Naavi.org

The potential conflict between the implementation of the Digital Personal Data Protection Act, 2023 (DPDPA 2023) and the Right to Information Act has already been recognized and is currently under consideration before the Supreme Court. However, another important area of possible regulatory overlap appears to have escaped the attention of both industry and compliance professionals—the interaction between the POSH Act and DPDPA 2023.

The Sexual Harassment of Women at Workplace (Prevention, Prohibition and Redressal) Act, 2013 (POSH Act) applies to both public and private sector organizations and imposes several statutory obligations on employers. These include:

• Constituting an Internal Committee (IC) comprising a senior woman employee as Presiding Officer, two employee members, and an external member.
• Providing a safe working environment for women employees.
• Formulating and communicating a POSH policy.
• Conducting awareness and training programs.
• Providing administrative support to the Internal Committee.
• Maintaining confidentiality of complainants and proceedings.
• Providing support and protection to complainants.
• Maintaining records and filing statutory reports.
• Treating sexual harassment as misconduct and imposing appropriate disciplinary action.

While these obligations are well understood from an employment law perspective, the implications under DPDPA 2023 have not yet been adequately examined.

Emerging Areas of Conflict

Several provisions of DPDPA 2023 may create practical challenges when applied to POSH-related investigations and records.

1. Right of the Respondent to Information

DPDPA grants Data Principals the right to know how their personal data is being processed. A respondent in a POSH proceeding may therefore seek details regarding the collection, use, storage, and disclosure of information relating to the complaint.

How should an organization balance such requests with the confidentiality obligations imposed by the POSH Act?

2. Requests for Correction or Erasure

A respondent may exercise rights under DPDPA to seek correction, completion, updating, or erasure of personal data maintained by the organization.

However, records relating to a POSH complaint may need to be preserved for statutory, evidentiary, disciplinary, or appellate purposes. In some situations, the respondent may not even be aware that certain information is being retained as part of an ongoing or concluded POSH process.

Can such requests be denied? If so, under what legal justification?

3. Grievance Redressal Rights

DPDPA requires organizations to establish grievance redressal mechanisms for Data Principals.

If a respondent disputes the handling of his personal data in connection with a POSH investigation, should the matter be addressed through the DPDPA grievance process, the POSH process, or both? The possibility of parallel proceedings cannot be ignored.

4. Rights of Nominees

DPDPA introduces the concept of nomination, under which certain rights may devolve upon a nominee in specified circumstances.

The implications of such rights in relation to sensitive POSH records require careful examination. The confidentiality framework under the POSH Act was never designed with such a concept in mind.

Additional Legal Dimensions

The complexity does not end with DPDPA.

Other laws may also influence the rights and obligations of parties involved in a POSH complaint, including:

• The Information Technology Act, 2000, particularly provisions relating to obscene electronic content.
• Relevant provisions of the Bharatiya Nyaya Sanhita (BNS), including offences such as cyber-stalking and electronic harassment.
• The Bharatiya Sakshya Adhiniyam (BSA), particularly provisions relating to admissibility and certification of electronic evidence.
• Employment and disciplinary laws governing workplace misconduct.

Consequently, a single POSH complaint today may involve a complex interplay of privacy rights, evidentiary requirements, employment obligations, criminal law considerations, and data protection principles.

The Need for a Harmonized Approach

Organizations can no longer treat POSH compliance and DPDPA compliance as independent silos. The preservation of confidentiality under POSH may appear to conflict with transparency obligations under DPDPA. Similarly, data subject rights under DPDPA may collide with statutory record-retention requirements under POSH.

Unless these issues are examined and harmonized, organizations may find themselves caught between competing legal obligations. In practical terms, this could create tensions between the Human Resources function, which is responsible for POSH compliance, and the Data Protection Officer, who is responsible for DPDPA compliance.

The challenge before compliance professionals is therefore not merely to comply with both laws independently, but to develop governance frameworks that enable both statutes to operate without undermining each other.

The issue deserves serious examination before the first major dispute brings these conflicts into sharp focus.

