Naavi.org

EU is embarking on another expedition of a regulation about which a brief summary is being provided here.

This act is called “The Data Act on harmonized rules on fair access to and use of data”. It should be implemented from 12th September 2025.

This act has been also adopted as UK’s” Data (Use and Access) Act 2025″ in UK and received the royal assent on June 19, 2025

This law builds upon existing data protection laws but focuses on enabling responsible data sharing, promoting innovation, and enhancing public services. 

The objective of the regulation is to ensure that users of a connected product or related service can access, in a timely manner, the data generated by the use of that connected product or related service and that those users can use the data, including by sharing them with third parties of their choice.

It imposes the obligation on data holders to make data available to users and third parties of the user’s choice in certain circumstances.

It also ensures that data holders make data available to data recipients under fair, reasonable and non-discriminatory terms and conditions and in a transparent manner.

This Regulation adapts rules of contract law and prevents the exploitation of contractual imbalances that hinder fair access to and use of data.

This Regulation also ensures that data holders make available to public sector bodies, where there is an exceptional need, the data that are necessary for the performance of a specific task carried out in the public interest.

In addition, this Regulation seeks to facilitate switching between data processing services and to enhance the interoperability of data and of data sharing mechanisms and services.

This Regulation should not be interpreted as recognising or conferring any new right on data holders to use data generated by the use of a connected product or related service.

Currently the GDPR like laws recognize “Personal Data” and impose restrictions on its sharing by Consent or legitimate interest etc. The “Data covered under this regulation” is what we have been recognizing as “Transactional Data” which belongs “Jointly” to the individual (User) and the organization (Data Fiduciary). Naavi has been insisting that such personal data does not exclusively belong to the data principal (data subject) and its disposal can be governed as a joint contract.

It appears that this new regulation may shed little more light on this concept and validate what we have adopted as “Jurisprudence”.

We can perhaps view this legislation as an extended rule on “Personal Data Disclosure”.

But as is customary, EU/UK have made it an elaborate law by itself with 49 articles in the EU version and 200 provisions in the UK version and it will be analysed ad nauseum in the days to come.

Penalties under EU version can reach up to €20 million ( £17.5 million for UK law) or 4% of a company’s total annual worldwide turnover, whichever is higher. 

Besides financial penalties, the Data Act also allows for non-monetary measures such as warnings, reprimands, temporary or permanent bans on data processing, and orders to rectify, restrict, or erase data. Enforcement is primarily at the national level within each EU member state, though data protection authorities (ICO for UK) retain jurisdiction for violations involving personal data.

If an organization outside the EU/UK provides goods or services to individuals within the EU/UK, they may need to comply with the EU Data Act. If deemed applicable, organizations should implement necessary measures to comply with the Act’s requirements, such as establishing procedures for data access requests, data portability, and data sharing.

The EU/UK Data Act may also have implications for international data transfers, requiring organizations to ensure compliance with the Act’s provisions when transferring data outside the EU. 

Watch out for more discussions on this.

Naavi

In the recently reported data breach penalty issue in South Korea, Ewha Women’s University server was hacked and more than 80000 data sets are reported to have been leaked.

According to the University, data was related to the students who had entered the school from 1982-2002 and included names, resident registration numbers, phone numbers, email, home address and school records.

The penalty imposed by the PIPC (Data Regulatory Authority of South Korea” was approximately $250000. The cost of the data compromise was therefore estimated at around $3 per data set.

The penalty was a deterrent for not securing the data and not the value of the data itself. However, we can presume that the penalty should have some reasonable relationship to the value of the asset compromised and the loss cumulatively suffered by the data owners.

Since data protection authorities are accepting “Reasonable Security” as a principle, the data controllers/fiduciaries also should expect that the fines are “Reasonable”.

I am not sure if 20-40 year old student data (University claims that the grading data was not compromised) was worth anything close to the value of the fine. But unfortunately there is no valuation guideline with which we can challenge the fine.

When Indian DPB considers any fine for non compliance of DPDPA, we will be debating in greater depth whether the penalty amount was “Reasonable”.

If we assume that a similar compromise of data had occurred in an Indian University, what would be the value of the data. It would be almost zero. Hence the penalty should be only nominal and should be not more than say Rs 1 per data set lost.

If industry does not move in to develop some norms for data valuation, they will have to face situations where the notional value of data compromised assumed by the DPB may be unrealistically high.

