Naavi.org

By Advocate Sri M G Kodandaram , IRS

Introduction

India’s e-commerce sector has experienced significant growth in recent years, establishing itself as a crucial contributor to economic development. However, despite this remarkable progress, the sector has long struggled with a lack of a comprehensive regulatory framework due to its fragmented and unorganized structure. This has led to various issues, including consumer deception and fraud resulting from inadequate compliance with consumer protection laws. Added to this, the frequent personal data breaches have created risks to consumers, as no dedicated regulation or Authority currently exists to safeguard personal data.

To establish order and accountability, the Ministry of Consumer Affairs, Food, and Public Distribution enacted the ‘ Consumer Protection (E-Commerce) Rules, 2020’ . While these regulations laid the groundwork for consumer rights and business accountability, they did not offer an all-inclusive governance model, leaving critical areas such as fair-trade practices, data security , which include personal data security , and ethical business conduct insufficiently addressed. Recognising this gap, the Bureau of Indian Standards (BIS) has circulated a ‘ Draft Indian Standard ‘E-Commerce – Principles and Guidelines for Self-Governance’ (herein after ‘ Guidelines ’ for brevity), which provide a structured approach to addressing the sector’s evolving challenges, for feedback from the stake holders. These Guidelines aim to enhance consumer confidence by ensuring transparency, preventing unfair business practices, and aligning e-commerce operations with existing data protection laws. Moreover, they emphasize self-regulation, thereby allowing businesses to implement responsible practices while reducing the need for stringent government oversight.

Significance of DPDP Act

In today’s digitally interconnected and rapidly evolving cyber society, safeguarding personal data has become a critical legal, ethical, and operational challenge for businesses, governments, and societies. Inadequate management of personal information often leads to unauthorized access, data breaches, identity theft, and misuse of sensitive data, which can be exploited for fraudulent activities or even sold on the dark web. Recognizing the significance of data security, governments across the globe are implementing comprehensive data protection laws to regulate the collection, processing, storage, and usage of personal information.

An important development in this regard is India’s Digital Personal Data Protection Act, 2023 (DPDP Act), which received presidential assent on August 11, 2023. The Draft DPDP rules 2025 are being circulated for necessary Public Consultations. The primary objective of this legislation is to establish a structured compliance and regulatory framework that governs the handling of digital personal data while ensuring transparency and accountability. Organizations handling Indian consumers’ data must reassess their internal policies, operational structures, and data governance frameworks to align with the new regulatory landscape.

The DPDP Act reflects the growing public consciousness regarding privacy rights and the ethical management of personal data. Compliance with this law is no longer a mere legal formality but a strategic necessity for businesses operating in India, particularly those in the e-commerce sector and other digital marketplaces.

This article critically examines whether the ‘ Draft Indian Standard Guidelines for Self-Governance ’ effectively integrate the important provisions of the DPDP Act and evaluates their strategic implications for shaping a robust e-commerce ecosystem. By doing so, it aims to provide insights into how companies can proactively adapt to the evolving data protection regime and establish trust-based digital ecosystems.

Draft Indian Standard -E-Commerce – Guidelines

As the e-commerce sector expands rapidly, it brings immense opportunities but also challenges related to consumer trust and protection. Establishing clear governance guidelines are essential for promoting fairness, transparency, and ethical business practices while preventing fraudulent activities. Recognizing this need, the BIS has circulated the drafts guideline standards to regulate online transactions effectively. These Guidelines define core principles applicable to various stages of an e-commerce transaction – pre-transaction, contract formation, and post-transaction responsibilities. Their primary aim is to nurture consumer confidence, ensure seller accountability, and maintain fair competition. By addressing critical areas such as seller verification, transaction security, product listings, grievance redressal, and anti-counterfeiting, these Guidelines provide a structured framework for ethical and transparent e-commerce operations in India.

Basic Regulations in the Guidelines

The pre-transaction phase emphasizes rigorous seller verification, requiring platforms to authenticate business credentials through Know Your Customer (KYC) procedures. Additionally, platforms must disclose their contact details and clearly define policies on cancellations, exchanges, and refunds, ensuring informed purchasing decisions.

