Orissa High Court upholds objection on APAAR ID Consent form

The Orissa High Court was confronted with an interesting petition from a parent who refused to give consent to his child's school, which wanted to create an APAAR ID. The ID is a unique identifier designed to provide a lifelong 12-digit digital identity that stores a student's academic accomplishments. It is meant to be used for specific purposes that benefit the data subject, chiefly by making the ID available to other institutions for educational services. It is not expected to be used for marketing or other purposes prohibited under DPDPA 2023.

However, the petitioner invoked the Justice Puttaswamy judgement and there seems to have been no discussion of the DPDPA provisions. The school contended that there is a provision to withdraw consent at any time. The petitioner contended that “withdrawal of consent” arises only after consent has been provided and is different from the “option not to give consent”.

The Court has agreed with this contention and suggested alteration of the consent form.

Judgement copy available here

The issues that should have been debated here are whether the school can segregate the APAAR ID related services from the others and provide a purpose-specific privacy notice, so that the data subject understands the likely consequences of not registering for the APAAR ID. Some services should be exclusively linked to holders of an APAAR ID; then such objections would not arise.

By refusing the registration, many of the services of the department of education may become difficult to avail at a later date.

Naavi

Posted in Privacy

European Business Wallet Proposal… takes cue from India

On November 19, 2025, a major EU proposal was made to simplify EU regulations in many areas. It proposes 15 amendments to the GDPR, which we are taking note of separately. Additionally, it makes changes to the Data Act, a very recent regulation, as well as to the Artificial Intelligence Act. It appears that the EU has realized that its current approach of very strict regulation does not sit well with the approach of the USA and India, which give businesses more freedom to promote innovation. Perhaps this is a timely move to keep the EU from becoming a technologically archaic society.

One of the measures that we need to take note of is the Business Wallet proposal, along with the published “Digital Rule Book”. The objectives of these changes are captured in this “Press Release”.

This proposal is expected to provide European companies and public sector bodies with a unified digital tool, enabling them to digitalise operations and interactions that in many cases currently still need to be done in person. Businesses will be able to digitally sign, timestamp and seal documents; securely create, store and exchange verified documents; and communicate securely with other businesses or public administrations in their own and the other 26 Member States.

One of the simplification measures is to develop a unified platform for data exchange, so that there would be a “Single Digital Gateway” requiring authorities to re-use data already held in another Member State without repeated submissions by businesses. The Indian approach of “Centralized eKYC”, “Account Aggregator” and “Consent Manager”, as well as the UPI system and “Digital Locker”, follows similar principles, and it appears the EU wants to follow India in these innovative measures and perhaps improve upon them.

While we can feel proud that Indian initiatives have been validated and followed by the EU, we can also look for improvements that we may adopt ourselves and use to amend our established systems, including the Consent Manager system under DPDPA 2023. RBI and MeitY may closely monitor the developments.

Naavi.org will also monitor the proposals and try to identify lessons for India.

Some of these discussions could commence in our C.DPO.DA. program of December 20/21. If you have not yet joined the program, check here for registration.

Naavi


FDPPI Eco-system of Data Protection Professionals

To all those who are associated with FDPPI as Members or as Registrants for any paid services

Dear Friends

It is the desire of FDPPI/Naavi that all those who have been associated with FDPPI during the 7 years of its existence should consider themselves to be forming an eco-system to drive a DPDPA compliance culture in the country.

We have all entered a new era of DPDPA implementation, and hence all those who are now preparing themselves to be DPOs and Data Auditors are considered the “NextGen DPOs” and “NextGen Data Auditors”, for whom DPDPA implementation is a certainty from 13th May 2027.

We ideally want all our members and associates to be actually “Certified” for C.DPO.DA. But we are aware that this may not be practical. Hence we want them to at least carry a participation certificate for our latest training program, even if they want to avoid the challenge of passing the examination. We are therefore trying to provide a free upgrade of knowledge to all our previously certified professionals, and to those who have paid and registered in the National Register of Data Protection Professionals, by giving them an opportunity to attend our next Virtual program on request. Every such complimentary pass is worth Rs 25000/-, which we are donating to the creation of this NextGen data protection professional community.

I hope some will make use of this opportunity.

I wish that all these persons will represent the future of DPDPA compliance in India. Some of them may look at generating revenue and building their career, and some may continue their pro-bono work as “Privacy Mitras”.

Naavi/FDPPI, however, want the country to be full of empowered and knowledgeable Data Protection Professionals, so that we stand out as one country which transforms itself into a DPDPA compliant society in the next decade.

Let us therefore look forward to the emergence of this new eco-system.

