Posted in Cyber Law | Leave a comment

Consent Manager… Under DPDPA

A day after the Presidential assent to DPDPB 2023, Sansad Dhvani, an organization created by Mr Tejasvi Surya, the MP from South Bangalore, organized a public awareness program on DPDPA.

It was great to see the MoS of IT, Sri Rajeev Chandrashekar and Sri Tejasvi Surya explain the salient features of the new law. Mr Sharat Sharma of ispirit was also present and explained certain technical aspects. The event was held in the auditorium of BMS Engineering College, Bengaluru.

After the initial presentations, the trio answered the questions of the audience and there was a healthy participation from the audience which consisted of many Privacy professionals as well as students.

During the discussions, Mr Rajeev Chandrashekar also indicated that the work on the Digital India Act is progressing and a draft for public discussion should be available in the next two weeks.

One of the topics which came under repeated discussion during the talk was the role of the “Consent Manager”. One could observe that there is still confusion on the role of a “Consent Manager” under DPDPA 2023 vs the “Consent Manager” in the NDHM and in the Account Aggregator project of RBI.

Under Section 2(g) of DPDPA, “Consent Manager” means a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform;

Under Section 6(9), “Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed.”

We can therefore observe that the “Consent Manager” under DPDPA is a “Data Fiduciary” and not completely a “Technology Platform”. The Consent Manager under DPDPA can use a technology platform but is an entity with visibility of the personal data, whereas the Consent Manager in the Account Aggregator framework (AAF) is a pure technology platform like an ISP.

Legally, the Consent Manager under the Account Aggregator account is an Intermediary under ITA 2000, whereas the Consent Manager under DPDPA is a Data Fiduciary with obligations as set out in the DPDPA.

Considering that the Consent Manager platform under AAF can be technically configured in such a manner that the identity of the individuals is not accessible to any human being, it opens up the debate that there may be no apparent “Disclosure” from the data principal to the Consent Manager and hence the liabilities associated with DPDPA for a data fiduciary may not attach to the Consent manager platform. In a way it can be configured as an “Anonymised Transmission of identifiable data”.

Whether all Consent Managers under AAF have configured the system in this manner or not is a matter of audit. If they have not done so, they will also be Data Fiduciaries under DPDPA.

It is expected that when the requirements for accreditation of Consent Managers are released, there could be criteria of minimum capital and net worth, so that it may become a business of the large companies. It would however be necessary to have another layer of Consent Manager Registration Agencies who work as agents of Consent Managers. This could be similar to the Certifying Authority-Registration Authority setup in the ITA 2000 rules, where the RA was not mentioned in the Act but brought in through practice.

The rules for Consent Managers therefore need to be drafted with provision for individuals or entities who can be agents of Consent Managers and who will be the real interface between the Data Principal and the Consent system.

Another area where there appeared to be some grey spots is “Data Minimization”.

The DPDPA does not specifically mention Data Minimization, though we expect this principle to appear in the subsequent notification of rules [under Section 8(4)]. Presently this has to be interpreted under “Purpose Limitation”.

Probably we need to wait for the notifications to come up for further discussion on these subjects.

Naavi


Janvishwas Bill Gazette notified

The Janvishwas Bill amendment Act 2023 was gazette notified yesterday. This contains many amendments to ITA 2000 which had been provisionally incorporated in the copy of ITA 2000 which is available on this website.

Now they may be considered as finalized amendments.

The copy of the Act is available here

List of Amendments to ITA 2000

Section 33: Failure to surrender a CA license which has been revoked: Penalty of Rs 5 lakhs. No imprisonment

Section 44: Penalties for failure to furnish information, returns etc. increased

a) From 1.50 lakhs to 15 lakhs for not furnishing the required document

b) From Rs 5000/- to Rs 50000/- per day for not submitting returns

c) From 10000/- to Rs 1 lakh for not maintaining books

Section 45: Residuary Penalty increased from Rs 25000/- to Rs 1 lakh and compensation increased from Rs 25000/- to Rs 1 lakh for an individual and Rs 10 lakh for an Intermediary or company

Section 46: “Under this Chapter” changed to “Under this Act” and the word “injury” removed

Section 67C: Penalty up to Rs 25 lakhs from and no imprisonment.

Section 68: Penalty increased to Rs 25 lakhs and imprisonment removed

Section 69B: Imprisonment reduced from 3 years to 1 year and Fine increased to Rs 1 crore

Section 70B: Penalty raised from Rs 1 lakh to Rs 1 crore

Section 72: Penalty increased to Rs 5 lakhs, Imprisonment term removed

Section 72A: Penalty increased to Rs 25 lakhs, Imprisonment removed

Naavi


11th August shall be the Data Protection Day of India

At FDPPI, the Foundation of Data Protection Day of India, it is proposed to recognize August 11 as the Data Protection Day of India.

This will supplement 17th October which is the Digital Society Day of India.

Naavi


DPDPA 2023: Presidential Assent

It is observed that on 11th August 2023, Presidential Assent was given to the DPDPA 2023, which has now become a full-fledged Act.

The Gazette Version of the Act is available here:

Naavi

New IPC, CrPC and IEA to come

In what could be considered a major overhaul of the Indian legal system, the Government has released draft revised bills to replace the IPC, CrPC and IEA.

The new versions will be as follows:

Indian Penal Code: The Bharatiya Nyaya Sanhita 2023

Criminal Procedure Code: Bharatiya Nagarik Suraksha Sanhita, 2023

Indian Evidence Act: The Bharatiya Sakshya Bill 2023

We were getting ready for the new DPDP 2023 along with the Digital India Act and the Telecom Bill. Now it would be a huge challenge to the legal industry as well as the Judiciary to adapt to the new laws.

Probably the senior judges would say… Oh… we cannot go back to colleges once again… Opposition may say this is a conspiracy to weaken our judiciary.

Naavi.org however is happy at the initiative. The archaic British-time laws needed change. At present we have not studied the changes, and in the tsunami of things that we need to address because of DPDPA 2023, it could take some time for us to start studying these laws.

It is however exciting times ahead, as the young lawyers will feel they are now ready to compete with the senior lawyers in terms of knowledge. The precedent-based jurisprudence may find an end, and lawyers and judges need to scratch their brains to find solutions to disputes.

Naavi
