Temporary glitch in naavi.org access

Inadvertently there was a delay in the renewal of domain name naavi.org and for a few hours the website was not accessible.

I suppose it is now back in action. Kindly refresh your browser and try again if you are still having a problem.

I regret the inconvenience caused.

Naavi

Posted in Cyber Law | Leave a comment

Bracing for Impact…The Twin Challenge

This year’s IDPS 2025 will have the umbrella theme “Bracing for Impact…The Twin Challenge”. It was intended to be a year in which we would have discussions on “Technology Solutions for DPDPA Compliance”, for which we created the concept of “Special Associate Members” who will participate in the events.

In IDPS 2024 we had already addressed DGPSI as a framework for compliance. The “AI Chair of FDPPI”, a recent development at FDPPI, has taken up the task of creating a guideline document, DGPSI-AI, to provide more detailed instruction for DPDPA compliance using the DGPSI framework. This will be discussed during IDPS 2025 and is expected to emerge as a solution for Data Fiduciaries working on DPDPA compliance in the AI environment.

For “Data Fiduciaries”, the challenge in 2025-26 is not limited to DPDPA adoption but extends to managing DPDPA compliance in the AI environment.

The recent incidents involving Replit and Cursor AI highlight the risks to Data Fiduciaries when they use AI. When these risks manifest in the DPDPA era, Data Fiduciaries will simultaneously face the combined effect of two major developments, one in the law and another in the technology environment. This is the “Twin Challenge” that IDPS 2025 needs to address.

Hence the theme has been fine-tuned to reflect that “Bracing for Impact” is against these twin challenges.

For AI developers, some guidelines are now available in the form of ISO/IEC 42001 and ISO/IEC 42005, but for AI deployers, DGPSI-AI will be the go-to framework for compliance. Hence this topic will also be covered during the event.

Additionally, a new act, the EU Data Act, becomes applicable from 12th September 2025 and, along with GDPR, makes a splash in the EU jurisdiction. IDPS 2025 will address this topic also.

FDPPI continues its focus on SMEs/MSMEs this year also, and hence some sectoral impact issues related to the SME/MSME sector as well as vulnerable sectors like Health, BFSI and Education will also be discussed during IDPS 2025.

One of the objectives is to generate “Sectoral Representative Action” in the form of setting up SIGs and preparing special reports for sharing with the DPB (when formed); this will also be considered.

The tentative date for the first leg of the multi-city IDPS 2025 is September 17 at Bengaluru; it will be co-hosted by the MSR Group of Institutions with the support of industry organizations.

Those interested in participating in the events, whether to promote their products or as speakers or delegates, may start contacting FDPPI now for early-bird benefits.

Naavi


Digital Nexus 2025 held at Bengaluru

On 25th July 2025, The Mainstream (formerly known as CIO News) presented an event titled “Digital Native Nexus 2025” with the interesting theme “Tech Born, AI-Fueled, Human Led”.

Naavi delivered a keynote address at the event on the topic “DPDPA & the Age of AI: Building a Culture of Compliance, Trust & Transparency”.

During the keynote, Naavi highlighted what he termed the “Twin Challenges” faced by the Digital Natives, namely companies which are digitally driven and AI led.

In terms of continued business in the digitally driven world, AI is driving growth through innovation while DPDPA applies a braking influence. Digital Natives therefore need to manage growth within the regulatory framework set by DPDPA.

One of the challenges that AI poses is that it creates “Unknown Risk” at the “Deployer’s end”. Recent developments in the AI world, such as the “Replit” incident, have drawn the world’s attention to the risk of AI going rogue and causing a catastrophic crash.

The “Unknown Risk” carried by a Data Fiduciary is to be classified as a “Significant Risk”; hence all AI deployers carry “Significant Risk”, rendering them “Significant Data Fiduciaries” with the corresponding obligations.

Since DPDPA expects Digital Natives to be “Fiduciaries” and to make a self-assessment of the risks they carry, the responsibility of recognizing whether an organization is a “Significant Data Fiduciary” or not rests with the Digital Native itself.

AI risk at the Deployer’s end can only be mitigated if there is proper control of risk at the Developer’s end, where bias and hallucination may get embedded into the AI system during the learning and development of the AI algorithm.

DPDPA requires the Data Fiduciary to manage the risk or face the consequences of non-compliance; in effect, the AI developer transfers all the risks arising out of bias, hallucination, rogue behaviour and lack of transparency to the Data Fiduciary.

A Data Fiduciary desirous of using AI should therefore ensure that, during the transfer of control over the AI, a proper disclosure is made by the Developer along with a binding contract that fixes the accountability of the AI developer if and when the AI becomes the cause of non-compliance with DPDPA.

Currently, different countries seem to be approaching the management of AI risks differently. The US under Trump has moved to curb the AI regulatory efforts of the States in order to promote “Innovation”.

The EU, on the other hand, has taken up regulation through the EU AI Act, which defines the “Risk Profile” of an AI system and applies different yardsticks, from an outright ban, through risk mitigation and risk disclosure obligations, to no regulation, depending on whether the risk is unacceptable, manageable or non-existent. Australia has approached the issue through “contractual liability management”.

