Niti Aayog not clarifying about Mandatory Darpan Registration

Naavi has been repeatedly requesting NITI Aayog to clarify that registration on the Darpan Portal is not mandatory for all Section 8 companies. Unfortunately NITI Aayog does not respond to the query and prefers to remain silent.

In the meantime some REs like PayU and Razor Pay consider that registration on the Darpan Portal is mandatory for a Section 8 company and are not completing the KYC process.

It is highly irresponsible of NITI Aayog and RBI not to make a proper announcement that Darpan registration is not mandatory for KYC. At the same time it is disappointing to note that companies like PayU and Razor Pay are unable to complete KYC without the Darpan portal registration.

Further, registering a Section 8 company like FDPPI on the Darpan Portal is not possible, and the portal returns an error page every time.

I hope some senior person like Mr Amitabh Kant looks into this issue and sets right this anomaly.

Naavi

Posted in Cyber Law | Leave a comment

optimum.net spam

I am informed that spam mails are being sent from the optimum.net server to many people using the email identity Vijayashankar Nagarajarao (archer83@optimum.net).

Kindly ignore them and if possible file a complaint with abuse@optimum.net.

I don’t use any service from optimum.net and the email archer83@optimum.net does not belong to me. This scam seems to originate from a compromised optimum.net server which is extracting the email contacts of its customers and using them for spamming.

Naavi

UIDAI website having problems

It is observed that the UIDAI website is experiencing some serious technical issues. It is downloading Aadhaar cards of persons other than the one for whom the request was submitted and the OTP authenticated.

Though the downloaded file is protected by a password, this is a serious flaw which needs to be corrected.

UIDAI has recognized the bug and has posted a message on the website. I hope it would be set right soon.

This could be considered a “Potential Data Breach” and needs to be addressed as such under ITA 2000/DPDPA.

Naavi

When do we start working on DPDPA Compliance

One of the queries I have received on LinkedIn from a discerning Privacy Professional is:

“As we observe, organizations have begun aligning with the Digital Personal Data Protection (DPDP) Act in India. However, several provisions remain ambiguous, awaiting further clarification through governmental rules. For instance, the practical implementation of roles like the Consent Manager is still not fully defined.

In light of these uncertainties, how can organizations proactively work towards compliance? What preliminary steps can be undertaken even before the complete regulatory framework is established?”

Let me try to provide my feedback on this.

Compliance with DPDPA is a cost that any organization has to absorb. Even the conduct of a DPDPA gap assessment will need a budget. If an organization is a Data Fiduciary of some responsibility, the costs are likely to be higher since it has to immediately take the decision to designate a new senior position of Data Protection Officer with a team of his own. Once the DPO is in place, he will demand an “Implementation Plan” which includes in-house measures such as drawing up of policies, which may need external consultancy from expert organizations like FDPPI and also requires investment. Then comes the bigger investment and the decision about acquisition of software for compliance, which is a long-term, higher-level investment.

The CFOs, CEOs and Board members of any organization would naturally take their time to commit to these expenses and would like to find as many excuses as possible not to sign off on the DPDPA implementation budget. However, this “Judicious Contemplation” should not turn into procrastination and policy paralysis.

The first action required for any responsible corporate entity is to pass a resolution at the Board level to the effect:

“The Board has taken note of the passage of DPDPA 2023 and the imminent release of detailed rules and

a) has resolved to conduct and document a Business Impact Analysis of the passage of DPDPA 2023 on our organization immediately.

b) has resolved that a committee of Directors consisting of …….., ….. and ….. is formed with immediate effect under the chairmanship of the independent Director ……………, to consult relevant experts and report to the Board by the next Board meeting on further actions to be taken.

c) has resolved that the following terms of reference shall be addressed by the Committee:

i) To determine when the Company should start a DPDPA Gap assessment program.

ii) To determine whether we should designate a “DPO” for our organization.

iii) To determine the budget to be allocated for the next quarter and the current year for DPDPA Compliance.”

The above actions are necessary and can be implemented immediately by the Company Secretary who is drafting the minutes for the next Board meeting. If an organization has already passed through this stage, it may encounter the questions raised in the query above. These need to be discussed by the committee and its views presented to the Board. In that process, the committee can take into account the following thoughts.

Ambiguity of provisions

DPDPA is a law, and a law is by nature meant to provide broad principles which are to be interpreted in the context of its implementation.

