DPDPA Dilemma

Posted on December 29, 2024 by Vijayashankar Na

DPDPA is a law and compliance and by nature any legal provision is an area of uncertainty. There will be different interpretations to the law. The User’s perspective of the law is always in his favour and Consumer Courts often are biased in favour of interpreting law in favour of the data principals. Hence if a technology process is cleverly using the personal data to generate insights that deliver targeted advertising, the consumer may feel it is a “Dark Pattern Practice” while the technology perspective or business usage of the same usage could be more permissible.

If the same instance is referred to a High Court there may be an interpretation more in favour of the business. However, understanding technology could still be a challenge and depending on the seniority of the advocate and the ability to aggressively present his point of view, one counsel may score over the other in convincing the judge that his view only is correct.

In such circumstances, it is a challenge for the corporate management to take a view one way or the other. This is the interpretational challenge that every Data Fiduciary has to successfully negotiate.

Even if we look at the basic requirement of “Discovery” and “Classification” of data as “Personal Data to which DPDPA is appliable”. ( Protected Personal Information), Whether there needs to be a classificational difference between Personal Data is a business contact data or a transactional data whether it is coming under GDPR or DPDPA or both is always a difficult decision to make.

Each one of us as a Data Protection Professional may have our own view on this dilemma. It is not certain if the Judge in a Court will agree with our view.

Living with this DPDPA dilemma is therefore the toughest task for a professional. Often within the organization itself there will be a challenge in convincing the CEO that your view is the correct view.

This is the dilemma which DGPSI as a framework is trying to resolve. through an elaborate PPI Classification Matrix.

The DGPSI’s PPI Classification Matrix is oriented to DPDPA as an act and tries to tag the data with reference to a specific section to which it would relate to. At first glance this may look too elaborate but it simplifies the compliance at the next level.

Time will tell whether this type of DPDPA based classification could be incorporated into the automated data classification tools that are being built for DPDPA Compliance. Since the classification logic has to be different for DPDPA as compared to say GDPR, the data has to be first classified in accordance with the applicable law and then classified as PPI under DPDPA or not. Until the software tools can adopt this two level classification the tools need to be used with human supervision to avoid any mis classification.

FDPPI will be discussing this DPDPA Dilemma and how DGPSI tries to resolve this in the special three day training on C.DPO.DA. which FDPPI will be organizing at Mumbai on January 24/25/26.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.