During the contract formation phase, explicit consumer consent is mandatory, with pre-selected checkboxes prohibited. Secure payment mechanisms are crucial, ensuring compliance with financial regulations and transparency in service fees.

The post-transaction phase focuses on consumer protection, requiring compliance with the Consumer Protection Act, 2019. Platforms must establish a grievance redressal system accessible through multiple communication channels. Real-time order tracking via SMS and email is essential, along with strict return and refund policies, particularly for counterfeit goods.

Beyond transactions, the Guidelines enforce ethical e-commerce practices. Fair competition, counterfeit prevention, and transparent sponsored content are prioritized.

Addressing Digital Personal Data Security

The rapid expansion of e-commerce and the digital transformation necessitates a robust framework to ensure consumer protection, data security, and transaction integrity. The BIS draft guidelines are aimed at safeguarding digital personal data security. These guidelines outline a structured approach to consumer consent, transaction records, payment security, subscription transparency, data protection, and commercial communication.

• Express Informed Consent (Para 4.3.1): A fundamental principle of digital commerce is ensuring that consumers have control over their purchasing decisions. The BIS draft mandates that e-commerce entities must obtain explicit, informed consent from consumers before recording their agreement to purchase goods or services. Automatic consent mechanisms, including pre-ticked checkboxes, are strictly prohibited. This provision enhances consumer autonomy and prevents inadvertent purchases, thereby fostering a fair and transparent online marketplace.
• Transaction Record Maintenance (Para 4.3.4): Accountability in e-commerce transactions is critical for both consumers and businesses. The BIS draft requires e-commerce platforms to maintain complete, accurate, and durable records of all transactions. Consumers should have access to these records and be able to retain copies for the duration specified under applicable law. This measure ensures traceability, dispute resolution, and compliance with regulatory requirements, thereby strengthening consumer confidence in digital transactions.
• Payment Principles (Para 4.3.5): Secure and transparent payment processing is vital to the integrity of online commerce. The BIS draft mandates that e-commerce platforms must offer diverse payment methods, including credit/debit cards, mobile payments, e-wallets, and bank transfers, ensuring inclusivity for all users. Additionally, platforms must disclose all associated costs, such as processing fees, before the consumer finalizes the transaction. Security remains a top priority, with platforms required to implement encryption, two-factor authentication, and other fraud prevention measures.
• Recurring Charges and Subscription Transparency (Para 4.3.7): The BIS draft stipulates that e-commerce platforms must provide comprehensive disclosure on the duration, intervals, and exact amounts related to recurring payments. Consumers must also have a straightforward process to opt-out or cancel subscriptions at any time. In cases where terms and conditions, including pricing, are altered during the subscription period, consumers must be pre-informed, and continued service must require their express consent.
• Data Protection Measures (Para 4.5.2): The BIS draft establishes stringent data protection norms to ensure that consumer data is used exclusively for transaction facilitation or other explicitly disclosed purposes with consumer consent. E-commerce platforms, acting as data custodians (called as data fiduciary in DPDP Act) are prohibited from misusing data for commercial or alternative purposes. This reinforces consumer privacy and mitigates risks associated with unauthorized data exploitation.
• Unsolicited Commercial Communication (Para 4.5.3): The prevalence of unsolicited commercial communication has raised concerns about consumer privacy and digital harassment. The BIS draft mandates that all communication from e-commerce entities to consumers must be based on explicit consent or directly related to a transaction. Non-transactional communication must require an express opt-in from the consumer and include an option to cease such messages at any time. These provisions aim to curtail spam and intrusive marketing practices, ensuring that consumers retain control over their digital interactions.

For above specific guidelines refer Appendix to this article.