Naavi has been suggesting that every data fiduciary should have a valuation for its data assets and this is one of the requirements under DGPSI. If there was a documentation within the organization that the value of such student data depreciates year after year, there would be some base value to discuss with the regulators under the “Voluntary Undertaking” discussions.

Even the Insurance companies need such valuation guidelines to fix a premium or settle a claim.

I would like readers to check the Data Valuation Standard of India (DVSI) for preliminary concepts of personal data valuation.

In the instant case of an educational institution where students enrol themselves for a course of say 5 years, the data set related to the student may carry one basic value for the duration of the course during which the data gets enriched with the grading, performance, extra curricular achievements etc and finally the certificate of graduation. The value therefore keeps on appreciating through the years until around 2-3 years after graduation after which it should start depreciating. By 20 years the value should be very low and by 40 years assuming that even the working life of the student ends, the value is almost worthless.

The institution can store the data in two sets one containing the demographic data filed at the time of admission (Which is the data compromised in the Ewah case) and the second which represents the data added during the course by the institution (on which it may have some rights of creation). The demographic data does not appreciate and only depreciates right from the first year since the address, email, phone number may all change over a period of time. The grading data may be considered more valuable and also sensitive and it adds year after year until the final graduation certificate and there after it stagnates for some time and start depreciating later.

Hence the personal data valuation system applicable in such cases is complicated but is not beyond our capability of computation.

I urge the industry and the community to start thinking in this direction.

Naavi

Two Universities in South Korea have been fined for Personal Data Breaches with penalties amounting to $459000 (Jeobunk National university) and $253 million (Ewha University) following personal data breach .

On July 28, 2024, the personal information of over 320,000 students and graduates of Jeonbuk National University was leaked. The university said that the names, phone numbers, email addresses and other details of students and graduates had been exposed in the breach. The cause was traced to lack of adequate information security measures including not implementing appropriate data retention measures based on existence of legal basis for processing.

In a similar case, the personal information of over 83,000 students and graduates of Ewha Womans University, also including RRNs, was leaked on Sept. 3, 2024.

On top of imposing monetary penalties, the data protection authority of South Korea ordered the two universities to make their violations public by making official announcements on their websites, inspect their information security systems and establish round-the-clock monitoring systems.

Last year the South Korean agency had also imposed fines on Kyungsung University (KRW 42.8 million) and Soonchunhyang University (KRW 193 million) highlighting the vulnerabilities of such organizations.

The news papers report that the commission also advised additional penalties to the personnel in charge.

These incidents highlight the risks that Indian educational institutions in India also run. Most of these institutions hold enormous data not adequately secured. Not many of them have thought of any implementation of DPDPA.

It is time for such organizations to wake up…and be ready for DPDPA.

Naavi

Organizations in India are debating on what are the credentials of a DPO who is emerging as one of the senior most executives in an organization reporting directly to the Board. Many companies would like to have a trusted person within the organization to be elevated to this coveted post.

Often such discussions lead to CISOs and CTOs being considered for filling up the post.

It is however time to discuss if the CHRO is also a person who should be considered for elevation as DPO. Every company small or big has HR functions and every such company needs to be considered as a “Data Fiduciary”. The CHRO is therefore almost always required to manage DPDPA compliance for employees whether there is a designated DPO or not in the company. Hence a CHRO can implement DPDPA for employees and gradually emerge as the DPO material himself/herself. If a legal person without technical knowledge or a Technical person without legal knowledge can become a DPO, it is necessary to ask why a HR specialist cannot become a DPO.

Let us discuss this in today’s interaction at greyt HR community.

Naavi

India has been trying to get the “Privacy Protection Act” since around 2006 when the Personal Data Protection Bill 2006 (See here) was first presented in the Parliament along with the Information Technology Amendment Bill 2008 which later became a law. The initial demand was entirely from the industry which sought such a law since EU was indicating that they would not transfer data related business to India unless there is a corresponding data protection law here.

The Government yielded to the pressure from the industry and introduced the bill in 2006 which however could not be converted into law. Then again it was in 2017-2018 that the first PDPB 2018 saw the light of the day following Justice Srikrishna’s efforts. Since then we saw a two more versions PDPB 2019 and DPA 2021 before the current DPDB 2022 was born as a bill and later converted into an act on August 11, 2023. The blame has always been placed on the Government though it is part of the industry which is also consistently opposing the Bill for one reason or the other.

Ultimately Mr Rajeev Chandrashekar pushed through the current version by simplifying the law and trying to make a law which was acceptable to all parts of the society including the Big Tech and the Government.

