DPDPA Rules… Data Breach Notification

Rule 7 of the draft DPDPA Rules prescribes that on becoming aware of any “Personal Data Breach”, the Data Fiduciary shall, to the best of its knowledge, intimate the information of the breach to each affected Data Principal. Similarly, the DPB shall be informed without delay, and subsequently, within 72 hours, further details of the breach shall be furnished.

It is necessary to recognize that there are cases of false alarms, and incidents that may begin as whistle-blowing reports which, if confirmed, become breaches but could also turn out to be false.

Hence the report to be submitted immediately should be termed “Provisional”. The confirmed report filed within 72 hours may be called the “Personal Data Breach Report”.

Further, some “Personal Data Breaches” recognized as such under the definition in DPDPA 2023 may involve infringement of Data Principal rights without any exfiltration or “loss” of personal data from the custody of the data fiduciary (e.g. when access to data is compromised within the organization, from one employee to another).

These are not as harmful as data breaches involving exfiltration or modification of data.

This has to be factored into the definition of “Personal Data Breach”.

Hence there is a need to recognize three categories of personal data breaches, namely:

  1. Provisional Data Breach
  2. Personal Data Breach not resulting in exfiltration or modification of data
  3. Personal Data Breaches resulting in exfiltration or modification of data

The rules should treat these differently.

It is necessary to recognize that every personal data breach involving loss of or damage to data creates a liability under Section 43 of ITA 2000, and is also a data breach reportable under the CERT IN guidelines, even after the repeal of Section 43A.

There should be a process where the DPB and CERT IN act in harmony in dealing with a Personal Data Breach report. Since CERT IN already has an infrastructure to provide technical guidance on remediation, there is no need to duplicate that effort at the DPB. Regulatory investigation of a technical nature, if required, should be left to CERT IN and its findings adopted by the DPB. For this purpose, a “DPB-CERT IN Data Breach Investigation Policy” should be created by MeitY, which may specify that the ITA 2000 Compliance Manager and the DPDPA Compliance Manager designated by MeitY shall jointly resolve any Personal Data Breach related conflicts between CERT IN and the DPB.

Alternatively, changes should be notified under ITA 2000 stating that CERT IN would refrain from investigating cases which are taken up for investigation by the DPB under DPDPA 2023. This would, however, require additional technical investigation capabilities to be built up by the DPB.

There is a need to recognize that the DPB would be more interested in identifying non-compliance with the law which may affect the rights of the data principal, and hence would want to track even those personal data breaches which do not result in exfiltration of data causing irreversible damage to the data principal. CERT IN, on the other hand, is more interested in the prevention of cyber crimes and hence is focussed on data breaches involving exfiltration of personal data.

Hence there is a need for a simultaneous change in the CERT IN rules relating to data breaches while these rules are being notified.

Additionally, there is a need to build a knowledge base of data breaches occurring in India so that the DPB is aware of how the industry is addressing the issue. Hence, under the powers of Section 36, MeitY may gather information on data breaches that have already occurred, though no penalties may be imposed for them.

In view of the above, the following suggestions may be made.

  1. A Provisional Personal Data Breach shall be reported only to the DPB, immediately on becoming aware of it. A confirmed data breach involving exfiltration or modification of personal data shall be reported to the data principal as soon as the data fiduciary becomes aware of the “Confirmed Data Breach”.
  2. All data breaches recorded since 11th August 2023 may be reported to the DPB under the powers of Section 36 of DPDPA 2023.
  3. A detailed report, within 72 hours or such extended time as may be allowed, shall be submitted to the DPB as proposed.
  4. A notification on the website of the Data Fiduciary that a report has been sent to the DPB should be mandatory.

A link to the detailed report should be sent to the Data Principals through e-mail or SMS where available.

Posted in Cyber Law

Privacy Mitra Objectives

The Privacy Mitra Yojana of FDPPI intends to work on both dimensions of creating a Privacy Culture amongst the Indian Citizens and Compliance Culture amongst the Data Fiduciaries.

In India, Privacy is a new concept. At present only the elite speak of Privacy. For others, the “Right to Privacy” is still not a priority. While people understand the adverse effect of a cyber crime, they do not fully comprehend the adverse impact of a Privacy infringement.

There is therefore a need for building a Privacy Culture in the society for the intentions of DPDPA to succeed.

At the same time, corporates are also complacent, because compliance has a cost and everybody is short of resources for compliance. Most companies therefore think that they can wait till somebody else gets fined to understand how the DPB is likely to function.

In the midst of the reluctance of companies to take compliance seriously, and the inability of data principals to fight for their rights, the DPDPA as a law is in danger of becoming a paper tiger.

FDPPI therefore considers it its responsibility, as a full-service agency, to create awareness of Privacy in the community and build a compliance culture in companies before it can deliver its training programs, certifications, implementation consultancy, audit and assessment.

Towards this goal, FDPPI is now trying to build an all-India cadre of committed Privacy enthusiasts to work on both the public front and the corporate front.

In particular, FDPPI invites academic institutions to come forward and have their student community take up social projects involving creation of awareness of what Privacy is, why it is important, and how data principals need to be vigilant to protect the Privacy rights granted to them by DPDPA as a law.

We invite volunteers to join the movement in large numbers to develop the Privacy Compliance market in India, which is good for society and also creates new opportunities for employment and business.

Be in touch with FDPPI and contribute your thoughts in this regard.

Naavi

Posted in Cyber Law

Be a “Privacy Mitra”

Recognizing the need for a nationwide movement to create awareness about Privacy and DPDPA compliance, FDPPI has initiated a new project called Privacy Mitra Yojana (Friends of Privacy Project) to build an army of young volunteers to spread the knowledge of Privacy.

Students from law colleges as well as professionals are invited to register themselves at FDPPI.

Educational institutions, professional bodies, companies and individuals who are interested in this National Privacy Mission of FDPPI are invited to contact FDPPI.

Let us together build a Privacy-conscious society in India.

Naavi

Posted in Cyber Law

Interview in Quatrohive.com

Posted in Cyber Law

DPDPA Rules.. Draft Recommendations from Naavi.org

The draft DPDPA Rules were published by MeitY with time for public comments up to 18th February 2025.

While discussions continue in the public space, and FDPPI in association with Trust Law has organized a discussion on February 8 with an invited audience in Bangalore, Naavi.org has prepared a draft of comments to be submitted to MeitY. Before the 18th there will be other discussions as well, and the public may form further views on the submission of comments, either directly or through other organizations.

In order to stimulate thought in this regard, we are sharing a copy of the draft comments prepared by Naavi.org and submitted for discussion to FDPPI. Any comments received here will be considered for inclusion.

General Comments:

The law of DPDPA 2023 is already in place and is immutable at this point of time. It is noted that the current exercise is only for fine-tuning of the published draft rules.

Hence our comments presume that the law as notified stands as the fundamental document of reference, and the comments relate only to the draft rules, as far as they are considered feasible under the enacted law.

It is recognized that in the event of any rule exceeding the basic character of the provision of the law to which it refers, there could be a challenge to the legal validity of the rule as being ultra vires the law.

For the same reason, it is expected that the rules should be brief, precise and cover only the essential clarifications, without detailing in the manner of a checklist or recommending any specific tool or technology for implementation.

It is understood that the industry would exercise due diligence in implementing the law along with the minimum detailing available in the rules. If and when the industry is negligent and does not observe due diligence, the consequences would reflect in the decisions of the inquiry following the registration of a complaint or a suo motu inquiry.

Clause By Clause Comments

A detailed clause-by-clause comment on all 22 rules is presented in the form of a separate document here:

Draft Comments on DPDPA Rules from naavi.org

Naavi

Posted in Cyber Law

“National Personal Data Archive” needs to be created

In implementing DPDPA 2023, and cleaning up the past unregulated collection of personal data by organizations, the Act has prescribed that consent should be obtained even for the legacy personal data collection of a data fiduciary. In such cases there could be a large number of data principals who return neither a valid consent to continue processing nor a decision to withdraw consent. Such personal data is “orphaned for lack of consent” and needs to be purged within a reasonable time.

While ITA 2000 implies that such data should be deleted within one year, the draft DPDPA Rules 2025 seem to indicate possible retention for 3 years in specific cases such as large Social Media Intermediaries, Gaming Intermediaries or E-Commerce entities.

There are specific legal requirements for the retention of data for long periods after its processing because of other legal provisions, such as in the Banking or Health sectors. In such cases the data simply remains in storage, to be retrieved only in very exceptional circumstances. During this period, however, the data remains vulnerable to theft and misuse, creating a burden for the data fiduciary. Additionally, data in the hands of a data fiduciary may also be “evidence” in a legal proceeding and therefore cannot be deleted till the dispute is settled in Court.

The retention of data by a data fiduciary when it is no longer required for processing is a security burden, and hence it would be good to ensure that such data is deleted.

When data is required for research purposes, it may be anonymized, de-identified or pseudonymised.

In all other cases the data remains a potential risk for the data fiduciary and has to be encrypted and kept safely.
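The pseudonymisation mentioned above for data kept for research is easy to get wrong: replacing an e-mail address or phone number with a plain SHA-256 hash is not pseudonymisation, because anyone can recompute the hash over a list of likely inputs and recover the identifier. The following is an added example, not code from naavi.org or FDPPI, that pseudonymises a set of constructed sample records with a keyed HMAC and shows the enumeration attack succeeding against the unkeyed hash but failing against the keyed pseudonym. It assumes records are dicts with one direct identifier field (here "email") plus research fields, and that the HMAC key is held by the data fiduciary separately from the pseudonymised data set.

```python
"""Keyed pseudonymisation of orphaned personal data retained for research.

Added example; not code from naavi.org or FDPPI. Assumptions: each record
is a dict with one direct identifier ("email") and some research fields,
and the HMAC key is stored apart from the pseudonymised records.
"""
import hashlib
import hmac
import secrets

# Constructed sample records (no real data principals).
SAMPLE_RECORDS = [
    {"email": "asha@example.in", "city": "Bengaluru", "age_band": "30-39"},
    {"email": "ravi@example.in", "city": "Mysuru", "age_band": "40-49"},
    {"email": "asha@example.in", "city": "Bengaluru", "age_band": "30-39"},
]


def plain_hash(value: str) -> str:
    """Unkeyed SHA-256. Anyone can recompute it, so it is NOT a pseudonym."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym: stable under one key, unlinkable across keys."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes, identifier: str = "email"):
    """Return copies of the records with the identifier replaced by a pseudonym.

    The same identifier maps to the same pseudonym under the same key, so a
    researcher can still count distinct principals without seeing who they are.
    """
    out = []
    for rec in records:
        copy = dict(rec)
        copy["pseudonym"] = keyed_pseudonym(copy.pop(identifier), key)
        out.append(copy)
    return out


def reverse_by_enumeration(digest: str, candidates):
    """Dictionary attack: recover the input of an unkeyed hash by guessing.

    Succeeds against plain_hash() output whenever the input space is small
    or guessable (phone numbers, e-mail lists), which is why hashing alone
    does not pseudonymise personal data.
    """
    for cand in candidates:
        if plain_hash(cand) == digest:
            return cand
    return None


def demo():
    key = secrets.token_bytes(32)  # kept by the fiduciary, not archived with the data
    pseudo = pseudonymise(SAMPLE_RECORDS, key)
    guesses = [r["email"] for r in SAMPLE_RECORDS]  # attacker's candidate list
    return {
        "distinct_principals": len({p["pseudonym"] for p in pseudo}),
        "identifier_removed": all("email" not in p for p in pseudo),
        "plain_hash_reversed": reverse_by_enumeration(
            plain_hash("asha@example.in"), guesses),
        "keyed_reversed": reverse_by_enumeration(
            pseudo[0]["pseudonym"], guesses),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would want noted. First, this is pseudonymisation, not anonymisation: whoever holds the key can re-identify every record, so the key must be stored and access-controlled separately from the data set, and destroying the key is the effective erasure step. Second, the remaining fields (city, age band) are quasi-identifiers; pseudonymising the direct identifier does nothing about re-identification by combining those, which is a separate de-identification exercise.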

Sometimes, data of deceased persons, with or without nomination, may also remain “unclaimed”.

In order to address all such instances, it is considered necessary for the Government to create a “National Personal Data Archive” and enable the depositing of all deleted personal data by data fiduciaries. Part of this may be “Unclaimed Personal Data” and part of it may be “Required for Legal Necessities”.

Such data should be properly indexed and should be retrievable at a later date if the data principal wakes up from slumber and claims it as his lost property.

This archive will ensure that “History is not destroyed” in the guise of “Right to Forget” or “Right to Erasure” and that the nation preserves the value of all data created in India for whatever it is worth including supporting the Indian AI development.

Comments are welcome

Naavi

Posted in Cyber Law