Fusion of DPDP Act Provisions in the Guidelines

Under the DPDP Act 2023, all e-commerce entities who process digital personal data qualify as data fiduciaries and are required to comply with its provisions. A review of the guidelines clearly indicates that they emphasize integrating the fundamental principles of the DPDP Act into business operations in India. Some of these key provisions are summarised below for reference.

• Data Collection and Consent Mechanisms: The BIS draft Guidelines emphasise the necessity of obtaining explicit user consent before collecting personal data, aligning with Section 6 of the DPDP Act, 2023, which mandates that consent must be free, specific, informed, unconditional, and unambiguous. E-commerce platforms must ensure that consumers are fully aware of how their data will be used, stored, and shared. The guidelines advocate for opt-in mechanisms where users must actively provide consent rather than relying on pre-checked consent boxes, mirroring the affirmative consent requirement under the DPDP Act.
• Data Storage and Protection Measures: The BIS guidelines require e-commerce platforms to adopt robust data security measures, which correspond with Section 8 of the DPDP Act, emphasizing the duty of data fiduciaries to implement appropriate security safeguards to prevent unauthorized access, data breaches, or misuse. Platforms must incorporate encryption techniques, secure cloud storage, and stringent access controls. Furthermore, the guidelines encourage businesses to store personal data within India, in alignment with Section 16, which outlines data localization norms to ensure better oversight and security.
• Consumer Rights and Data Access: The BIS draft guidelines support consumers’ rights to access, modify, and delete their personal data, in accordance with Section 12 of the DPDP Act, which grants individuals the right to correction, erasure, and access to their personal information. E-commerce platforms must provide user-friendly mechanisms that allow consumers to review their data and exercise their rights easily. This provision enhances transparency and ensures that users have greater control over their information, reinforcing the principle of data ownership under the DPDP Act.
• Third-Party (Processors)Data Sharing Regulations: Given the frequent data exchanges between e-commerce platforms and third-party entities like advertisers, service providers, and analytics firms, the BIS guidelines impose strict data-sharing regulations. These align with Section 6 of the DPDP Act, which mandates explicit user consent before sharing personal data with third parties. Moreover, under Section 8, data fiduciaries must ensure that third-party recipients (processors) adhere to the same data protection obligations as the primary data fiduciary. This prevents unauthorized data processing and ensures a uniform standard of data protection.
• Data Breach Notification and Response Mechanisms: To minimize the impact of data breaches, the BIS draft guidelines require e-commerce platforms to follow stringent notification protocols. This requirement corresponds to Section 8(6) of the DPDP Act, which obligates data fiduciaries to notify affected users and the Data Protection Board in case of a personal data breach. Additionally, businesses must establish incident response mechanisms, including risk assessments and remedial measures, to prevent future breaches and ensure accountability.
• Grievance Redressal Mechanisms: To enhance consumer trust, the BIS guidelines mandate that e-commerce platforms establish effective grievance redressal mechanisms, reflecting Section 13 of the DPDP Act, which requires the appointment of a grievance officer to handle user complaints. Companies must set up dedicated customer support channels such as helplines and online portals and resolve complaints within a time-bound framework, ensuring swift action on data security and service-related grievances.

Enhancing Data Security Under Guidelines and DPDP Act

To ensure the seamless implementation of the BIS draft guidelines and strengthen digital personal data protection, some of the following strategic measures can be adopted:

• Stakeholder Engagement and Industry Collaboration: Actively involving industry leaders, consumer advocacy groups, and policymakers can help refine the guidelines and address practical challenges in implementation.
• Leveraging Advanced Technologies for Data Security: Promoting the integration of artificial intelligence, blockchain, and other emerging technologies can enhance data protection frameworks and minimize security risks.
• Regular Audits and Compliance Monitoring: Conducting periodic audits, risk assessments, and compliance checks will ensure continued adherence to regulatory norms under Guidelines and DPDP Act and boost consumer trust.
• Consumer Awareness and Digital Literacy Programs: Both the government and private sector should undertake initiatives to educate consumers about their data rights, security practices, and responsible digital behaviour, promoting a culture of data protection.

