AI agents as Virtual Employees

After the Covid period, when employees were forced to work virtually, the IT world was slowly getting back to the “Work From Office” culture. But this transition back to the legacy system is likely to get a jolt from the development of “AI agents”, which may replace physical workers in due course.

Initially, the attempt is to improve productivity by shifting some routine tasks to AI agents so that humans can focus more on tasks requiring human oversight. But slowly a major part of corporate work is likely to be shifted to this AI Agentic Workforce, and the composition of the workforce is likely to change substantially.

Microsoft is preparing to introduce autonomous AI agents shortly. These AI-powered virtual employees are designed to handle tasks like client queries, sales lead identification and supply chain management, as the tech industry looks to prove the practical value of AI advancements. The company plans to release 10 pre-configured AI agents designed for specific functions, such as customer service and supply chain tasks.

Google, simultaneously, is working on the AI Co-Scientist project, which is considered a prototype of future enterprise AI.

We have already heard of Mika, the AI CEO of a Polish liquor company. Now several companies are developing an Agentic AI workforce to replace their human workforce. OpenAI’s Sam Altman has predicted that 2025 will see the growth of AI agents as members of a workforce.

Now AI-CEO.org has introduced an AI-CHRO product for workforce management for the Agentic Future. AI-CHRO is claimed to be capable of autonomously hiring, managing, evaluating and, if necessary, terminating AI agents.

We are therefore entering a new era of AI-driven agents that take on knowledge work, decision-making and even innovation, much like human employees. Such virtual employees may think like a team and act as a knowledge generator, not just as an optimizer.

These developments are likely to result in a quiet erosion of entry-level human jobs and make the students coming out of our colleges on a 4-year-old syllabus unsuitable for corporate jobs. While some progressive colleges and intelligent students may be able to upgrade themselves quickly, a majority of students will find it frustrating and could run into serious psychological problems.

It is time to reflect on where this is going to end up in terms of regulatory frameworks such as the DPDPA.

Currently, we treat AI as an agent of a human handler who is legally liable for the regulatory implications. It is possible that the work is performed by an AI worker, supervised by an AI Supervisor and managed by an AI CEO. It is also possible that some innovative Board may appoint an AI Agentic DPO and challenge the regulators.

In all such cases, the real human who has to take the regulatory liability is the Board of Directors itself. If they want to delegate the responsibility, they need to designate a “Human Handler” for the AI-CEO or AI-DPO.

If necessary, the Government of India should clarify that “AI remains a Tool and a Handler of AI is always liable for the actions of the AI”.

In practice, the AI tool may be developed by one company and licensed to another. Hence there will be a handler-developer and a handler-user who have to build a contractual relationship to define their inter-se liability.

In terms of the DPDPA and the DGPSI framework, we shall consider that AIs are represented by their handlers, and both the handler-developer and the handler-user (or their companies) are treated as “Joint Data Fiduciaries”.

In the meantime, Naavi invites “Handler-Users” to get in touch if their Handler-AI combination has to be certified for C.DPO.DA.

Naavi

Also refer: Can Claude run a Small Business?

Posted in Cyber Law

Taking Control of Cookies under DPDPA

For DPOs in India, one of the grey areas of compliance to be managed is “Cookie Consent”.

Normally, cookies are set by the website, and the website is managed by the IT department. The content on the website is often written by the marketing department and contains company promotion and product promotion information. The marketing department may keep a close watch on the content to ensure the accuracy of product information.

The websites also contain the “Privacy Policy” and “Terms of Use” which are typically managed by the legal department.

In the case of listed companies, a part of the website contains investor information which is mandated by SEBI.

It is a tradition to have the “Privacy Policy” of the company displayed on the website along with the “Terms of Use” and the contact details of the help desk, the Grievance Officer and the DPO or Compliance Officer.

For the public, the website is the first contact point for knowing the company, and if there is no mention of a DPO, a Compliance Officer or a Grievance Officer, the inference is that the company is not fully compliant.

CISOs recognize that the website is exposed to the public and hence could be a target of cyber attacks, some of which may cause reputational damage by defacement or, more seriously, implant malware in the source code of the website. There have been many instances of content being manipulated, images being substituted or invisible spamming activity occurring through hidden pages on the website. Domain name redirections, domain name squatting, etc. are also considered security risks. Hence all pages of the corporate website need to be continuously monitored by the Information Security department for any modification.

The “Domain Name” and the website are also considered an important “Financial Asset” of a company and have IPR value. The CFO also has a stake in the brand value of the domain, the value of the content and the traffic.

Thus, the website of a company serves many purposes, and there are multiple stakeholders who are responsible for the content and who directly or indirectly create liabilities for the organization.

Governance of a website is therefore an important corporate activity.

However, it is a common practice for most companies to register domain names and host the website with an external agency. Many of them use cloud applications managed by different agencies. The hosting companies offer statistical analysis and profiling of visitors. They also suggest certain monitoring of visitors from the point of view of enhancing the user experience. Additionally, marketing companies try to use Google Analytics or other agencies to plant their own trackers and generate insights. With AI running in the background, we never know exactly how the information of the users may be used by these background agencies.

It is in this context that managing “Cookie Consent” assumes importance. If the cookies collect any personal information of the visitors to the website, then the provisions of data protection laws may become applicable. The problem with a website is that anybody in the world, including visitors from the over 140 countries which have specific data protection laws, may visit the website, and the cookies may be collecting various information from them.

Currently, DPOs do not consider it essential to treat the “Web hosting” company as a “Data Processor” and handle the corresponding data protection obligations. If the hosting is outside the country, there may also be a “Cross Border Data Transfer” issue to be resolved.

It is time for DPOs to get the details of cookies, including what data each cookie collects, how long the information is stored and what the purpose of each collected data element is.

If a cookie is tagged as “Essential” or “Functional”, there is no need for it to be a persistent cookie, nor to hold personal information such as the email address or name of the person, even if it is available at login. Every cookie that collects “Personal Information” is essentially a “Profiling tool”. The profiling itself may have a “Security Purpose” or a “Marketing Purpose”. “Security” may be considered a legitimate purpose, but “Marketing” may not be.

Hence consent management has to understand and distinguish the type of data each cookie collects and display it on the website, rather than restrict the cookie information to the “Name of the cookie” and its classification as “Analytical”, “Marketing” or “Functional”.

The DPOs need to take control of the cookies: “No cookie should be installed on the website without the specific permission of the DPO”. If there is any “Profiling” of the visitors, then it has to have a proper legal basis, with “consent” for marketing. “Security Profiling” of visitors may be considered “Legitimate Use”, but it has to be ensured that “Security profiling” is not converted into “Marketing profiling”, either through ignorance or by design.

I recall my own experience captured in the article “Union Bank and RSA Fiasco”, where I highlighted that a “Security Scanning” may be misunderstood if the security team blindly follows automated systems of profiling.

I therefore urge DPOs to start exercising greater control over the web hosting and the planting of cookies, and to obtain the cookie consents as part of their compliance exercise. The current method of cookie consent followed under the GDPR regime, which simply asks for consent on the basis of a declaration such as “Accept All Cookies” or “Accept Functional Cookies only”, is insufficient. The cookie consent has to list out each cookie, indicate the data elements collected, the purpose of collection and the retention period, and obtain consent in a more informed manner.
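To make the requirements of the preceding paragraphs concrete (a DPO register listing each cookie's data elements, purpose and retention; no persistent or personal-data-bearing “Essential”/“Functional” cookies; nothing set without the DPO's permission; a consent notice that lists cookies individually), here is an added example in Python. It is not code from the original post: the cookie register, the cookie names and the Set-Cookie headers are all constructed for illustration, and `audit_headers` and `consent_rows` are hypothetical helper names. It parses Set-Cookie headers as a browser would receive them and reports, per cookie, which of the rules above it breaks.

```python
"""Audit Set-Cookie headers against a DPO cookie register.

Added example for the cookie-consent discussion above; not code from the
original post. The register, cookie names and header samples are constructed.
"""
import re
from urllib.parse import unquote

# Constructed DPO register for a hypothetical site. Every cookie the site
# sets must appear here with the disclosures the post asks for: the data
# elements collected, the purpose and the retention period.
REGISTER = {
    "session_id": {"category": "essential",
                   "data": ["random session token"],
                   "purpose": "keep the visitor logged in",
                   "retention": "browser session"},
    "csrf_token": {"category": "essential",
                   "data": ["random anti-forgery token"],
                   "purpose": "reject forged form submissions",
                   "retention": "browser session"},
    "user_pref": {"category": "functional",
                  "data": ["interface language"],
                  "purpose": "remember display preferences",
                  "retention": "1 day"},
    "_ga": {"category": "analytics",
            "data": ["pseudonymous client id", "visit timestamps"],
            "purpose": "traffic analytics used for marketing",
            "retention": "2 years"},
}

# Constructed Set-Cookie headers, as a browser would receive them.
SAMPLE_HEADERS = [
    "session_id=8f3a9c2e; Path=/; Secure; HttpOnly; SameSite=Lax",
    "csrf_token=b7e1; Path=/; Max-Age=31536000; Secure",   # essential, yet kept for a year
    "user_pref=lang%3Den%3Bemail%3Dasha%40example.org; Max-Age=86400",  # email inside the value
    "_ga=GA1.2.1234.5678; Expires=Wed, 01 Jul 2027 00:00:00 GMT; Path=/",
    "_fbp=fb.1.1700000000.99; Max-Age=7776000",            # never approved by the DPO
]

EMAIL_RE = re.compile(r"[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}", re.I)
NON_PROFILING = {"essential", "functional"}


def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=val' into (name, raw value, {attr: val})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def is_persistent(attrs):
    """A cookie outlives the browser session if Max-Age > 0 or Expires is set;
    Max-Age takes precedence over Expires when both are present (RFC 6265)."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) > 0
        except ValueError:
            return False
    return "expires" in attrs


def audit_cookie(header, register=REGISTER):
    """Return (name, findings) for one Set-Cookie header."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    # Personal data in the value turns any cookie into a profiling tool.
    if EMAIL_RE.search(unquote(value)):
        findings.append("personal_data_in_value")
    entry = register.get(name)
    if entry is None:
        findings.append("unregistered")  # set without the DPO's permission
        return name, findings
    # Essential/functional cookies have no need to outlive the session.
    if entry["category"] in NON_PROFILING and is_persistent(attrs):
        findings.append("persistent_essential_or_functional")
    # The register itself must carry the disclosures the consent notice needs.
    for field in ("data", "purpose", "retention"):
        if not entry.get(field):
            findings.append(f"missing_{field}")
    return name, findings


def audit_headers(headers, register=REGISTER):
    """Map cookie name -> list of findings for a batch of Set-Cookie headers."""
    return dict(audit_cookie(h, register) for h in headers)


def consent_rows(register=REGISTER):
    """One disclosure line per cookie for the consent notice, in place of a
    bare 'Accept All Cookies' button."""
    return [f"{name} [{e['category']}]: collects {', '.join(e['data'])}; "
            f"purpose: {e['purpose']}; retained for {e['retention']}"
            for name, e in sorted(register.items())]


if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_HEADERS).items():
        print(f"{name:12} {findings or 'ok'}")
    print("\n".join(consent_rows()))
```

Run against a live site, the headers would come from the HTTP responses of every page (including the trackers loaded by marketing scripts), and any “unregistered” finding is exactly the case the post describes: a cookie planted without the DPO's knowledge.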

Comments are welcome.

Naavi


The D-Day

This is just to record the night of 21/22 June 2025, IST, as an important day for our generation, when we might have seen the closest thing to a World War 3 scenario.

India successfully conducted the Sindhur operations a few weeks back and hit Pakistani nuclear facilities significantly. But within these facilities the US was hurt and moved in to force a ceasefire before the final assault.

In Iran, however, the same USA has moved in to neutralize the nuclear capabilities of Iran. Though the blow could be crippling, the counter action could create a lot of problems for the US in the form of terrorist attacks, the way India has been bled for decades by Pakistan.

Neutralization or debilitation of terrorist forces anywhere in the world is welcome, and as responsible global citizens we need to take note of this day as one of the most important days of our life.

Naavi


Free DPDPA Evaluation for Select Companies

DPDPA Compliance is a complex process which requires discovery of the personal data to which the Act is applicable, classifying it appropriately, understanding how the different sections of the Act apply to the data, and determining what risks of non-compliance exist and what governance and technical measures are to be initiated to mitigate the risks.

Many companies might have already initiated some measures in this regard. Many companies are also developing products and services to assist companies with compliance.

In this scenario, FDPPI, as the apex organization promoting DPDPA Compliance, has initiated a project to provide one free assessment of DPDPA Compliance for any company in India per week (till the scheme is withdrawn at its discretion).

The assessment requires one online session of around 90-120 minutes with the DPO or an equivalent senior management person, who may be assisted by others in the company. During the session, Naavi will conduct an online evaluation interview with appropriate questions and record the answers.

Based on the answers provided, an evaluation report would be issued.

The evaluation would be based on the celebrated DGPSI system used by FDPPI.

There are no strings attached to this free offer, which is a near substitute for a Gap Assessment that would normally cost a few lakhs for any company.

The offer is based on requests received, on a first-come-first-served basis. Once the requests are received, the interviews will be scheduled appropriately. Initially, around 12 bookings will be accepted for the next 3 months, after which a decision will be taken on its continuance.

We invite interested DPOs to contact Naavi through email. Kindly use the subject line “Free DPDPA Assessment”.

Naavi

P.S.: I have received a query about why FDPPI is giving this assessment free, even if it is for one company per week.

I would like to state that there are two objectives.

  1. To remove the fear about DPDPA Compliance.
  2. To prevent companies being misled.
  3. To provide an indication of Cyber Insurance readiness for DPDPA risk.

Naavi


Name “Air India” attracts Risks of its own

The Air India crash has the distinct signature of what experts call a near-improbable total two-engine failure. However, this also significantly increases the possibility of “Electronic Sabotage”, which could have caused the fuel cut-off or hydraulic failure, etc., that the experts indicate as a possible reason.

Though Air India is no longer a national carrier and is as much private as any other airline, the perception is that its reputation, good or bad, is linked to the reputation of India. Hence the enemies of India, both within the country and outside, target the airline to indirectly bring down the reputation of Air India. Hence Air India faces an “Enemy Risk” which other airlines do not face.

Since today’s aircraft are all controlled by electronics, the safety of the aircraft is very much dependent on the safety of the electronic systems, just like controlling a large computer network. It appears that there needs to be a CISO for every aircraft.

The more we think of Air India as the nation’s pride, the more attention we will attract from Pakistani terrorists.

One of the risk management strategies for the airline now is to change its name, though it would be a sad decision to take.

Naavi


Valuation of Data upheld by a Court

In an interesting decision of the UP State Consumer Disputes Redressal Commission, WhatsApp has been considered a “Paid Service”, with the payment having been received in the form of personal data shared by the account holder.

(Refer: article on the420.in)

Naavi has been advocating “Data Valuation” as one of the essential features of data management in a company, and valuing data and disclosing its value is a recommended procedure under the DGPSI (Data Governance and Protection Standard of India) framework of compliance.

The exact value of the data may be under dispute, but the fact that data has a value is indisputable. In this case, the value of the data has not been specified in rupee terms, but whatever benefit is derived by WhatsApp is to be treated as the consideration passed.

Hope Income Tax and GST are not applicable!

Naavi
