Data Valuation Methods…2

Continued

In developing a DGPSI-Data Valuation framework in support of DGPSI-Full version, let us now explore some globally prevailing thoughts on Data Valuation.

In 1999, two Australian researchers, Daniel L Moody and Peter Walsh, published a paper titled “Measuring the Value of Information: An Asset Valuation Approach”. In this paper they discussed what are referred to as the “Seven Laws of Data Valuation”. These laws cover the following characteristics of data that could contribute to its valuation:

  1. Data is infinitely shareable.
  2. Value increases with use.
  3. Information is perishable.
  4. Value increases with accuracy.
  5. Value increases with synergy.
  6. Value of data increases with more data up to an overload point but may trip later.
  7. Information is self-generating.

Moody and Walsh also described how data can be “a raw material” which, when used with software and hardware as plant and equipment, produces information as the end product.

In this concept, software itself is an asset which, like a catalyst, works with input data to produce output data while it remains unchanged. The self-learning AI algorithm is a distinct category of data which cannibalizes the output data to transform itself as it evolves as a tool.

“Data” as software represents an asset like a “Fixed Asset” in the user organization while it could be a “Finished Data Product” in the software company.

When “Data” is used in 3D printing, data as input (the 3D scan of the object) combines with data as software for 3D printing and physical raw material (the component that is printed as an object) to result in the Physical Object as an end product. The software remains a re-usable element for the next production of a different product. The data used for the design also remains as a by-product which can be re-used if a similar object has to be printed once again.

There is another kind of Data which is also used as a “Fixed Asset”. It is the “Content” that is used to generate value by subscription or by carrying advertisements. The advertisement revenue or the subscription revenue depends on how good the content is and how it is itself promoted. An advertisement “of the content” advertises “the content” in which other “advertisements” are embedded. The valuation of such assets needs to take this into account. Such assets are also amenable to depreciation and sensitive to time and accuracy of the content.

Valuing such content needs to take into account this complex web of revenue generation possibilities along with time value. Such assets are better suited to the Discounted Cash Flow (DCF) or Net Present Value (NPV) method of valuation than the Cost of Acquisition method.

Hence some data assets are more amenable to the Cost of Acquisition (COA) method while some are more amenable to the DCF/NPV method. Some may require frequent adjustments of the time value of content to the extent that a “Revaluation Method” is more acceptable.

Naavi has earlier propounded a “Theory of Data” from which many of the above 7 laws can be implied. Naavi’s theory had been built on three hypotheses, namely “Data is in the beholder’s eyes”, “Data has a reversible life cycle” and “Changes in the Value of data during the life cycle belong to different contributors”.

In the Puttaswamy Judgement, Justice Chandrachud remarked that “Data is non-rivalrous” to mean that it can be duplicated. It can change hands without depriving the earlier person of its use. However, when we look at the valuation of data we are confronted with two conflicting valuation dilemmas.

Firstly, in the case of “Confidential” information, the sharing of data dilutes the value. Sometimes it destroys the value of the data completely. For example, a “Password” is one data item which, when shared, will destroy its value completely.

On the other hand, some data such as “News” or “Education” increases in value when it is available for access by many. Hence a Data Valuer needs to classify the data properly before assigning the value to the data under this law.

The second law “Value increases with use” is reflected in the type of content mentioned above.

For example, if nobody knows that a certain data exists, it cannot have a value. A classic example is the DGPSI framework, which is today known only to a few in India and whose value is limited to the recognition of this set of people. If it is known to more people, its value would correspondingly increase. This is because it is a “Data Asset” which is meant to be used by other data users like a software.

The third law that “Information is perishable” is relevant for Personal Data valuation and has been used in the DVSI model because the permission to use the data by the Data Fiduciary is dependent on the Consent or legitimate use. The utility value of the data vanishes once the consent expires. In the data category of “News” the data may become stale for the news reader while for an investigative researcher, there may be a premium value in the “Forgotten Data”. A classic example is some of the articles on naavi.org which may be 25+ years old, but for somebody who wants to track the legislative history of Cyber Laws in India, they are a treasure.

This principle that the value of data may depend on the context and the audience is part of the first hypothesis of Naavi’s theory of data that “Data Itself is in the beholder’s eyes” and therefore the “Value of Data is also in the beholder’s eyes”.

This means that the valuation of data has to be tagged with a “Context” weightage.

