Comments on DPDPA Rules-2: Do we require a notification for Section 44?

The DPDPA Rules contain two sets of rules: one set applicable immediately on publication, and another set for which separate dates will be notified.

The rules that will become immediately applicable, namely Rules 1, 2 and 16 to 20, are related to

  1. Short title and commencement and Definitions
  2. Establishment and functioning of the Data Protection Board

The other rules are related to the obligations.

There is, however, a lack of clarity on when Section 44 of DPDPA 2023 will be considered effective.

Section 44 is the section which addresses the amendments to ITA 2000 and RTI Act. This determines when the obligations under Section 43A of ITA 2000 will extinguish and penalties under Section 33 of DPDPA 2023 kick in.

Since there is no rule associated with either Section 33 or Section 44 of DPDPA 2023 in the present set of rules, we need to await the next notification for this purpose, probably within the two-year limit which the Minister has indicated in his interview.

FDPPI had presented a set of comments on 5th August 2024 based on the first draft of the rules then available in which we had made the comment that this should be made effective after one year.

It is considered necessary that a separate rule or a notification should specify when Section 44 of the DPDPA 2023 becomes effective and it has to be synchronized with the notification of Section 33 of DPDPA 2023 on penalties.

For this purpose, either a separate Rule 23 could be added to the rules, or one more sub-clause could be added to Rule 1, stating:

4. The sections 33 and 44 of DPDPA 2023 shall come into force with effect from ………………..

If a separate Rule 23 is added, it can also define the current and future role of the Adjudicator of ITA 2000 including a mention that the Adjudicator of ITA 2000 shall continue to be the authority to which a data principal affected by a personal data breach can apply for compensation under Section 43 of ITA 2000.

Naavi

    Posted in Cyber Law | Leave a comment

Data Localization is still under Consideration

Honourable Minister of IT Sri Ashwin Vaishnaw has indicated that the Government may create a Central body which works with other ministries and sectoral regulators to effectively implement local storage of data without causing any disruption to the industry. The Committee will collate requests from other ministries and sectoral regulators and come up with its recommendations.

The committee is expected to indicate data export restrictions related to sensitive data and/or by significant data fiduciaries, based on the assessment of its impact on the sovereignty and integrity of India, electoral democracy, security, and public order.

A report in the Indian Express suggests that the Government is looking at a two-year timeline for full implementation. This however may be restricted to some specific provisions of the Act, and many of the provisions may be implemented earlier.

Naavi


The DPDPA Draft Rules for Public Comments-1

The much-awaited draft rules on DPDPA for public comments were finally published on January 3, 2025, in the form of a Gazette Notification.

The set of rules follows the pattern that was discussed earlier at FDPPI as Version-1, with some important modifications such as the dropping of the model consent form and of the definitions.

The awareness level of DPDPA and the rules is so high at present in professional circles that a lot of discussions have already started on the rules in the discussion groups. Naavi.org will continue to provide its comments as we go along.

One of the noticeable rules is Rule 22, accompanied by the Seventh Schedule.

This rule invokes the power under Section 36 of DPDPA 2023 and states:

22. Calling for information from Data Fiduciary or intermediary.—

(1) The Central Government may, for such purposes of the Act as are specified in Seventh Schedule, acting through the corresponding authorised person specified in the said Schedule, require any Data Fiduciary or intermediary to furnish such information as may be called for, specify the time period within which the same shall be furnished and, where disclosure in this regard is likely to prejudicially affect the sovereignty and integrity of India or security of the State, require the Data Fiduciary or intermediary to not disclose the same except with the previous permission in writing of the authorised person.

(2) Provision of information called for under this rule shall be by way of fulfilment of obligation under section 36 of the Act.

Under this rule, different officials are proposed to be designated to guide the industry in respect of “Exemptions” and the applicability of the Act.

Accordingly, an official will be notified to authorize the use of personal data by the State or any of its instrumentalities in the interest of the sovereignty and integrity of India or the security of the State.

Additionally, if any official has already been authorized under any other applicable law (e.g. CERT-In) for the purpose of performing any function under that law or for the disclosure of information, such official will also be the authorized person under this Act.

Another interesting observation is that the Government proposes to designate an officer from MeitY as the person to carry out the assessment for notifying any Data Fiduciary or class of Data Fiduciaries as a Significant Data Fiduciary.

This will be a very important role, since it defines the applicability of the Act to a large section of the industry. It is possible that a notification may follow on any “Class” of data fiduciaries that will be considered Significant Data Fiduciaries automatically.

DGPSI has covered this requirement by requiring that a data fiduciary develop a self-status-determination document, which will be assessed by the auditor. This requires the data classification to include a “Sensitivity Score” on which the auditor may provide his view.

While we may wait for further notifications from this officer, organizations need to make their own assessment of the sensitivity of the data they process and self-determine their status as a Significant Data Fiduciary, as proposed by the DGPSI framework.