These measures, aligned with the DPDP Act, 2023, will contribute to a more secure and privacy-centric e-commerce ecosystem in India.

Conclusion

The BIS draft Guidelines for e-commerce align closely with the DPDP Act, 2023, reinforcing digital personal data security, transparency, and consumer rights. By addressing key aspects such as data collection, storage, third-party sharing, and breach response, these guidelines lay the foundation for a more secure and ethical digital marketplace. While challenges in implementation remain, proactive collaboration between regulators, businesses, and consumers will be crucial in ensuring compliance and cultivating trust. As India continues to refine its digital data protection framework, these guidelines serve as a critical step toward responsible and sustainable e-commerce growth.

Mr. M. G. Kodandaram,

Appendix: Extracts from Draft Indian Standard (WC Draft) (For comments only) E-COMMERCE- PRINCIPLES AND GUIDELINES FOR SELF-GOVERNANCE

Para 4.3.1 Express Informed Consent

Every e-commerce entity shall only record the consent of a consumer for the purchase of any good or service offered on its platform where such consent is expressed through an explicit and no such entity shall record such consent automatically, including in the form of pre-ticked checkboxes.

Para 4.3.4 Transaction Record

E-commerce entities shall maintain a complete, accurate and durable record of every transaction carried out on its platform and shall enable the consumers to access and retain a copy of their particular record for such time as required under applicable law.

Para 4.3.5 Payment Principles

E- commerce platforms shall strive to offer a variety of payment methods that are accessible to all users irrespective of the type of product or seller chosen by the user, including credit/debit cards, mobile payments, e-wallets, and bank transfers. While choosing the mode of payment all the associated costs including processing charges, shall be disclosed to the consumer.

E-commerce platforms shall ensure that payment transactions are secure and protected from fraud and other security breaches through the use of encryption, two-factor authentication, and other security measures. E-commerce platforms shall comply with all relevant laws and regulations related to payment processing, including data protection and privacy laws, anti- money laundering regulations, and other financial laws.

Para 4.3.7 Recurring Charges and Subscriptions

Any payment option or transaction involving a specified recurring charge, automated repeat purchases, transaction renewals or a subscription contract ‘Recurring Obligations’, shall carry a full disclosure on the specific duration, intervals, and exact amount in relation to the Recurring Obligations, as well as information, and a clear, accessible process to opt-out from or cancel such Recurring Obligations at any time before or during the tenure/currency of such subscription.

If a customer has subscribed for a stated period, any changes in the terms and conditions including any changes in price, quantity, service conditions shall be pre-informed to the consumers and shall be continued after the express consent of the consumer. In case the consumer seeks to discontinue the subscription due to a change in the terms and conditions, he shall be permitted to do so. Any subscription services provided by the E-commerce platform shall be the responsibility of such platform.

Para 4.5.2 Data Protection

E-commerce entities shall ensure that it complies with all applicable laws in relation to data protection. Specifically, they shall ensure the following:

1. All personal data collected from a consumer, at any time, shall be used solely for the purpose of facilitating transactions on the platform, and for such other purposes that are disclosed to the consumer at the pre-transaction stage and for which he has given express consent; and
2. As a custodian of the data, every marketplace platform shall ensure that there is no misuse of data for any other commercial or alternative use.

Para 4.5.3 Unsolicited Commercial Communication

E-commerce entities shall ensure compliance with all applicable law pertaining to commercial communications, including the following:

1. All communication originating from the e-commerce entity to the consumer shall be made only with the express consent of the consumer, or in relation to a transaction made by the consumer on the platform.
2. All non-transactional communication originating from the e-commerce entity to the consumer shall be on the basis of an express opt-in by the consumer and shall be accompanied with an option to silence or cease such communications.

Today I received a query on DPDPA 2023 on Linked In. Since this could be interesting for others as well, I thought of answering this here in detail.

The query was ..