The fourth law, that the value of information increases with accuracy, is from the context of its usage. There can be some instances such as “Anonymised Data” where accurate data is masked for a specific purpose and, though the accuracy of the data is deliberately reduced, the value may be preserved or even enhanced because the data can be used for purposes other than those for which the accurate data could have been used.

The fifth law, that the value of information increases when combined with other information, is well noted not only because data from one division may be useful for another division in an organization but also because the entire Data Engineering and Data Analytics industry revolves around the synthesis of data and the generation of new insights.

However, in a personal data context where permissions are “Purpose limited”, data collected for one purpose may not be automatically usable for another purpose, and this may conflict with this observation of Moody and Walsh. It is however fine with non personal data.

The sixth law is that there is an “Overload Point” after which “more data is not necessarily better”, since “Data Fatigue” may set in. Where laws are different for different scales of operation (e.g. “Significant” social media intermediary or “Significant Data Fiduciary”), beyond an overload point new obligations may come in, changing the usage pattern of the data.

The seventh law, “Information is not depletable”, is an interesting observation since the more we use a certain data, the more the usage pattern itself becomes additional meta data that enriches the core data. Again, this has to be seen along with the “Data usage license”, such as a Digital Library license which is based on number of uses (from the user perspective), or expiry of permission, or “limitation of use under law”.

Thus the seven laws of data valuation indicated by Moody and Walsh are an interesting study which can be compared with the implications of Naavi’s theory of data and the DVSI model.

Request academicians to study this relationship further.

Naavi

…continued

Posted in Privacy | Leave a comment

Data Valuation Methods-1

P.S: This is a continuation of a series of articles on Data Valuation. Discussing Data Valuation is mixed up with Data Monetization and could cause serious conflicts with the concept of Privacy and Data Protection. These are ignored in the current context and we continue our discussion with the belief that these conflicts can be effectively managed both legally and ethically.

“Measure your Data, Treasure your Data” is the motto underlying the DGPSI framework of compliance. There are two specific “Model Implementation Specifications” (MIS) in the framework (DGPSI Full Version with 50 MIS) which are related to data valuation. (DGPSI=Digital Governance and Protection Standard of India)

MIS 9: Organization shall establish an appropriate policy to recognize the financial value of data and assign a notional financial value to each data set and bring appropriate visibility to the value of personal data assets managed by the organization to the relevant stakeholders.

MIS 13: Organization shall establish a Policy for Data Monetization in a manner compliant with law.

Recognizing the monetary value of data provides a visible purpose and logic for investment in data protection. It is not recommended to create reserves and distribute. Similarly “Data Monetization” is not meant to defeat the Privacy of an individual but to ensure that the revenue generation is in accordance with the regulation.

Leaving the discussion on the Privacy issues of data monetization to another day, let us focus on the issue of “Data Valuation”.

Data can be both personal and non personal. It can also be “Quasi” personal in the form of pseudonymised data and de-identified data. It can also be “Anonymised personal data”. For the purpose of DGPSI for DPDPA/GDPR compliance, we recommend “Anonymised” data to be considered as “Non Personal Data”. At the same time, in the light of the Digital Omnibus Proposal, pseudonymised or de-identified data may also be considered as outside the purview of “Personal Data” for GDPR/DPDPA compliance in the hands of the controller/fiduciary who does not possess the mapping of the pseudonymised/de-identified data with the real identifiable data.

Data can be further enriched through data analytics and it may become an “Insight”. Such “insights” can be created both from Non Personal Data as well as permitted Personal Data. Such data will have an IPR component also.

The “Possibility” of converting pseudonymised, de-identified or anonymised personal data into identifiable personal data with the use of various techniques is considered a potential third-party cyber crime activity. Unless there is negligence on the part of the controller who discloses the data in the converted state in the belief that it is not identifiable, the controller should be absolved of inappropriate disclosure.

Further, even personal data with “Appropriate Consent” should be considered as data that can be monetized and therefore has value both for own use and for marketing. (P.S: Appropriate Consent in this context may mean “Witnessed or Digitally Signed Contractual document without any ambiguity”…to be discussed separately). Such data may be considered as “Marketable Personal Data”. Just as “Data” can be “Sensitive”, “Consent” can be “Secured”. (The concept of Secured Consent is explained in a different context.)

For the purpose of data valuation, both personal and non personal data are relevant. The K Gopalakrishnan committee (KGC) did explore a mechanism to enable non personal data to be valued and exchanged in a stock-market kind of data exchange. However, in the frenzy for Privacy Protection, the data protection law was limited to personal data and the KGC report was abandoned.

