“National Personal Data Archive” needs to be created

In implementing the DPDPA 2023 and cleaning up the past unregulated collection of personal data by organizations, the Act prescribes that “Consent should be obtained even for the legacy personal data collection of a data fiduciary”. In such cases there could be a large number of data principals who return neither a valid consent to continue processing nor a decision to withdraw consent. Such personal data is “Orphaned for lack of consent” and needs to be purged within a reasonable time.

While ITA 2000 implies that such data should be deleted within one year, the DPDPA Rules 2025 seem to indicate possible retention for 3 years in specific cases such as large Social Media Intermediaries, Gaming Intermediaries or E-Commerce entities.

There are specific legal requirements for retention of data for long periods after its processing because of other legal provisions, such as in the Banking or Health sector. In such cases the data simply remains in storage, to be retrieved only in very exceptional circumstances. However, during this period the data remains vulnerable to being stolen and misused, creating a burden for the data fiduciary. Additionally, data in the hands of a data fiduciary may also be “Evidence” in a legal proceeding and therefore cannot be deleted till the dispute is settled in the Court.

The retention of data by a data fiduciary when it is no longer required for processing is a security burden and hence it would be good to ensure that such data is deleted.

When data is required for research purposes it may be anonymised, de-identified or pseudonymised.

In all other cases the data remains as a potential risk for the data fiduciary and has to be encrypted and kept safely.

Sometimes data of deceased persons, with or without nomination, may also remain “Unclaimed”.

In order to address all such instances, it is considered necessary for the Government to create a “National Archival of Personal Data” and enable the deposit of all deleted personal data by the data fiduciaries. Part of this may be “Unclaimed Personal Data” and part of it may be “Required for Legal necessities”.

Such data should be properly indexed and should be retrievable on a later day if the data principal wakes up from slumber and claims it as his lost property.

This archive will ensure that “History is not destroyed” in the guise of “Right to Forget” or “Right to Erasure” and that the nation preserves the value of all data created in India for whatever it is worth including supporting the Indian AI development.

Comments are welcome

Naavi

Posted in Cyber Law | Leave a comment

Mapping of Section 40 of DPDPA 2023 with Rules

Mapping of Section 40 to the Draft Rules notified on January 3, 2025

Sl No | Section 40 | Description | Draft Rule
1 | (a) | the manner in which the notice given by the Data Fiduciary to a Data Principal shall inform her, under sub-section (1) of section 5; (purpose) | 3
2 | (b) | the manner in which the notice given by the Data Fiduciary to a Data Principal shall inform her, under sub-section (2) of section 5; (Rights) | 13
3 | (c) | the manner of accountability and the obligations of Consent Manager under sub-section (8) of section 6; | 4
4 | (d) | the manner of registration of Consent Manager and the conditions relating thereto, under sub-section (9) of section 6; | 4
5 | (e) | the subsidy, benefit, service, certificate, licence or permit for the provision or issuance of which, personal data may be processed under clause (b) of section 7; | 5
6 | (f) | the form and manner of intimation of personal data breach to the Board under sub-section (6) of section 8; | 7
7 | (g) | the time period for the specified purpose to be deemed as no longer being served, under sub-section (8) of section 8; | 8
8 | (h) | the manner of publishing the business contact information of a Data Protection Officer under sub-section (9) of section 8; | 9
9 | (i) | the manner of obtaining verifiable consent under sub-section (1) of section 9; | 10
10 | (j) | the classes of Data Fiduciaries, the purposes of processing of personal data of a child and the conditions relating thereto, under sub-section (4) of section 9; | 11
11 | (k) | the other matters comprising the process of Data Protection Impact Assessment under sub-clause (i) of clause (c) of sub-section (2) of section 10; | 12
12 | (l) | the other measures that the Significant Data Fiduciary shall undertake under sub-clause (iii) of clause (c) of sub-section (2) of section 10; | 12
13 | (m) | the manner in which a Data Principal shall make a request to the Data Fiduciary to obtain information and any other information related to the personal data of such Data Principal and its processing, under sub-section (1) of section 11; | 13
14 | (n) | the manner in which a Data Principal shall make a request to the Data Fiduciary for erasure of her personal data under sub-section (3) of section 12; | 13
15 | (o) | the period within which the Data Fiduciary shall respond to any grievances under sub-section (2) of section 13; | 13
16 | (p) | the manner of nomination of any other individual by the Data Principal under sub-section (1) of section 14; | 13
17 | (q) | the standards for processing the personal data for exemption under clause (b) of sub-section (2) of section 17; | 15
18 | (r) | the manner of appointment of the Chairperson and other Members of the Board under sub-section (2) of section 19; | 16
19 | (s) | the salary, allowances and other terms and conditions of services of the Chairperson and other Members of the Board under sub-section (1) of section 20; | 17
20 | (t) | the manner of authentication of orders, directions and instruments under sub-section (1) of section 23; | 18
21 | (u) | the terms and conditions of appointment and service of officers and employees of the Board under section 24; | 20
22 | (v) | the techno-legal measures to be adopted by the Board under sub-section (1) of section 28; | 19
23 | (w) | the other matters under clause (d) of sub-section (7) of section 28; | 
24 | (x) | the form, manner and fee for filing an appeal under sub-section (2) of section 29; | 21
25 | (y) | the procedure for dealing an appeal under sub-section (8) of section 29; | 21
26 | (z) | any other matter which is to be or may be prescribed or in respect of which provision is to be, or may be, made by rules… including who is a Significant Data Fiduciary | 1, 2, 6, 14, 22