Rules are expected to provide the procedural guidelines and cannot re-interpret the law. Rules cannot therefore be expected to provide “Legal Clarity” where the law has failed to do so.

Hence if there are any ambiguities in the law as we perceive them, we need to live with them. As regards the Consent Manager, the law is clear and it is the Draft Rules that are creating complications. But a “Consent Manager” is not “mandatory” for implementation of DPDPA by an organization, and hence organizations need not wait for this ambiguity on “Consent Manager”, if any, to be cleared.

Consultants like FDPPI and frameworks like DGPSI have provided a “Jurisprudential Interpretation” of all aspects of DPDPA 2023, and unless a company wants to ignore them, there is no reason to delay the start of implementation waiting for further clarification from the Government.

The Government cannot provide a clarification that is not in tune with the Act, and if it does so by a mistaken interpretation, there is a possibility of the law being challenged in a Court of law.

The current mood of the Supreme Court, which in the past has been aggressive in taking on the executive’s role of drafting rules for an Act and adding its own interpretations to the laws, is not to pass any “Stay” on the operation of the law. If therefore any “Andolan Jeevies” challenge specific provisions of the law as “Ambiguous”, the issues will be taken up for discussion but no decision is expected immediately.

We therefore consider that it is not wise for companies to keep waiting for clarifications from the Government.

Our view on this is clear as follows:

1. DPDPA 2023 is an expansion of Section 43A of ITA 2000 and is therefore considered “Due Diligence” under the current law, which is ITA 2000.

2. DPDPA 2023 provides a detailed clarity on the concept of “Reasonable Security Practice” under Section 43A of the ITA 2000.

3. The limitation of the applicability of Section 43A of ITA 2000 to “Sensitive Personal Information” has now lost its meaning since there is no specific definition of sensitive personal information under DPDPA, and it is the responsibility of all Data Fiduciaries to determine the harm likely to be caused to a Data Principal on account of their processing and take appropriate action to protect their interests.

4. Since the “Data Fiduciary” is a “Fiduciary”, it is itself responsible for determining the harm likely to be caused and is accordingly expected to develop the compliance.

5. While Section 43A is limited to the provision of compensation to a data principal, it does not bar the Adjudicator under ITA 2000 from imposing a penalty on the Data Fiduciary.

6. Section 43A of ITA 2000 remains intact until Section 44 of DPDPA 2023, along with the penalty section 33, is specifically notified. Till then, the penalties under Schedule I of DPDPA 2023 may be considered only as a “Legislative intent”, and the Adjudicator, under his powers to award compensation up to Rs 5 crores, can provide compensation to the affected victim and also exercise suo motu powers to impose deterrent penalties as well as recommend action under Section 43 and Section 66 of ITA 2000.

7. Any ambiguity on the role of a “Consent Manager” may be ignored. If any organization has the intention of registering itself as a “Consent Manager”, it may do so after the Data Protection Board is set up.

8. When in doubt, the Company may obtain and document an opinion from an appropriate management consultant or a legal consultant. Such opinion may be a Legal Opinion from a law firm or Management Advice from a Management consultancy firm.

I suppose this provides a reasonable response to the query raised. Further comments are welcome.

Naavi

View on Cross Border data transfer restrictions

The ongoing discussion on LinkedIn has brought a query which I thought could be answered in greater detail here.

Query:

“I would really love to hear your thoughts on why India is adapting the path of “data should not be transferred to certain countries, which is completely a different approach from GDPR wherein they have taken a positive approach of transferring data to the listed countries who has adequate safeguards”. Do you think this is the right approach?”

The provision under Section 16 of DPDPA 2023 states that

“the Government may by notification restrict the transfer of data by a Data Fiduciary for processing to such country or territory outside India as may be so notified”.

It goes on to further state

“Nothing contained in this section shall restrict the applicability of any law for the time being in force in India that provides for a higher degree of protection for or restriction on transfer of personal data by a Data Fiduciary outside India in relation to any personal data or Data Fiduciary or class thereof.”

Under the draft rules proposed, it is stated that “transfer of personal data within India or outside shall meet such requirements as the Central Government may, by general or special order, specify in respect of making such personal data available to any foreign State, or to any person or entity under the control of or any agency of such a State.”

The minister has made a statement publicly that MeitY will form a committee which will from time to time review the requirements and suggest what restrictions should be applied and in what context.

The provisions read together are flexible and will cover the provisions of EU GDPR under Article 45 as well as Articles 46, 47, 48 and 49.