Now that the Comptroller and Auditor General (CAG) has advised PSUs to recognize a fair valuation of their “Data Assets”, it has become necessary to value both personal and non personal data as part of the corporate assets.

This will enable PSUs to realize value at least for Non Personal Data (NPD) and “Marketed/Monetized Personal Data (MPD)”.

While there are many ways by which Data can be valued, one of the practical methods would be the Cost of Acquisition method. This is a simple “Cost Accounting” based method and the least controversial.

In this method we need to identify the “Data Asset”, trace its life cycle within the organization and assign a cost to every process that is involved in acquiring or creating it. Such a data asset can be “Bought” as a finished product from a Data analytics company, or acquired in a “Raw” state and converted with some in-house processing into a “Consumable State” which is like a “Finished Product”. If this is consumed entirely within the Company and also stored for future use within the Company, it remains a valuable data asset which generates “Income” for the organization.

In this scenario, there can be a valuation method based on income generation under the well known Discounted Cash Flow or Net Present Value method, which can be used to refine the cost of acquisition based valuation.

If the organization would like to transfer the consumable finished data product to another organization, a real market value could be recognized either as a cash inflow or as a transfer price. Then the market value could also be an indicator for refining the value of the data held as an asset by the organization.

With these three methods, valuation of data can be refined with appropriate weightages being assigned to the different values that arise for the same data set.

In the case of “Personal Data”, we had already addressed some valuation issues in the DVSI (Data Valuation Standard of India), which was a primitive attempt to generate a personal data valuation model where the data protection law could add a potential “Risk Investment” on the data. It recognized the value modifications arising out of the depth and age of the data. For the time being let us consider them as refinements that can be made to the “Intrinsic Value” assigned on the basis of “Cost of Acquisition”.

Hence we consider “Cost of Acquisition” as the fundamental concept of Data Valuation and the emerging cost would be considered as the “Intrinsic Cost” of the data. We shall proceed from here to consider a “Data Valuation Framework” as an addendum to the DGPSI framework and leave the refinement of data valuation to a parallel exercise to be developed by more academic debate.

Naavi

…Discussion Continues

 


“Measure your data, Treasure your data” A movement for the year 2026

The DGPSI (Data Governance and Protection Standard of India) as a framework for DPDPA Compliance adopted the Principle that Data as an asset must be recognized with monetary value which should also be rendered visible. Accordingly, one of the implementation specifications adopted by the DGPSI framework (Full Version) was:

“Organization shall establish an appropriate policy to recognize the financial value of data and assign a notional financial value to each data set and bring appropriate visibility to the value of personal data assets managed by the organization to the relevant stakeholders.”

The concept of the DGPSI framework was first born as PDPSI or Personal Data Protection Standard of India in 2019. It was supported by “Naavi’s Theory of Data”, which recognizes a “Value” for Data which could vary during the lifecycle of the data processing, and different owners could be recognized for different value parts of the data. It also recognized that Data value is linked to the capability of the user since “Data is in the beholder’s eyes”. By 2021, a model for Data Valuation evolved for professional discussion.

The industry however was not ready to take cognizance of the Data Valuation as a Governance principle and the DGPSI provision remained only a suggestion.

The year 2025 has been a momentous year in India with the notification of DPDPA 2023 setting a time line for its implementation. Now the industry has taken DPDPA 2023 seriously and is trying to work towards compliance. The DGPSI framework has been a leading Governance tool of compliance which can be used for implementation as well as audit and assessment.

In the meantime, it is the PSUs which seem to have taken the first step in documenting the value of the Data Assets thanks to the initiative taken by the CAG. CAG has realized that there is no point in merely raising a slogan that “Data is the New Oil” and there is a necessity to recognize the financial value of data and make it visible in the accounting system.

We fully endorse this view, and in the year 2026 have taken a New Year Resolution that we shall work towards a movement to popularize the concept of Data Valuation and help the industry to arrive at a reasonably acceptable methodology for making this possible.

“Measure Your Data, Treasure Your Data” will be the motto that will drive this movement and add a new life to the DGPSI framework.

Join hands with Naavi and FDPPI to make this movement a grand success.

One of the first activities under this would be a Round Table in Bangalore… watch out for the date…and participate.

