India that is Bharath is waiting for the elections to be over and for Mr Modi to come back with a thumping majority. The DPDPA 2023 which was notified with presidential assent needs to be activated within the 100 days plan for which we wish that Rajeev Chandrashekar will be back as the IT Minister.
We can expect that just as the work in progress rules was leaked some time back some body in MeitY is working on the rules.
It is our duty to bring to the notice of the team working on the rules some of our concerns and suggestions.
As per Section 40, at least 25 new rules need to be formulated. Out of these the following 5 rules appear to be of key importance. We would like to propose our suggestions regarding the above.
Legacy Data:
Since it is expected that a large number of legacy data principals may not be reachable and may not respond to the new notice, the rules should prescribe the “Reasonable Period” after which the permission is deemed as “Withdrawn”.
The Act now simply states…
“the Data Fiduciary may continue to process the personal data until and unless the Data Principal withdraws her consent.”
This is not in consonance with the spirit of the Act and it cannot be construed that the data can be used for an indefinite period under the excuse that the data principal did not withdraw the consent. It will also be in conflict with the obligations under Section 8(3) to ensure that the data used for processing is “Complete” and “Accurate”.
Also the principle under ITA 2000 is that any privacy policy needs to be renewed not later than one year which therefore becomes an expiry period for the consent in the absence of any other parameter.
The period of 1 year however appears unreasonable in the context of DPDPA 2023. A more reasonable period has to be prescribed and in our view it should not be more than 3 months.
Significant Data Fiduciary
The definition of “Significant Data Fiduciary” could be by far the most important rule to be notified and it is necessary that the Government thinks seriously of the suggestions made in our precious article.
The essence of this suggestion is that the “Tag of Significant Data Fiduciary” is not to be associated with an enterprise as a whole but to specific processes. Under DGPSI, we group processes based on the sensitivity and this should also determine the Significant Data Fiduciary status.
The operating part of the suggestion is to add the following explanation in the rules:
“The term ‘class’ under Section 10(1) of the Act for the application of this rule also applies to any class of personal data process/es that an entity may use where the risk, sensitivity and volume of personal data processed exceeds a specified threshold”
Nomination
If “Nomination” is considered as “Transfer of ownership of an asset on the death of a person” and applied to personal data as a property, then it will be difficult for the Data Fiduciaries to obtain consent through electronic means. We are aware that law does not consider “Nomination” as “Transfer of property” and hence the rights of legal heirs is not affected by the presence of nomination in favour of a person who is not a legal heir. However common people may not be aware of this and may consider “Nomination” as “Bequeathing of property”. If this concept is recognized then electronic consent form cannot be used to register “Nomination” because of Section 1(4) of ITA 2000.
To honour the legal principle that “Nomination” is a procedural convenience adopted by an asset owner to transfer the property to a trusted agent of the property owner for further transfer to legal heirs, an explanation needs to be added as follows.
” Nomination for the purpose of Section 14 of DPDPA 2023 means transfer of custody of personal data and associated digital property in the hands of a data fiduciary to a person designated by the data principal for eventual distribution to the legal heirs. The data fiduciary shall be considered as discharged from his liability of disposal of the digital assets if the custody is properly handed over to the designated nominee”.
A separate procedure for claim settlement can be prescribed for this purpose (Refer to earlier articles in Naavi.org on digital data of deceased.
Consent Manager
The definition of “Consent Manager” is another area where the Meity may be stuck to their current DEPA framework and needs to think differently. This aspect has also been discussed by Naavi.org earlier and a case has been made out that “Consent Manager” under the Account Aggregator concept is different from the “Special Data Fiduciary concept of a consent manager” used in DPDPA. There is also a need for a very strict application of “Fit and Proper” criteria for registering Consent Managers.
If this aspect is neglected, we can see a major scam of theft of personal data for which the negligence of rule makers would be responsible.
Data Auditor
The rules regarding the credentials of a “Data Auditor” is another area of concern where vested interests can play havoc.
I would welcome Meity to introduce its own accreditation of Data Auditors through an open examination and should refrain from using the terms “All Cert In Accredited Auditors shall be considered as deemed to be qualified to be data auditors under the DPDPA 2023”.
Meity can use the guidance available under FDPPI’s C.DPO.DA. Certification course or DGPSI as a framework to structure the accreditation examination for Data Auditors.
The model adopted by MCA in accrediting Independent Auditors or the Law department in accrediting Patent lawyers can be followed for this purpose. The essence of these models is that the Government has a certain norm of an examination and trainings are conducted by different private bodies and not restricted to any one agency as a “Deemed Expert”.
Naavi