The Committee can take a decision like “Biometric data will not be transferred to any country, including the USA or EU countries” and ignore the claim that that country has a stringent data protection law. On the other hand, the Committee may allow transfer of data by a social media company handling non-sensitive information to most countries. The Committee can also decide that a particular Data Fiduciary is in the defence sector and shall not transfer data anywhere, even within the country, and that the data centres of the company shall reside on its own premises.

Thus we have taken a fair and flexible approach. The EU approach cannot be called “Positive” just because it gives 11 countries out of 193 plus UN members the status of adequacy and considers the other 182 countries as “Prohibited countries”. Even GDPR adequacy has restricted sectoral permissions within the adequacy countries. The EU thinks that it has the right to decide what are “Adequate Security Safeguards” and suggests that other countries should follow its norms. India thinks that it is a sovereign country and we decide which processing outside the country is safe and should be allowed and which should be prohibited.

From a practical perspective, instead of hard-coding a list of countries, the committee reserves the right to make decisions from time to time.

Let us hope that the Committee will do its duty properly, and if so it would be a better proposition than what GDPR proposes. It also gives us an opportunity to create our own “Data union/Trusted Countries for data transfer” as Naavi had proposed to MeitY during the JPC discussions on PDPB.

Naavi

Is RBI out of its mind on allowing minor digital banking accounts ?

Recently we saw that RBI came up with a circular (Refer TOI article here). RBI had in its earlier circulars (Refer here), starting from 1976, indicated that the purpose of opening minor accounts was to encourage the habit of “Savings” at an early age. That was the time when there was no digital banking and no digital banking risks. Minors were allowed to open the account with the consent of their natural guardians, there was a limit on the transactions, and no third-party cheques could be issued. The minor could only come to the bank and withdraw or deposit the money.

Now the old guidelines are repealed and the new guidelines state that Banks are free to issue ATM/Debit Cards, Chequebook facility etc. based on the risk management policy of the Banks. There is no limit on the balances.

In this context I want to ask the RBI officials including the Governor whether they are out of their minds? Are they aware of the Risks to Banking system because of this new grand gesture?

Today, Banks are no longer interested in the promotion of “Savings”. They are as greedy as a commercial organization like Google or Meta or Amazon, and today every account is seen as a profit centre. They are also completely ignorant of the Banking law, and through this circular RBI has also demonstrated that it does not respect Banking law.

I want to discuss here a few specific issues for which I demand that RBI has to answer.

  1. Banks are ignorant of the Banking law and do not understand the Banker-Customer relationship nor the ITA 2000 while applying “Debit Freeze” and “KYC Freeze” on the accounts.
  2. Banks are not respecting the RBI’s own circular on “Zero Liability”
  3. Minor Accounts

Banker Customer Relationship

It is an age-old Banking law that recognizes the Banker-Customer relationship as a “Debtor-Creditor” relationship, where a Bank is a debtor who has borrowed money from the depositor and has the power to use it as he decides. The depositor is not the owner of the money deposited and is only a creditor who can claim the money back as per rules and, if it is not returned, can sue the Bank. A Bank deposit is not “Property” and is not in the control of the depositor once it passes into the control of the Bank.

As a result, whenever a Bank fraud takes place, the money lost is not that of the customer but of the Bank. If a customer observes that money has vanished from his account, his right to withdraw has been curtailed, and, like a complainant in any cognizable offence, he is expected to report the crime.

The RBI has rightly held that if the customer disputes any debit the Bank is obliged to repay the same instantly.

Indus Ind Bank does not care for RBI Circular

I came across a case of Indus Ind Bank, Thane Branch, recently where I filed an e-mail complaint to Mr. Dickson Baptista, Head – Customer Care, OPUS Center 47, Central Road, Opp. Tunga Paradise Hotel, MIDC Andheri (East), Mumbai 400093, pointing out a customer’s dispute of two transactions which ought to be refunded. This email was sent on 8th April 2025 and there is no response till date.

I am charging the Bank with “Denial Of Access” under Section 43 of ITA 2000, and read with Section 66 of ITA 2000 it is a report of a crime.

Does RBI have any answer to the impunity with which the Bank refuses to even acknowledge the e-mail?

Is this post which is a public notice not sufficient for the vigilance department of both Indus Ind Bank and RBI to seek action?… Let me see how they react.