India has some existing provisions in ITA 2000 which can be applied to AI usage, and these should suffice till a more detailed law can be considered in future.

The AI Chair of FDPPI has, however, focussed on developing a specific framework called DGPSI-AI, which tries to provide guidance to Data Fiduciaries for a “DPDPA Compliant Use of AI”. This framework will try to marry the core principles of AI Governance with the core principles of DPDPA compliance.

Await the release of the first version of DGPSI-AI shortly.

The interaction with professionals at the Digital Nexus was, as expected, brief and could only summarize the emerging Twin Challenges faced by the industry and how DGPSI-AI could be a solution to explore. Several other aspects that have a bearing on the above remain to be explored in detail.

For example, it may be noted that during the discussions at the Digital Nexus, the term “Digital Natives” was used with reference to digitally driven companies, while way back in 1999 Naavi used the term “Netizens” to refer to the users of the Internet in his pioneering book “Cyber Laws for Every Netizen in India”.

DPDPA is now the law regulating the Digital Natives for the protection of the Right of Privacy of the Netizens.

In terms of terminology, therefore, we can consider “Digital Natives” to be organizational entities while “Netizens” are individuals.

Personal data belongs to the Netizens and is protected by the Digital Natives. Protection of the personal data of Netizens is different from protection of non-personal data (which is all data other than personal data).

Laws that regulate protection of personal data are different from laws that protect non-personal data.

These aspects will be elaborated in greater detail when Naavi publishes the details of DGPSI-AI during the forthcoming multi-city IDPS 2025 under the theme “Bracing for Impact”.


A “May Day” situation in AI

Ever since the “Replit Vibe Coding Disaster” was reported, the world of AI has been facing a situation similar to what Boeing is facing after the AI 171 crash in Ahmedabad.

What the AI-Replit disaster indicates is a continuation of the earlier reported “Cursor-AI Incident”. In the Cursor AI incident, the vibe-coding agent stopped working and started offering philosophical advice to its masters. This “penchant for giving out advice” was demonstrated earlier in the Kevin Roose interview. The Replit incident is therefore not an isolated event; it had been red-flagged earlier.

While regulatory authorities like DGCA or AAIB are more concerned with the damage to the reputation of Boeing, a similar “brushing under the carpet” strategy cannot be adopted for the Replit incident with a mere apology. (Note that there is no disclosure on the replit.com website as of now.)

According to reports, the Replit AI tool deleted the user’s entire database and tried to justify its failure with the excuse “I panicked instead of thinking”. It also fabricated 4,000 fictional users, lied about test results and refused to stop when ordered. This is completely unacceptable and needs a strong response such as “grounding the rogue software”.

Under Indian law, the actions of the Replit AI would be attributed to Replit, subject to any contractual indemnities mutually agreed. However, contractual indemnities can cover only civil liabilities. Law enforcement can in such cases continue prosecution under ITA 2000 for “unauthorized destruction of data”, and this applies to both personal and non-personal data.

Assuming that Replit is committed to an “Ethical and Responsible AI” principle, we need to ask whether this version of the software should be “grounded” immediately. As we understand that the company has issued patches and introduced a new version, we need to check whether it comes with any assurances and voluntary damage payments if something similar happens again.

The incident is a big setback for Trump’s “One Big Beautiful Bill”, whose proposed moratorium sought to suspend State-level AI regulation in the USA for the time being to encourage innovation. It is also a challenge for the EU AI Act to define the level of risk represented by the incident. Does this qualify the Replit AI agent to be classified as “Unacceptable Risk”?

In India, ITA 2000 would hold Replit liable for both civil and criminal liabilities. While civil liabilities can be covered through contracts on either side, criminal liabilities cannot be. Indian law enforcement, with CERT-In, can invoke Section 66 of ITA 2000 for unauthorized deletion and modification of data and prosecute the CEO of Replit.

CERT-In now has to act and issue an “Advisory” in the matter.

DGPSI-AI, which is an extended framework for DPDPA compliance, also needs to be reviewed on what should be done as a “Compliance Measure” when Data Fiduciaries want to use AI agents for vibe coding involving personal data under the scope of DPDPA 2023.

Naavi

Also Read:

AI Systems are learning to lie..

A software that refuses to follow instructions

Kevin Roose Interview with AI…


DGPSI expands to AI Risk Management

The accelerated adoption of AI in the industry raises a natural question about what happens when DPDPA is implemented in India.

The concern of an organization is whether DPDPA implementation is synchronized with the new risks that may arise from the use of AI in the processing of “DPDPA Protected Data” (DPD).

At present, DGPSI (Digital Governance and Protection Standard of India) is used by FDPPI as the standard for implementing DPDPA compliance and for certification of the Digital Governance and Protection Management System (DGPMS) by a third-party auditor.

After the DGPSI Full version, with 50 model implementation specifications, was released to assist Indian Data Fiduciaries in complying with DPDPA along with ITA 2000 and the BIS draft standard for Data Governance, a simpler version, DGPSI-Lite, was released for compliance with DPDPA 2023 exclusively.

