IDPS 2025 at Chennai: Curtain Raiser workshop on 22nd September 2025 in the shadow of the DPDPA Rules

The confident announcement by the Minister, Mr Ashwini Vaishnaw, that the DPDPA notification would be released well before the end of this month has raised the expectations of the industry that at last DPDPA is set to become operational. The draft rules were published on 3rd January 2025, and it is reported that 6915 public views were received. A copy of the views presented by us is available here.

The media was more interested in the controversies related to the amendment to the RTI Act, which however was not an issue for the industry in general. The industry was concerned about the date from which the penalties would apply. This required a notification on Section 33 of DPDPA along with Section 44 (2). The draft rules of January 2025 were silent on this aspect. We now look forward to the new notification to provide clarity on this aspect.

The second most important missing component in the draft rules was how organizations will determine whether they are “Significant Data Fiduciaries” or not. In the absence of specific guidance, we interpreted that the industry players have to make a self-assessment of their risk profile, decide if they are significant data fiduciaries, and accordingly decide on the appointment of a DPO and Data Auditor, the conduct of a DPIA, etc.

Similarly, the draft had its own contradictions related to “Consent Managers”, about which the industry is yet to get full clarity.

FDPPI however provided clarity through the framework DGPSI and has now extended the framework to the use of AI in personal data processing by Data Fiduciaries through the extended framework DGPSI-AI.

As we look for the new notification to provide clarity officially, several privacy advocates are waiting to launch a challenge in the Supreme Court to bring a stay on the Act, if possible during the current CJI’s tenure itself, and are going to search for some reason to launch the legal battle.

We at FDPPI are however focussed on what the industry should do. Our next interaction with the industry is the IDPS event on September 27, at Chennai in association with MMA, at the MMA Management center in Thousand Lights. We expect that the rules would have been notified by that time.

FDPPI recognizes that in every seminar, the dignitaries on the stage are often at a level higher than the participants, and the panel discussions tend to go at a level which leaves many participants impressed but not necessarily wiser. To avoid such a situation when the information about the subject of the discussion is fast evolving, FDPPI has proposed to conduct a Curtain Raiser event virtually on 22nd September 2025 for the members of MMA and other registrants of the program on September 27, to apprise them of the theme of the conclave, namely “Bracing the twin challenges of DPDPA and AI”. In case MeitY is able to publish the rules before that time, it will be the first occasion when the new rules would be discussed in such a public forum.

We may recall that the first discussion on DPDPB 2021 was also held in Chennai, when the draft Bill was published on the evening before a pre-arranged seminar and we got an opportunity to discuss it in Chennai.

The September 22 event would be a 90 minute session from 6.00 to 7.30 pm, exclusively for the members of MMA, and would also be open to registrants of the September 27 event. (In case you want to register, please register here).


Naavi


IDPS 2025 at Bengaluru successfully conducted

The IDPS 2025, Bengaluru was successfully concluded yesterday, on September 17, 2025.

Some pictures of the event are found below.

Vice Chancellor of Ramaiah University of Applied Sciences, Mr Raina, and Ex-Vice Chancellor of Bengaluru University, Mr Venugopal, watering the plant as a symbolic gesture for inaugurating the program.

Book titled “Taming the twin challenges of DPDPA and AI with DGPSI-AI”, by Naavi, being released by the august guests consisting of Retired Justice Sri Subhash Adi in the presence of Vice Chancellor of RUAS, Mr Raina, Ex-Vice Chancellor of Bengaluru University, Mr Venugopal, and Directors of FDPPI.

Members of Panel 1 in discussion

Members of Panel 2 in discussion (Moderated by Nagaraj BS)

Members of Panel 3 in discussion

Members of Panel 4 in discussion. (Moderated by Naavi)

(More pictures will be posted later)

On September 27, the Chennai leg of IDPS 2025 will be conducted at the MMA auditorium, in Thousand Lights, Chennai. Watch out for further information.


PRESS RELEASE

Data Protection Experts discuss the impact of DPDPA and Artificial Intelligence at Bengaluru

M S Ramaiah Campus in Mathikere-Yashwantpura will be a witness to an interesting one day seminar on 17th September 2025 under the theme “Bracing the Impact of twin Challenges of DPDPA and AI”.
The event is jointly organized by the Foundation of Data Protection Professionals in India (FDPPI) and MSR School of Law and supported by FICCI, Bengaluru. Several industry experts will congregate as speakers and delegates to discuss the impact of the impending notification of the new law, namely the Digital Personal Data Protection Act 2023 (DPDPA 2023).
With Artificial Intelligence usage sweeping across the industry at the same time, compliance with DPDPA, given the unprecedented penalties in the range of Rs 250 crores plus, has become a huge challenge.
The event will be inaugurated by Retired Justice Sri Subhash B Adi. The former Vice Chancellor of Bangalore University, Dr K R Venugopal, will give a keynote address. Dr Kuldeep Kumar Raina, Vice Chancellor, MSR University, will preside. Dr V Vijayakumar, Advisor, MSR School of Law, will provide an overview of the global environment in data protection.
The event will witness discussions on the current status of the Indian law on Data Protection, the global laws of Data Protection and AI regulation, and the technical challenges posed by AI in compliance with DPDPA. The seminar will also discuss the Corporate Governance strategies for compliance, and sectoral challenges.
During the event, FDPPI will present a framework for compliance titled DGPSI-AI for “Taming the Twin challenges of DPDPA and AI”. A book of the same title authored by Naavi, the pioneer in the field, will also be released.
The event will be held between 9.00 am and 5.00 pm. More details of the event will be available at www.idps2025.in.


