is …….”

I would also urge the Ministry of Consumer Affairs to incorporate some of these suggestions as a part of the regulation of E Commerce Transactions by minors. Regulating e-commerce transactions of minors can also be attempted with the cooperation of RBI by creating a “Minor Payment Card” associated with any Credit/Debit card which the Banks can issue after a KYC process.

I invite suggestions from others to improve the above thoughts.

If MeitY authorizes, Naavi would be working with some of the technology partners to develop a prototype for one or more of the above suggestions.

I reiterate that there is a solution for Age-gating and we only need to discover it with some effort. If MeitY can assure that they will stand by the principle, technology players can invest their time and effort to find a solution.

If however, the “Minor Consent system” is ruled by the Face Book and Google, then no Indian technology company may be interested in investing for such development. The ball is now in the court of MeitY whether they want indigenous efforts to be invested in fining a solution to the Age-gating problem.


Posted in Cyber Law | Leave a comment

Is Crowdstrike outage an AI Failure?

The failure of Crowd strike security software causing global chaos will be analysed by experts in Due Course.

In the immediate, it appears that there could be a failure in the Artificial intelligence based automated response which has generated a false alarm.

The appearance seems to be related to update issue. But probably it is a false report. Or the fault has been triggered in the updated version recognizing the update itself as an act of Cyber threat.

This should be a wakeup call for all those who think AI makes things more reliable. It was amusing to know that many airports are shifting to manual mode to tide over the crisis.


One of the suggested work around is:

  1. Boot Windows into Safe Mode or the Windows Recovery Environment.
  2. Navigate to the C:\Windows\System32\drivers\CrowdStrike directory.
  3. Locate the file matching C-00000291*.sys and delete it.
  4. Boot the host normally.

Terrorists have been found to use a second bomb blast after some time in the same location to smoke out victims from the first blast and kill them with the second.

A similar risk could be there in this case. It is said that the workaround will disable some security features. Attackers may be planning to hit in this time window.

Organisations should be careful.


Posted in Cyber Law | Leave a comment