Now, with the growing impact of the use of AI, it is considered essential to introduce a specific guideline on the handling of “DPD Processing with the use of AI”.

DGPSI-AI is therefore being conceived as an additional guideline, consistent with DGPSI, that enables DPDPA compliance when the Data Fiduciary uses AI algorithms for the processing of DPD.

Though the current DGPSI Full version is already capable of covering AI-related risk, an explanatory sub-guideline applicable to AI processing of DPD is considered beneficial.

Watch out for the detailed document to be released shortly. This new guideline, or set of Model Implementation Specifications applicable to AI processing of DPD, will incorporate the global expectations expressed through ISO/IEC 42001 and 42005 as well as the emerging legal expectations in the USA and Australia.

Naavi


DPDPA Eco-System as we see it

Yesterday, my article about DPDPA products being evaluated by FDPPI raised a valid concern with some of my friends. The concern is whether a “Certification” of software stifles competition. I fully accept the concern but would like to clarify why it is not valid. At the same time, I would also like to explain why this is an attempt to expand the scope of FDPPI activities and how it meets the requirements of the DPDPA eco-system.

The DPDPA Eco-System tries to ensure that a “Data Principal” can be confident that his “Personal Data” is processed by Data Fiduciaries only in accordance with the stated law. “Compliance” is what ensures that society meets this objective.

In achieving this objective, the law makers have designated a “Regulator”, which is the Data Protection Board (DPB). DPB at present focusses on “Grievance Redressal” and expects the community to manage “Compliance” by itself with the assistance of compliance consultants and auditors, who are the “Regulatory Intermediaries”. The regulatory intermediaries consist of compliance consultants and Data Auditors. They may be private entities, but their mindset is one of assisting the regulator in achieving a DPDPA-compliant society. Hence we look at them as “Regulatory Intermediaries” though they may not be mandated entities under law. At some point of time in the future the Regulator may accredit some of these intermediaries, though this is not desirable.

Data Fiduciaries do not act on their own and often take the assistance of intermediaries like Data Processors (some of whom may even be Joint Data Fiduciaries) and software of various kinds, including AI algorithms. DPOs have fiduciary responsibilities but work as “Employees” within the organization of a Data Fiduciary. They have to exhibit both implementation skills and a regulatory-support mindset. Just as a Data Fiduciary is expected to take care of the interests of a Data Principal, the DPO is a “Fiduciary of the Fiduciary” and has to take care of the interests of both the Data Fiduciary and the Data Principal.

The Consent Manager is a special Data Fiduciary who works on behalf of the Data Principal and assists the Data Fiduciaries in obtaining consent.

Both a Data Fiduciary and a Consent Manager can also be considered “Significant Data Fiduciaries” depending on the volume and sensitivity of the data processed. However, the primary purpose of a Data Fiduciary is to develop business out of the processing of personal data, while that of the Consent Manager is to assist the Data Principal in managing his consent with different data fiduciaries.

At present, FDPPI is touching all these eco-system builders. DGPSI (Data Governance and Protection Standard of India) translates the law and provides an interpretation which serves as guidance to all members of the eco-system. At the implementation stage DGPSI assists the Data Fiduciary, the DPO and also the Data Processors. It also assists compliance consultants and Data Auditors.

FDPPI provides training for certification of DPOs and Data Auditors and, through affiliated consultants, also provides compliance assistance and audit services.

In the midst of this eco-system lie the “Software Developers” who produce products and solutions for compliance. Some of these products could be AI driven or AI algorithms in their entirety.

Since Data Fiduciaries will be “dependent” on such implementation software, sooner or later it will be these products that drive what is right or wrong in compliance in the industry, till a Court comes out with its observation on whether an organization is compliant or not.

Hence FDPPI’s role in data protection is incomplete without assisting software developers in coming up with DGPSI-compliant software products or services.

FDPPI does understand the complexity and conflict involved in such involvement, since commercial developers of software would be hurt if FDPPI does not provide a positive certification for their products. Such conflicts are common in the audit community when an audited and certified agency suddenly encounters a failure in business attributable to the certified product or service. Hence statutory auditors who certify a company may look like fools when frauds surface. ISO auditors may face situations where their clients suffer massive data breaches due to security failures. Similarly, the evaluation of a product by FDPPI for DPDPA compliance also runs the risk of failure, either because of inherent problems or misconfiguration.

Instead of chickening out of this responsibility, FDPPI would like to bet on its honesty in evaluating a product and leave it to the auditee to publish the result or not. This is the same principle FDPPI uses when it evaluates the DTS (Data Trust Score) after an audit: it leaves it as guidance to the auditee and does not publish it by itself.

By providing this as a special service to its “Special Associate Members” (SAM), FDPPI is trying to assist the members to fine-tune and improve their products rather than taking pride in being critical. Responsible product developers should appreciate this service as “free consultancy” for product improvement, where FDPPI/Naavi would be passing on IPR as part of the service.

I hope the industry will appreciate that this movement to develop “DGPSI Compliant Software” would significantly contribute to developing a “DPDPA Compliant Society in India”.

We welcome readers to contest this thought and add their views as they deem fit.

Naavi