However the Privacy activists continue to oppose the current law either because it is being moved by the Modi Government or because they want only a law to beat the Government with litigations every day.

The latest version of this opposition is now seen in the move to oppose DPDPA 2023 on the ground that it dilutes the RTI act. This has resulted in the Government delaying the notification of the rules and seeking further clarification from the AG.

In our view the opposition is not necessarily valid for the following reasons.

By its inherent nature, a law for protecting Privacy is in contradiction with the law of freedom of speech or national security. Privacy cannot have a free hand if it violates the national security interests or even the rights of another person to maintain his dignity. Hence we can always find contradictions in the Privacy law with any effort to balance it with the “Right to Freedom of Speech” or “Right to Security”.

The Constitution itself has recognized that Right to Privacy even as a Fundamental Right has several reasonable exceptions provided in the Article 19(2) of the Constitution. This article includes national security (interests of the sovereignty and integrity of India, the security of the State, friendly relations with Foreign States,) as well as other issues such as “public order, decency or morality or in relation to contempt of court, defamation or incitement to an offence”.

DPDPA, under Section 17(2)(a) has used the Article 19(2) to provide exemptions to the Government and notified instrumentalities of State in respect of only the national security and maintenance of public order or preventing incitement to any cognizable offence relating to any of these. It may be noted that the DPDPA does not claim exemption in respect of “Contempt of Court”, “Defamation” and restricts the “Incitement to an offence” to only those which relate to the national security and maintenance of public order.

In other words, the Government has been circumspect in using the Article 19(2) exceptions and not provided all the benefits which our constitution had provided to exempt the Government from the requirements of the DPDPA obligations.

The exemption available for “Prevention, detection, investigation or prosecution” is restricted to “Chapter II other than Sections 8(1) and 8(5), Chapter III and Section 16. Here again an attempt is made to use less of privilege than what the constitution had provided.

Now coming to the controversial amendment to the RTI act, it is proposed as follows.

Current provision under Section 8(1)(j) states

“(j) information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information:”

The amended section now reads: ”   “(j) information which relates to personal information;”

However the persons opposing the amendment are forgetting that if there is any public interest involved in the information which is being refused to be provided under the amended provision, it can be covered under Section 8(2) of the RTI act which states

“(2) Notwithstanding anything in the Official Secrets Act, 1923 (19 of 1923) nor any of the exemptions permissible in accordance with sub-section (1), a public authority may allow access to information, if public interest in disclosure outweighs the harm to the protected interests.”

Though this provision says “May” instead of “Shall” it is still available for the activists to prove the existence of public interest and claim the information under section 8(2) instead of 8(1)(j).

Hence the hue and cry raised by all the activists has only a marginal justification. Hence there is no need for any Court to intervene and impede the notification of the Act.

Further, the Draft Rules 2025 is currently silent on notification of Section 44 and hence has no bearing on the controversy. As has been already pointed out by us, there is a need to notify at least Section 44(1) and Section 44(2) giving effect to the amendment to the Telecom Act and ITA 2000 even if notification of Section 44(3) is further deferred.

It is our sincere desire that the Government proceeds with the release of the Draft rules with the additional notification of Sections 44(1) and Section 44(2) and wait for the AG’s clarification on Section 44(3). This would enable the industry to go ahead with the implementation since the RTI issue does not affect the private sector.

Naavi

DPDPA 2023 has come into existence as a law on August 11, 2023. In January 2025 MeitY issued a notification of draft Rules and opened it for public comments. However till today the rules have not been notified raising the speculation that Government is not serious about bringing in the law.

However more recently, NeGD jumped into fray by announcing a “Coding Competition” to encourage the private sector to develop a “Consent Management System” which can be integrated into the data fiduciary systems through an open source platform. For the purpose of this competition, NeGD has issued a document called “Business Requirement Document” which outlined some of the expectations of such a system. This document is not an extension of the “Rule” but the fact that NeGD is part of the Digital India Mission, there is a misconception that the BRD is a detailing of the “Consent Management Requirement” under the rules.

It is also reported that MeitY has made a reference to the Attorney General for a clarification on Section 44(3) related to the impact of DPDPA on RTI act.

Additionally, the Digital India Corporation (DIC) has called for appointment of a “Consultant” for developing the digital office of the proposed Data Protection Board.

These developments indicate that the MeitY is actually trying to finalize the rules and notify them at the earliest.

In the meantime there are two questions which have been raised in the professional circles about whether DPDPA has some fundamental flaws in defining the terms “Digital” and “Personal Data”.