I fought the case of S Umashankar Vs ICICI Bank for 14 years before getting a refund from the bank for a phishing fraud of which Mr Umashankar was a victim. After the Zero Liability circular came into effect, many cases might have been settled without such a dispute resolution going through Adjudication, the Appellate Tribunal and the Courts. But still there are many Banks who consider that their fraudster customer is more valuable than the victim customer and try to protect and shield the fraud by making it difficult for the victims to recover their losses.

Debit Freeze

In the above case of Indus Ind Bank, while the Bank has not acted on the refund of the disputed transactions, it has put a debit freeze on the balance. What should we say of the intelligence of Indus Ind Bank in considering that the victim should be further inconvenienced by such a debit freeze on the balance remaining after the fraudsters have withdrawn part of the money? (In the Umashankar case I did not have this problem since the fraudster had cleaned out the entire account.)

I now ask the RBI whether their “Debit Freeze” applies to the balance remaining in an account where some fraudulent debits have occurred. If Banks are allowed to get away unpunished for this action, there will be a chilling effect on Cyber Crime victims and they will be hesitant to report frauds. As it is, we consultants tell victims that if the amount lost is small, then forget it since the Police do not have time. Now we need to even consider that if there is a balance of one lakh in my account and there is a UPI fraud with a fraudulent debit of Rs 1000, and I report it to the Bank, the Bank may classify the account as “Involved in a Cyber Crime” and put a debit freeze on it.

Is RBI aware of this possibility? Will it take any action?

The debit freeze is defended under Section 106 of Bharatiya Nagarika Suraksha Samhita 2023 (BNSS 2023) as the power to seize “Property” .

In the context of the “Banker Customer Relationship”, does the “Bank Balance” represent “Property”? What we claim today as “My Bank Balance”, is it not a “Right to withdraw money lent to the Bank”? Is it not an “Actionable Claim”? Is this not the argument under which Banks sometimes refuse premature closure of deposits even when the Bank is considered an insolvency risk?

Now in the case of digital banking, how can the binaries that show up on my computer within the banking application as “Balance” be considered as “Property”?

If there is a debit freeze, the debit freeze is legally treated as “Denial of Access” which is an offence under Section 66 of ITA 2000.

Neither the RBI nor a Police officer wrongly using Section 106 of BNSS can cause denial of access under an excuse that he is trying to investigate a crime.

I want the Ministry of Home Affairs to confirm if this is part of the “Nagarika Suraksha” that they want to achieve under the new Act. Is it not a “Police Excess”, where powers to investigate the criminal are applied to harass the victim?

I want lawyers who are fighting such cases to argue this before the Courts, since even Courts have forgotten the concept of the “Debtor-Creditor” relationship, and to make the Police, Banks and RBI answerable for the harassment that is going on in the name of Cyber Crime prevention.

The same denial of access charge is also applicable when Banks put a debit freeze on accounts for non-updation of KYC, which is randomly asked for by the Bank from time to time. Banks think “Know Your Customer” is not satisfied when they “Know the Customer” in one account but not in “Another Account”, and request multiple documentation for the same customer. The non-Banking REs like the payment gateways also have their own ignorance and often refuse to update KYC for companies for lack of an Aadhaar of a company.

I recently observed that my account with ICICI Bank in the Bengaluru urban area was inoperative for KYC non-updation for more than 15 days, and even after updation of the KYC the papers remained in the drawers of an ignorant staff member who had no clue what KYC is. The manager confessed that the quality of staff today is so inadequate that it is difficult to get work done by them. In our times it was difficult to get work done by Bank staff because of Union problems, but today it is the lack of awareness that is hurting the Bankers.

The MeitY/Ministry of Finance have their own share of ignorance when they declare such Banks as “Protected Systems under Section 70 of ITA 2000” and “Too Big to fail”.

Is MeitY imposing the restrictions envisaged under Protected System security on Banks like ICICI Bank, HDFC Bank, Union Bank etc., which they have royally declared as “Protected Systems” as if it were a feather in their cap?

Minor Account

At this point of time, what on earth makes RBI think that Bankers are capable of handling a “Minor’s” account in digital form?

As per the latest RBI circular, if minors are allowed to issue cheques to third parties, what will be the impact on the rights of the beneficiary of the cheque, or more importantly the endorsee of the cheque who is a “Holder in Due Course”? How will Courts determine the liability of the drawer of the cheque under Section 138?

Similarly, since there is no upper limit on the balances in these accounts, are these minors not exposed to Cyber Frauds and Digital Arrest frauds? Will RBI take responsibility when some minors either commit suicide or start stealing from their own parents on the basis of teachings by fraudsters?

