Naavi.org

The draft rules currently under discussion regarding the management of Data Principal’s Rights tries to provide clarity to Sections 11, 12, 13 and 14 of DPDPA 2023.

It is noted that the rules does not make any reference to Section 15 on the duties of the data principal which is a condition precedent to the exercise of Rights and should have been mentioned.

While refering to the requirements, the clause starts with the words,

“(1)For enabling data principals to exercise their rights under Chapter III of the Act, the Data Fiduciary and, where applicable, the Consent Manager, shall publish on her website or app or both, as the case may be,-“

I would like to again point out that the rules refer to the Data Fiduciary or Consent Manager in terms of “her website” as if the Data Fiduciary or the Consent Manager is an “individual”. While the “Data Fiduciary” can be an “individual”, it is not practically feasible for the Consent Manager to be an “Individual” or rather it should not be from the regulatory requirement of business continuity. In fact another rule (yet to be discussed by us) categorically mentions that the Consent Manager shall be a Company.

Hence the use of the word “her” in this context is incorrect and this obsession needs to be avoided. It may lead to un necessary legal issues at some point of time in future. There is a need to go through the entire document and ensure that all references to a Data Fiduciary or Consent Manager shall be changed to “it”or “their” instead of “she” or “her”.

While most of the rules under this clause are a paraphrasing of the Act the lack of reference to the Duties is glaring. The “Rights” guaranteed under the Act is intrinsically linked to the “Duties” both because of the Secton 15 of the Act as well as the Article 19(2) of the constitution restricting the “Right to Privacy” in certain specific contexts.

It is most important to note that under Section 15 of the Act, a Data Principal shall ” comply with the provisions of all applicable laws for the time being in force while exercising rights under the provisions of this Act;”

This has to be highlighted so that no irresponsible attack is mounted on a data fiduciary by motivated data principals who may be encouraged by the competitors or anti nationals.

Similarly, the “Right for Erasure” has to be effectively tempered with the need to ensure through appropriate documentation that there is no need to reain the data because of any other reasons. “Electronic Data” is an evidence for many civil claims and criminal prosecution and irresponsible erasure could become an offence under Section 65 of ITA 200 and also under IPC/IEA.

Compliance officers are unlikely to have adequate appreciation of the laws related to retention of data under other statutes and hence they have to be warned while they try to meet the requirements of the “Right to Erasure”.

Some of these corrections are required in the next draft.

Naavi

One of the important aspects of DPDPA Rules that was being looked upto was regarding the identification of the “Significant Data Fiduciary” since many obligations including the need to designate the DPO emerges from the definition.

It is surprising that the draft rules meant for public discussion seems to be yet undecided in this aspect and requires an urgent correction to incorporate the details of how we can define a Significant Data Fiduciary. Naavi.org has discussed this issue several times (Refer here)

However the current draft of the rules only state the following in regard to the Significant Data Fiduciary.

Measures to be undertaken by the Significant Data Fiduciary.

(1) A Significant Data Fiduciary shall in addition to the measures provided under the Act undertake the following measures , namely:-

(a) Ensure that its Data Protection Officer shall be the point of contact for answering on its behalf, the questions, if any, raised by the Data Principal about the processing of her personal data

(b) Include in the business contact information to be published under rule 9 a toll-free telephone number issued in India and an e-mail address for Data Principals to contact its Data Protection Officer: and

(c) Undertake the periodic Data Protection Impact assessment and the perioidic audit under the provisions of the Act at least once in every year.

(2) In this rule, the expression “every year” in relation to a Data Fiduciary, shall mean every period of one year reckoned from the date on which

(a) these rules come into force or

(b) such data fiduciary becomes a significant data fiduciary, whichever is later.

For some reasons this clause appears to be poorly constructed and requires urgent revision.

Firstly there is a need to define a “Significant Data Fiduciary” u/s 10(1) so that organziations can start preparing for designating a DPO and instituting measures for audit etc.

Secondly the responsibility of DPO cannot be stated as “Answering the questions of Data Principal”. It should be a responsibility to resolve the disputes of the data principal at the level of the Data Fiduciary and to be a point of contact for the DPB and to also be responsible for any inadequacies for compliance.

The current version of the rule appears to reduce the importance of the DPO to that of a help center manger. This is not keeping with the spirit of the Act and needs to be changed immediately before further discussion of the rules in the public domain.

Naavi

While the DPDPA 2023 was gazetted on 11th August 2023, the notification of the date of its effectiveness has been awaited. Presently the draft rule is ready for public comments and the industry is eagerly waiting to know which provisions of the Act will become effective immediately and which will take time.

The current thinking in the Meity seems to be a two stage implementation with about 6 rules to be notified for effect immediately and the remaining around 14+ rules to be effective at some point of time later.

The six rules that may be notified for immediate effect could be

The other rules to be notified on a later date are as follows:

It is expected that the setting up of the DPB may take about 3 months and the remaining rules may come into effect subsequently.

There are a few more rules that are yet to be finalized and perhaps they may come up in the third set.

The exact time schedule for implementation is yet unclear and we may have to wait for the Government to complete the constitution of the DPB before a more specific time schedule can be expected.

Naavi

It is amusing to observe that while draftng the rules of DPDPA, MeitY has gone over board to use the feminine gender in the law which was considered a unique aspect of the drafting of the law.

