“Big Beautiful Bill”

Mr Donald Trump, who has already seen a few ups and downs in his policy drive, has now entered the AI regulation domain.

What is termed the draft Big Beautiful Bill (OBBB) bans all state-level AI regulation for the next 10 years.

There is an expectation that this would bring a “freedom first” approach to US AI laws (refer here). Given the fickleness of Mr Donald Trump, I do not think this would turn out to be a “freedom to innovate”. It could only be a different approach to AI regulation in the USA.

OBBB does not mean that AI will not be regulated in the USA. It only means that US federal regulation will be the sole regulatory authority over AI. This is an attempt to centralize AI regulation in the USA.

OBBB also does not mean that Indian businesses can use any AI algorithm without responsibility. Any user of AI in India will have a vicarious obligation under ITA 2000 and DPDPA 2023 and will have to absorb the risks. If the risk is “unknown” because the US sheds the ethical AI development model, the users will be considered “Significant Data Fiduciaries” and “High Risk Intermediaries” and could have more liability under law than they may recognize.

Let us remember that Indian companies are regulated by Indian laws, not US or EU laws, when it comes to operating on Indian data. Hence the responsibility for ITA 2000 and DPDPA compliance remains paramount, and if unregulated AI is dumped on India, Indian user organizations will have to be more careful than before to ensure compliance with Indian laws. Taking refuge in the fact that the US does not require “Disclosure”, “Transparency” or “Accountability” does not help Indian “Intermediaries” or “Data Fiduciaries” comply with Indian laws.

Since OBBB would directly affect the federal nature of the US, it could face a challenge in the Courts, but beyond this internal clash between Republican states and Democrat states, it is unlikely to have the global impact that some predict.

The US did have the confusion of 50 states each having different privacy regulations, and if there were 50 AI regulations as well, it would have been a problem for the world. This unification of regulation is therefore welcome, since the world does not see the State of California as different from the State of New York.

Hopefully there will be more such unification of laws relating to the “Internet Economy”.

Naavi

Posted in Cyber Law

Bill Alert System goes wrong

There are many services in the FINTECH arena where the service provider tries to assist the account holder in paying pending bills. For this purpose the service provider takes permission to view the SMS messages of the account holder and periodically reads them.

Under DPDPA, this permission is mandatory and is covered under the DPDPA consent regulations. This consent is purpose specific and has to be considered closed once the purpose is served.

I have recently come across such “Bill Alerts” from CRED on the CRED application linked to my mobile number. These bills were not related to me and, had I mistakenly clicked “Pay Now”, the payment could have been effected.

I therefore consider the message an “Attempt to induce me to make payment to a third party”, which is an offence under ITA 2000 and BNS.

Last time, CRED had indicated that the message could have been picked up from my SMS store, and I also presumed that the mistake might have been on the HESCOM side in wrongly linking my mobile with another account.

I am now given to understand that the mobile number associated with the account in HESCOM is not my mobile. However, I have received the CRED alert again today. I am not able to view the corresponding SMS in my SMS inbox.

Under the circumstances, I feel that CRED has picked up the bill from a source other than my SMS inbox.

If so, the mistake lies with CRED and not HESCOM. If this is true, I owe an apology to HESCOM and am duty bound to apologize. I am yet to get confirmation, but my advance apologies to HESCOM if the mistake lies with CRED.

We can now surmise that CRED has my account as well as the account of the individual whose bills are coming to my CRED account. Perhaps CRED has misconfigured the accounts, or their technical system is sending the bills of one client to another. Alternatively, it is possible that HESCOM has corrected its mistake but there is a cache maintained by CRED through which the bills relating to another account are getting diverted to my account.
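The two failure modes the post describes, a consent that should lapse once the bill purpose is served and a bill alert surfaced to an account whose mobile the bill does not belong to, can both be reduced to checks at the point where the app decides whether to show “Pay Now”. The following is an added illustration, not code from CRED, HESCOM or the post's author; the `Consent` and `BillSms` records, the `bill-reminder` purpose label and the mobile numbers are all constructed for the example.

```python
"""Purpose-bound consent and bill-to-account matching for a bill-alert feature.

Added example (not the code of CRED, HESCOM or the post's author). Every
record type, field name and sample value below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

BILL_PURPOSE = "bill-reminder"  # constructed purpose label for the consent


@dataclass
class Consent:
    """Permission to read SMS for one purpose, granted by one mobile holder."""
    principal_mobile: str
    purpose: str
    granted_at: datetime
    valid_for: timedelta
    closed: bool = False  # set once the purpose is served

    def is_active(self, now: datetime) -> bool:
        return not self.closed and now < self.granted_at + self.valid_for


@dataclass
class BillSms:
    """A bill SMS as captured by the app; source_mobile is the inbox it was read from."""
    source_mobile: str
    biller: str
    consumer_id: str
    amount_inr: int
    captured_at: datetime


@dataclass
class AlertDecision:
    show_pay_now: bool
    reason: str


def evaluate_bill_alert(consent: Consent, user_mobile: str,
                        sms: BillSms, now: datetime) -> AlertDecision:
    """Decide whether a captured bill may be shown to this user with a Pay Now button.

    Every check is a reason to refuse: the consent must be this user's own, for
    this purpose, still open, and the SMS must have come from this user's inbox
    after the consent was granted (a cached message from another account, or one
    read before consent existed, is refused).
    """
    if consent.principal_mobile != user_mobile:
        return AlertDecision(False, "consent belongs to a different mobile")
    if consent.purpose != BILL_PURPOSE:
        return AlertDecision(False, "consent was granted for another purpose")
    if not consent.is_active(now):
        return AlertDecision(False, "consent closed or expired")
    if sms.source_mobile != user_mobile:
        return AlertDecision(False, "bill was read from another account's inbox")
    if sms.captured_at < consent.granted_at:
        return AlertDecision(False, "bill was captured before consent was granted")
    return AlertDecision(True, "ok")


def mark_purpose_served(consent: Consent) -> None:
    """Close the consent once the bill it was collected for has been paid."""
    consent.closed = True


def run_scenario() -> dict:
    """Constructed walk-through: own bill, another account's bill, then closed consent."""
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    me, other = "+91-9000000001", "+91-9000000002"  # constructed numbers
    consent = Consent(me, BILL_PURPOSE, now - timedelta(days=10), timedelta(days=90))
    own_bill = BillSms(me, "HESCOM", "CONS-0001", 1200, now - timedelta(days=1))
    diverted = BillSms(other, "HESCOM", "CONS-0002", 800, now - timedelta(days=1))
    stale = BillSms(me, "HESCOM", "CONS-0001", 950, now - timedelta(days=30))

    results = {
        "own": evaluate_bill_alert(consent, me, own_bill, now),
        "diverted": evaluate_bill_alert(consent, me, diverted, now),
        "stale": evaluate_bill_alert(consent, me, stale, now),
    }
    mark_purpose_served(consent)  # bill paid: purpose served, consent closed
    results["after_close"] = evaluate_bill_alert(consent, me, own_bill, now)
    return results


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{name:12s} pay_now={decision.show_pay_now} ({decision.reason})")
```

The point of `source_mobile` and `captured_at` is that a bill record carries its provenance with it, so a misrouted or cached message fails the check at display time regardless of which upstream system made the mistake.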

I have raised a query with CRED now and am expecting a reply.

Once DPDPA 2023 penalties kick in, these are mistakes for which Rs 250 crore penalties may be applicable. Until then the remedy is under ITA 2000, which is even more serious. I hope corporate entities understand their responsibilities when they take “Data Access permissions”, particularly if they are not capable of managing the data collected.

While I have used the example of CRED here because it is from my personal experience, this could be happening with others too, including banks.

Looking forward to getting more information on this case.

Posted in Cyber Law

Niti Aayog not clarifying about Mandatory Darpan Registration

Naavi has been repeatedly requesting Niti Aayog to clarify that Darpan registration is not mandatory for all Section 8 companies. Unfortunately NITI Aayog does not respond to the query and prefers to remain silent.

In the meantime some REs like PayU and Razorpay consider that registration on the Darpan portal is mandatory for a Section 8 company and are not completing the KYC process.

It is highly irresponsible of Niti Aayog and RBI not to make a proper announcement that Darpan registration is not mandatory for KYC. At the same time it is disappointing to note that companies like PayU and Razorpay are unable to complete KYC without insisting on Darpan portal registration.

Further, registering a Section 8 company like FDPPI on the Darpan portal is not possible, and the portal returns an error page every time.

I hope some senior person like Mr Amitabh Kant looks into this issue and sets right this anomaly.

Naavi

Posted in Cyber Law

optimum.net spam

I am informed that spam mails are being sent from the optimum.net server to many people using the email identity Vijayashankar Nagarajarao (archer83@optimum.net).

Kindly ignore them and if possible file a complaint with abuse@optimum.net.

I don’t use any service from optimum.net, and the email archer83@optimum.net does not belong to me. This scam seems to originate from a compromised optimum.net server which is extracting the contact emails of customers and using them for spamming.

Naavi

Posted in Cyber Law

UIDAI website having problems

It is observed that the UIDAI website is experiencing some serious technical issues. It is downloading Aadhaar cards of persons other than the one for whom a request is submitted and the OTP is authenticated.

Though the downloaded file is password protected, this is a serious flaw which needs to be corrected.

UIDAI has recognized the bug and has posted a message on the website. I hope it would be set right soon.

This could be considered a “Potential Data Breach” and needs to be addressed as such under ITA 2000/DPDPA.

Naavi

Posted in Cyber Law

When do we start working on DPDPA Compliance

One of the queries I have received on LinkedIn from a discerning Privacy Professional is:

“As we observe, organizations have begun aligning with the Digital Personal Data Protection (DPDP) Act in India. However, several provisions remain ambiguous, awaiting further clarification through governmental rules. For instance, the practical implementation of roles like the Consent Manager is still not fully defined.

In light of these uncertainties, how can organizations proactively work towards compliance? What preliminary steps can be undertaken even before the complete regulatory framework is established?”

Let me try to provide my feedback on this.

Compliance with DPDPA is a cost that any organization has to absorb. Even the conduct of a DPDPA gap assessment will need a budget. If an organization is a Data Fiduciary of some responsibility, the costs are likely to be higher, since it has to immediately take the decision to designate a new senior position of Data Protection Officer with a team of his own. Once the DPO is in place, he will demand an “Implementation Plan” which includes in-house measures such as the drawing up of policies, which may need external consultancy from expert organizations like FDPPI and also requires investment. Then comes the bigger investment and a decision about the acquisition of software for compliance, which is a long-term, higher-level investment.

The CFOs, CEOs and Board members of any organization would naturally take their time to commit to these expenses and would look for as many excuses as possible not to sign off on the DPDPA implementation budget. However, this “judicious contemplation” should not turn into procrastination and policy paralysis.

The first action required of any responsible corporate entity is to pass a resolution at Board level to the following effect:

“The Board has taken note of the passage of DPDPA 2023 and the imminent release of detailed rules and

a) has resolved to conduct and document a Business Impact Analysis of the passage of DPDPA 2023 on our organization immediately;

b) resolved that a committee of Directors consisting of …….., ….. and ….. is formed with immediate effect under the chairmanship of the independent Director ……………, to consult relevant experts and report to the Board by the next Board meeting on further actions to be taken;

c) resolved that the following shall be the terms of reference to be addressed by the Committee:

i) To determine when the Company should start a DPDPA gap assessment program.

ii) To determine whether we designate a “DPO” for our organization.

iii) To determine the budget to be allocated for the next quarter and the current year for DPDPA compliance.”

The above actions are necessary and can be implemented immediately by the Company Secretary who is drafting the minutes for the next Board meeting. If an organization has already passed through this stage, it may encounter the questions raised in the query above. These need to be discussed by the committee and their views presented to the Board. In that process, they can take into account the following thoughts.

Ambiguity of provisions

DPDPA is a law, and a law is by nature meant to provide broad principles which are to be interpreted in the context of its implementation.

Rules are expected to provide the procedural guidelines and cannot re-interpret the law. Rules cannot therefore be expected to provide “Legal Clarity” where the law has failed to do so.

Hence, if there are ambiguities in the law as we perceive it, we need to live with them. As regards the Consent Manager, the law is clear and it is the draft rules that are creating complications. But a “Consent Manager” is not “mandatory” for the implementation of DPDPA by an organization, and hence organizations need not wait for this ambiguity on “Consent Manager”, if any, to be cleared.

Consultants like FDPPI and frameworks like DGPSI have provided a “Jurisprudential Interpretation” of all aspects of DPDPA 2023, and unless a company wants to ignore them, there is no reason to delay the start of implementation waiting for further clarification from the Government.

The Government cannot provide a clarification that is not in tune with the Act, and if it does so by a mistaken interpretation, there is a possibility of the rules being challenged in a Court of law.

The current mood of the Supreme Court, which in the past has been aggressive in taking on the executive’s role of drafting rules for an Act and adding its own interpretations to laws, is not to pass any “Stay” on the operation of the law. If therefore any “Andolan Jeevies” challenge specific provisions of the law as “ambiguous”, the issues will be taken up for discussion, but no decision is expected immediately.

We therefore consider that it is not wise for companies to keep waiting for clarifications from the Government.

Our view on this is clear, as follows:

1. DPDPA 2023 is an expansion of Section 43A of ITA 2000 and is therefore considered “Due Diligence” under the current law, which is ITA 2000.

2. DPDPA 2023 provides a detailed clarity on the concept of “Reasonable Security Practice” under Section 43A of the ITA 2000.

3. The limitation of the applicability of Section 43A of ITA 2000 to “Sensitive Personal Information” has now lost its meaning, since there is no specific definition of sensitive personal information under DPDPA, and it is the responsibility of all Data Fiduciaries to determine the harm likely to be caused to a Data Principal on account of their processing and take appropriate action to protect their interests.

4. Since the “Data Fiduciary” is a “Fiduciary”, he is himself responsible for determining what harm is likely to be caused and is accordingly expected to develop the compliance.

5. While Section 43A is limited to the provision of compensation to a data principal, it does not bar the Adjudicator under ITA 2000 from imposing any penalty on the Data Fiduciary.

6. Section 43A of ITA 2000 remains intact until Section 44 of DPDPA 2023, along with the penalty section 33, is specifically notified. Till then, the penalty under Schedule I of DPDPA 2023 may be considered only as a “Legislative intent”, and the Adjudicator, under his powers to award compensation up to Rs 5 crores, can provide compensation to the affected victim and also exercise his suo motu powers to impose deterrent penalties as well as recommend action under Section 43 and Section 66 of ITA 2000.

7. Ambiguity, if any, on the role of a “Consent Manager” may be ignored. If any organization has the intention of registering itself as a “Consent Manager”, it may do so after the Data Protection Board is set up.

8. When in doubt, the Company may obtain and document an opinion from an appropriate management consultant or legal consultant. Such an opinion may be a Legal Opinion from a law firm or Management Advice from a management consultancy firm.

I suppose this provides a reasonable response to the query raised. Further comments are welcome.

Naavi

Posted in Cyber Law