“I want your insight on how relationship between data fiduciary, consent manager and data principal would prevail (how is consent manager approached and by whom) under DPDP Act, 2023?“

The short answer to the above is that the Consent Manager is also a data fiduciary and provides certain services related to “Giving”, “Managing”, “Reviewing” and “withdrawing” of consent on behalf of the data principal to the principal data fiduciary. We may consider him as a “Joint Data Fiduciary”. To the data principal he is an agent. Ideally he is approached by the data principal for the services. The data fiduciary is only the user of the services rendered by the consent manager in behalf of a data principal. Consent Manager is not an agent of the Principal Data Fiduciary nor an employee.

However, in view of the confusion that prevails in the community and my own disagreement with the interpretation of the MeitY itself on this aspect, I would like to expand my answer and invite a debate. I also invite the MeitY to consider these views and make necessary corrections in the rules to justify their current interpretation.

P.S: I think this is a moment similar to my Jurisprudential interpretation related to Section 65B of Indian Evidence Act when ITA 2000 was introduced where for 14 years I held and justified a contrarian opinion to the community until it was validated by the Supreme Court judgement in the case of P V Anvar Vs P K Basheer case. My views expressed here as well as earlier on the status of Consent Manager may be validated some time in the future or DPDPA 2023 may be amended to prove my interpretation wrong.

Roles of different entities

DPDPA 2023 has indicated the roles of Data Fiduciary (including Significant Data Fiduciary), Data Processor and Consent Manager for entities besides “Data Principal”.

Data Principal is always an individual whose personally identifiable digital data is the subject matter of collection, processing, transmission, disclosure and destruction in India or in connection with offer of services to individuals in India. Out of such data, data publicly made available by the Data Principal or caused to be made publicly available by authorities under law as well as data used by an individual for personal and domestic purposes are outside the scope of the other regulatory restrictions. In many other contexts, personal data is selectively exempted from some or all the provisions of the Act.

Data Fiduciary is the entity (includes an individual processing personal data for business purpose) who determines the purpose and means of processing of personal data. He may act individually or in conjunction with another (who we refer as Joint Data Fiduciary). Naavi also uses the term “Super Data Fiduciary” when a data fiduciary lends his name for collection and processing of personal data but permits an agent to determine the purpose and means of processing as in the case of “Brands”.

Data Processor is the entity who does not determine the purpose and means of processing but processes the DPDPA protected data (DPD) on behalf of another data fiduciary who undertakes the responsibility for compliance.

Processing may happen in India or outside India. When personal data belongs to non Indians and is processed in India under a contract with an entity outside India, DPDPA exempts such data from the operation of DPDPA to some extent.

Consent Manager is a special kind of data fiduciary who determines the purpose and means of processing of data as a representative of a data principal in transactions with the other data fiduciaries who use the personal data of the data principal.

The data principal needs to maintain an account with the consent Manager and provide him the authority to give, manage, review or withdraw consent.

A Consent Manager to be pre-registered with Data Protection Board and will be accredited based on certain eligibility criteria and accepted obligations duly audited and certified. This means that the Consent Manager is approached by the data principal for an account even before he approaches a data fiduciary for a service for which he may use the services of the Consent manager to “give” his personal information. It is possible that a data principal might have already opened a service account with a data fiduciary and later becomes a customer of a consent manager in which case prospective aspects of “Giving further consent”, “Managing, monitoring or reviewing or withdrawing” of further consent may be routed by the data principal through the consent manager.

The above is a jurisprudential interpretation of DPDPA 2023 as it exists today and may be interpreted (or should be interpreted) by Courts in future.

Under our interpretation of the law, Consent Manager is an entity which is empowered like a Power of Attorney holder by the Data Principal to not only “Give” consent for data requested by a data fiduciary but also “Review” and “Monitor” the data given. Review and Monitoring may include withdrawing consent if required. Whether the Consent Manager is expected to only observe and inform the Data Principal for seeking further instructions or can act on his own is a matter of conjecture.

Visibility of Data

Our interpretation is that he should be considered as a “Data Fiduciary” since he determines the purpose and means of use of personal data under his authority to give, monitor, review and withdraw consent. As a Data Fiduciary he is obliged to ensure compliance of DPDPA 2023 which includes section 4(1) and 8(1) under which he is obligated to ensure that personal data is processed only for lawful purposes and in accordance with the provisions of DPDPA 2023.

To fulfil this duty, Consent manager requires “Visibility” to the data that is processed by a data fiduciary to whom consent is passed on by the Consent Manager.

The Data Fiduciary requires to enable his “consent acceptance mechanism” to accept instructions from a Consent Manager on behalf of a data principal. This means that the consent form should have an option to select provision of the details through the consent manager (similar to but not equivalent to completing the form through Google or Facebook). When the data principal choses this option, the requested data elements would be populated by the query processed by the Consent Manager so that when the form is submitted, it carries the validation from the data principal.

Alternatively the data may be consumed without being displayed on the form in which case there will be no validation by the data principal to the data fiduciary and he needs to depend on the deemed validation from the consent manager who himself is blind to the data.

Currently Meity has implied in its draft rules that this obligation of a consent manager can be fulfilled without visibility of the data elements similar to the status of “Account Aggregators” under DEPA architecture. Many technology firms think that they have products to support this “Data Blind” consent provision.

In our considered view, this interpretation is incorrect since the responsibilities of a Consent Manager includes “Review”, “Monitoring” and “Withdrawal of consent”. These responsibilities require visibility of data by the Consent Manager.

It is agreed that in the “Data Blind” architecture, each decision is conveyed by the Consent Manager to the data principal and his concurrence obtained, this means that the data principal while seeking the service and sitting in front of the consent form presented by the data fiduciary has to provide consent on pop ups that may come concurrently from the cosnent Manager who will be scouting for authorised sources from which different data elements can be sourced.

If the Consent Manager does not have the reference data resources previously approved by the data principal or if the data principal has approved more than one data resources where the data do not synchronize or is incorrect, he will have to admit that some data elements are to be separately collected by the data fiduciary directly from the data principal.

The law envisaged the Consent Manager as an expert who can act as an advisor to the data principal to manage the processing of personal data by a data fiduciary and prevent misuse of data either by collecting/processing it with a misrepresentation. He could understand the privacy notice better and compare it with the needs of the processing and contest of the data fiduciary exceeds his authority.

In our view, MeitY has diluted this provision and rendered the Consent Manager to be a worthless burden on the system who only acts under the instructions of the data principal and every time acts as a post office sending and receiving instructions from him without the ability to assist him. Unless the MeitY changes its view while notifying the rules, there is no useful role for a “Consent Manager” in the system.

Consent Manager under this system will be giving a deemed confirmation of data elements about which he himself is blind. It is like a blind man directing a person with normal vision to cross the road.

Some Data Fiduciaries loosely use the word “Consent Manager” even to their own employees or data processors who handle the responsibility of issuing notice, collecting and preserving the consent”. This is not a “Consent Manager” under the Act. Even the Google verification etc is not a Consent Manager since they are not registered with the DPB for this purpose and have their own vested interest in the data.

There is however a caveat to the above.

The law was framed by MeitY which is also taking on the responsibility for publishing rules from time to time through gazette notifications. They need to be placed before the Parliament and are also subject to scrutiny of the Court. What MeitY or any of its authorized officers publish as a notification therefore acquires a quasi legal status though they may be held incorrect later when questioned in a Court of law.

At present, there is an indication that MeitY has a view of the role of a Consent Manager which is not correct and which may not be in tune with the legislative intent that can be inferred from the law. (It is open to a Court to read down the law and give an alternate view of the role of a consent manager as expressed here in).

The draft rules published for public comments prescribe stringent conditions for accreditation of a Consent Manager all of which is redundant if a Consent Manager is not having visibility of data and acts only as a post office. It would be relevant only if the Consent Manager had visibility to the data. Hence Meity is itself in- consistent in its approach and exhibit confusion.