Reference: Also see here

Naavi


DGPSI: Made in India Framework now for GDPR Compliance also

An Indian DPO often works in an environment where the organization handles personal data coming under the jurisdiction of DPDPA as well as personal data coming under GDPR.

DGPSI recommends that data is classified with a “Jurisdiction Tag”, so that data to which DPDPA is applicable is separated from data to which GDPR (or any other country’s law) is applicable.

Once this segregation is done, we will have different data buckets, one for each jurisdiction, making the application of controls easy.

While compliance for DPDPA is recommended to be built under the DGPSI-Full (with DGPSI-AI) or DGPSI-Lite frameworks, the bucket of GDPR data needs to be covered only under GDPR. Currently one framework option for this purpose is ISO 27701:2025.

However, DGPSI, which is basically a principle-based framework, is itself capable of being extended to meet the compliance requirements under GDPR.

To help professionals be GDPR compliant along with DPDPA compliance, DGPSI has now been expanded into DGPSI-GDPR. It is still a 50-specification framework and also includes some AI aspects. Some of the specifications in the current version have been combined to keep the specification count at 50.

This DGPSI-GDPR therefore becomes a “Made in India for the EU” framework, under which we recommend Indian companies get certified by DGPSI auditors along with DTS maturity assessments.

The framework is being refined and will soon become a DPDPA-GDPR combo offer for implementation by companies who are Data Fiduciaries under DPDPA and Data Controllers/Data Processors under GDPR. The first version of this framework will be discussed in the forthcoming C.DPO.DA. Certification program (Virtual) on December 20/21.

(P.S.: The program will also discuss the Digital Omnibus Proposal of November 19 and the proposed GDPR Amendments.)

Interested persons may rush to register themselves as soon as possible. (The early bird discount expires today.)

Check here for Registration


Change is continuous.. Be an Enriched and Elite Certified DPO…

When we last conducted a C.DPO.DA. program on November 1 and 2 at Mumbai, we called it an “Elite DPO” program because we had added DGPSI-AI to a curriculum that otherwise included the basic DPDPA law and implementation challenges, along with the implementation frameworks of DGPSI-Full and DGPSI-Lite. We also briefly added the ISO 27701:2025 version to update the “Elite” curriculum.

Before the examination for the candidates was due, the DPDPA Rules came into force on November 13. We conducted a supplementary session and included it in the examination that followed.

Now, on November 19, the EU has brought in several changes to GDPR through the Digital Omnibus proposal, which becomes relevant to DPOs who are also handling GDPR data in their organizations in India.

We have therefore decided that in the December 20-21 program we shall “Enrich” the “Elite” curriculum with:

a) Digital Omnibus GDPR modifications
b) A brief coverage of DGPSI-GDPR as a framework

This will be in addition to the:

1. Legal nuances of DPDPA 2023 and the DPDPA Rules
2. Implementation challenges for DPDPA, including Classification, ROPA, Governance Structure, DPIA, etc.
3. Role of the DPO and Data Auditor
4. DGPSI as a tool for compliance implementation and audit

We anticipate a shortage of time within the 12 hours allocated. We may therefore need to supplement the 12 hours of interaction with additional study material in the form of videos.

We hope participants will see the value of this enrichment, which only FDPPI can give.

The “Enriched, Elite C.DPO.DA program” comes at a price of Rs 25000/- till tomorrow EOD. Thereafter the price would be Rs 29500/- including GST.

It is your right to choose to miss out on this special program…

Register today here

Naavi


Amendments to GDPR

On 19th November 2025, the EU proposed some amendments to GDPR through the “Digital Omnibus Regulation” package, which could become effective later in the year after the necessary approval formalities.

The Digital Omnibus package includes the Data Act, which introduces a unified framework for data regulations. It merges and streamlines certain rules for enabling the free flow of non-personal data.

The following proposals are meant to amend GDPR; they address simplification of compliance for smaller businesses and clarify the position on AI development.

1. Redefining “Personal Data”

The Package proposes two amendments to clarify the concept of “personal data” under the GDPR (references to the “Amended GDPR” relate to the GDPR as it would be amended under the proposals set out in the Package).

  • Definition of “personal data” (Art.4(1) Amended GDPR) – The definition of “personal data” under the Amended GDPR would be amended, effectively codifying the recent decision of the CJEU (Court of Justice of the EU).
    • The revised definition would clarify that information is not personal data for a given entity if that entity cannot identify the natural person to whom the information relates, taking into account “the means reasonably likely to be used” to achieve identification.
  • Pseudonymisation (new Art.41a Amended GDPR) – The Package also introduces the possibility that pseudonymised data may, in certain circumstances, no longer be considered personal data for certain entities.
    • The details of such circumstances would be specified through implementing acts adopted by the Commission.

