National Personal Data Archive…Is it impossible to secure?

While deliberating on the DPDPA rules, I have been suggesting that the Government needs to set up a “National Personal Data Archive” so that “unclaimed personal data” and “personal data under dispute” may be shifted out of the custody of the Data Fiduciary, so that they can be retrieved if required at a later date, subject to an appropriate legal process.

One of the prime benefits of this system is the following: when a data fiduciary has completed the processing for which the data was collected, but consent cannot be renewed after DPDPA 2023 becomes effective (because contact cannot be established with the data principal, the data principal cannot be properly identified, or the transfer back is legally disputed for some reason), the data fiduciary can give up custody of the data instead of carrying a dead burden which it can neither use nor delete.

When I discuss this proposition with experts, many have expressed distrust of a Government machinery having control of such data, because it can be misused for surveillance. Though the Government will have the power to call for any information for National Security purposes, which include a certain basic level of surveillance, the fear that the data may be misused by a corrupt system cannot be ruled out.

We may however discuss separately whether it is safer to leave the data with the private sector data fiduciary, even after it no longer requires the data for processing but would like to hold onto it under some excuse, than to transfer it to the sovereign state, which in any case is the owner of all unclaimed properties.

For the time being, we may however discuss and elicit the views of experts on whether there is any way in which a database of Personal Data of Citizens can be kept secure against misuse.

In the past, we have discussed a concept of “Regulated Anonymity”. With the advent of DPDPA 2023, every personal data store manager is also a data fiduciary with his own responsibilities, and this applies equally to a Government-managed national archive of personal data. The central idea of the suggestion was “Distributed Ownership of Custody” of a database.

This concept has been well developed in the ICANN system for both Internet Governance and Domain Name Root Server administration.

Refer: https://www.cloudflare.com/en-gb/learning/dns/dnssec/how-dnssec-works/

A similar system can be set up to secure this National Archive of Personal Data. This system requires:

a) Strong Encryption of Data at rest

b) Distributed key control with an administration team

c) Administration team to consist of non-Government persons

d) Some of the members of the administrative team to be elected by digitally identified Netizens through a democratic process.
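The “distributed key control” in point (b) above, as an added example that is not part of the original post: a Python sketch of threshold key custody using Shamir secret sharing, the same split-custody idea behind the key ceremonies used for the DNSSEC root key. The archive's data-at-rest encryption key is split into one share per custodian on the administration team (some appointed, some elected), and the key can only be reconstructed when a quorum of custodians is present; any smaller group learns nothing about it. The custodian names, the 3-of-5 threshold and the 256-bit key length are assumptions, and the actual encryption of the archive with the recovered key (for instance AES-GCM) is outside the snippet.

```python
import secrets

# Field for the polynomial arithmetic: the Mersenne prime 2^521 - 1 is large
# enough to hold a 256-bit data-encryption key as a single field element.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (lowest-degree coefficient first) at x, mod PRIME (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key: bytes, custodians, threshold):
    """Split `key` into one share per custodian; any `threshold` shares recover it."""
    secret = int.from_bytes(key, "big")
    if not (1 <= threshold <= len(custodians)) or secret >= PRIME:
        raise ValueError("bad threshold, or key too large for the field")
    # The constant term is the secret; the remaining coefficients are random,
    # so fewer than `threshold` points reveal nothing about the constant term.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    # x-coordinates start at 1 (x = 0 would be the secret itself).
    return {name: (i, _eval_poly(coeffs, i)) for i, name in enumerate(custodians, start=1)}


def recover_key(shares):
    """Lagrange interpolation at x = 0 over the given (x, y) shares; returns an int."""
    points = list(shares)
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # pow(den, PRIME - 2, PRIME) is the modular inverse (Fermat's little theorem).
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


def unlock_archive_key(present, shares, threshold, key_len=32):
    """Key ceremony step: reconstruct the key only when a quorum is present.

    Returns (key_bytes_or_None, audit_record). The audit record is what a
    defender would log for every attempt, successful or refused.
    """
    quorum = [name for name in present if name in shares]
    audit = {"present": sorted(quorum), "threshold": threshold, "unlocked": False}
    if len(quorum) < threshold:
        return None, audit  # refuse: no single party or sub-quorum can decrypt
    secret = recover_key(shares[name] for name in quorum[:threshold])
    audit["unlocked"] = True
    return secret.to_bytes(key_len, "big"), audit


if __name__ == "__main__":
    # Constructed administration team: three appointed non-Government members
    # and two members elected by digitally identified Netizens (hypothetical names).
    team = ["appointed-1", "appointed-2", "appointed-3", "elected-1", "elected-2"]
    dek = secrets.token_bytes(32)               # the archive's data-at-rest key
    shares = split_key(dek, team, threshold=3)  # assumed 3-of-5 quorum

    key, audit = unlock_archive_key(["appointed-1", "elected-2"], shares, 3)
    print("two custodians:", key is None, audit)        # refused
    key, audit = unlock_archive_key(["appointed-2", "elected-1", "elected-2"], shares, 3)
    print("three custodians recover key:", key == dek, audit)
```

In a real deployment the shares would be held on separate hardware tokens and the reconstruction would happen inside an HSM or similar sealed environment, so that the assembled key never sits in ordinary process memory; the point of the snippet is only the quorum logic.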

I want experts to debate the creation of such a secure database and put pressure on the Government to introduce the National Personal Data Archive.

Naavi

Posted in Cyber Law | Leave a comment

DPDPA Rules… Data Breach Notification

Rule 7 of the draft DPDPA Rules prescribes that on becoming aware of any “Personal Data Breach”, the Data Fiduciary shall, to the best of its knowledge, intimate to each affected Data Principal the information of the breach. Similarly, the DPB shall be informed without delay, and subsequently, within 72 hours, given more details of the breach.

It is necessary to recognize that there are cases of false alarms, and incidents reported through whistle-blowing which, if confirmed, may become breaches but could also turn out to be false.

Hence the report to be submitted immediately should be termed as “Provisional”. The confirmed report filed within 72 hours may be called “Personal Data Breach Report”.

Further, some “Personal Data Breaches” recognized as such under the definition in DPDPA 2023 may involve infringement of Data Principal Rights and not exfiltration or “Loss” of personal data from the custody of the data fiduciary (e.g. when data access is compromised within the organization, from one employee to another).

These are not as harmful as the data breaches involving exfiltration of data or modification of data.

This has to be factored into the definition of “Personal Data Breach”.

Hence there is a need to recognize three categories of personal data breaches, namely:

  1. Provisional Data Breach
  2. Personal Data Breach not resulting in exfiltration or modification of data
  3. Personal Data Breaches resulting in exfiltration or modification of data

The rules should treat these differently.

It is necessary to recognize that every personal data breach involving loss or damage to data creates a liability under Section 43 of ITA 2000 and is also a data breach reportable under CERT IN guidelines even after the repealing of Section 43A.

There should be a process where the DPB and CERT IN act in harmony in dealing with the Personal Data Breach report. Since CERT IN has an infrastructure to provide technical guidance on remediation, there is no need to duplicate the effort at the DPB. Regulatory investigation of a technical nature, if required, should be left to CERT IN and adopted by the DPB. For this purpose, a “DPB-CERT IN Data Breach Investigation Policy” should be created by MeitY, which may specify that the ITA 2000 Compliance Manager and the DPDPA Compliance Managers designated by MeitY shall jointly resolve any Personal Data Breach related conflicts between CERT IN and the DPB.

Alternatively, changes should be notified under ITA 2000 stating CERT IN would refrain from investigating such cases which are taken up for investigation by the DPB under DPDPA 2023. This would however require additional technical investigation capabilities to be built up by DPB.

There is a need to recognize that the DPB would be more interested in identifying non-compliance with the law which may affect the rights of the data principal, and hence would like to track even those personal data breaches which do not result in exfiltration of data causing irreversible damage to the data principal. On the other hand, CERT IN is more interested in the prevention of Cyber Crimes and hence is focussed on data breaches involving exfiltration of personal data.

Hence there is a need for a simultaneous change in the CERT IN rules related to data breach while these rules are being notified.

Additionally, there is a need to build a knowledge base of Data Breaches occurring in India so that DPB is aware of how the industry is addressing the issue. Hence under the powers of Section 36, MeitY may gather information on data breaches already occurred though no penalties may be imposed on them.

In view of the above, the following suggestions may be made.

  1. A Provisional Personal Data Breach shall be reported only to the DPB, immediately on the data fiduciary becoming aware of it. A confirmed data breach involving exfiltration or modification of personal data shall be reported to the data principal as soon as the data fiduciary becomes aware of the “Confirmed Data Breach”.
  2. All Data Breaches recorded since 11th August 2023 may be reported to the DPB under the powers of Section 36 of DPDPA 2023.
  3. A Detailed Report within 72 hours, or as extended, shall be submitted to the DPB as proposed.
  4. A notification on the website of the Data Fiduciary of the report sent to the DPB should be mandatory.

A link to the detailed report should be sent to the Data Principals through e-mail or SMS where available.


Privacy Mitra Objectives

The Privacy Mitra Yojana of FDPPI intends to work on both dimensions of creating a Privacy Culture amongst the Indian Citizens and Compliance Culture amongst the Data Fiduciaries.

In India Privacy is a new concept. At present only the elite speak of Privacy. For others the “Right to Privacy” is still not a priority. While people understand the adverse effect of a Cyber Crime, they do not fully comprehend the adverse impact of Privacy infringement.

There is therefore a need for building a Privacy Culture in the society for the intentions of DPDPA to succeed.

At the same time, Corporates are also complacent, because compliance has a cost and everybody is short of resources for compliance. Most companies therefore think that they can wait till somebody else gets fined to understand how the DPB is likely to function.

In the midst of the reluctance of the companies to take Compliance seriously, and inability of data principals to fight for their rights, the DPDPA as a law has the danger of becoming a paper tiger.

FDPPI therefore considers that it is its responsibility, as a full service agency, to create awareness of Privacy in the community and build a compliance culture in the companies, before it can deliver its training programs, Certifications, implementation consultancy, audit and assessment.

Towards this goal, FDPPI is now trying to build an all-India cadre of committed Privacy enthusiasts to work on both the public front and the corporate front.

In particular, FDPPI invites academic institutions to come forward and get their student community to take up social projects involving creation of awareness of what Privacy is, why it is important, and how data principals need to be vigilant to protect the Privacy Rights granted to them by DPDPA as a law.

We invite volunteers to join the movement in large numbers to develop the Privacy Compliance Market in India which is good for the society and also create new opportunities for employment and business.

Be in touch with FDPPI and contribute your thoughts in this regard.

Naavi


Be a “Privacy Mitra”

Recognizing the need for a nationwide movement on creation of awareness about Privacy and DPDPA Compliance, FDPPI has initiated a new project called Privacy Mitra Yojana (Friends of Privacy Project) to build an army of young volunteers to spread the knowledge of Privacy.

Students from law colleges as well as professionals are invited to register themselves with FDPPI.

Educational Institutions, and Professional Bodies, Companies and Individuals who are interested in this National Privacy Mission of FDPPI are invited to contact FDPPI.

Let us together build a Privacy-conscious society in India.

Naavi


Interview in Quatrohive.com


DPDPA Rules.. Draft Recommendations from Naavi.org

The Draft DPDPA Rules were published by MeitY, with time for public comments up to 18th February 2025.

While discussions continue in the public space, and FDPPI in association with Trust Law has organized a discussion on February 8 with an invited audience in Bangalore, Naavi.org has prepared a draft of comments to be submitted to MeitY. Before the 18th there will be other discussions as well, and the public may form further views on the submission of comments, either directly or through other organizations.

In order to stimulate thoughts on this regard, we are sharing a copy of the draft comments prepared by Naavi.org and submitted for discussion to FDPPI. If any comments are received here, they will be considered for inclusion.

General Comments:

The law of DPDPA 2023 is already in place and is immutable at this point in time. It is noted that the current exercise is only for fine-tuning of the published draft rules.

Hence our comments presume that the law as it has been notified stands as the fundamental document of reference and the comments are only related to the draft rules as are considered feasible under the enacted law.

It is recognized that in the event of any rule exceeding the basic character of the provision of the law to which it refers, there could be a challenge to the legal validity of the rules as being ultra vires the law.

For the same reason, it is expected that the rules will be brief and precise, and will only cover the essential clarifications, without the detail of a checklist or the recommendation of any specific tool or technology for implementation.

It is understood that the industry would exercise due diligence in implementing the law along with the minimum detail available in the rules. If and when the industry is negligent and does not observe due diligence, the consequences would reflect in the decisions of the inquiry following the registration of a complaint or a suo motu inquiry.

Clause By Clause Comments

Detailed clause-by-clause comments on all 22 rules are presented in the form of a separate document here:

Draft Comments on DPDPA Rules from naavi.org

Naavi
