Naavi.org

On November 5, a report containing AI Governance guidelines were released by MeitY with the declared objective of developing  a foundational reference for policymakers, researchers, and industry to foster greater national and international cooperation for safe, responsible, and inclusive AI adoption.

The guidelines have been drafted by a high-level committee under the chairmanship of Prof. Balaraman Ravindran, IIT Madras, comprising policy experts including Shri Abhishek Singh, Additional Secretary, MeitY; Ms. Debjani Ghosh, Distinguished Fellow, NITI Aayog; Dr. Kalika Bali, Senior Principal Researcher, Microsoft Research India; Mr. Rahul Matthan, Partner, Trilegal; Mr. Amlan Mohanty, Non-Resident Fellow, NITI Aayog; Mr. Sharad Sharma, Co-founder, iSPIRT Foundation; Ms. Kavita Bhatia, Scientist ‘G’ & GC, MeitY & COO IndiaAI Mission; Mr. Abhishek Aggarwal, Scientist D, MeitY & Mr. Avinash Agarwal, DDG (IR), DoT, Ms. Shreeppriya Gopalakrishnan, DGM, IndiaAI.

The Guideline will be analysed by the FDPPI’s AI Chair and its comments will be provided here.

In September this year, FDPPI released DGPSI-AI as a framework for DPDPA Compliance which covered the recommended industry approach to DPDPA Compliance where AI is used by a Data Fiduciary.  This framework which is an extension of the DGPSI framework also covers the requirements of  AI Developers and  Agentic AI  users.

It would be interesting to look at this framework in the light of the guidelines now released.

Watch out for more articles on the guidelines….

Copy of the report can be accessed here:

When the DPDPA Rules are notified, it is expected that different industry segments will have different concerns. Some of these concerns will be in interpretations of the  Rules. Some may indicate conflicts with sectoral regulations and some may even require representations to be made to DPB or MeitY for clarification or modification.

In order to assist the ecosystem, FDPPI is setting up a Special Interest Group of industry experts selected from FDPPI’s trained  and certified DPOs who will continuously monitor the developments and  share their views on a periodical basis in the form of advisories to the industry or otherwise. Where necessary, they will also be in touch with the MeitY and DPB to seek clarifications.

We are presently in the process of  setting up the SIG.

Naavi

“The AI can be good, bad, ugly and Bizarre” says the anchor. What  more you can say for the Albanian  Prime Minister who first created an “AI Minister” named Diella and now is creating 83 babies who are AI Assistants, one for each of the party members in the country’s parliament.  Soon he may replace all his ministers with AI agents and perhaps create a Digital Twin of himself and anoint him as Deputy PM to take over after his death.

The decision is stranger since Diella is herself a “Virtual Chat Bot” and not even a Humanoid robot. Some time later the PM Edi Rama may here of “Parakaya Pravesha” and create a Humanoid Robot in which Diella’s program can be imported. Then she will have a body also.

If we also consider that Saudi Arabia did not hesitate to grant Citizenship to Sophia which also may be emulated by Edi Rama to cross the legal barrier which we understands requires Parliament members in Albania to be  citizens.

The Private Sector is not far behind in this craze and the Columbian MNC named Dictador which has appointed an autonomous AI agent MIKA

Some may dismiss this as jokes to be ignored but to me it is indicative of a malaise that will kill the world as we know today. Of Course, our culture teaches us to think that this was part of the destiny and the next Kalki may actually be an AI agent and an autonomous ruler of the world.

It is simultaneously noticed that Quantum physicists have already identified a pattern development  in the Chaotic quantum chip state which is indicative of development of early signs of general intelligence in the AI.

Once these thoughts combine together and Mr Edi Rama decides to transform himself into a Cyborg by placing a chip inside his brain to link to an AI Agent, we will have the first Global AI leader who can take over the world.

The best we can do is to pray that this should not happen too quickly for all of us to absorb.

Naavi

A passionate tech innovator from Bengaluru has just published a smart and powerful AI-driven tool called “LexiGuard”  to be your valuable assistant for Governance, Risk and Compliance.

The tool developed by Sri Vinod Sreedharan  functions as an expert GRC Co-pilot specialized in instantly analyzing complex regulatory scenarios and providing structured, actionable, and multi-jurisdictional guidance.