It may be observed that all the rules notified may be mapped to one of the sub-sections of Section 40. While some of the rules have schedules for more details, some rules are just a reproduction of the specific section of the Act.

Rule 6 about “Reasonable Safeguards”, Rule 14 about “Transfer of data outside India” and Rule 22 about officials to be appointed for certain purposes are linked to “Any other matter”. Of these, there could be some grumbling about whether “Data localisation” is being brought in through the rules. This is one of the sensitive aspects of the rules, since industry wants a free hand to transfer personal data collected in India outside the country, including for AI learning and targeted advertising. However, Section 16 of the Act can be considered as supporting this aspect.

The Schedule under Rule 22 provides for the means to declare any data fiduciary as a “Significant Data Fiduciary” and covers one of the gaps in the earlier draft version of the rules.

All the 22 rules may perhaps be considered “necessary”. We may continue to comment on each of the rules as to whether the detailing is “Sufficient or Excessive”.

Naavi


Rules should not be Ultra-Vires the DPDPA 2023.

Ever since the Government of India notified the draft rules for DPDPA on January 3, 2025, there have been hectic discussions in industry circles about understanding the rules and also suggesting changes. It is understood that more than 6000 comments have already been received by the MeitY and obviously many more will be received before 18th February 2025, which is the last date fixed for filing of public comments.

Under these circumstances, the demand of one section of the industry that more time is required for filing the comments and the last date for submission should be extended is meaningless. We therefore hope that the consultation process will end on 18th February 2025 and MeitY will release the final version of the rules shortly thereafter.

A large number of discussions in industry fora tend to demand that the MeitY should give a checklist of how to comply with the law so that compliance can be simplified and automated. Industry, bitten by the AI bug, wants a DPDPA Compliance algorithm which at the click of a button will generate a DPDPA Compliance structure for their company. While the new generation of AI tools can generate a well drafted DPDPA Compliance policy for an organization at the click of a button, since DPDPA Compliance is a “Legal Compliance”, automation will have its own limitations in arriving at a human-like compliance structure.

Further, “Compliance” does not end with the generation of some 20-30 policies which are taken on record by a company. They have to be converted into practice, for which a “DPDPA Compliance Culture” is required to be developed across all the members of the workforce of an organization and its business associates. Hence human intervention in compliance would be essential, and this does not happen with “Automation”.

At present, companies are using all their clout to convince the MeitY to convert the rules into a “Check List” so that they can make their compliance work easy. The public consultations where there are representatives of the MeitY are therefore often used as a means of convincing the Government that a point by point “To Do List” should be released as the Rules.

The Government seems to be well aware that if it falls into this trap there will be possibilities of some rules being termed “Ultra-Vires the Act” and a potential legal challenge may emerge to the entire set of rules. Big Tech, which is at the forefront of such litigation, is perhaps already in the process of drafting its objections, whether on the infeasibility of “Verifiable Parental Consent” or “Data Localization” or any other provisions, to claim that the rules are “Vague”, “Impractical”, “Killing innovation”, “Causing a Chilling effect on the industry” etc.

It would therefore be wise for the MeitY to avoid the trap by adopting a “Risk Avoidance” strategy and releasing only such rules as are necessary and mandated by the DPDPA 2023, and nothing more. Just as we say that data should be shared on a “Need to Know basis” to reduce the risk, it is recommended that MeitY may notify only such rules as fit the criteria of “Need to Notify” and avoid excessive clarification.

Since whatever notifications or advisories come from the MeitY directly will be considered “Subordinate Legislation”, they will be used in Courts to defend disputed compliance.

It is often seen in ITA 2000 disputes that the defendant companies say “I have an ISO 27001 certificate and hence I am in deemed compliance of Section 43A of ITA 2000 and hence should not be held liable for any negligence”. Similarly, any announcement by MeitY, through a notified rule or an advisory, that certain compliance may be achieved by some XYZ method becomes subordinate legislation.

For example, if MeitY says that Personal Data may be anonymized with the use of Technology A, then Technology A becomes the “Deemed Compliance” for anonymisation and will be used in defence at the Courts even though it might have failed to protect against a given data breach.

Hence one of the first principles that the MeitY should adopt is that “Law is already there and the Rules can only be made as required under the Law” and nothing more. It is for the industry to find ways of complying with what the law intends and to defend its means in the Courts when a dispute arises.