In the law, the data principal who is an individual was referred to as “She” or “her” instead of the normal use of the term “he” or “him” used in other laws.

Now those who drafted the rules have gone a step further to depict even the organziations in a feminine gender.

For example, while indicating the rules regarding the publishing of the business contact information of a Data Protection Officer, the draft rules meant for discussion states,

(1) A Data Fiduciary shall-

(a) publish on her website or app or both as the case may be and

(b) intimate the data principal through in-app notification and every piece of correspondence with her, the business contact information of a person who is able to answer on behalf of the Data Fiduciary, the questions, if any raised by the Data Principal about the processing of her personal data.

(2) If the Data fiduciary is a significant Data fiducairy, the business contact information published under sub-rule (1) shall be that of its Data Protection officer,

(3) The business contact information to be published under sub-rule (1) shall be published in like manner as is provided in sub-rule (2) of rule 5 (Ed: on the home page).

In majority of cases, the Data Fiduciary is an organziation and the appropriate use of pronoun would have been “It” or simply the Data Fiducairy.

There is one benefit however that has arisen on account of this unatural use of the pronoun “her” to a “Data Fiducairy”. It has focussed on the fact that even an individual can be a “Data Fiduciary” in the context of processing of personal data for “Non Domestic use”. Hence theoretically a Data Fiduciary can also be an individual and therefore the use of the pronoun “Her/she” can be justified.

Leaving this minor observation, this rule is important from the perspective of an indirect admission that “Business Contact Information” is actually “Personal Information” which the data principal out of his “Choice” decides to use for business use.

There are many who consider Naavi9 @gmail.com as personal information and refuse to accept it in some forms. On the other hand naavi @naavi.org is considered as an acceptable business use. This is in my view incorrect since it is the prerogative of naavi to hold out naavi @naavi.org as a business address or personal address and naavi9 @gmail.com as personal email address or business email address.

Under DGPSI framework we have been always recommending to leave the choice of declaring if any e-mail or mobile number is a personal information or business information and many companies have started accepting this argument and incorporating this in their personal information gathering exercise.

I hope after the use of the “her/She” to Data Fiduciary and business contact information of a DPO as “her” information confirms that “Business Contact Information” can contain personal name as part of the e-mail.

…..More discussions will follow.

Naavi

Data Breach Notification is an important aspect of compliance of any data protection law. DPDPA 2023 also requires a notification both to the DPBI and the Data Principal in the event of a data breach.

The DPDPA 2023 act had simply stated that in the event of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal, intimation of such breach in such form and manner as may be prescribed. Now the the DPDPA rules expands the requirement.

The rules prescribe that as soon as the Data Fiduciary becomes aware of the data breach, one intimation has to be sent immediately to the DPBI with preliminary information including

(a)a description of the breach, including its nature
(b)the date and time when the Data Fiduciary became aware of the breach
(c)the timing or duration of occurrence of the breach
(d)the location where the breach occurred
(e)the extent of the breach, in terms of the nature and quantum of data involved and
(f)the potential impact of the breach  

Within the next 72 hours the Data Fiduciary needs to file a second report with details of the breach. DPBI is expected to provide suitable submission forms on its website for the purpose. In this second report the broad facts related to the events, circumstances and reasons leading to the breach need to revealed along with the remedial measures taken.

Additionally information has to be given to the data principal also which should contain the information about the breach as it affects the specific data principal. The rule seems to avoid specifying the time period within which the intimation has to be provided to the data principal.

Perhaps MeitY has to indicate either the 72 hour time limit specified for intimation to the DPBI as also the time limit for data principal or specify a longer duration.

In case there is a need for more time to report the breach because of the need for a detailed investigation, data fiduciary may seek additional time from the DPBI after the second report.

As of now, every data breach under DPDPA is also a data breach under ITA 2000 and hence the need to report to CERT IN as per the CERT IN guidelines will also be required.

Naavi

According to DPDPA 2023, consent is to be obtained even for applicable personal data collected by a Data Fiduciary before the commencement of the Act as per the notification. Hence identifying such data and issuing notices to such data principals is one of the key activities of data fiduciaries.

The proposed rules is expected to indicate for this purpose,

Notice to inform of Processing done where the Data Principal has given consent before commencement of Act:

(1) Where a Data Principal has given her consent for the processing of her personal data before the commencement of the Act, the data fiduciary shall as soon as it is reasonably practicable, give to the Data Principal a notice, in the following manner, namely:-

(a) The notice shall be made in like manner as is provided for a notice to seek consent and shall be understandable independently of any other information that has been made available by such data fiduciary; and

(b) The notice shall inform, in clear and plain language, the details necessary to enable her to exercise the Rights of the Data Principal, including-

(i) Such minimum details as are required in respect of a Notice to seek consent; and

(ii) description of the goods or services (including the offering of any service) that were provided or the users that were enabled, as a result of such processing

(2) A Data Fiduciary may use a Consent Artifact for thee purpose of giving the notice to inform of processing done.

The rule is silent about how the Data Fiduciary has to handle situations where the notice cannot be given for lack of contact information, or when the notice is returned undelivered or when the recipient is silent on whether the processing can continue.

Under DGPSI, we prescribe that appropriate measures should be built into the Consent artifact itself to meet these contingent possibilities.

It would be interesting to see how other frameworks (if any) address this issue.

Naavi