Naavi


Digital Arrest Scam… Open Letter to the Supreme Court

To

The Chief Justice of India
Honourable Supreme Court
New Delhi

From:

Naavi (Na.Vijayashankar)
Cyber Law and Data Protection Consultant
Founder: www.naavi.org
31st December 2025

Dear Sir

As a person following Cyber Laws in India since 1998, I am happy that the Supreme Court of India has taken Suo-Moto Cognizance of the “Digital Arrest Scam” and is trying to develop some guidelines to mitigate the hardship of the victims. This is a great opportunity to improve the digital ecosystem in India and we need to make full use of this opportunity.

In this context, I would like to place before you the following suggestions for consideration and request you to provide suitable directives to the relevant parties.

1. We need to identify and apply corrections to the root cause.
2. Consider introduction of a new Law for Neuro Rights Protection
3. Bring changes to our Banking practices by directing RBI and the Bankers avoiding collateral damage of innocent persons.
4. Bring Technical improvements to the Telecom and Mobile service providers

I will try to elaborate each of these suggestions.

1. Root Cause and its Rectification

The first thought that occurs to every one of us is how it is that educated and otherwise mature persons fall into the trap of the Digital Arrest scam to the extent that they take out crores of rupees of their savings and hand it over to the fraudster. This is continuing even after the Prime Minister himself addressed the awareness requirement in one of his “Mann Ki Baat” episodes. While “Awareness” continues to be necessary, it is obviously not sufficient.

The modus operandi indicates two reasons why people are falling into a trap which is apparently irrational. The modus operandi is to make a fake phone call, threaten action by law enforcement agencies and suggest that a certain amount may be deposited temporarily in a Government account pending enquiry.

The irrational action of the victim in this context is induced by

a) Fear that even if they are innocent, law enforcement agencies may harass them
b) A false sense of security that the Government agencies where the money is sought to be parked can be trusted to return it since they are anyway innocent.

Thus the fraudsters cleverly exploit both the “Fear” and the “Trust”, mesmerizing the victims through their talking. We may recall that some time back, the “Blue Whale” game was prevalent where fraudsters drove innocent children to harm themselves through suggestions.

The psychological analysis of this situation is that the victims got into a “Hypnotic State” where they lost their rational decision making process and blindly followed the suggestions of the fraudster. This is a sophisticated “Cyber Hypnosis” strategy.

We can observe such behaviour also in situations where people “Freeze” at the sight of a real or toy gun for the fear of harm that may occur. The so called “Stockholm syndrome” is also a manifestation of a defence mechanism that follows the initial state of obedience through fear.

Law recognizes actions taken under threat, coercion or mistaken impression, or when a person is not in control of his mental faculties, as “Void” under law. Hence the act of “Handing over of money voluntarily”, which is used as a defence by Banks to avoid their responsibility, is not legally sustainable.

Therefore, the liability for the digital arrest scam, cannot be held against the victim even if it looks foolish for the victim to act in the manner in which he did.

The solution to prevention of this “Fear” and “Blind trust” together placing the victim in a terrorized state of mind and blind compliance is to increase public knowledge on institutions like CBI, ED and RBI on what they do and what they do not do.

Also a single point PR contact should be available at all these institutions to provide clarifications when required. A direction to this effect must be issued.

Academic institutions should work on creating “Cyber De-addiction Websites” which try to remove the misconceptions about social media that whatever comes on the Internet is true and reliable. People should be made aware that after the AI based synthetic content spreading across the Internet, no information is reliable unless it is cross verified from a reliable source. Availability of public contact points with law enforcement agencies is the first step in this direction.

Government agencies such as MeitY should be directed to invest in measures to publicize the lack of reliability of information on the Internet and the dangers of synthetic content. Such investments should be mandated as a security measure along with investments for technology promotion.

2. New Neuro Rights Law

If we recognize that these frauds are occurring because the mind of the victim is manipulated, we should recognize that this is an offence. This is part of “Dark Patterns” under the Consumer Protection Act. It was also a part of the earlier versions of the Data Protection Bill which was omitted in the latest version of DPDPA 2023.

“Manipulation of Human Mind” with either devices or communication should be considered as a violation of “Neuro Rights” and should be protected either as an extension of the “Right to Privacy” or “Right to Free Choice” or through a separate law.

3. Changes in Banking Policies

It is noted that in a few instances vigilant Bankers have identified the problem and prevented the customer from going through with the payment. This indicates that in other cases, Bankers have been negligent.

In all the successful digital arrest fraud instances, the Bankers both at the end of the victim and at the end of the beneficiary, along with the Mobile Service Provider who issued a SIM to the fraudster, should be considered as co-conspirators to the fraud and must be jointly and severally liable.