The outer boundary of the rules should therefore be Section 40 sub-sections (a) to (z).

In the next article, let us explore these 26 sub-sections of Section 40 as the limitations the Law prescribes on rule making, try to map them to the 22 rules presently notified, and see where there is a risk of the rules being “Ultra-Vires”.

Naavi


Personal Data Monetization and Privacy…The challenge

It is a common perception that Privacy and Personal Data Monetization cannot co-exist. GDPR is normally considered the extreme left-of-centre approach to Privacy and would take a strong view against Personal Data Monetization. The US takes a slightly more liberal approach, more favourable to industry, with permitted data brokers and selling of personal data.

India needs to find a midway and the solutions have to be found within the framework of DPDPA 2023 and the forthcoming rules.

While we are set to discuss this topic in today’s seminar in Bengaluru as part of the International Data Privacy Day celebration at Infosys, some brief thoughts on the topic are shared here.

Monetization as a Concept may be defined as “Conversion of Data into a monetary value in cash or kind and includes processes preparatory to conversion of data into a financial reward for an organization”.

In other words, the term “Monetization” is not limited to “Sale of a set of Personal Data” for cash. Even profiling of an individual which may later be used for advertising by the same organization should be considered “Monetization”. If the advertising is provided as a service to other organizations, it is obviously equivalent to “Monetization by Sale”.

In view of this, the use of Google Ads itself is to be termed “Monetization”.

However, most advertising is done on the basis of a “De-identified” or “Anonymised data principal”, in which case there may be a debate on whether we need to be liberal and not consider “Anonymised profiling” as monetization. This view will hold if we are prepared to agree that “Meta Data” without the associated identity of a data principal is not “Personal Data”. This too is a debatable view, particularly with the GDPR mindset.

We must understand that “Monetization” has to be viewed as part of a legitimate business as long as there is no infringement of Privacy. However, for targeted advertising the identity of the data principal is required, and hence anonymous profiling and advertisement based on such anonymised profiling would not suffice.

On the other hand, given a proper consent, a data principal should be capable of permitting the use of his personal data for marketing, with or without consideration. Without such freedom, the exploitation of privacy will continue surreptitiously and as “Dark Patterns”. Transparent disclosure followed by an explicit consent is therefore the solution to “DPDPA Compliant Monetization”.

This sort of “Consent to Monetize” is recommended under the DGPSI framework, supported by a “Data Monetization Policy”. Such consent can also be considered a “Special Consent” and, along with “Consent for discovery of purpose”, can be mandated with a higher degree of diligence such as “Witnessing the Consent”.

Technology solutions may not be available at this point of time for “DPDPA Compliant Consent”, but they are under development in the Naavi laboratory itself and will be released in due course.

Let us discuss these and other global practices during the seminar today…

Naavi


Data Privacy Week at FDPPI

With International Privacy Day today being celebrated in many professional fora in India, it has been a busy week for Naavi and FDPPI.

Having just completed the three-day C.DPO.DA. training in Mumbai from 24th to 26th January, along with a Republic Day celebration in the Mumbai hotel, and rushed back to Bangalore, we had the International Privacy event with the European Federation of Data Protection Officers on AI.

Today we have an event at Infosys in Bangalore, followed by a virtual session in the evening organized for global professionals.

More to follow on 30th…

It has been a virtual flood of events related to Privacy, indicating the buzz that the publication of the draft DPDPA Rules has created.

Interesting days are ahead of us…

Good wishes to all Privacy and Data Protection professionals on this International Data Privacy Day.


Open AI Challenges Indian Law

In a case of significant importance, Open AI, like Meta and Google, has become one more global tech company to challenge the sovereignty of Indian laws. It is disturbing to note that Open AI is supported by Microsoft.

Open AI is facing a legal battle in the Delhi Court, where ANI has accused it of violating Copyright laws by lifting content from its published sources.

Open AI has given several defences one of which is that it is not subject to Indian jurisdiction.

As per this article in the Times of India, in an interesting defence, Open AI states that it is unable to remove the content as demanded because it is required to retain it under US law. In other words, it admits that it may have data which infringes the copyright, but since it is bound by the laws of the US and not India, it is not obliged to meet the demand of the petitioner.

The argument is nothing different from that of a thief who says “Don’t question my possession of stolen property because my mafia wants it to be retained.”

In a way Open AI has admitted to the copyright infringement, which in fact is an international obligation to which the US is also a party. We should recall the aggressive pursuit of the Dmitry Sklyarov case on Adobe E-Book software, where US courts arrested the Russian software professional. There are many cases on Jurisdiction where the US has fought and held that “If a local resident of the USA is adversely affected, the courts in the USA can exercise jurisdiction”.

The European Courts are already of the opinion that ChatGPT violates EU Privacy law.

In terms of operation, ChatGPT may also be forced to remove the disputed data from the active engine and archive it for the purposes of US law.

Hence the argument of ChatGPT is untenable and must be rejected.

Naavi