As readers of naavi.org are aware, we had published a series of articles under the title “Shape of Things to Come” before DPDPA 2023 was enacted indicating our Wishlist. We have also been discussing on many other aspects of the law on how we can interpret the law for initiating the compliance in the industry.

Without going into a debate on what more could have been done and what has been missed, our approach is that a proper interpretation of DPDPA 2023 can lead to development of Jurisprudence which can take care of many of the perceived short comings.

Hence we restrict our discussion here on the two points of “Definition of Digital” and “Definition of Personal Data” and whether they could weaken the law significantly.

Digital:

According to Section 37(3) the definition of “Information” and “Computer Resource” in the Act shall have the same meaning as in ITA 2000.

Under Section 2(1)(v) of the ITA 2000, “Information” includes “Data” and “Data for this section” includes representation of information in any form which can be processed by a computer and by the definition of “Electronic form” includes any information that is computer generated such as print outs or intended to be processed in a computer etc.

In view of these definitions, the word “Digital” extends to any “Binary expression” and this definition extends to DPDPA so that even quantum pulses or neural data may be considered as “Digital”.

Only those documents which are manually prepared and meant to be manually used for ever are outside the definition of DPDPA as regards “Protection of Privacy”.

Hence adoption of the principle “DPDPA is only for Digital Data” does not significantly affect the Privacy Rights of an individual. Further the law is meant for “Processing of Digital Data by a Data Fiduciary” and hence omission of “Oral data” by a “Data Fiduciary” which is neither recorded nor stored or transmitted on a digital media is of little consequence. It would not be out of place to say that in today’s corporate world, there is no information which is not digital.

The moment any manually collected personal data is converted into digital form, it becomes part of the DPDPA.

Definition of Personal Data

There is a view that Personal data is defined as “Any information about an individual who is identifiable with reference to the data. The objection raised is that if there is any information owned by a person but does not identify the person, it can be used by others without restriction. Also if the data is currently identifiable but later anonymised or de-identified, it can be used and this is argued as unfair.

Here again we need to refer to IPR law which protects data of a person with IPR value whether it is through Copyright or Trademark Rights or Patent Rights. These rights are however linked to the voluntary disclosure of ownership and can be compulsorily opened out if there is public interest.

The personal data on the other hand has two components one of which is the identity and the other “Information without identity”. When an information is de-identified or anonymised, the data which is personal becomes relatively “Non Personal” and useful to the society for statistics or other purposes. This is one of the balancing features of the law that tries to ensure that in the guise of Privacy we restrict the society being benefited.

We must also appreciate that by recognizing the “Right to Nomination”, DPDPA recognizes the ownership of personal data to the individual and then leaves it to his discretion to provide consent for its use in an identifiable form. Derived data in the form of de-identified or anonymous data without affecting the privacy of the individual is outside the scope of this act like the corporate data or environmental data etc.

There are certain issues related to definition of personal data which we have discussed earlier such as

1.Defining Personal Data under Naavi’s theory of Privacy (“Nee Maayeyolago, Ninnolu Maayeyo” )

2. Interpreting “Personal Data” and “Business Contact Data” under GDPR

3. Personal Data should be considered a personal Property

4.Difference between “Personal Data” and “Protected Personal Data” under DPDPA

Essence of most of these discussions is that “What is personal and What is not personal” is the choice of the individual and hence the definition ultimately gets tied with the “Consent”.

As long as some information cannot damage the personal reputation of an individual nor create a mental disturbance if it is in the hands of another person, the issue of “Privacy” should not arise. If there is any value in the information without identity, that should be protected under IPR laws. If there is a misuse of de-identified information, there can be action under ITA 2000 as a Cyber Crime.

Hence it is my view that the lack of a detailed definition of “Digital” or “Personal Data” or “Ownership of Personal Data” is not a significant fundamental flaw that can be held to criticise DPDPA 2023.

On the other hand, DPDPA 2023 adopting the principle of “Data Fiduciary” vs “Data Controller” makes it a hugely superior law than GDPR since every data processor needs to ask himself whether he is a “Data fiduciary” and more so whether he is a “Significant Data Fiduciary” and ensure not only the obligations specified but also the duties specified in the law for both the data fiduciary and the data principal whether the processing is done by the data fiduciary or his agents.

No law can be drafted as “Perfect” less so a law that has to balance the “Undefined Right called “Privacy” with “Business interests” and “Governance and Security of the nation” . The interpretations will emerge initially through professionals and later through Courts and subsequently through further amendments.

We need to be patient and let the law run.

Naavi