It’s  core knowledge base prioritizes critical global and Indian regulations, including the DPDPA 2023, GDPR and the DGPSI Framework with a  mandate is to deliver intelligence that enables organizations to efficiently manage legal obligations and operational risks.

LexiGuard is designed to streamline your GRC workflow by translating complex legal text into business and technical action, offering the following key benefits.

Converting intricate legal provisions into credible interpretations for use in business,  is a challenge which LexiGuard has boldly taken on. I would like visitors to checkout and test the tool and let me know the feedback.

Remember this is an AI tool meant for your personal knowledge. It is not to be used to provide any advise to others. If required, contact Mr Vinod Sreedharan for copyright clearance.

The link to access the tool is here

Naavi

While we are awaiting the release of DPDPA Rules, Ministry is busy in releasing rules under PROGA 2025, Amendment to Intermediary Guidelines for Synthetic Content and the Telecom Regulations Act 2023.  All these three have impact on DPDPA and will have multiple authorities to which Chairman and Members are to be appointed.

We can obviously guess that the matrix of who will be the Chairman of DPB, Who will be the Chairman of Online Gaming Authority, Who will head the Grievance Appellate Committee under Intermediary Guidelines is too complicated for the MeitY to finalize within the 10 days time Mr Ashwini Vaishnaw had set ending September 28, 2025.

Public comments are open on the PROGA rules till 31st October, Intermediary Guidelines  upto November 6 . The telecom rules have  already been finalized on 22nd October 2025.

Understanding the interplay of all these rules against the proposed final rules under DPDPA is a nightmare for DPOs.

As a prelude to the C.DPO.DA. Certification program which FDPPI is conducting in Mumbai on Nov 1 and 2, a preliminary discussion on these rules is being organized as a Linkedin-live session on 27th October 2025 at 7.00 pm.

You may obtain the joining  link here:

Please register and contribute to the knowledge base. We shall take a more detailed discussion on the DPO responsibilities in the certification program on Nov 1 and 2. In view of these new developments, we will continue to receive registrations for the program for a few more days. (Registration Link)

Consolidated  Intermediary Guidelines after the proposed amendments (Comments open till Nov 6, 2025)

PROGA Rules for Comments (Comments open till October 31, 2025)

Telecom Act Rules  (amendments) (Effective from October 22,2025)

Updated Telecom Rules of 2024 with markings of amendments in blue

Naavi

Following the publication of the draft rules under Section 56 of the Telecommunications Act 2023, on 25th June 2025 and after obtaining public comments, the Ministry of telecommunications has issued the final rule on 22nd October 2025 called ” Telecommunications (Telecom Cyber Security) amendment Rules 2025 which have come into force from October 22nd, 2025.

Most of the provisions of the Telecommunications Act were directed towards licensed Telecommunication companies  (also refer here for details of the Act) . However some parts of the Act applied to OTT platforms and Messaging Platforms.

The Tele Communications Act 2023 which was passed by the Parliament in December 2023 and received presidential assent on December 24, 2023. Some sections of the Act were notified for effect on 26 th June 2024 and More on July 5th 2024.

The compendium rules notified till date are

Now this Notification GSR 771(E) dated 22nd October 2025 which is called Telecommunications (Telecom Cyber Security) Amendment Rules, 2025 brings in further important changes that could impact both ITA 2000 and DPDPA applicability to some entities.

This latest notification should be read with the earlier notification of 21st November 2024.

The rules defines a new entity named TIUE which will be an intermediary under ITA 2000 and Data Fiduciary under DPDPA. It is defined as

“TIUE (telecommunication identifier user entity)‖ means a person, other than a licensee or authorised entity, which uses telecommunication identifiers for the identification of its customers or users, or for provisioning, or delivery of services‘”

Since most services use Mobile Number as an “Identity” parameter,, all such entities would be considered TIUEs. Such entities are already covered under the concept of “Due Diligence” in the Intermediary Guidelines of ITA 2000 or Obligations of Consent under DPDPA, the new rule under Telecommunications act adds another  procedural check point for compliance and hence comes under DGPSI-Full version.

As per the amendments, Government will have powers to “seek data related to telecommunication identifiers used by a TIUE in the form and manner as specified on the portal; “. This will be an add on to Section 69B of ITA 2000.

Government can also direct such TIUEs “to establish necessary infrastructure and equipment for collection and provision of such data from designated points to enable its processing and storage”

The rule “Every telecommunication entity shall ensure compliance with the directions and standards, including timelines for their implementation, as may be issued by the Central Government for the prevention of misuse of telecommunication identifiers or telecommunication equipment or telecommunication network or telecommunication services for ensuring telecom cyber security” will now apply to TIUEs also.

Rule 5(6) which now states “Where the Central Government considers that immediate action under sub-rule (5) is necessary or expedient in the public interest, it shall without issuing a notice under sub-rule (2), pass an order recording the reasons thereof, with appropriate directions to the telecommunication entity to temporarily suspend use of the relevant telecommunication identifier.”

will be replaced by

―(6) Where the Central Government considers that immediate action under sub-rule (5) is necessary or expedient in the public interest, it shall without issuing a notice under sub-rule (2), pass an order recording the reasons thereof, with appropriate direction—

(a) to the telecommunication entity to temporarily suspend use of the relevant telecommunication identifier; and
(b) to the TIUE to temporarily suspend use of the relevant telecommunication identifier for identification of or for delivery of message or services to its customers or users.‖;

In rule number (8) following clause will be substituted for the existing clause

―Provided that any modification of the order under sub-rule (6) may also include an order directing:
(a) the telecommunication entity to permanently disconnect the use of the relevant
telecommunication identifier as specified under clause (b) of sub-rule (5); and

(b) the TIUE to prohibit or circumscribe the use of relevant telecommunication identifiers for identification of its customers or users, or for delivery of message or services, in the manner as may be specified in such order to enable the reuse of relevant telecommunication identifiers.

This will be  an extension to the powers 69A of ITA 2000.

The rule “The Central Government may, if it considers necessary, or pursuant to any request made by any person providing services that are linked to telecommunication identifiers, share the list of telecommunication identifiers that have been acted upon pursuant to orders under sub-rule (5), or sub-rule (6), or sub-rule (8), or sub-rule (9), with such persons and, by order, direct such persons to also prohibit or circumscribe the use of such telecommunication identifiers for identification of their customers or for delivery of services, in the manner as may be specified in such order.” will now apply to TIUEs

The Government  is also setting up a platform called “MNV Platform” for Mobile number validation to which all authorized entities and licensees need to participate.

An IMEI data base is also mandated to be maintained by all entities engaged in the sale and purchase of telecom equipment.

The MNV will be a “Significant Data Fiduciary” under DPDPA.

A summary of compliance requirements collated by one of the members of FDPPI are as follows:

Security Flag and Suspension Mechanism:

If the government flags a phone number for security reasons, both licensed telecom operators and TIUEs can be ordered to suspend the number’s use, potentially cutting off a user across multiple platforms simultaneously.

Emergency Action Without Prior Notice:

Authorities may act without prior notice in the interest of public safety or security, provided reasons are recorded .

IMEI Verification for Used Mobile Devices:

Buyers and sellers of used mobile phones must verify device IMEIs against a government database.

The database will list tampered, stolen, blacklisted, or fraud-linked devices.

Sale or purchase of blacklisted IMEIs is prohibited.

Device manufacturers cannot reuse existing IMEIs for new or imported devices.

Implementation Modalities Pending:

Financial, procedural, and data submission details (including any fees or portal-based compliance processes) will be defined through a dedicated online portal, which is yet to be launched.

Key Takeaway

The continued inclusion of potential compliance obligations for TIUEs sets a concerning precedent. By linking user verification and suspension powers to phone-number-based identification, the rules effectively extend the telecom cybersecurity framework to digital platforms and internet-based businesses — including those in fintech, e-commerce, OTT, edtech, mobility, logistics etc.

This development raises important questions regarding proportionality, scope, and operational impact for non-licensed entities that rely on mobile numbers for user authentication.

…More  to follow

Naavi

(Join a virtual discussion on 27th October 2025 at Linkedin  Events.)