In Kannada there is a proverb “ಬೇಲಿಯೇ ಎದ್ದು ಹೊಲ ಮೈದರೆ ಕೇಳೋರ್ಯಾರು?” ( BEliye edhdhu hola maidare KEloryaru?) meaning: who will listen when the fence itself eats the crop?

Currently RBI has allowed “Freezing of Bank accounts”, which itself is illegal. It is allowing Minor accounts, which is illegal. Banks continue to support fraudster customers against victim customers. Neither Police nor Courts come to assist the victims, and they are more concerned with their own interests. Even the Supreme Court is supporting Bitcoins and fraudulent Judges instead of innocent citizens.

The situation has become so bad today that fraudsters are using this as a threat to genuine customers, saying “I will get your account frozen if you do not do this…”. A threat of this nature was received by a professor in Bangalore recently. This was a case where an unknown person called and said, “I have wrongly credited some amount to your account and you should transfer it back.” As most of us know, this is one of the standard modus operandi for UPI frauds, and the alleged recipient is advised not to act on such requests. In this case, when the account holder refused to talk to the person, he threatened that he would get the account frozen.

We all know that these criminals have their supporters even in the Police Stations and it is not difficult to get a letter issued to the Bank for freezing the account. The Police should not have the power to issue such “Garnishee” orders in the first place and neither the RBI nor the Bank seem to mind. The Ministry of Home Affairs also does not mind such illegal practices.

How will RBI react to this new “Weaponization of debit freeze” by fraudsters?

I am an ex-Banker and am aware that once the power to freeze bank accounts was only through “Garnishee Orders” from a Court. Today such powers are being exercised by all law enforcement agencies, including a Police inspector, and are therefore amenable to abuse. I refer to an article in Manupatra which speaks of Section 102 of CrPC or Section 106 of Bharatiya Nagarika Suraksha Samhita, which states as under:

106. Power of police officer to seize certain property.

(1) Any police officer may seize any property which may be alleged or suspected to have been stolen, or which may be found under circumstances which create suspicion of the commission of any offence.

(2) Such police officer, if subordinate to the officer in charge of a police station, shall forthwith report the seizure to that officer.

(3) Every police officer acting under sub-section (1) shall forthwith report the seizure to the Magistrate having jurisdiction and where the property seized is such that it cannot be conveniently transported to the Court, or where there is difficulty in securing proper accommodation for the custody of such property, or where the continued retention of the property in police custody may not be considered necessary for the purpose of investigation, he may give custody thereof to any person on his executing a bond undertaking to produce the property before the Court as and when required and to give effect to the further orders of the Court as to the disposal of the same:

Provided that where the property seized under sub-section (1) is subject to speedy and natural decay and if the person entitled to the possession of such property is unknown or absent and the value of such property is less than five hundred rupees, it may forthwith be sold by auction under the orders of the Superintendent of Police and the provisions of sections 503 and 504 shall, as nearly as may be practicable, apply to the net proceeds of such sale.

It is clear that this section will hold only if we accept that a Bank balance in digital form is “Property”. I think this is not feasible unless the Courts forget the nature of the Banker-Customer relationship and treat it not as a Debtor-Creditor relationship but as a Bailor-Bailee relationship.

Concluding Remarks

It is painful to attack several Government agencies in this one blog and watch the deterioration of RBI and Banks to a state where customers are the last of their priorities. I have in the past appreciated RBI for some of its bold stands, against Bitcoin as well as on the Zero Liability circular. But it seems that the management has now changed and the new crop of Governors and Deputy Governors are not committed to the principles under which RBI was functioning so far. It is necessary for them to be reminded of the reports of the SR Mittal working group, Gopala Krishna working group and Damodaran Committee, which appear to belong to a past golden era in Indian Banking.

The current generation of society needs to think of Banking as “E Commerce” and either spread their risks or disable internet Banking in most of their accounts. In today’s regulatory scenario in Banking I am afraid that we are not ready for the “UPI Revolution”.

If there are any genuine souls in RBI who still respect the Banking customer, I want them to respond to the concerns expressed here. Minimum restrictions suggested to be mandated by RBI are:

  1. Limit the balance to a maximum of Rs 25000/-
  2. Cheques to be pre-printed as “Self Cheques, Not to be endorsed” and “Minor Account”
  3. No RTGS, NEFT, IMPS or UPI
  4. Debit card drawing limit fixed at Rs 5000/- per day

Naavi