2. Artificial Intelligence

Two additional proposals in the Amended GDPR address the processing of personal data when developing and deploying AI systems and models.

  • Processing for AI development (new Art.88c Amended GDPR) –
    • The Package includes a new provision to clarify that controllers can rely on legitimate interests under Art. 6(1)(f) Amended GDPR to process personal data for the development and operation of an AI system.
      • Such reliance would remain subject to the usual balancing test for legitimate interests, appropriate safeguards, and any EU or Member State laws that expressly require consent for the relevant processing.
  • Special category personal data (“SCD”) and AI systems (Art.9(2) & new Art.9(5) Amended GDPR)
    • The proposed amendments would allow residual processing of SCD in the context of developing and deploying AI systems and models, provided that the controller “effectively protect[s] without undue delay such data from being used to produce outputs, from being disclosed or otherwise made available to third parties”.
      • The proposed addition of Art.9(5) in the Amended GDPR also makes clear that, as a general rule, SCD should not be used for the development or operation of AI systems.

3. Key Operational Amendments

The Package also proposes to revise several practical data protection obligations, including data subject access requests (“DSARs“), personal data breach notifications, and data protection impact assessments (“DPIAs“).

  • (a) DSARs (Art.12(5) Amended GDPR) –
    • The proposed amendment introduces a new ground for refusing (or charging a reasonable fee for responding to) a DSAR where “the data subject abuses the rights conferred by [the Amended GDPR] for purposes other than the protection of their data” (emphasis added).
      • The scope of this exemption remains uncertain, including whether it could assist organisations in responding to a DSAR submitted in litigation, where the purpose of the DSAR appears to be to obtain information for use in that litigation.
  • (b) Personal data breach notifications (Art.33 Amended GDPR) –
    • The proposed amendment would:
      • (i) raise the threshold for notifying data protection supervisory authorities (“SAs“) regarding personal data breaches, aligning the threshold in the Amended GDPR with the threshold for notifying data subjects (i.e., only where a breach “is likely to result in a high risk to the rights and freedoms of natural persons”);
      • (ii) extend the deadline for notifying SAs from 72 to 96 hours; and
      • (iii) introduce a single-entry point for incident reporting (once established), which would also act as the single-entry point for various other related notifications (e.g., under NIS2 / DORA).
      • In addition, the European Data Protection Board (“EDPB“) would be mandated to prepare a common notification template and a list of circumstances in which a breach is likely to result in a high risk to an individual’s rights and freedoms, with both instruments subject to review at least every three years and updates where necessary.
  • (c) DPIAs (Art.35 Amended GDPR) –
    • The proposed amendment would harmonise DPIA requirements across the EU through EU-wide guidance.
      • Under this approach, the EDPB would compile unified lists of processing activities that do or do not require a DPIA, and create a standard DPIA template and methodology.
      • Once approved by the Commission, these EU-wide lists would supersede national lists, ensuring that organisations face the same DPIA triggers across all Member States. Any national lists already published by SAs would continue to apply until the Commission adopts the relevant implementing act.
  • (d) ROPA exemption for SMCs (Small midcap companies*) and SMEs –
    • The omnibus package extends the exemption under Article 30(5) to SMCs and SMEs (fewer than 250 employees), so that the record-keeping obligation applies only to “high risk” processing such as AI profiling or biometrics, and removes disqualifiers such as occasional processing or special category data (except employment-related data under Article 9(2)(b)).

(* SMCs are defined as enterprises with fewer than 750 employees, a total balance sheet not exceeding EUR 129 million and an annual net turnover not exceeding EUR 150 million. SMEs are currently defined as enterprises with under 250 employees, combined with an annual turnover of up to EUR 50 million or a balance sheet total of up to EUR 43 million.)

  • (e) Cookie Banners and ePrivacy –
    • The package integrates ePrivacy rules into GDPR and enables one-click accept/refuse for cookies, with choices respected for 6 months.

It is observed from the suggested changes that the EU authorities are correcting some of the stringent provisions in the earlier version.

In the DGPSI-GDPR version of the framework being developed by FDPPI, these changes will be incorporated even though they become legally effective only after the necessary clearances.

The change to the definition of Personal Data, excluding data which cannot be reliably identified with a natural person, reflects the principle already adopted under DGPSI, where only a “set of data elements” which together identify an individual is considered “Personal Data”, and not otherwise. The exclusion of “Pseudonymised Data” from the definition aligns with the definition of “Anonymisation”, where the user of the data cannot identify the individual.

The changes to the DSAR are similar to the RTI regulation in India, where the right to information is denied when it is requested in support of an intended litigation.

Naavi

Reference:

Proposed Amendments to GDPR

All amendments:

Digital Omnibus Proposal

Annexes
