Independent Data Auditors... Should they be rotated every 2 or 3 years?

In continuation of our discussion on how to maintain the independence of “Independent Data Auditors” in a DPDPA compliance scenario, we discussed the need for shareholders to approve the appointment so that the auditor does not feel obligated to the management which makes the payments.

Another best-practice criterion which Naavi would like to suggest is that no Data Auditor should continue to audit the same company for more than 3 consecutive years. This is also consistent with the norms adopted for statutory financial auditors.

For now, this will be suggested to the AIDAI-empanelled auditors as part of their self-regulation, as a matter of ethical conduct.

FDPPI, in its mechanism for regulating the Certification partners who conduct their audits, would include this as a requirement, so that auditors who do not adhere to this norm may lose their accreditation status.

For the present, we shall try to include this in the Code of Conduct for AIDAI-empanelled Auditors and implement it.

Naavi


Posted in Privacy

Independent Data Auditors… Should Shareholders appoint them?

We are aware that one of the aspects that supports the independence of a financial auditor is that the statutory financial auditor is appointed by the shareholders of a company. Hence the auditors are able to qualify their report if required, and also report frauds to the regulatory authorities, without feeling obligated to the management which may fix their remuneration.

Naavi would like to propose a similar scheme for Independent Data Auditors. What this practically means is that the Independent Data Auditor appointed by a Significant Data Fiduciary should be approved by the shareholders of the company (in the case of public limited companies), through a Board resolution (in the case of private limited companies), or by an appropriate governance body (in the case of Government agencies).

Initially this will be suggested in the engagement contract which an AIDAI-empanelled auditor would obtain from the management of a company.

This will be a best-practice suggestion for the drafting of the engagement contract (a suggested model contract will be shared in the CIDA training).

Naavi

Posted in Privacy

India Gets Access to Anthropic’s “Mythos”: A Strategic AI-Cybersecurity Milestone

A recent news report indicates that Anthropic, the company behind Claude AI, has extended access to its highly restricted cybersecurity-focused AI model “Mythos” to a select group of organizations across several countries, including India.

What makes this development noteworthy is that India appears to be the only major non-US allied nation included in the current group, while China remains excluded. This signals a growing international recognition of India’s role in the global cybersecurity ecosystem.

Unlike conventional AI models designed for general-purpose applications, Mythos is reportedly capable of identifying software vulnerabilities at a scale that rivals or exceeds human security researchers. Such capabilities can help organizations discover weaknesses in operating systems, browsers, and enterprise software before malicious actors exploit them.

The significance of this development extends beyond technology.

First, it reflects confidence in India’s software talent pool, digital public infrastructure, and cybersecurity capabilities. India’s vast digital ecosystem—spanning banking, telecommunications, digital identity, payments, and public services—offers a unique environment for testing and improving cyber defence technologies.

Second, the move highlights the growing geopolitical importance of AI. Advanced cybersecurity AI tools are increasingly becoming strategic assets comparable to cryptographic technologies, advanced semiconductors, and other national-security capabilities. India’s inclusion in this restricted circle suggests that it is being viewed as a trusted participant in the emerging global AI-security architecture.

Third, the development should be of particular interest to Indian regulators, DPOs, cybersecurity professionals, and Independent Data Auditors. As AI systems begin to play a direct role in vulnerability discovery, risk assessment, and cyber defence, questions of accountability, transparency, governance, and compliance will become increasingly important.

For India, access to such technologies can provide a significant defensive advantage. At the same time, it underscores the need to develop indigenous capabilities so that cybersecurity resilience is built on sovereign foundations rather than dependence on foreign-controlled platforms.

Whether Mythos ultimately proves as transformative as its proponents claim remains to be seen. However, the message is clear: cybersecurity is rapidly becoming an AI-driven domain, and India has now been invited to participate in shaping that future.

The challenge before India is not merely to use such technologies, but to build the governance, audit, and assurance frameworks necessary to ensure that AI-driven cybersecurity remains accountable, trustworthy, and aligned with national interests.

Naavi

Posted in Privacy

Independent Data Auditor-Induction Training

Yesterday (June 6), FDPPI conducted the first Induction Training for those who had been empanelled as Independent Data Auditors. The program went very well and the participants enjoyed this first-of-its-kind program.

The program started with an introductory talk from Naavi. Then a panel discussion on the “Code of Ethics” was held, followed by a second panel discussion on the Role of Independent Data Auditors.

Subsequently, some of the Advisors of AIDAI who were physically present (Mr Rakesh Maheshwari, Mr Sudarshan Mandyam and Mr Madhava Murthy) shared their valuable views.

Post lunch, Dr Ramasastry Ambarish, Director of MYRA, shared his thoughts on the involvement of academic institutions in the development of Data Auditors. Mr Mahndra, CTO of MYRA, shared his views on some technical aspects of Data Breach management.

Then a third panel discussion, on the Challenges of Independent Data Auditors, was held. Finally an interesting role play was conducted on the “Case of Ramya”.

During the discussions, several new thoughts emerged and they will be discussed in due course.

An audio track of the event was recorded through Zoom. A clean video recording is under preparation.

Some important suggestions that came up during the discussions, which will be further discussed, include:

a) whether the Auditors should be voluntarily rotated after two or three years

b) whether the shareholders of a company should approve the appointment

c) whether the scoping of an audit should be done by a body other than the Management and the Auditor

d) increasing the value of the FDPPI certifications by building associations with other certification bodies and academic institutions

AIDAI will consider adopting some of these provisions into its activities.

Naavi

More photos of the event available here

Posted in Privacy

“PhysicsWallah” fined Rs 5 lakh for use of “Dark Patterns”: A Warning for DPDPA violators

Yesterday, the Chief Commissioner of the Central Consumer Protection Authority of India (CCPAI) passed orders against “PhysicsWallah Limited” and “McAfee Software India Private Limited”, imposing penalties for using “Dark Patterns” on their digital platforms.

PhysicsWallah has been fined ₹5 lakh, while McAfee has been fined ₹1 lakh. Both companies have been directed to remove such practices from their platforms and ensure that consumers are able to make informed choices without pressure or manipulation.

Refer: Press release from PIB

Copy of the order

Also refer Naavi.org article on the Relevance of Consumer Act for Privacy

The action has been taken under the Consumer Protection Act, 2019, the Consumer Protection (E-Commerce) Rules, 2020, and the Guidelines for Prevention and Regulation of Dark Patterns, 2023.

The CCPAI has invoked only the civil penalty of up to Rs 10 lakh; it could also have initiated prosecution under Section 89 of CPA 2019, and could have barred the service for up to 2 years.

Under Section 89 of CPA 2019: Any manufacturer or service provider who causes a false or misleading advertisement to be made which is prejudicial to the interest of consumers shall be punished with imprisonment for a term which may extend to two years and with fine which may extend to ten lakh rupees; and for every subsequent offence, be punished with imprisonment for a term which may extend to five years and with fine which may extend to fifty lakh rupees.

In the instant case, the CCPAI has stopped at imposing a fine and has not proceeded with prosecution, which could have led to criminal penalties.

Nevertheless, this has been a good case study of how the “use of Dark Patterns”, which is also part of the “prevention of harm to data principals” as defined under DPDPA 2023, is a “Risk” under DPDPA to be mitigated.

The contravention was recognised because PhysicsWallah had used a pre-ticked box to collect Rs 10 as a donation (basket sneaking), emotional messaging that discouraged users from removing the donation (confirm shaming), and forced action by requiring users to share personal information before accessing courses advertised as free.

This could also have invoked penalties under DPDPA 2023 had it been fully in force today (we are 339 days from the day when DPDPA 2023 becomes fully effective).

In the case of McAfee, the CCPAI observed that the subscription process did not give users a neutral choice when deciding whether to renew their subscriptions. The options provided were “Renew Now” and “Accept Risk”, portraying non-renewal as a risky decision.
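As an added illustration (not part of the original post, and not code from either company or from the CCPAI order), the following JavaScript encodes the four patterns described above as audit rules and runs them over constructed form models of an enrolment step and a renewal prompt. The shaming-word list, the control attributes, and every field name and label are assumptions made for this example; an auditor would populate such a model from the actual page under review.

```javascript
// Added example, not code from the CCPAI order or from either company's site:
// a rule-based audit of a consent/checkout step for the dark patterns named in
// the order. The form models below are constructed for this example; every
// field name and label is hypothetical.

// Opt-out wording that shames or alarms the user instead of stating the choice
// neutrally. A real audit would carry a longer, per-language list (assumption).
const SHAMING_PATTERNS = [
  /\bdon'?t (care|want to (help|support))\b/i,
  /\baccept (the )?risk\b/i,
  /\b(stay|remain) (unprotected|at risk)\b/i,
];

function isShaming(label) {
  return SHAMING_PATTERNS.some((re) => re.test(label));
}

// A step is { name, advertisedFree, controls }. Each control carries only the
// attributes the rules need: kind ('checkbox' | 'text' | 'choice'), checked,
// addsCharge, required, personalData, neededForDelivery, declineLabel, options.
function auditStep(step) {
  const findings = [];
  for (const c of step.controls) {
    // Basket sneaking: an optional item that costs money is selected by default.
    if (c.kind === 'checkbox' && c.addsCharge && !c.required && c.checked) {
      findings.push({ code: 'BASKET_SNEAKING', control: c.id,
        detail: `optional paid item "${c.label}" is pre-ticked` });
    }
    // Confirm shaming: the wording shown when declining guilt-trips the user.
    if (c.declineLabel && isShaming(c.declineLabel)) {
      findings.push({ code: 'CONFIRM_SHAMING', control: c.id,
        detail: `opt-out reads "${c.declineLabel}"` });
    }
    // Forced action: personal data demanded as a gate to something advertised
    // as free, when that data is not needed to deliver it.
    if (step.advertisedFree && c.personalData && c.required && !c.neededForDelivery) {
      findings.push({ code: 'FORCED_ACTION', control: c.id,
        detail: `"${c.label}" is mandatory before free access` });
    }
    // Non-neutral choice: one side of a binary decision is framed as dangerous.
    if (c.kind === 'choice') {
      for (const opt of c.options) {
        if (isShaming(opt)) {
          findings.push({ code: 'NON_NEUTRAL_CHOICE', control: c.id,
            detail: `option "${opt}" frames declining as a risk` });
        }
      }
    }
  }
  return findings;
}

// Constructed course-enrolment step showing the three patterns the order describes.
const DARK_ENROLMENT = {
  name: 'free course enrolment',
  advertisedFree: true,
  controls: [
    { id: 'donation', kind: 'checkbox', label: 'Add Rs 10 donation', addsCharge: true,
      required: false, checked: true, declineLabel: "No, I don't want to help students" },
    { id: 'email', kind: 'text', label: 'Email', personalData: true, required: true,
      neededForDelivery: true },
    { id: 'phone', kind: 'text', label: 'Mobile number', personalData: true,
      required: true, neededForDelivery: false },
  ],
};

// The same step with the patterns removed: donation unticked, neutral opt-out,
// mobile number optional.
const CLEAN_ENROLMENT = {
  name: 'free course enrolment (fixed)',
  advertisedFree: true,
  controls: [
    { id: 'donation', kind: 'checkbox', label: 'Add Rs 10 donation', addsCharge: true,
      required: false, checked: false, declineLabel: 'No donation' },
    { id: 'email', kind: 'text', label: 'Email', personalData: true, required: true,
      neededForDelivery: true },
    { id: 'phone', kind: 'text', label: 'Mobile number', personalData: true,
      required: false, neededForDelivery: false },
  ],
};

// Constructed renewal prompt in the shape the order describes for McAfee, and a
// neutral version of it.
const DARK_RENEWAL = { name: 'renewal', advertisedFree: false, controls: [
  { id: 'renew', kind: 'choice', label: 'Renew subscription?', options: ['Renew Now', 'Accept Risk'] },
] };
const CLEAN_RENEWAL = { name: 'renewal (fixed)', advertisedFree: false, controls: [
  { id: 'renew', kind: 'choice', label: 'Renew subscription?', options: ['Renew Now', 'Do not renew'] },
] };

for (const step of [DARK_ENROLMENT, CLEAN_ENROLMENT, DARK_RENEWAL, CLEAN_RENEWAL]) {
  console.log(step.name, auditStep(step).map((f) => `${f.code}: ${f.detail}`));
}
```

The rules deliberately look at defaults and wording rather than at the visual design, because that is what the order turned on: a pre-selected paid item, an opt-out worded to shame, and a mandatory personal-data field on a path advertised as free. The `neededForDelivery` attribute is the judgment call an auditor must make for each field, and the shaming lexicon will need extending for each language and product a platform uses.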

Those who are watching the Privacy space will realise that similar mistakes are committed by hundreds of companies, and all of them should consider this instance a warning.

When lawyers invoke DPDPA charges against such companies, they will quote this order to say that the companies were forewarned.

All “Independent Data Auditors” should take note of this incident as a risk under DPDPA.

Also refer here for other instances where the CCPA-I has issued orders on dark patterns. Please note that each of these cases could also be a case under DPDPA, escalating the penalties up to Rs 250 crore.

Naavi

Watch the audio review of the above post at Naavi Academy; a video review is also available.

Posted in Privacy

The Era of Independent Data Auditors

DPDPA, the law that protects the rights of Data Principals and defines the responsibilities of Data Fiduciaries who collect and process personal data in India (or provide services to Indian Data Principals), is now in place.

The Data Protection Board is under formation. Companies are scrambling to find Data Protection Officers.

Quietly, FDPPI is ushering in the era of Independent Data Auditors, who are as important as DPOs. Every Significant Data Fiduciary in India needs a DPO and also an Independent Data Auditor. Hence, in terms of opportunities, there will be as many for Independent Data Auditors as for DPOs. Additionally, every DPO and every Independent Data Auditor will require professionals to assist them.

FDPPI has recognized this need and is creating the ecosystem to build Independent Data Auditors in India through the Association of Independent Data Auditors of India (AIDAI).

AIDAI has already empanelled Auditors in the categories of Accredited IDAs, Certified IDAs and Probationary IDAs. Today the first induction program for entrants to this profession is being organized in Bangalore. (Check www.aidai.org.in or www.fdppi.in for details.)

The Independent Data Auditors, or IDAs, will be the Guardians of Data Accountability who audit Data Fiduciaries and also serve as the eyes and ears of the Data Protection Board. True “Independence” does not come externally. It is in the minds of the Auditors, who have a sense of ethics and a responsibility to protect the objectives for which the law has created this profession.

An “Inner Engineering” is required for those who are good enough by knowledge to be DPOs to become IDAs. Let us begin our journey, externally and internally, to acquire both the expertise and the attitude. The starting point is the induction program planned by FDPPI.

Let us pray to God Vigneshwara to lead us to a prosperous future for IDAs.

We have recognized the importance of this profession, and also that in the upcoming AI world every Data Fiduciary would depend on AI and absorb its unknown risks, rendering them “Significant Data Fiduciaries”. Hence there should be a large number of Significant Data Fiduciaries in India, each needing an Independent Data Auditor.

Though there is a concerted effort from certain sections of the industry to dilute the implementation mechanism by exploiting the conflict that MeitY faces in regulating an IT industry whose development it is also responsible for, there are enough vigilant entities in India to prevent such a happening.

The revolution of IDAs is therefore already taking shape, with FDPPI at the forefront.

Welcome aboard.

Naavi

Posted in Privacy