Program on 17th September 2025

 


Cyber Command Center to be created in Bangalore

The High Court on 10th September 2025 directed the State government to establish a fully functional and empowered Cyber Command Centre (CCC) to address the menace of digital crimes. It is stated that cyber crime complaints are now about 20% of the complaints received by the Police in Karnataka.

This has been a long felt need, often recommended by the undersigned in the early years of the Cyber Crime Police station, and now the Court under Justice Nagaprasanna has issued an order to set up the centre and also added that the officials posted in this centre should not be frequently transferred. The Court has also mentioned that political interference should be avoided.

The Court directed that all Cyber Crime investigations should be consolidated with the CCC to ensure uniformity, expertise and accountability. The control of the CCC will rest with a separate DIG and move away from CID. For the time being, it will function from the CID premises but all the 43 Cyber Crime Police stations in the State.

Following the order, the government has re-designated a senior IPS officer of 1994 batch – DGP, Internal Security Division (ISD), Police Computer Wing (PCW) and Cyber Crime & Narcotics (C&N), Pronab Mohanty as DG, Cyber Command. This will be the first such unit in India.

The CCC will have four wings, namely:

  1. Cyber Crime Wing – Handles complaints, registers cases, and investigates cyber fraud, financial scams, and hacking incidents.
  2. Cyber Security Wing – Tracks and prevents hacking of bank accounts, social media, and critical software systems.
  3. IDTU Wing (Information, Detection, Tracking Unit) – Focuses on tracing cybercriminals through IP addresses, geolocation, and data sourced from social media platforms.
  4. Training, Capacity Building & Awareness Wing – Provides advanced training for cyber officers, enhances technical skills, introduces new technologies, and runs public awareness programs for citizens and students.

These developments followed a petition filed in December by a company, Newsspace Research and Technologies Pvt. Ltd., against some of its former employees for allegedly stealing confidential data. In the past there have been several such complaints, but the Judge in this case, Honourable Justice Nagaprasanna, set up an SIT for investigation, which has now evolved into the CCC.

The credit goes to the Judge and not to the political leadership of the State.

We suppose such CCCs will emerge in all other states and eventually, a National CCC should evolve taking Cyber Crime investigation and prosecution to a different level.

Hope Mr Amit Shah takes note of these developments and encourages other states to follow the example.

Naavi

 


The dangers of BYOAi

Every day we get some new development in the AI world. We are all enthusiastic about the potential of AI in increasing the productivity of our organizations. Many SMEs/MSMEs, and perhaps even the bigger organizations, are restructuring their manpower to use AI for reducing costs. Some believe that an agentic AI force can replace whole teams of employees for a given task.

The capability of AI is certainly visible in accomplishing some of our routine tasks in a fraction of a second.

However, another risk which we are viewing is the tendency of some employees to jump the gun and start using AI tools for improving their personal productivity, creating their own personal AI agents. Some employers may be encouraging this and some may not even be aware.

This BYOAi or “Bring your own AI” tendency, which is sometimes referred to as Shadow AI, is a new threat vector for organizations.

While we at FDPPI are launching DGPSI-AI as an extended framework of DGPSI to assist organizations to mitigate the AI risk, it is necessary to first appreciate the extent of the AI risks that are silently overcoming us.

In a recent compilation by an AI enthusiast, Mr Damien R Charlton, more than 358 legal cases involving AI hallucinations were tracked. This included 227 cases in USA, and 28 each in Israel and Australia. At a time when many were arguing that Courts can be replaced with AI and that the AI tool is more honest than the dishonest Judiciary, the recent developments in observed hallucinations and rogue behaviour of AI have driven home a sense of caution.

A detailed analysis of these 358 cases is required to be attempted separately. But monetary sanctions have been indicated in many cases, though the amount is only in thousands and has not reached the millions and billions of dollars seen in GDPR and Competition Acts around the world. There have been public reprimands and warnings in most cases.

The highest penalty appeared to have been levied in “Crypto Open Patent Alliance v Wright”, amounting to 100,000 GBP, stating “documents, which .. bore the stamp of having been written using an AI engine, contained a series of falsehoods,”

There were several other penalties, such as GBP 24727 imposed in Bandla v Solicitors Regulation Authority (UK High Court, 13th May 2025), USD 31100 in Lacey v State Farm General Insurance (California District Court, 6th May 2025) and 7925 in In re Boy, Appellate (Court of Illinois, July 21, 2025), both for filing fabricated case laws.

These indicate that AI does lie and fabricate outputs and develops content which is not reliable in responsible usage. Hence placing reliance on AI is extremely risky and replacing humans with AI an unwise move.

It is for this reason that DGPSI-AI considers AI risk an “Unknown” risk that should be considered as Significant risk. All users of AI for personal data processing should be considered as “Significant Data Fiduciaries”. They need to designate DPOs, conduct a DPIA and organize an annual data audit.

Considering these developments and the unstoppable growth of AI, data auditors in India need to equip themselves with not only the knowledge of DPDPA but also of AI, to some extent at least, to detect the use of AI and collect evidence of human oversight, possible hallucination etc. The data auditors also need to verify if any of the employees or their own use AI. In the Ethical declarations signed by employees, a disclosure of such usage should also be considered mandatory.

Naavi

 