The KYC norms and the RBI instructions on adaptive authentication make it mandatory that an account is monitored and any “Unusual” transactions are flagged for elevated authentication checks. Unfortunately Banks do not follow this norm. The beneficiary Banks do not check the known sources of income of their customers against the unusually large amounts that are credited. This is a blatant omission of the RBI norms.

In the TDSAT judgement on S Umashankar Vs ICICI Bank, the Tribunal considered that not following reasonable security practices by the Banker was a violation of Section 43(g) of ITA 2000 and makes them liable directly along with criminal consequences of Section 66.

This needs to be put into a direction by the Supreme Court.

At the same time, the Banks and the Police often misinterpret the RBI guidelines and, when some stray funds are found in the account of innocent account holders, proceed to freeze the entire account. Law is very clear that if there is any disputed credit in the account there can be a lien only on that amount and not the entire account. However many Police personnel issue directives to freeze entire accounts and Bankers oblige them. De-freezing of such accounts will be delayed unless palms are greased. This obnoxious practice must be stopped.

We request Supreme Court to give a clear direction to all Banks that unless a Court has indicated an amount on which a garnishee order is issued, no amount in excess should be frozen. Also the Garnishee order should apply to money due and payable as on the date of the receipt of the garnishee order and not future receipts. Hence the practice of Banks freezing the account is completely illegal and Banks should be suitably penalized for following such practices. Police issuing notices without indicating the amount under dispute also needs to be stopped. RBI itself should modify its “Freezing” provision and adhere to the known principle of a “Garnishee Order” and not create new provisions of law expanding their powers.

Further, the Court should direct that in all instances where the Bank cannot establish a conspiracy between the victim and the beneficiary, it should be presumed that the liability for the digital arrest payment lies entirely on the Beneficiary’s Bank or jointly by the Beneficiary’s Bank and the Victim’s Bank.

Further it is noticed that when the victim reports to his bankers about any fraud the Banker does not act immediately to stop payment in transit. This is contravening the established Banking practice of “Stop Payment”. Even in the case of Credit card transactions, RBI has taken an untenable stand under which Banks prioritize payments to the acquiring Bank instead of the Credit card owner and refuse charge back requests.

Supreme Court may kindly direct the Banks to honour “Digital Stop Payment” and initiate immediate action to inform the destination Bank whenever a victim reports a fraud or the Bank observes an “Unusual Transaction” so that the destination Bank “Exercises Caution”. These established practices which were prevalent before the advent of Digital Banking have been given up in the new digital banking era and must be restored.

4. Technical Improvements

Since “Collection of Electronic Evidence” is an important requirement for any legal defence, the Telecom operators should be advised to

a) Follow the suggestion of TRAI to display the caller ID linked to the KYC in respect of all calls so that impersonation can be identified
b) Introduce a “Hot button” on the mobile where at the click of a button the screen recording can be silently activated and deposited with a repository at the end of the call so that it is available for evidence. Currently “CEAC drop box” is a service that is available for voluntary deposit of electronic documents for evidentiary purpose. A similar service can be managed either by the law enforcement/MeitY or by a consortium of approved service providers. The user may subscribe to any of the free or paid services so that the evidence can be collected without a problem.

This has no “Privacy” bar since a “Conversation” is a data that belongs jointly to the caller and the called and hence each should be considered to have the right to record particularly when it has to be presented in legal defence of one of the parties. DPDPA 2023 also exempts collection of data for self legal defence.

These technical measures can also be directed to be introduced by the Mobile Service Providers along with a strict directive to ensure KYC for SIM card issue.

Yours sincerely

Na.Vijayashankar

Naavi
(Na.Vijayashankar)

P.S: We have placed this in public domain so that any victim or member of public can respond and add his views. This can be read along with our earlier article.


Data Valuation as a Service

Under DGPSI as the framework of Data Governance and Protection for compliance of DPDPA 2023, it is suggested that every organization should ideally be able to recognize a “Financial Value” for its data assets.

DGPSI recommends “Identification of the financial value of a Personal Data Asset and showing it as part of the balance sheet as a below the line item”

-to provide visibility to the importance of Data Governance and Protection in an organization.

-to enable provision of appropriate resources for Data Protection including appropriate compensation to the DPO

Though most organizations have not yet adopted this “Model Implementation Specification”, there is an increasing acceptance that this is a necessity as we go forward.