(P.S: Consequent  to this chain of thought, the DGPSI-HR framework may be extended with implementation specifications that addresses conflict with POSH Act, ITA 2000 and RTI Act in the next version.)

Naavi

In continuation of our discussions on how to maintain independence of the “Independent  Data Auditors” in a DPDPA compliance scenario, we discussed the need for share holders to approve the appointment so that the auditor does not feel obligated to the management which makes the payments.

One other best practice criteria which Naavi would like to suggest is  that no Data Auditor should continue to audit the same company for more than  3 consecutive years. This is also consistent with the norms adopted by the statutory financial auditors.

This will be currently suggested for the empanelled auditors of AIDAI as part of the self regulation of the auditors as an ethical conduct.

FDPPI in its mechanism for regulating the Certification partners who conduct their audits would include this as a requirement so that auditors who donot adhere to this norm may lose the accreditation status.

Currently we shall try to include this in the Code of Conduct for AIDAI empanelled Auditors and try to implement it.

Naavi

We are aware that one of the aspects that supports independence of a financial auditor is because the statutory financial auditor is appointed by the share holders of a company. Hence the Auditors are able to qualify the report if required and also report frauds to the regulatory authorities without feeling obligated to the management which may fix their remuneration.

Naavi would like to propose a similar scheme for Independent Data Auditors. What this practically means is that the Independent Data Auditor appointed by a Significant Data Fiduciary should be approved by the share holders of a company (in the case of public limited companies) or through a Board resolution (In the case of private limited companies) and an appropriate  Governance body in the case of Government agencies.

Initially this will be suggested in the engagement contract which an AIDAI empanelled auditor would like to obtain from the management of a company.

This will be a best  practice suggestion for the drafting of the engagement contract (a suggested model contract of which will be shared in the CIDA training.)

Naavi

A recent news report indicates that Anthropic, the company behind Claude AI, has extended access to its highly restricted cybersecurity-focused AI model “Mythos” to a select group of organizations across several countries, including India.

What makes this development noteworthy is that India appears to be the only major non-US allied nation included in the current group, while China remains excluded. This signals a growing international recognition of India’s role in the global cybersecurity ecosystem.

Unlike conventional AI models designed for general-purpose applications, Mythos is reportedly capable of identifying software vulnerabilities at a scale that rivals or exceeds human security researchers. Such capabilities can help organizations discover weaknesses in operating systems, browsers, and enterprise software before malicious actors exploit them.

The significance of this development extends beyond technology.

First, it reflects confidence in India’s software talent pool, digital public infrastructure, and cybersecurity capabilities. India’s vast digital ecosystem—spanning banking, telecommunications, digital identity, payments, and public services—offers a unique environment for testing and improving cyber defence technologies.

Second, the move highlights the growing geopolitical importance of AI. Advanced cybersecurity AI tools are increasingly becoming strategic assets comparable to cryptographic technologies, advanced semiconductors, and other national-security capabilities. India’s inclusion in this restricted circle suggests that it is being viewed as a trusted participant in the emerging global AI-security architecture.

Third, the development should be of particular interest to Indian regulators, DPOs, cybersecurity professionals, and Independent Data Auditors. As AI systems begin to play a direct role in vulnerability discovery, risk assessment, and cyber defence, questions of accountability, transparency, governance, and compliance will become increasingly important.

For India, access to such technologies can provide a significant defensive advantage. At the same time, it underscores the need to develop indigenous capabilities so that cybersecurity resilience is built on sovereign foundations rather than dependence on foreign-controlled platforms.

Whether Mythos ultimately proves as transformative as its proponents claim remains to be seen. However, the message is clear: cybersecurity is rapidly becoming an AI-driven domain, and India has now been invited to participate in shaping that future.

The challenge before India is not merely to use such technologies, but to build the governance, audit, and assurance frameworks necessary to ensure that AI-driven cybersecurity remains accountable, trustworthy, and aligned with national interests.

Naavi

Yesterday (June 6), FDPPI conducted the First Induction Training for those who had empanelled as Independent Data  Auditors.  The program went on very well and the participants enjoyed the first of its kind program.

The Program started with an introductory talk from Naavi. Then a panel discussion on “Code of Ethics” was held. A second Panel discussion on Role of Independent Data Auditors followed.