If Meity believes that a Consent Manager can function in a “Data Blind” manner, then there is no need to impose conditions equivalent to “Fit and Proper” criteria adopted for Financial regulated entities. The personal data in the custody of the Consent Manager would be only the name, email address and perhaps the phone of the data principal. Whenever other details are to be transmitted, he is expected to instruct one or more other data suppliers authorized by the data principal. In fact those data fiduciaries will be having access to what data has been requested by the data principal for a new service he is likely to avail. These reference sources are designated by the data principal and the data with them itself may be unreliable.

When the data fiduciary receives the data through the consent Manager, if the form is populated in front of the eyes of the data principal, for validation, then the same data is visible to the consent manager also. The consent Manager may however avoid visibility if he triggers the transfer of data and immediately disconnects himself so that he does not “View” the completed form. The system can also have the API call for data elements of the data fiduciary executed below the visible internet environment like a transmission of a https message. This however leaves the data principal to the mercy of vagaries of technical errors or even man in the middle attacks since the consent manager does not validate the data.

Hence the “are not readable” clause in the DPDPA Rules is impractical. (Refer Annexure IB, para 2)

While we have advocated and continue to advocate the Meity to change this rule related to Consent Manager, we are not confident that it would be modified. On the other hand, it is likely that the rule related to consent Manager may be deferred indefinitely. In the case of Section 65B, it took 14 years for the community to accept my view, in this issue of the role of a consent manager, I anticipate that the law itself may be amended to justify the current stand of MeitY.

I invite detailed debate on this aspect from professionals.

Naavi

Today a friend of mine pointed out to an article on peabea.substack.com indicating how apps installed on our mobile phones spy on what other apps are running on the mobile. He specially pointed out how the “AndoriodManifest.xml” file which he extracted for Swiggy APK indicated the presence of the following 154 package names allowing the Swiggy app to query those apps on the phone.

I have not personally checked the APK file on my mobile. I invite professionals to check the AndroidManisfest.xml files of different apps and try to establish the need why Swiggy should need to know if naukri app or dacthalon app is on my mobile.

If the above observation is correct, then there is a need for us to keep such apps on privacy watch so that we can raise the issue with DPB when it is in place.

I also want any of the apps present in the list above have permitted Swiggy to extract any information about the activities of their apps. Also if Swiggy or other apps like Zepto quoted the article have any counter view, we request them to respond.

The article also points out that one of the Loan apps namely Kreditbee watches 860 apps on a mobile.

It is obvious that the apps are developed with no concern on “Purpose Based Information Collection” and each of these companies can face the penalty of Rs 250 crore plus from DPB and the consolidated fund of India would be enriched.

I invite the attention of Mrs Nirmala Seetharaman to take this revenue potential into consideration and push MeitY to establish DPB without further delay so that they can start sending our inquiry notices to all these apps.

I welcome your views.

Naavi

The AI Chair of FDPPI has already announced one project on studying the “Impact of AI on the mental health of Children” . We are in the process of creating a planning committee with representations from different segments such as AI specialists, Neuro Science Specialists, Child Psychologists and Privacy Specialists etc to take the plan ahead.

A second project which is more related to Technology is also being planned for the development of a DPDPDA compliance solution based on DGPSI.

We shall constitute a separate Project committee for this project based on volunteers.

Naavi

It is reported that the Press club of India has called for a meeting of like minded organizations in Delhi on April 21 to express their concern on DPDPA 2023.

It appears that the objective of the meeting is to raise objections on DPDPA 2023 and seek deferment of its implementation on some ground or the other. Probably they would cite Section 44(3), the amendment proposed to RTI act providing that “Disclosure of information is subject to the protection of the Right to Privacy” of an individual.

Not withstanding the interpretations provided by the journalists it appears that the meeting appears to have been inspired by the George Soros club of paid journalists interested in delaying the implementation of DPDPA 2023.

The meeting is organized as a physical meeting in Delhi and hence the participation would be limited to the Delhi group of journalists.

Let us watch and see what this meeting proposes. It would be better if they webcast the meeting live so that all of us can at least view the proceedings.

