Naavi.org

The Foundation of Data Protection Professionals in India (FDPPI) proposes to establish FDPPI Study Centres across different cities in India as part of its capacity-building and community-development initiatives in the field of data protection, privacy, and digital governance.

These Study Centres will be managed and coordinated by Associate Faculty of FDPPI and will function as local knowledge hubs to promote continuous professional learning and engagement.

Objectives of FDPPI Study Centres

• • To create a structured platform for regular interaction among data protection professionals, auditors, compliance officers, legal experts, and technology practitioners.

  • To conduct periodic training programs, workshops, and certification-oriented sessions aligned with FDPPI’s professional development framework.

  • To facilitate knowledge discussions, case-study reviews, regulatory updates, and best-practice sharing on emerging developments such as DPDPA implementation, DGPSI frameworks, and global privacy trends.

  • To encourage local networking and professional community building, thereby strengthening FDPPI’s national outreach and grassroots presence.

  • To support talent development and mentoring for aspiring DPOs, Data Auditors, and governance professionals.

Each Study Centre will meet at regular intervals (monthly / bi-monthly as decided locally) and may organize public awareness programs, industry roundtables, and collaborative initiatives with academic institutions and industry bodies.

Through this initiative, FDPPI aims to build a vibrant nationwide ecosystem of data protection excellence, enabling continuous learning, professional growth, and practical implementation support.

Each Study Center will require at least one Empanelled Associate Faculty Member as the “Coordinator”. This will be an independent individual initiative working in association with the Chapters.

Associate Faculty Members will be  empanelled to independently conduct certification training programs preparing individuals to take the online examinations of FDPPI.

Persons interested in managing such centres are requested to contact FDPPI/Naavi

We had already discussed the petitions of Venkatesh Nayak and Reporter’s Collective related to the DPDPA challenge in Supreme Court in these columns. Now the details of another petition filed by Ms Geeta Seshu has also become available.

Copy of Petition by Geeta Seshu and  Software Freedom Law Center

The prayer in this petition numbered WP(c)275 of 2026 is to  stay the operation of

1. 1. Section 24 read with Rules 17,18 and 21 as well as Fifth and Sixth  Schedules of the DPDPA Rules
   2. Section 17(2)(a) of DPDPA2023
   3. Rule 6
   4. Section 36 read with Rule 23 and Seventh Schedule

and for passing related directions to the Ministries of Law,  IT and Home.

The essential part of the grounds presented are similar to what we have already discussed in the petitions of Venkatesh Nayak and Reporter’s Collective.

Main grounds are

1. 1. Lack of Exemption for Journalistic Purposes
   2. Constitutionality of the Data Processing by the State and the Over Board Powers  to Exempt Instrumentalities of the State
   3. Compensation Vacuum
   4. Lack of Independence  of the DPB
   5. Surveillance

Our Brief Comments are as follows. These are additional to the  comments already presented in our earlier post in which we had listed all the 21 articles related to the earlier petitions along with our suggestions of how the concerns of the petitions could be satisfied .

1. Lack of Exemption for Journalistic Purposes

The “Journalist” of 2026 is no longer the “Fourth Pillar of Democracy” as is often referred to. Most  Media houses today are owned by commercial organizations and most freelancers are funded by international opinion makers who hold their own vested interests. There is a need therefore to “Define” who is a Journalist in the current era of Digital publications, You Tubers and Bloggers.

“Journalism” involves “Reporting of News”. News is a collection of “Facts”.  Predominantly, the content of a news report is “Non Personal Data”.  If any new report has to report a “Fact” that it is a news about an “individual”, then personal data may be involved. However, the “news” is about the occurrence of an event. It need not be “Person Centric”. Over the years, journalism has changed its “News reporting” objective and become “Personality oriented”. The profession needs to correct this approach.

In the news we have facts related to politicians and public figures. This is not to be considered as “Personal Data Protected by DPDPA” since they are the identities in discharge of a public function and its reporting is not barred  by law.

When we discuss that a certain MP said something, the reporting of the name of the MP is not barred  by DPDPA.  If however the journalist  has to report the personal affairs of  an individual because he  thinks it is in public interest, he  has to face the risk of being charged for defamation.

DPDPA only states that there should be a “Legal Basis” for processing of personal data and does  not bar such processing. If the affected individual has a complaint, that has to be addressed by the law as a “Defamation” and the Journalist can defend  the same in public interest. This is an existing law and DPDPA does not curtail such right of a journalist to report any matter which is personal.

The petitioner himself acknowledges that the affected individual (such as the person who claims to have been defamed by the journalist) has no remedy under DPDPA. The petitioner should therefore be happy that DPDPA does not enable the person about whom a reporter files a suspected defamatory report has no remedy under DPDPA. (Remedies if any lie under other laws such as BNS and ITA 2000.)