In this context we can draw attention to the Policy on Data Governance and Data Security issued by the Comptroller and Auditor General of India (CAG). This document tries to define the broad contours of how the CAG intends to pursue the objectives of Data Governance and Data Security in the light of DPDPA 2023. The Policy prescribes a mechanism for oversight and monitoring of our personnel who have been entrusted with the tasks of collection, storage, analysis and dissemination of personal data.

This is translated into instructions for audit of Public Sector organizations which are bound by DPDPA 2023. This therefore becomes part of the FDPPI’s audit guidelines under DGPSI where applicable.

In its recent “Revised Directions for Statutory Auditors”, CAG has advised the auditors to verify amongst other things

“Whether the Company has identified its data assets and whether it has been valued properly”?

The data auditors under DGPSI framework should therefore take note of this requirement.

Naavi had already released a document “Data Valuation Standard of India” which has been under discussion for some time in select fora. The subject of “Data Valuation” has already been dealt with in the Course on Data Protection in IIM Udaipur as an introduction to the management students. Now the time has come to explore this further.

FDPPI/Naavi is launching a new program for “Certified Independent Auditors” in 2026 and one of the topics that we intend to discuss is the “Valuation of Data Assets”. Naavi is developing an approach paper for Valuation of Data Assets as a guidance document under DGPSI and it should be useful in meeting the requirements of Auditors of PSUs under the CAG guideline.

Simultaneously, Naavi under Ujvala Consultants Pvt Ltd would start offering “Data Valuation” as a service. More details about this service would be released in due course.

Naavi

 

Also Refer:

PursuIT journal edition on Data Protection from iCISA

Policy on Data Governance and Data Security (IA&AD)

Policy on Data Governance and Data Security (October 2024)

Naavi’s DVSI Model

July 21 copy of DPJI

Earlier article on DVSI model


Domain Name Registrars are now under Compliance Check

Naavi has been repeatedly pointing out that the Domain Name Registrars are ignoring legal compliance as a matter of routine.

Now the Delhi High Court has published its order of 24th December 2025 setting some guidelines for Domain Name Registrars in India. The case originated on the basis of a petition by Dabur against websites infringing its trademark. (Dabur India Limited Vs Ashok Kumar and ORS, CS(COMM) 135/2022)

The case is also related to Cyber Crime prevention and the “Digital Arrest” Case now being tried at the Supreme Court. It is also related to Trademark infringement involved in registration of domain names.

The decision has taken into consideration views expressed by ICANN, GoDaddy, CERT-In, MeitY, MHA and several other relevant parties.

The judgement has considered issues such as prevention of financial frauds, measures to be implemented by the Registrars etc. It has also brought some sections of DPDPA 2023 and GDPR into the discussion of protection of Privacy of the registrant.

The judgement is a gold mine of information for all students of domain name law.

This judgement could be considered a landmark judgement on domain names in India.

Refer the copy of the judgement here

Summary of Conclusions

Naavi has several times objected to the Domain Name Registrars hiding the names of the registrants under the guise of Privacy. The Court has taken note of this practice and held

“The Court was of the view that disabling the privacy protect feature may be essential to ensure that the identity of the Registrants is available on https://www.whois.com database (hereinafter “the WHOIS database”) among others.”

Naavi is of the firm opinion that registering and hosting a website on the Internet is an activity in the public domain and the identity of the registrar should not be considered as “Personal Information” subject to the Right of Privacy. It is an action that has an impact on others and hence is a “Public Activity” and the identity of the registrant should be considered as a “Right of the society to know”.

In summarizing its conclusions, the Court observed:

  1. Domain Names form the online soul of a business and their distinctive character has to be protected.
  2. Misuse of domain names and website content endangers the larger public interest.
  3. Stringent action needs to be taken to maintain the integrity of the domain name system against parties such as Domain Name Registrants, Registrar, Registry operator, ICANN, Banks, RBI, Telecom Service Providers, Meity and DOT and Law Enforcement agencies.
  4. It is imperative for all Banks to implement the Beneficiary Bank Account Name Lookup in case of online payments.
  5. It is mandatory for all Banks to cooperate with Law Enforcement Agencies in terms of Central Intelligence and Economic Bureau issued the Standard Operating Procedure dated 31st May, 2024 for processing of requests from LEAs by the banks
  6. Domain Name Registrars (DNR) must implement Rights Protection Mechanism under specification 7 including use of the Trademark Clearing house data base.
  7. The DNRs ought to submit registered-name data to the Registry Operator, provide public query-based access to essential WHOIS/RDDS information, make registrant data available for ICANN’s inspection, comply with applicable laws and governmental regulations, avoid registering reserved names, verify and periodically re-verify Registrant contact information, investigate inaccuracies, and act promptly against DNS abuse or illegal activity.
  8. DNRs ought to face termination of the accreditation agreement if a Court finds they permitted illegal activity or failed to comply with Court’s orders, or if ICANN determines that the DNRs engaged in bad-faith trademark-conflicting registrations.
  9. DNRs are obliged to follow ICANN’s WHOIS Accuracy Specification, validating address, email, and phone formats, and verifying email or telephone numbers through tool-based authentication, and must suspend or terminate domain names where registrants wilfully provide inaccurate information and fail to correct it within 15 days.
  10. The privacy protect feature extended by DNRs to registrants is acting as a cloak to hide the identity of those perpetrating illegal and unlawful acts on the internet; it is necessary to mandate that all DNRs offering their services in India shall collect the details of the Registrants and perform an e-KYC verification in the manner in which NIXI already mandates in India.
  11. DNRs and Registry Operators cannot deny disclosure of Registrant’s details by taking blanket cover under the provisions of GDPR. The applicable privacy law would govern the relevant considerations in each case, and accordingly, the data collected from Registrants in India would be governed in terms of the DPDP Act and its allied Rules. All DNRs who offer their domain names registration or ancillary services ought to appoint Grievance Officers who are located in India and publish their email addresses, mobile numbers and other contact details so that they can be contacted for the purpose of obtaining relevant information of the Registrant as also for implementing orders passed by Courts and to provide information to LEAs.
  12. DNRs who provide extended services including marketing of domain names may not merely be considered as intermediaries but as complicit in actively enabling infringement.
  13. It is a settled position in law in India that registration of an infringing domain name would not be permissible as there is every likelihood that the same could lead to diversion of users from the genuine website to the infringing one.
  14. Offering of privacy by default to registrants is one of the reasons for proliferation of illegal domain names. Thus, unless and until a registrant requests for privacy protect, the same should not be offered as a default mechanism.
  15. The Government and various institutions ought to create their own list of names that can be misused so that such domain names can be placed in the reserved list.

In view of the above, the following directions are issued to DNRs.

1. The DNRs and Registry Operators shall, henceforth, not resort to masking of details of the registrants, administrative contact and technical contact on a default basis as an ‘opt-out’ system. At the time of registration of the domain names, a specific option shall be provided for the Registrant and it is only if the said Registrant chooses for privacy protection, that the said service shall be offered as a value added service upon payment of additional charges. The additional charges shall not be made a part of the default package for registration of domain names.

2. Whenever any entity or individual having legitimate interest, law enforcement agencies (LEAs) or the Courts, request for disclosure of data relating to any infringing or unlawful domain name, the data (such as name of registrant, admin and technical contacts, addresses, mobile numbers, email address and any payment related information as well as any value added services provided) shall be disclosed by the concerned DNR as soon as possible but not later than 72 hours in terms of the Intermediaries Guidelines 2021.

3. If any particular domain name is restrained by an order of injunction or has been found to be used for illegitimate and unlawful purposes, the said domain name shall remain permanently blocked and shall not be put in a common pool in order to disable re-registration of the same very domain name by other DNRs. The appropriate steps in this regard shall be taken by the concerned Registry Operator to ensure that all DNRs having an agreement uniformly give effect to the said direction.

4. In the case of trademarks/brands, which are well-known or are invented, arbitrary or fanciful marks, which have attained reputation/goodwill in India, if a Court of Law directs that there would be an injunction on making available the infringing domain name with different extensions or mirror/redirect/alphanumeric variations, the same shall be given effect to by the DNRs and no alternate domain name shall be made available in respect of such brands and marks.

5. Upon an injunction being issued by the Court in respect of any domain name and the same being communicated to the DNRs, the DNRs shall ensure that no alternative domain name is promoted or being suggested to a prospective Registrant. Any promotion of alternative domain names of an injuncted domain name would disentitle the concerned DNR for safe harbour protection under Section 79 of the IT Act.

6. In respect of descriptive and generic marks, the restraining/injunction orders would be qua the specific domain name and any extension of restraining/injunction order for other infringing domain names would be with the intervention of the Joint Registrar before whom the application under Order I Rule 10 of Code of Civil Procedure, 1908 along with affidavit shall be filed and the injunction would be extended. Where any party is aggrieved by the order of the Joint Registrar, the application may be moved or placed before the ld. Single Judge.

