Writ Petition of Geeta Seshu on DPDPA Challenge

We had already discussed the petitions of Venkatesh Nayak and Reporter’s Collective related to the DPDPA challenge in the Supreme Court in these columns. Now the details of another petition filed by Ms Geeta Seshu have also become available.

Copy of Petition by Geeta Seshu and  Software Freedom Law Center

The prayer in this petition numbered WP(c)275 of 2026 is to  stay the operation of

    1. Section 24 read with Rules 17,18 and 21 as well as Fifth and Sixth  Schedules of the DPDPA Rules
    2. Section 17(2)(a) of DPDPA2023
    3. Rule 6
    4. Section 36 read with Rule 23 and Seventh Schedule

and for passing related directions to the Ministries of Law,  IT and Home.

The essential part of the grounds presented are similar to what we have already discussed in the petitions of Venkatesh Nayak and Reporter’s Collective.

Main grounds are

    1. Lack of Exemption for Journalistic Purposes
    2. Constitutionality of the Data Processing by the State and the Over Board Powers  to Exempt Instrumentalities of the State
    3. Compensation Vacuum
    4. Lack of Independence  of the DPB
    5. Surveillance

Our brief comments are as follows. These are additional to the comments already presented in our earlier post, in which we had listed all the 21 articles related to the earlier petitions along with our suggestions of how the concerns of the petitions could be satisfied.

  1. Lack of Exemption for Journalistic Purposes

The “Journalist” of 2026 is no longer the “Fourth Pillar of Democracy” as is often referred to. Most media houses today are owned by commercial organizations and most freelancers are funded by international opinion makers who hold their own vested interests. There is a need therefore to “Define” who is a Journalist in the current era of Digital publications, YouTubers and Bloggers.

“Journalism” involves “Reporting of News”. News is a collection of “Facts”. Predominantly, the content of a news report is “Non Personal Data”. If a news report has to report a “Fact” that is news about an “individual”, then personal data may be involved. However, the “news” is about the occurrence of an event. It need not be “Person Centric”. Over the years, journalism has changed its “News reporting” objective and become “Personality oriented”. The profession needs to correct this approach.

In the news we have facts related to politicians and public figures. This is not to be considered as “Personal Data Protected by DPDPA” since they are the identities in discharge of a public function and its reporting is not barred  by law.

When we discuss that a certain MP said something, the reporting of the name of the MP is not barred  by DPDPA.  If however the journalist  has to report the personal affairs of  an individual because he  thinks it is in public interest, he  has to face the risk of being charged for defamation.

DPDPA only states that there should be a “Legal Basis” for processing of personal data and does  not bar such processing. If the affected individual has a complaint, that has to be addressed by the law as a “Defamation” and the Journalist can defend  the same in public interest. This is an existing law and DPDPA does not curtail such right of a journalist to report any matter which is personal.

The petitioner himself acknowledges that the affected individual (such as the person who claims to have been defamed by the journalist) has no remedy under DPDPA. The petitioner should therefore be happy that the person about whom a reporter files a suspected defamatory report has no remedy under DPDPA. (Remedies, if any, lie under other laws such as BNS and ITA 2000.)

If we look at the “Journalist” as a “Data Fiduciary”, the responsibility for publishing “News” lies with a publisher and not a “Reporter”. A “Reporter” is an employee or a “Contractual service provider” for the publisher. Only such reporters who run their own blogs and YouTube channels may be considered as “Reporters and Publishers”. In this case, “Publishing” is business and certain risks lie with them as “Intermediaries” under ITA 2000. The individual journalist can be considered only as a part of the publishing network and if DPB wants to place any penalty, they have the obligation to consider if the penalty is necessary and reasonable. DPDPA does not say that every reporter who publishes personal information of a member of public should be fined Rs 250 crores.

The decisions of DPB, if any, are also appealable to TDSAT and Supreme Court and hence if DPB imposes any penalties on a journalist, there is a clear possibility of DPB being questioned if there is any unfair decision. Law can only enable such judicial oversight and cannot speculate whether the DPB members will be honest or corrupt, efficient or not. The Search Committee has to take the necessary precautions to find the right persons and the members of the search committee are senior bureaucrats who know their responsibility.

It may be interesting for some to take a look at FDPPI’s recommendations made to MeitY on DPDPA Rules (which were anyway ignored by them).

In this note we had recommended the following for DPB Constitution

DPB Constitution

This rule refers to Section 19 of DPDPA 2023 and the following comments are recommended.

a) The minimum number of members (excluding the chairman) shall be Six and Maximum shall be Twenty.

b) DPB shall commence its operation with the minimum number of members and MeitY shall review the requirement of the DPB once in a year and increase the number of members as required.

c) The Search Committee may function for one year at a time and shall review the functioning of the DPB annually and submit a report to the MeitY before a new Search Committee is set up for the following year.

d) The respective Search Committee shall be responsible for evaluating any complaints received against the Chairman/Members or observations recorded during the monitoring of the activities of the DPB and recommend disqualification if required

e) The Search Committee shall meet each quarter or as often as otherwise required to review the activities of the DPB and recommend corrective action if necessary.

f) The external members of the search committee may be paid remuneration as may be determined by the Ministry for the services rendered including sitting fees for meetings.

g) The external members of the Search Committee shall retire each year and shall not be eligible for re-appointment for a continuous second term.

It may be observed that our suggestion was to make the Search Committee itself an oversight committee. I am not sure if the essence of the recommendation was really understood by MeitY. Maybe now they will see the reason why Naavi/FDPPI came with such suggestions. Even now we will be happy to assist MeitY to make corrections to the Rules that will satisfy all the petitioners.

In the recent note on the other petitions we have suggested a “Registration of Researchers” who can be the investigative journalists and others and they can use both the legitimate use and exemption facilities available under DPDPA.

Our recommendation in this regard has been as follows

 On Exemption for Journalists

DPDPA has so far not made any specific exemptions for any category of data principals including SMEs, Educational institutions, Charitable Institutions, Religious Institutions, Professions like Advocates, Chartered Accountants or Doctors. All exemptions and Legitimate use are based on purposes. Exemptions are available for Startups (on notification), Companies for mergers and acquisitions after court approval, Financial institutions after default etc. Further exemptions are also empowered for specific purposes and an official would be designated for the purpose of granting such exemptions. Those journalists or organizations of journalists who conduct Social Audits or public interest research may be given specific conditional permissions with obligations of purpose specific use, with data minimization, retention minimization and accountability.

For this purpose a “Register of Approved Journalists for Research” may be created by the Ministry of Information and may include all Social media bloggers as  “Digital Journalists”.

Other aspects of the petition have already been addressed and I will refrain from repeating the same.

Naavi

Posted in Privacy | Leave a comment

FDPPI Gives a Facelift to its Certification Programs….Enters GDPR Training arena

Naavi and FDPPI are conducting several Certification programs on DPDPA. Naavi’s Cyber Law College has been providing Certification in Cyber Laws (ITA 2000) since October 2000. Subsequently, it started providing HIPAA and GDPR training on apnacourse.com platform.

In recent years, we have been conducting three programs: CDPP-I, CDPP-Module G and C.DPO.DA.

Considering the changes that have been occurring in the DPDPA space, Naavi/FDPPI have now decided to introduce the four specific training programs mentioned above.

All programs will be on hybrid  mode with part of the coverage through recorded videos and part by either live virtual interaction or physical interaction.

Details of fees and schedule will be finalized in due course.

The Global Track will cover GDPR compliance both through ISO 27701  and DGPSI-GDPR.

The training programs will be initially conducted by Cyber Law College and later will be rolled out through empanelled independent trainers. FDPPI will introduce online examination modules for each of these modules and provide its Certification.

Individual trainers who are interested in empanelment may contact Naavi/FDPPI through e-mail.

Naavi

 


Second Summary of Articles on DPDPA Petitions

Earlier on March 5 we had summarized the discussions on the DPDPA Petitions in the 16 different articles in this blog. Now we are adding the following 5 subsequent articles.

1 Making DPDPA Acceptable to All
2 Questions of Law to be settled in the DPDPA Petition by the Supreme Court
3 FDPPI Objective Number Three now comes to fore
4 Questions to be answered by the Government to Supreme Court on DPDPA
5 Is there a “Regulatory blind spot”?

The entire set of articles that we have discussed in the last fortnight on the DPDPA Challenge petitions in the Supreme Court is available here.

No Date Title
1 Feb 16 DPDPA at the doors of Supreme Court
2 17 Supreme Court refers the DPDPA Challenge to a larger Bench
3 18 The DPDPA Challenge in Supreme Court
4 24 FDPPI would like to facilitate DPDPA petitions in Supreme Court to be cleared at the earliest
5 27 Petitions against DPDPA are “Disproportionate”, “Disproportionate” and “Disproportionate”
6 28 Whose Privacy are the Petitioners of DPDPA Challenge Brigade are protecting?
7 28 Public Interest Litigation cannot be discussed without the real public having been given an opportunity to represent
8 28 Nothing is wrong with Section 17(1)(c) and 17(2)
9 March 2 Reporter’s Collective Trust prayer that DPDPA should be scrapped is manifestly arbitrary.
10 2 Are the “Scrap DPDPA Brigade” suggesting introduction of Registration of journalists by Government of India?
11 2 DPDPA and Conformance to Puttaswamy Judgement
12 3 A Review of 10 years of GDPR and it’s impact on India
13 3 DPDPA Exemptions : Don’t Judge by what DPDPA does not do
14 4 Will Supreme Court Scrap DPDPA?
15 5 How the Reporter’s Collective is trying to fool the Supreme Court
16 5 Reporter’s Collective petition. Creative but sinister

I request law students to study these articles and create a document of reference to aid  the Supreme Court in deciding about the petition.

Naavi


Is there a “Regulatory blind spot” in DPDPA?

As part of the narrative being built up, an article has appeared in livelaw.in under the credit of Mr Udhav Gupta and R Sathvik with the title “Regulatory Blind Spot in India’s Digital Personal Data Protection Framework”.

Let us examine some of the comments made therein and address the question whether there is a flaw in DPDPA.

Secondary Data Fiduciary

The point of contention in the article is that DPDPA has deliberately excluded coverage of non-digitized data to reduce administrative and financial burden on the country. The article goes on to state that this gives rise to a “Secondary Digitized data derivative fiduciary”, which is an entity which obtains non-digitized data from another entity and digitizes the data.

This is an interesting nomenclature of an entity as “Derivative Fiduciary”. The authors argue that “Since the data was never “collected digitally” from the individual, the Fiduciary operates under the assumption that they owe no duty to the Data Principal, rendering the individual’s rights to correction or erasure unenforceable.”

However Section 3(a)(ii) of DPDPA states that the Act is applicable for

“processing of digital personal data within the territory of India where the personal data is collected in non-digital form and digitised subsequently”

Hence the question of the secondary fiduciary thinking that  he does not have an enforceable duty under the Act is completely illusionary.

When personal information collected in non-digital form is used in non-digital form only throughout the life cycle of its usage, it is out of scope of DPDPA. In every other instance where in any part of the lifecycle of processing it is digitized, DPDPA will apply.

Yet another interesting aspect which the authors have missed is the definition of “Data” under ITA 2000.

According to section 2(o) of ITA 2000,

“Data” means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalized manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer;

If therefore the first Data fiduciary (like the hospital or a bank referred to in the article) intends to process the manually collected data in digital form during the lifecycle of the data, the data becomes “Digital Data” ab-initio.

In case the first data fiduciary has collected personal data manually for a certain purpose and completed that purpose, he needs to consider the permission for collection as exhausted and delete the data.