Subsequently,  some of the Advisors of AIDAI who were physically present. (Mr Rakesh Maheshwari, Sudarshan Mandyam and Mr Madhava Murthy) shard their valuable views.

Post Lunch, Dr Ramasastry Ambarish, Director of MYRA  shared his thoughts on the involvement of Academic  institutions in the development of Data Auditors. Mr Mahndra, CTO, of MYRA shared his views on some technical aspects of Data Breach management.

Then a third panel discussion on the Challenges of Independent Data Auditors was held. Finally an interesting role play was conduced on the “Case of Ramya”.

During the discussions, several new thoughts emerged and they will be discussed in due course.

An Audio track of the event was taken on record through the Zoom. A clean video recording is under development.

Some important suggestions that came up during the discussions which will be further discussed include

a) whether  the Auditors should be voluntarily rotated after 2 or three years

b) Whether the share holders of a company should approve the appointment.

c) Whether Scoping of an  Audit be done by some body other than the Management and the Auditor

d) Increasing the value of the FDPPI certifications by building Association with other Certification bodies and Academic institutions.

AIDAI will consider adopting some of  these provisions into their activities.

Naavi

More photos of the event available here

Yesterday, in an order from the Chief Commissioner of the Central Consumer Protection Authority of India (CCPAI) passed an order fining “Physics Walla Limited”  and “McAfee Software India Private Limited“, imposed penalties for using “Dark Patterns” in their digital platform.

PhysicsWallah has been fined ₹5 lakh, while McAfee has been fined ₹1 lakh. Both companies have been directed to remove such practices from their platforms and ensure that consumers are able to make informed choices without pressure or manipulation.

  Refer: Press release from PIB

Copy of the order

Also refer Naavi.org article on the Relevance of Consumer Act for Privacy

The action has been taken under the Consumer Protection Act, 2019, the Consumer Protection (E-Commerce) Rules, 2020, and the Guidelines for Prevention and Regulation of Dark Patterns, 2023.

The CCPAI could have not only imposed civil fines upto Rs 10 lakhs which it has invoked, but could have also invoked prosecution under Section 89 of CPA 2019. It could have also barred the service for upto 2 years.

Under Section 89,  of CPA 2019: Any manufacturer or service provider who causes a false or misleading advertisement to be made which is prejudicial to the interest of consumers shall be punished with imprisonment for a term which may extend to two years and with fine which may extend to ten lakh rupees; and for every subsequent offence, be punished with imprisonment for a term which may extend to five years and with fine which may extend to fifty lakh rupees.

In the instant case, the CCPAI has stopped at imposing  a fine and not proceeded with prosecution that could have imposed criminal penalties.

Nevertheless, this  has been a good case study on how “Use of Dark Patterns” which is also part of the “Prevention of harm to data principals as defined under DPDPA 2023” is a “Risk” under DPDPA to be mitigated.

The contravention was recognized because Physics Walla had used a pre-ticked box to collect Rs 10 as donation (Basket Sneaking), also used an emotional messaging that discouraged users from removing donation (confirm shaming) and also forced action in requiring users to share personal information before accessing courses advertised as free.

This could also have invoked penalties under DPDPA 2023 if it was fully effective today. (we are 339 days from the day when DPDPA 2023 will become fully effective).

In the case of Mcafee, CCPAI observed that the subscription process did not provide a neutral choice before deciding whether  to renew their subscriptions. The options provided were “Renew Now” and “Accept Risk”, portraying non-renewal as a risky decision.

Those who are watching the Privacy space will realize that similar mistakes are committed by hundreds of companies and all of them should consider this instance  as a warning.

When lawyers invoke DPDPA charges  against such companies, they will quote this order to say that they were fore warned.

All “Independent Data Auditors” should take note of this incidence as a risk under DPDPA.

Also Refer here for other instances where CCPA-I has given orders on dark patterns. Please note that each of such cases could be cases under DPDPA and escalate the penalties upto Rs 250 crores.

Naavi

Watch the Audio Review of the above post in the link :Naavi Academy

Also see the video review here: