Exploring the Concept of Intermediary and Intermediary Regulation in India-2026-2

(This is a continuation of the previous article)

When the Information Technology Act, 2000 came into force on 17 October 2000, the Internet was still in its infancy in India.

The Act introduced the concept of an Intermediary under Section 2(1)(w).

The original definition covered persons who merely received, stored or transmitted electronic records or provided related services.

Typical intermediaries contemplated in 2000 included

    • Internet Service Providers
    • Network Service Providers
    • Web Hosting companies
    • Search Engines
    • Cyber Cafés
    • Telecom infrastructure providers

The intermediary was viewed largely as a technical conduit, not as an active participant in online communication.

Under the original Section 79, intermediaries enjoyed absolute immunity for third-party content as long as they functioned purely as passive network pipelines and had no data-modifying role. The scope of defined intermediaries was narrow, focusing primarily on network and internet service providers.

The intermediary escaped liability only if it could prove that the offence occurred

    • without its knowledge, or
    • despite due diligence.

The burden was therefore on the intermediary.

2008 Amendment

Prompted by systemic gaps and high-profile litigations (such as Avnish Bajaj v. State), Section 79 was completely overhauled. It introduced conditional immunity, establishing that safe harbor depends on the intermediary exercising due diligence and acting immediately to remove content upon receiving “actual knowledge” of an unlawful act.

The new Section 79 declared that an intermediary shall not be liable for third-party information provided it

    • merely provides access,
    • does not initiate transmission,
    • does not select the receiver,
    • does not modify the transmitted information,
    • observes due diligence,
    • complies with Government directions.

The amendment also expanded the statutory definition of intermediary to expressly include entities such as:

    • telecom service providers,
    • network service providers,
    • internet service providers,
    • web-hosting providers,
    • search engines,
    • online payment sites,
    • online auction sites,
    • online marketplaces,
    • cyber cafés.

The philosophy shifted from “liable unless proved innocent” to “immune unless statutory conditions are violated.”

2011 Intermediary Guidelines

The Information Technology (Intermediaries Guidelines) Rules, 2011 were notified under Section 87(2)(zg). They were India’s first comprehensive due diligence rules for intermediaries. They required intermediaries to:

  • publish terms of use,
  • prohibit specified categories of unlawful content,
  • appoint grievance officers,
  • remove unlawful information within prescribed timelines after obtaining actual knowledge,
  • cooperate with Government agencies.

The prohibited-content list included obscenity, defamation, copyright infringement, hate speech, malware and similar categories.

For the first time, the concept of “due diligence” acquired operational meaning.

Shreya Singhal case

The Supreme Court fundamentally reinterpreted “actual knowledge” under Section 79(3)(b). The court ruled that an intermediary is only obligated to take down content upon receiving a court order or a direct government directive, preventing private citizens from forcing platforms to remove content arbitrarily.

Intermediary Rules of 2021

The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 replaced the 2011 rules. The Government explained that the objective was to increase transparency, accountability and user protection while extending the regulatory framework to digital media and OTT platforms.

These rules introduced a tiered system separating standard intermediaries from Significant Social Media Intermediaries (SSMIs).

Key mandates included appointing India-resident compliance officers, monthly compliance reporting, and tracing the “first originator” of automated/encrypted messages.

The intermediary was no longer viewed as merely a passive conduit.

Instead, different categories of intermediaries acquired different compliance obligations.

New concepts introduced included:

    • Social Media Intermediary (SMI)
    • Significant Social Media Intermediary (SSMI)
    • Resident Grievance Officer
    • Chief Compliance Officer
    • Nodal Contact Officer
    • Monthly Compliance Reports
    • Traceability requirements for significant messaging platforms
    • Automated content detection for specified categories
    • Digital Media Code of Ethics

This marked the transition from safe harbour to safe harbour with accountability.

Amendment of 2022

This amendment introduced government-appointed Grievance Appellate Committees (GACs). Users gained a formal state-backed mechanism to appeal an intermediary’s internal content moderation or account suspension decisions, shifting oversight outward from the platforms.

Amendment of 2023

MeitY introduced a framework empowering a central Fact-Checking Unit (FCU) to flag “false or misleading” information concerning the business of the Central Government, directing intermediaries to remove such flagged content to maintain safe harbor.

Major additions included

    • Online Gaming Intermediaries,
    • Self-Regulatory Bodies,
    • Permissible Online Games,
    • Online Real Money Games.

The definition of intermediary was effectively enlarged to include gaming platforms with specialised obligations.

Amendment of 2025

Notified to regulate Rule 3(1)(d), this amendment reformed the “actual knowledge” pipeline.

Instead of relying solely on court orders or government notifications in the earlier form, it introduced structured procedures requiring authorised officers, reasoned written intimations, and additional safeguards intended to make takedown decisions more transparent and accountable.

It mandated that executive takedown orders must be written and reasoned, issued by senior personnel (not below Joint Secretary rank), and subjected to a mandatory monthly review by an officer at the Secretary level to ensure proportionality.

Amendment of 2026-1 (Synthetically generated content)

Recognizing the dangers of “Deepfake”, an amendment was introduced for strict liability for Synthetically Generated Information (SGI) or deepfakes. Intermediaries must prominently label AI-generated content, embed non-removable metadata, and dramatically compress response windows—requiring the removal of non-consensual intimate imagery within 2 hours and other prohibited synthetic data within 3 hours.

The intermediary is no longer merely regulating user-generated content. It is now expected to regulate AI-generated content.

Major innovations include:

New statutory concepts

    • Audio-visual information
    • Synthetically Generated Information
    • AI-generated content
    • Metadata
    • Provenance
    • Persistent labels

New duties

Intermediaries must

    • identify synthetic content,
    • label AI-generated content,
    • preserve provenance,
    • deploy technical safeguards,
    • verify user declarations,
    • prevent unlawful deepfakes,
    • use automated detection tools where appropriate.

The Rules also clarify that references to “information” include synthetically generated information and introduce specific due diligence obligations for intermediaries that provide AI generation capabilities.

Structural Progression

The structural progression reveals a clear, permanent shift in the techno-legal architecture:

  • From Passive to Proactive: Intermediaries are no longer viewed as neutral conduits. They are now legally required to deploy algorithmic tools, verification systems, and metadata tagging to police synthetic media.

  • Compression of Compliance Timelines: Turnaround windows for grievance resolution and content blocking have shrunk from the original 72 hours down to urgent 2-to-3-hour operational mandates for high-risk content.

  • Erosion of Safe Harbor Certainty: Safe harbor is no longer a static shield; it functions as an active compliance standard. Any operational failure to uphold the evolving due diligence rules results in an automatic forfeiture of statutory immunity under Section 79, exposing platforms directly to prosecution under applicable penal codes.

The intermediary has therefore evolved into an AI governance participant.

In effect, the intermediary has evolved from a “carrier of information” to a “co-regulator of the digital ecosystem.” While Section 79 continues to provide the legal foundation for safe harbour, the conditions attached to that immunity have expanded substantially, reflecting the increasing expectation that intermediaries actively contribute to maintaining a safe, accountable, and trustworthy online environment.

Proposed Amendment 2026-2

In the amendments proposed now after 21st April 2026 for which public comments were available till May 7, 2026, Government wants the display of notice that a video was synthetically generated to be available through out the duration of the content in a visual display.

This is the amendment which the Government has cited for asking extension of time for its response in the Delhi High Court.

Subsequent to these developments, two more developments have hit the relationship between WhatsApp/Meta and the Government of India.

First was that WhatsApp proposed that it wants to allow users to use a chosen user name like a domain name and the public display of the phone number would be stopped. Government felt that this could hurt the identification of users, allow impersonation and asked WhatsApp to stop the implementation until further orders.

This provision would affect the earlier intermediary guidelines which requires WhatsApp to identify a “Originating user” of a message notified as objectionable by the Government. WhatsApp was contending that this identification was not possible because of “End-to-end Encryption”. FDPPI had in its intervention petition pointed out that this was incorrect since the phone number should be available for disclosure.

Now WhatsApp may even say that it has no means of identifying the phone number and provide only the user name as picked by the user. This would make it even more difficult for the law enforcement to identify the user.

Hence Government has a reason to include in its response this new development.

Yet another change that has happened is that Instagram has been accused of running ads which abuse children. Meta says it has removed the ads now but the controversy about what due diligence is expected of Meta in this regard lingers on. This controversy has impact on the use of “AI” in creating the ads.

Hence Government has a reason to include this also in its response.

It is a reasonable expectation that one or more of the petitioners may sooner or later launch another litigation again claiming that the Intermediary guideline is unconstitutional even after a decision is taken on the current dispute in the Delhi High Court.

Hence it is necessary for the Court to ensure that this does not become a continuing dispute that prevents the Government from proceeding further with its functions of regulation and put an end to the dispute.

More discussions will follow. Viewers can send their reactions.

Naavi

Posted in Privacy | Leave a comment

Exploring the Concept of Intermediary and Intermediary Regulation in India-2026-1

India started its journey in Cyber Law with Information Technology Act 2000. The Act originated as a draft in 1998, became a Bill in 1999 and an act on 17th October 2000. Naavi entered the world of Cyber Law with the Draft E commerce Act 1998 and has evolved along with the ITA 2000.

In 2008, a major amendment brought in Section 43A and the concept of Personal Data Protection into the ITA 2000 framework.

In 2023, DPDPA 2023 took over the responsibilities under Section 43A and introduced an entirely new law for “Personal Information Governance”.

In the near future we will have another major change coming up in the form of regulation of AI.

In this journey, the concept of Intermediaries has also evolved from 2000 to 2023 from a “Network Service Provider” to “Data Fiduciary/Data Processor”.

The Intermediary Guidelines which surfaced under Section 79 as a safe harbor provision also evolved into a complete Code by itself regulating a very large part of the industry.

In 2021, the codification of the Intermediary Guidelines was structured in the form of Digital Media Rules. This raised a huge opposition from the industry and is under continuous challenge in the Courts leading upto the current stage where Delhi High Court is sitting on a dispute between Meta (WhatsApp, FaceBook and Instagram) and the Union of India.

FDPPI has filed an intervention petition in this case the next hearing of which is due on July 14/15.
We shall have a complete review of the evolution of the Intermediary Guidelines to refresh ourselves, through a series of articles.

The reference material for this at present is

a) The last order of Delhi High Court posting the next hearing to July 14/15

b) The most recent amendment proposed as draft regarding continuous display of disclaimer on synthetic content

c) The notice of MeitY for public comments dated 21st April 2026

d) Intermediary Guidelines with Consolidated proposed amendments

I request other observers of ITA 2000 to correct me if there are any inaccuracies.

….Continued

Naavi

Posted in Privacy | Leave a comment

Aggregated Data Fiduciaries: A New Governance Model for DPDPA Compliance in the Banking Sector

One of the distinguishing features of the Digital Personal Data Protection Act, 2023 (DPDPA) is that it places accountability at the centre of personal data governance. The law identifies the Data Fiduciary as the entity that determines the purpose and means of processing personal data and makes that entity responsible for complying with the obligations prescribed under the Act.

In legal terms, the position appears straightforward. A bank is a corporate entity and therefore the Bank is the Data Fiduciary. Its branches are merely operational units and not separate legal persons. Consequently, the branches are not independently recognized as Data Fiduciaries under DPDPA.

However, legal definitions do not always reflect operational realities.

The Reality of Banking Operations

Modern banks operate on sophisticated Core Banking Systems (CBS), giving the impression that all customer information is centrally managed. While this is technologically true, it does not mean that personal data is processed only at the Head Office.

In the Banking practice before the advent of “Anywhere Banking”, a Customer was a customer of a Branch. This concept has now undergone a change and Banks recognize that a Customer is a Customer of the Bank with a “Parent Branch” being recognized for the purpose of documentation.

This change brought by the Digital Banking system is not however ideal for the compliance of DPDPA since the collection of personal data often originates at the branch level and then gets onboarded on to the enterprise servers. Consent Management therefore happens at the Branch level. However the KYC may be managed by an organization which has a contract signed at the HO level and not at the branch level.

In cases where Branches use the services of centrally appointed service providers for KYC etc, the status of the Head office and its vendor needs to be defined along with that of the branch as either Data Fiduciary, Joint Data Fiduciary or Data Processor.

Customer grievances are handled at branches as well as through the website.

Loans are processed through branch-level officers and by the models governed by the Central office while loan assets are often managed physically at the Branch level. Documents are collected, verified, digitized and stored through branch operations.

Hence, even where centralized databases exist, the operational handling of personal data remains highly decentralized.

For a customer, the Branch Manager is the face of the Bank. It is the branch that decides how the customer is onboarded, how documentation is verified, how service requests are processed and, in many cases, how customer data is shared with third parties for legitimate banking operations.

The Branch, therefore, exercises significant operational control over personal data.

Centralized Systems, Decentralized Processing

This distinction between centralized storage and decentralized processing is becoming even more complicated because many branches independently use:

    • AI-assisted customer service tools.
    • Document verification software.
    • OCR-based KYC applications.
    • Loan scoring models.
    • Fraud detection systems.
    • Analytics platforms.
    • Cloud-based business applications.

Branches also interact with numerous third-party service providers such as:

    • Recovery agencies.
    • Valuation agencies.
    • Legal firms.
    • Marketing agencies.
    • Document digitization vendors.
    • Collection agencies.
    • Technology support vendors.

Each of these relationships may involve processing of personal data.

Although corporate policies may require approval from the Head Office, operational decisions are frequently taken at the branch level, creating a situation where privacy risks arise far away from the office of the Bank’s Data Protection Officer (DPO).

A Governance Gap

This creates an interesting governance challenge for DPDPA Compliance.

Legally, accountability rests with the Bank. Operationally, responsibility is distributed across hundreds or even thousands of branches.

Traditional compliance models tend to assume that privacy governance is centralized. In practice, however, DPDPA compliance succeeds or fails at the operational level.

If a branch employee collects excessive information…

If customer consent is not properly recorded…

If a local vendor mishandles customer information…

If an AI tool is deployed without adequate assessment…

…the resulting non-compliance affects the Bank as a whole.

The law may hold the Bank accountable, but the operational failure occurs at the branch.

The Concept of an Aggregated Data Fiduciary

To bridge this governance gap, DGPSI-Bank proposes the concept of Bank as an “Aggregated Data Fiduciary”  while the branches are “Operational Data Fiduciaries.”

Kindly note that this is a Governance approach and does not legally redefine the concept of Data Fiduciary or a Significant Data Fiduciary. Given the sensitivity of the financial information however, both the Bank and the Branch are to be considered as “Significant Data Fiduciaries”.

Under this model:

    • The Bank remains the sole legal Data Fiduciary under DPDPA.
    • Every branch functions as an Operational Data Fiduciary for governance purposes.
    • Accountability is cascaded to the level where processing decisions are actually implemented.
    • Enterprise-wide legal responsibility remains centralized.

A company has one Board of Directors, yet each factory, plant, regional office and branch has managers responsible for operational compliance.

Similarly, DPDPA accountability should flow from the Board to the branch.

The Role of the Branch Manager

For most customers, the Branch Manager effectively represents the Bank.

Accordingly, the Branch Manager should ordinarily function as the Branch Privacy Officer or Branch Data Protection Coordinator, unless another officer is specifically designated for this purpose.

This should not be confused with the statutory DPO appointed by the Bank.

The enterprise DPO continues to discharge the legal responsibilities prescribed under DPDPA, while the Branch Privacy Officer becomes responsible for implementing privacy controls, maintaining records, ensuring evidence of compliance and coordinating with the central privacy office.

This creates a practical governance hierarchy without altering the statutory framework.

Implications for Independent Data Auditors

The concept of an Aggregated Data Fiduciary also has important implications for Independent Data Auditors.

An audit limited to Head Office policies is unlikely to provide meaningful assurance regarding actual compliance.

Auditors should evaluate:

    • Branch-level consent management.
    • Local vendor governance.
    • AI deployment practices.
    • Record retention.
    • Employee awareness.
    • Incident reporting.
    • Privacy governance.
    • Evidence supporting compliance.

Only then can an Independent Data Auditor provide credible assurance regarding DPDPA compliance.

Beyond Banking

Although the banking industry provides a compelling illustration, the concept has much wider application.

Insurance companies.

Large hospital networks.

Retail chains.

Telecommunication operators.

Educational institutions with multiple campuses.

Government departments with regional offices.

Public Sector Undertakings.

Franchise-based business models.

In all these cases, the legal Data Fiduciary is a single entity, while operational processing is widely distributed.

The Aggregated Data Fiduciary model offers a structured mechanism for distributing operational responsibility without diluting legal accountability.

A Natural Evolution of DPDPA Governance

Earlier, we had proposed the concept of a Super Data Fiduciary to describe organizations that exercise overarching governance over multiple independently operating entities, particularly in sectors such as healthcare.

The concept of an Aggregated Data Fiduciary addresses a different challenge.

It recognizes that within a single legal entity, operational responsibility may itself be distributed across numerous business units that process personal data on a daily basis.

As organizations increasingly adopt AI, cloud services and decentralized digital operations, this governance model becomes even more relevant.

DPDPA establishes legal accountability. Organizations must now develop governance structures that make that accountability operational.

The concept of the Aggregated Data Fiduciary is one such framework. It enables organizations to combine centralized legal responsibility with decentralized operational ownership, thereby strengthening governance, improving auditability and making DPDPA compliance more effective.

It is hoped that regulators, compliance professionals, auditors and industry bodies will examine this concept and contribute to its refinement as India’s data protection jurisprudence continues to evolve.

Open for public Deabte.

Naavi

Posted in Privacy | Leave a comment

The Data Valuation Policy under DGPSI

(This is in continuation of the previous article on Evolution of Data Valuation in India)

DGPSI Full version has indicated a model implementation specification which states

“Organization shall establish an appropriate policy to recognize the financial value of data and assign a notional financial value to each data set and bring appropriate visibility to the value of personal data assets managed by the organization to the relevant stakeholders.”

So far this has remained a suggestion which is more to indicate the auditee that they need to move in this direction. But with CAG guidelines for PSU auditors, the time has come to expand this MIS into a draft policy.

A tentative attempt is made in this direction to present a draft policy here for further discussion.

Copy of draft policy

This draft policy takes into account Naavi’s Theory of Data and Data Valuation Standard of India as supporting documents.

This is work in progress and Comments are welcome.

We can discuss this during our Chennai Seminar on July 17th 2026.

Quote:

Applicability: All business units, data repositories, and processing operations handling Personal Data.

Framework Alignment: DGPSI Model Implementation Specification 9 (MIS-9) & Data Valuation Standard of India (DVSI)

1. Purpose & Objective

In accordance with Model Implementation Specification 9 (MIS-9) of the Data Governance and Protection Standard of India (DGPSI) framework, this policy outlines a structured, techno-legal mechanism to recognize, compute, and track the financial value of personal data assets under management.

By assigning a notional financial value to internal personal datasets, this organization aims to:

    • Bring strategic boardroom visibility to the economic importance of Data Governance and Protection.

    • Justify and allocate proportionate resources, budgetary tools, and infrastructure to safeguard data.

    • Balance corporate data assets directly against corresponding operational and statutory liabilities under the Digital Personal Data Protection Act (DPDPA).

2. Scope

This policy applies to all structured and unstructured personal data sets acquired, generated, processed, or stored by the organization in its capacity as a Data Fiduciary or Data Processor. It covers both active consumer/client databases and historical, administrative, or employee records.

3. Governance Structure

To maintain accountability, a formal data valuation hierarchy is established:

    • Data Valuation Committee (DVC): A cross-functional oversight committee comprising the Data Protection Officer (DPO), Chief Financial Officer (CFO), Head of Internal Audit, and Chief Information Officer (CIO). The DVC is responsible for approving specific valuation metrics annually.

    • Data Valuation Officer (DVO): A designated operational role tasked with executing asset measurements, maintaining the Centralized Personal Data Inventory, and reporting periodic asset fluctuations to the DVC.

4. Valuation Methodology: The Two-Stage DVSI Model

To ensure calculations are robust and defensible during third-party data audits, the organization adopts the Data Valuation Standard of India (DVSI) two-stage valuation protocol.

                  [ STAGE 1: INTRINSIC VALUE (IV) ]
       Computed via Cost of Acquisition or Market Replacement
                                │
                                ▼
             [ STAGE 2: VALUE MULTIPLIER INDEX (VMI) ]
   Adjusts value based on Consent, Accuracy, Age, and Sensitivity
                                │
                                ▼
               [ FINAL NOTIONAL DATASET VALUE ]

Stage 1: Determination of Intrinsic Value (IV)

The baseline value of a dataset is calculated using the Cost-Based Method, capturing the direct financial outlays incurred to build the asset:

Where market metrics are readily available (e.g., commercial marketing registries or structured platform logs), a Market-Replacement approach may be utilized subject to DVC approval.

Stage 2: Application of the Value Multiplier Index (VMI)

To bridge the gap between financial cost and regulatory compliance, the Intrinsic Value must be adjusted dynamically by a multiplier matrix () that scores the legal and operational quality of the personal data:

Data Valuation Standard of India

The VMI is computed by evaluating four distinct criteria:

Legal / Consent Status

Explicit, verifiable, and active consent recorded for multi-purpose utilization.Valid consent for a singular, ongoing operational purpose.No Consent / Restricted Use: Data processed under high-risk grounds or where consent is withdrawn/expired ().

Evaluation Factor High Multiplier () Neutral/Base () Degradation / Penalty ()
Data Accuracy / Trust High validation score; verified via active KYC or multi-factor confirmation. Standard operational validity with periodic bounce rates. Unverified, outdated, or stale records with high system error rates.
Sensitivity Depth Contains high-impact identifiers or critical personal data requiring stringent security layers. Standard Personal Identifiable Information (PII). Masked, heavily truncated, or low-utility generic metadata.
Temporal Relevance (Age) Real-time, fresh behavioral logs or active transactional records. Stable historical profiles with quarterly interactions. Dormant data nearing retention limits; subject to immediate right to erasure.

5. DPDPA Reversible Life Cycle & Financial Depreciation

Unlike conventional corporate assets, the value of personal data is fully reversible. The life cycle dictates strict rule-based depreciation tracking:

    • Consent Withdrawal Depreciation: If a Data Principal exercises their right to withdraw consent under the DPDPA, the financial value of that specific record immediately drops to zero () and must be deleted.

    • Purpose Expiry Depreciation: The moment the specified purpose for processing is fulfilled, the dataset’s multiplier falls to zero, forcing its removal from the active asset register.

    • The Compliance Premium: Datasets that achieve a high Data Trust Score (DTS) via independent third-party validation receive a positive valuation weighting, reflecting their minimized liability exposure.

6. Reporting and Visibility

    • Below-the-Line Financial Visibility: The final aggregated notional value of personal data assets shall be maintained on an internal management register and presented as a “below-the-line” item alongside corporate financial reporting. It shall not be commingled with standard statutory balance sheet line items unless acquired through an M&A transaction.

      Data Valuation Standard of India
    • Board Level Disclosure: The DPO and CFO shall jointly submit a biannual Data Asset and Risk Report to the Board of Directors, detailing the shifting monetary value of the enterprise’s data holdings alongside estimated statutory liability exposures.

7. Audit and Review

This policy and its active calculations are subject to independent review during annual data audits conducted by Certified Independent Data Auditors (CIDAs) using the DGPSI-Full verification framework.

Unquote

Naavi

Also refer:  Research paper on Data Valuation- Mr Peter Walsh

Posted in Privacy | Leave a comment

The Evolving Landscape of Data Valuation

For years, the phrase “Data is the new oil” was thrown around as a vague corporate cliché. Today, that narrative has  shifted from an abstract marketing pitch into a measurable, techno-legal reality. Driven by incoming international accounting frameworks, local regulatory mandates, and indigenous governance models, India is establishing a structured environment where data is recognized not just as an operational by product, but as a quantifiable financial asset.

Evaluating the multi-layered initiatives across India reveals how different agencies are approaching data valuation, along with their current operational status.

1. Macro-Government & Policy Initiatives: The Public Sector Shift

The government has recognized that to build a true digital economy, the state must find a uniform way to measure digital assets.

  • MoSPI and SNA 2025 Adoption: The Ministry of Statistics and Programme Implementation (MoSPI) has actively engaged with the United Nations System of National Accounts (SNA 2025) guidelines. These standards formally recognize data as an economic factor of production. Government committees are currently outlining how public sector undertakings (PSUs) should officially categorize and track data assets.

  • The CAG Mandate: The Comptroller and Auditor General (CAG) of India has signalled a clear need to capture the intrinsic value of data repositories within public asset reporting.

  • Current Status: In Development/Policy Phase. Draft frameworks are under review to determine how state-owned data exchanges and infrastructure datasets can be accounted for without compromising national security or individual privacy.

2. Regulatory Compliance Drivers: The DPDP Act & Toxic Data

The rollout of the Digital Personal Data Protection Act (DPDPA) has upended traditional data accumulation strategies. Data valuation in India can no longer be evaluated through the lens of potential monetization alone; it must be balanced against statutory liability.

  • Asset vs. Liability Dynamics: With penalties reaching up to ₹250 crore per non-compliance instance, unconsented, poorly structured, or “zombie” data is no longer an asset—it is an active balance sheet liability.

  • Current Status: Active Enforcement Preparation. Organizations are actively filtering their datasets to compute their “clean data” volume. Under this model, data value dynamically depreciates the moment a Data Principal withdraws consent or the processing purpose expires.

3. Indigenous Institutional Frameworks: DGPSI and DVSI

While traditional accounting standards (like Ind AS 38) remain highly conservative about capitalizing internally generated data, pioneering frameworks within India have stepped forward to fill the gap.

  • Data Governance and Protection Standard of India (DGPSI): Developed by FDPPI, DGPSI has embedded financial data valuation directly into its governance specifications. Specifically, Model Implementation Specification 9 (MIS-9) explicitly requires organizations to establish a policy assigning a notional financial value to distinct datasets. This ensures the board has visibility into the economic worth of the data assets they oversee. DGPSI’s metric—the Data Trust Score (DTS)—serves as a core indicator of how compliance directly protects and enhances an asset’s baseline value.

  • Data Valuation Standard of India (DVSI): Operating alongside DGPSI, the DVSI model introduces a specialized two-stage valuation methodology. It calculates the intrinsic cost of data (using classic cost of acquisition or market parameters) and applies a dynamic multiplier index based on legal compliance, data accuracy, and cryptographic protection.

  • Current Status: Operational/Implementation Phase. The newly launched Association of Independent Data Auditors (AIDAI) is actively training and empanelling Certified Independent Data Auditors (CIDAs) to handle data audits that combine compliance testing with these advanced data valuation techniques.

4. Valuation in Insolvency and Distress: The IBC Track

The most concrete financial realizations of data value are currently occurring under distressed corporate conditions.

  • Insolvency and Bankruptcy Code (IBC), 2016: Resolution Professionals (RPs) and Registered Valuers regularly encounter scenarios where a failed startup, fintech platform, or e-commerce provider holds minimal physical assets, but possesses massive, highly structured user databases and proprietary transaction algorithms.

  • Current Status: Fully Functional Legal Practice. Courts and liquidators treat these data stacks as intangible corporate property under Section 36 of the IBC, utilizing Income or Market-driven slump sales to maximize recovery returns for creditors.

Reconciling Value and Responsibility: The “Data Balance Sheet”

The convergence of these initiatives points toward a inevitable destination: the Data Balance Sheet. Under a double-entry governance framework, personal data under management must be accounted for simultaneously as an economic asset and a corresponding contingent liability (accounting for potential data breaches, regulatory fines, and remediation costs).

Organizations that wait for standard accounting boards to hand down a rigid template will find themselves exposed to severe regulatory and financial risks. Relying on frameworks like DGPSI to understand exactly what data you possess, what value it generates, and what risks it carries is no longer just a compliance choice—it is a baseline requirement for modern corporate sustainability.

(To Be continued)

Naavi

Posted in Privacy | Leave a comment

Let us not be blind to the value of Data

We often discuss the concept of Data Processing under “Data Blind” conditions.  It essentially means that the processor does not have access to identifiable personal data which he is processing. The system is suggested for “Consent Managers”.

We are however discussing another aspect of “Being Blind to the Value of Data”.  There are two examples in India where an organization being “Data Value Blind” suffered adverse consequences. One was Net4India which was liquidated probably because NCLT was blind to the value of data in the organization. Second was the case of CIBIL which quietly transferred data worth around Rs 700000 crores to a foreign organization for a mere Rs 3800 crores.

On the other hand there are multiple examples in US where data valuation has been used to ward off bankruptcy proceedings.

If you are interested in this topic of “Data Valuation”, Please be present on July 17 at Palmgrove, Chennai where FDPPI/AIDAI will be discussing the issues on Data Valuation. (Check for details at www.aidai.org.in)

Naavi

Posted in Privacy | Leave a comment