Naavi

The Society is discussing the impact of AI on the professional front such as whether it will replace jobs, if so what kind of jobs and how should we brace for the impact. Organizations have already realized that the days of having software developers who have software coding skills only is over.

Today software coding has been entirely taken over by AI and the surviving software engineers are only those who have demonstrated their ability to use AI to develop codes automatically. At the ground level the number of employees will dwindle and soon will become negligible. The days AI will take over many tasks in the Advertising and Marketing are not far behind.

In the filed of Finance the operations are already automated to the extent that we are totally dependent on software for every aspect of finance. AI can only worsen the things. We are already seeing this in the Banks where we have “Zombies” as counter clerks who know nothing but pushing keys on the key board and know little of Banking.

Legal Research is the domain of AI and lawyers feel comfortable in using AI to draft petitions and prepare argumentative notes. Teachers will soon have to shift to teaching AI as everything else will be taken over by AI.

While these developments are easy to recognize, what has not yet caught the attention is the psychological impact of AI development on humans particularly in the development of human brains.

We have discussed the concept of “AI Cult Syndrome” , “Cyber hypnotism” , “Impact of Binaural Beats”, need for “neuro rights protection “ at different points of time on this website. (Please check with Vishy for more information). Now it is time to also discuss the impact of AI on human brains and more particularly on “Developing Brains” of children.

As humans make AI more and more intelligent, will AI make humans more and more zombies with no independent thinking ability. We are aware that our memory power has been adversely affected with the increased use of computing devices with search assistance. (Eg; We cannot remember phone numbers as we used to do a few years back and want our phones to remember them. We cannot remember street maps mentally and want Google maps). Now as we start using AI to think for ourselves, there is a real danger of us as humans using less and less of our core abilities of the brain and gradually degrade them to the status of “Let me ask my AI Assistant”. Where to draw the boundaries for the “Assistant” and retain our own native intelligence will be a challenge.

To this, I am adding a new dimension on “Im[act of AI learning on children’s mental development”. As we start teaching mobile and computer to children we have seen the growth of “Addiction”. We have seen the behaviour of Children of today who cannot eat without watching cartoons on the mobile. Experts recognize that this is due to Chemical changes induced in the brain as a result of their experiences on the screen. This is leading to a mental health issue which we today club under a single category of “Addiction”.

Psychologists observe the following:

1.The dopamine feedback loop created by screen use is a key neural mechanism underlying this addiction-like behavior

2.Excessive screen time during critical periods of brain development can alter the structure, function, and connectivity of neural circuits, especially those involved in reward processing and impulse control

3.There is emerging evidence that screen dependency disorders (SDDs) in children are associated with changes in neural tissue and function, and may even influence gene expression related to brain development

4.Children’s brains are more plastic and vulnerable than adults’, making them more susceptible to these changes

5.Some children may have genetic predispositions (such as certain dopamine receptor variants) that make them more vulnerable to developing screen dependency and related behavioral issues

6.Dopamine release from screen use mimics the reward pathways activated by addictive substances, reinforcing screen-seeking behaviors

7.Structural and functional brain changes can occur with excessive screen use, particularly in developing brains, potentially leading to long-term issues with impulse control, attention, and emotional regulation

8.Behavioral patterns such as needing screens to eat are reinforced by habit and the strong association between digital content and pleasurable experiences

9.Physical and mental health consequences include disrupted sleep, increased sedentary behavior, unhealthy eating habits, and higher risk of anxiety and depression

10. Limiting screen time and encouraging screen-free mealtimes are important steps to protect children’s neurological and overall health.

In this context when we start teaching AI skills to Children either through gamification or otherwise, it is not clear what would be the impact on the human brain development at an early age.

The AI-Chair of FDPPI would like take this up as a project and start gathering information on this critical subject. We also invite large corporations to sponsor research activity in this aspect and some academic institution can take it up as their project. FDPPI’s AI Chair would like to assist in such a project.

We look forward to receiving public comments on this proposition.

Naavi