7. Upon orders being passed by a Court, the infringing domain name shall be transferred to the Plaintiff/trademark owner/brand owner, upon payment of usual charges.

8. Search engines and DNRs shall not provide any promotion or marketing or optimization services to infringing and unlawful domain names.

9. All DNRs offering services in India shall appoint Grievance Officers within a period of one month from today failing which they would be held as non-compliant DNRs.

10. Service by email to the respective Grievance Officer’s details would be henceforth sufficient service for Court orders and any DNRs who insist upon services through MLAT or through other modes of services shall be held to be non-compliant DNRs.

11. In appropriate cases where an entity has repeatedly not complied with orders of the Court, and in the opinion of the Court it is a case where the interest of society at large is being adversely affected, such as cases of frauds, the Court may direct the appropriate authority to block access to the said entity under Section 69A of the Information Technology Act, 2000 read with Information Technology (Procedure and Safeguard for Blocking for Access of Information by Public) Rules, 2009.

12. All Registry Operators having valid agreements with ICANN shall take appropriate steps to implement the Trademark Clearing House services and make the same available to all brand owners & registered proprietors of trade marks.

13. All DNRs offering services in India or to customers in India shall undertake verification of Registrant’s details at the time of registration and periodic verification of the same. The verification shall be done in terms of KYC requirements mentioned in Circular No. 20(3)/2022- CERT-In dated 28th April, 2022 issued by Indian Computer Emergency Response Team. This is in line with the NIXI Accreditation Agreement.

14. All DNRs who are enabling registration of domain names which are administered by NIXI as a Registry Operator shall comply and provide requisite registration data to NIXI within one month of this judgment and also update the same on a monthly basis.

The Court has also given the following directions to the Government (Meity/MHA):

  1. The Government shall hold a stake holder consultation with all DNRs and Registry Operators offering services in India and explore the possibility of putting in place a framework similar to the one used by NIXI by all DNRs for the purpose of domain name registration.
  2. Consider nomination of a nodal agency such as NIXI as the data repository agency for India with which all the Registry Operators and the DNRs would maintain details related to Registrants on a periodic basis so that the said details are made available to the Courts, LEAs and the governmental authorities for the purpose of enforcement of orders of Courts and for preventing misuse. Alternatively, DNRs shall be directed to localize the data in India for easy access. Irrespective of the decision, it is made clear that processing of personal information would be strictly in terms of the DPDP Act and applicable Rules.
  3. In case of a DNR or Registry Operator, which does not comply with the orders of the Courts or with request from LEAs, the offering of services of such DNRs or Registry Operator be blocked by MeitY and DoT under Section 69A of the Information Technology Act, 2000 read with Information Technology (Procedure and Safeguard for Blocking for Access of Information by Public) Rules, 2009.
  4. MeitY along with NIXI shall coordinate with ICANN to enable brand owners in India to avail of TMCH facilities on reasonable terms and conditions so that they can receive notifications whenever any conflicting /infringing domain names are proposed to be registered by any third parties across the globe.
  5. The CGPDTM (Controller General of Patents, Designs and Trade marks) could also consider publishing the list of well-known marks along with the official and authentic website details of the trademark owners so that if any consumer or user wishes to verify the authentic website, the same would be made possible through the website of the Intellectual Property Office. The same shall also act as sufficient notice to all potential Registrants as to the actual websites.
  6. Directions qua grant of ‘Dynamic +’ injunction: The dynamic + injunction would apply under the following circumstances:
    (i) Wherever the brand/trademark appears as it is in the domain name;
    (ii) Wherever brand/trademark appears with a prefix or suffix which could lead to confusion;
    (iii) Wherever the brand/trademark appears as an alphanumeric variation.
    (xvii) Whenever there is a legitimate Registrant who opposes the suspension of the domain name, if the same is communicated by the said Registrant to the concerned DNR, the DNR may then ask the IP owner to obtain a Court order.

Also, the following directions are issued to Banks.

  1. All banks shall mandatorily implement the ‘Beneficiary Bank Account Name Lookup’ facility in terms of the RBI circular dated 30th December, 2024 for all online payments including payment by UPI through applications such as Google Pay, Paytm, etc.
  2. All banks shall also abide by the Standard Operating Procedures dated 31st May, 2024 issued by Central Economic Intelligence Bureau for processing and responding to requests received from LEAs.

In toto, this is a very comprehensive and useful judgement which will have a long term impact on the industry.

Naavi