If we look at the “Journalist” as a “Data Fiduciary”,  the responsibility for publishing “News” lies with a publisher and not a “Reporter”. “Reporter” is an employee or a “Contractual service provider” for the publisher. Only such reporters who run their own blogs and You Tube channels may be considered as “Reporters and Publishers”. In this case, “Publishing” is business and certain risks lie with them as “Intermediaries” under ITA 2000. The individual journalist can be considered only as a part of  the publishing network and if DPB wants to place any penalty, they have the obligation to consider if the penalty is necessary and reasonable. DPDDPA does not say that every reporter who publishes personal information of a member of public should be fined Rs 250 crores.

The decisions of DPB if any are also appeallable to TDSAT and Supreme Court and hence if DPB  does any penalties on a journalist, there is a clear possibility of DPB being questioned if there is any unfair decision. Law can only enable such judicial oversight and cannot speculate whether the DPB members will be honest or corrupt, efficient  or not. The Search Committee has to take the necessary precautions to find the right persons and the members of the search committee are senior bureaucrats who know their responsibility.

It may be interesting for some to take a look at  FDPPI’s recommendations made  to MeitY  on DPDPA Rules (Which was anyway ignored by them).

In this note we had recommended the following for DPB Constitution

DPB Constitution

This rule refers to Section 19 of DPDPA 2023 and the following comments are recommended.

a) The minimum number of members (excluding the chairman) shall be Six and Maximum shall be Twenty.

b) DPB shall commence its operation with the minimum number of members and MeitY shall review the requirement of the DPB once in a year and increase the number of members as required.

c) The Search Committee may function for one year at a time and shall review the functioning of the DPB annually and submit a report to the MeitY before a new Search Committee is set up for the following year.

d) The respective Search Committee shall be responsible for evaluating any complaints received against the Chairman/Members or observations recorded during the monitoring of the activities of the DPB and recommend disqualification if required

e) The Search Committee shall meet each quarter or as often as otherwise required to review the activities of the DPB and recommend corrective action if necessary.

f) The external members of the search committee may be paid remuneration as may be determined by the Ministry for the services rendered including sitting fees for meetings.

g) The external members of the Search Committee shall retire each year and shall not be eligible for re-appointment for a continuous second term.

It may be observed that our suggestion was to make the  Search Committee  itself as an oversight committee. I am not sure if the essence of the  recommendation was really understood by the Meity.  Maybe now they will see reason why Naavi/FDPPI came with such suggestions. Even now we will be happy to assist MeitY to make corrections to the Rules that will satisfy all the petitioners to be satisfied.

In the recent note on the other petitions we have suggested a “Registration of Researchers” who can be the investigative journalists and others and they can use both the legitimate use and exemption facilities available under DPDPA.

Our recommendation in this regard has been as follows

 On Exemption for Journalists

DPDPA has so far not made any specific exemptions for any category of data principals including SMEs, Educational institutions, Charitable Institutions, Religious Institutions, Professions like Advocates, Chartered Accountants or Doctors. All exemptions and Legitimate use is based on purposes. Exemptions are available for Startups  (On notification), Companies for mergers and acquisitions after court approval, Financial institutions after default etc. Further exemptions are also empowered for specific purposes  and an official would be designated for the purpose of granting such exemptions. Those journalists or organizations of journalists who conduct Social Audits or public  interest research may be given specific conditional permissions with obligations of purpose specific use, with data minimization, retention minimization and accountability.

For this purpose a “Register of Approved Journalists for Research” may be created by the Ministry of Information and may include all Social media bloggers as  “Digital Journalists”.

Other aspects of the petition have already been addressed and I will refrain from repeating the same.

Naavi

Naavi and FDPPI are conducting several Certification programs on DPDPA. Naavi’s Cyber Law College has been providing Certification in Cyber Laws (ITA 2000) since October 2000. Subsequently, it started providing HIPAA and GDPR training on apnacourse.com platform.

In the recent years, we have been conducting three programs CDPP-I, CDPP-Module G and C.DPO.DA.

Considering the changes that  have been occurring in the DPDPA space, Naavi/FDPPI have now decided to introduce the the four specific training programs mentioned above.

All programs will be on hybrid  mode with part of the coverage through recorded videos and part by either live virtual interaction or physical interaction.

Details of fees and schedule will be finalized in due course.

The Global Track will cover GDPR compliance both through ISO 27701  and DGPSI-GDPR.

The training programs will be initially conducted by Cyber Law College and later will be rolled out through empanelled independent trainers. FDPPI will introduce online examination modules for each of these modules and provide its Certification.

Individual trainers who are interested in empanelment may contact Naavi/FDPPI through e-mail.

Naavi

Earlier on March 5 we had summarized the discussions on the DPDPA Petitions in the 16 different articles in this blog.  Now we are  adding the following 5 subsequent articles .

The entire set of articles that we have discussed in the last fortnight on the DPDPA Challenge petitions in the Supreme Court are  available here.

I request law students to study these articles and create a document of reference to aid  the Supreme Court in deciding about the petition.

Naavi