Naavi

Comments to continue…


Draft Rules for DPDPA Released

The Government has released the draft DPDPA Rules for public consultation. The public can submit feedback on the mygov.in website till 18th February 2025.

The notification is available at https://naavi.org/uploads_wp/2025/dpdpa_draft_rules_english_.pdf

Naavi


Say No to dogmas and say Yes to DGPSI

The new year resolution that FDPPI is pursuing for 2025 is to further promote the urgency of DPDPA compliance during the year.

Towards this direction, FDPPI continues to

a) Build Awareness

b) Build Expertise

c) Provide the framework for compliance

d) Collaborate with PET developers

Currently there are lots of activities by different individuals and organizations about creating awareness of DPDPA. We welcome all these initiatives, though there could be some differences of views on some aspects of the law here and there. Essentially, the differences may come because other professionals may still be under the influence of the GDPR, while we try to have an independent jurisprudential view on different aspects of the law.

Whether it is the definition of what is “Personal Data”, how to identify the “Significant Data Fiduciary”, how to work on the rights of Grievance Redressal and Nomination, or Data Monetization, FDPPI may have a slightly different view than some of the other professionals.

However, FDPPI welcomes the efforts of all community leaders in making “Data Privacy” a buzzword in the industry.

FDPPI now focusses on the next generation of work, which is the enabling of implementation through the suggested DGPSI framework, which can be used for implementation as well as third-party audit and certification.

When a new thought like DGPSI comes to the market, there will be many who will continue to stick by the old practices… and say “You should have done what others have done for years”.

It is time to leave such advisors to the past and move ahead with DGPSI. The Birla Opus paint advertisement provides a similar message, which describes exactly the sentiments I echo on DGPSI vs other frameworks.

DGPSI is an implementation framework that focusses on compliance with DPDPA. It has some revolutionary thoughts related to data classification, process-based compliance, distributed responsibility, data monetization etc. In the past few months we are already seeing some of the practitioners of other frameworks shifting their stand and saying this is also our view and can be implemented in the current framework as well. I welcome such softening of the stand on DGPSI and look forward to them adopting DGPSI as a whole or incorporating its principles within the other frameworks they would like to stand by.

We intend discussing this concept of DGPSI as a framework for DPDPA compliance in depth during the three-day workshop at Mumbai on January 24, 25 and 26.

Contact today to register yourself. This could be a turning point in the career of all ISMS auditors who would like to become DPDPA Auditors.

Say No to dogmas and Yes to the new generation framework of DGPSI.

Naavi


DPDPA Dilemma

DPDPA is a law, and compliance with any legal provision is by nature an area of uncertainty. There will be different interpretations of the law. The user's perspective of the law is always in his favour, and Consumer Courts are often biased in favour of interpreting the law in favour of the data principals. Hence, if a technology process is cleverly using personal data to generate insights that deliver targeted advertising, the consumer may feel it is a “Dark Pattern Practice”, while from the technology or business perspective the same usage could be more permissible.

If the same instance is referred to a High Court, there may be an interpretation more in favour of the business. However, understanding the technology could still be a challenge, and depending on the seniority of the advocate and his ability to aggressively present his point of view, one counsel may score over the other in convincing the judge that his view alone is correct.

In such circumstances, it is a challenge for the corporate management to take a view one way or the other. This is the interpretational challenge that every Data Fiduciary has to successfully negotiate.

Even if we look at the basic requirement of “Discovery” and “Classification” of data as “Personal Data to which DPDPA is applicable” (Protected Personal Information), whether there needs to be a classificational difference between personal data that is business contact data and personal data that is transactional data, or between data coming under GDPR, DPDPA or both, is always a difficult decision to make.

Each one of us as a Data Protection Professional may have our own view on this dilemma. It is not certain that a Judge in a Court will agree with our view.

Living with this DPDPA dilemma is therefore the toughest task for a professional. Often, within the organization itself, there will be a challenge in convincing the CEO that your view is the correct view.

This is the dilemma which DGPSI as a framework is trying to resolve through an elaborate PPI Classification Matrix.

The DGPSI PPI Classification Matrix is oriented to DPDPA as an Act and tries to tag the data with reference to the specific section to which it relates. At first glance this may look too elaborate, but it simplifies compliance at the next level.

Time will tell whether this type of DPDPA-based classification can be incorporated into the automated data classification tools that are being built for DPDPA compliance. Since the classification logic has to be different for DPDPA as compared to, say, GDPR, the data has to be first classified in accordance with the applicable law and then classified as PPI under DPDPA or not. Until the software tools can adopt this two-level classification, the tools need to be used with human supervision to avoid any misclassification.

FDPPI will be discussing this DPDPA Dilemma and how DGPSI tries to resolve it in the special three-day training on C.DPO.DA. which FDPPI will be organizing at Mumbai on January 24/25/26.

Naavi