If the first data fiduciary wants to use the data collected manually for a subsequent process either by himself or by a subcontractor, the permission should be available while collecting the data in the manual form since it is “Digital Data” ab initio. If he had no such decision in the beginning and it is an afterthought to sell the data to another entity, it is a violation of the DPDPA and eligible for penalty. If there is a way of anonymizing the data by obfuscating the identity, for example by collecting the form in two parts, one containing personal data and the other the non-personal additions, and removing the portion containing the personal data before sharing the other portion with any other researcher or data storage entity for future use, it can be justified as sharing of anonymised or de-identified data for research or other legitimate purpose.

Hence there is no “Severance of Data Provenance” as feared by the authors. There is also no “Outsourcing loophole” as claimed in the article, nor any possibility of monetization of the data by the secondary data fiduciary without the permission of the original data principal.

The secondary data fiduciary having identifiable data in digital form after scanning the physical data is therefore simply a “Joint Data Fiduciary”. If he does not have the identifiable data, he could be a “Data Processor”.

Going further the authors claim that Puttaswamy Judgement propounded a “Doctrine of Proportionality” under which the Government failed to recognize that part of the data in the universe is collected in manual form and such part is significantly high to say that an  Act which covers only digital data fails any “Proportionality doctrine”. Here the concept of “Proportionality”  is being applied wrongly to law making.

Puttaswamy judgment only declared that Privacy is a fundamental right. It said that the M P Sharma judgement which prevailed as the Supreme Court judgement till then needed to be considered as incorrect. Otherwise the obiter dicta associated with the judgement only argued that the need to consider Privacy as a fundamental right is high in the current era of digitization. It did not say that the Government has to make a comprehensive law to protect the Privacy of an individual. In fact the judgement did not even define the word “Privacy” and hence the question of the Government defining “Privacy” in digital and non-digital form did not arise at all. The judgement only reiterated the position under the constitution and both the Government as well as the Private Sector (by virtue of the Kaushal Kishor Vs UP Government) are obligated to protect privacy with or without a new law.

Our rural population today uses digital communication and even when a manually collected list of phone numbers is used by a data fiduciary to call people on a digital phone, the manual data gets converted into digital data. Hence the amount of data which is generated and maintained in non-digital form throughout the lifecycle is insignificant in India. The argument of “Proportionality” between digital personal data and non-digital personal data is therefore non-existent.

Considering the risks that personal information in digital form presents, DPDPA recognized a “Right to protect personal Data” and went on to draft the DPDPA as a law to make data fiduciaries take proactive steps to protect the personal data. Further, there was Section 43A of ITA 2000 which already had an obligation applicable to “Body Corporates” and “Sensitive Personal Information” which was now expanded to cover the Government and even individuals who use personal data for non-domestic (business) purpose and to all personal data without restricting it to sensitive personal data only.

Hence there is no “Proportionality Challenge” under  Puttaswamy Judgment which has been deliberately bypassed.

In conclusion the authors argue that there is a need to redefine the concept of Data Principal to include “Original Source” and aligning the definition to an “Affected Party” under CrPc (BNSS) like laws.

This is considered unnecessary since no “blind spot” exists. Personal data is the property of a data principal and it is his right to transfer it to the data fiduciary with or without the further right to transfer or monetize etc. It would be the responsibility of such data fiduciary to be responsible for the compliance throughout the life cycle of the data. He does not have any right of transfer of personal data to a secondary data fiduciary who is enabled to use the data without the permission of the data principal. The concept of “Original source” is embedded in the way we understand who is a “Data Principal”. As regards the “Affected party” definition, it is relevant in the ITA 2000 and not in DPDPA. DPDPA does not provide any remedy to the data principal in financial terms. It only protects certain “Rights of the Data Principal” and requires the Data Fiduciary to initiate steps for such protection, failing which the penalties would be applicable. Simultaneously the Data Principal can approach the Adjudicator of ITA 2000 as an “Affected Party” and claim whatever compensation is possible. Simultaneously the prosecution can move under ITA 2000 or BNS and take criminal action on whoever “Affected” the data principal adversely.

In summary the arguments presented in the Livelaw.in article are not correct.

Naavi
