Privacy Mitra Objectives

The Privacy Mitra Yojana of FDPPI intends to work on both dimensions of creating a Privacy Culture amongst the Indian Citizens and Compliance Culture amongst the Data Fiduciaries.

In India Privacy is a new concept. At present only the elite speak of Privacy. For others the “Right to Privacy” is still not a priority. While people understand the adverse effect of a Cyber Crime, they do not fully comprehend the adverse impact of Privacy infringement.

There is therefore a need for building a Privacy Culture in the society for the intentions of DPDPA to succeed.

At the same time, Corporates are also complacent because compliance has a cost and everybody is short of resources for compliance. Most companies therefore think that they can wait till somebody else gets fined to understand how DPB is likely to function.

In the midst of the reluctance of the companies to take Compliance seriously, and inability of data principals to fight for their rights, the DPDPA as a law has the danger of becoming a paper tiger.

FDPPI therefore considers that it is its responsibility as a full service agency to create awareness of Privacy in the community and build a compliance culture in the companies before it can deliver its training programs, Certifications, implementation consultancy, audit and assessment.

Towards this goal, FDPPI is now trying to build an all India cadre of committed Privacy enthusiasts to work on both the public front and the corporate front.

In particular, FDPPI invites academic institutions to come forward and get their student community to take up social projects involving creation of awareness of what Privacy is, why it is important and how data principals need to be vigilant to protect the Privacy Rights granted to them by DPDPA as a law.

We invite volunteers to join the movement in large numbers to develop the Privacy Compliance Market in India, which is good for the society and also creates new opportunities for employment and business.

Be in touch with FDPPI and contribute your thoughts in this regard.

Naavi

Posted in Cyber Law

Be a “Privacy Mitra”

Recognizing the need for a nationwide movement on creation of awareness about Privacy and DPDPA Compliance, FDPPI has initiated a new project called Privacy Mitra Yojana (Friends of Privacy Project) to build an army of young volunteers to spread the knowledge of Privacy.

Students from law colleges as well as professionals are invited to register themselves at FDPPI.

Educational Institutions, and Professional Bodies, Companies and Individuals who are interested in this National Privacy Mission of FDPPI are invited to contact FDPPI.

Let us together build a Privacy Conscious society in India.

Naavi

Posted in Cyber Law

Interview in Quatrohive.com

Posted in Cyber Law

DPDPA Rules.. Draft Recommendations from Naavi.org

The Draft DPDPA rules were published by MeitY with time for public comments up to 18th February 2025.

While discussions continue in the public space, and FDPPI in association with Trust Law has organized a discussion on February 8 with an invited audience in Bangalore, Naavi.org has prepared a draft of comments to be submitted to MeitY. Before the 18th there will be other discussions as well, and the public may form further views on the submission of comments, either directly or through other organizations.

In order to stimulate thought in this regard, we are sharing a copy of the draft comments prepared by Naavi.org and submitted for discussion to FDPPI. If any comments are received here, they will be considered for inclusion.

General Comments:

The law of DPDPA 2023 is already in place and is immutable at this point of time. It is noted that the current exercise is only for fine tuning of the published draft rules.

Hence our comments presume that the law as it has been notified stands as the fundamental document of reference and the comments are only related to the draft rules as are considered feasible under the enacted law.

It is recognized that in the event of any rule exceeding the basic character of the provision of the law to which it refers, there could be a challenge to the legal validity of the rules as being ultra vires the law.

For the same reason, it is expected that the rules should be brief and precise and cover only the essential clarifications, without checklist-style detailing or a recommendation of any specific tool or technology for implementation.

It is understood that the industry would exercise due diligence in implementing the law along with the minimum detailing available in the rules. If and when the industry is negligent and does not observe due diligence, the consequences would reflect in the decisions of the inquiry following the registration of a complaint or a suo motu inquiry.

Clause By Clause Comments

Detailed clause by clause comments on all the 22 rules are presented in the form of a separate document here:

Draft Comments on DPDPA Rules from naavi.org

Naavi

Posted in Cyber Law

“National Personal Data Archive” needs to be created

In implementing the DPDPA 2023, and cleaning up the past unregulated collection of personal data by organizations, the Act has prescribed that “Consent should be obtained even for the legacy personal data collection of a data fiduciary.” In such cases there could be a large number of data principals who return neither a valid consent to continue processing nor a decision to withdraw consent. Such personal data is “Orphaned for lack of consent” and needs to be purged within a reasonable time.

While ITA 2000 implies that such data should be deleted within one year, the DPDPA Rules 2025 seem to indicate possible retention for 3 years in specific cases such as large Social Media Intermediaries, Gaming Intermediaries or E-Commerce entities.

There are specific legal requirements for retention of data for long periods after its processing because of other legal provisions, such as in the Banking or Health sector. In such cases the data simply remains in storage, to be retrieved only in very exceptional circumstances. However, during this period the data remains vulnerable to being stolen and misused, creating a burden for the data fiduciary. Additionally, data in the hands of a data fiduciary may also be “Evidence” in a legal proceeding and therefore cannot be deleted till the disputes are settled in the Court.

The retention of data by a data fiduciary when it is no longer required for processing is a security burden and hence it would be good to ensure that such data is deleted.

When data is required for research purposes it may be anonymized, de-identified or pseudonymised.

In all other cases the data remains as a potential risk for the data fiduciary and has to be encrypted and kept safely.

Sometimes data of deceased persons, with or without nomination, may also remain “Unclaimed”.

In order to address all such instances, it is considered necessary for the Government to create a “National Archival of Personal Data” and enable depositing of all deleted personal data by the data fiduciaries. Part of this may be “Unclaimed Personal Data” and part of it may be “Required for Legal Necessities”.

Such data should be properly indexed and should be retrievable at a later date if the data principal wakes up from slumber and claims it as his lost property.

This archive will ensure that “History is not destroyed” in the guise of the “Right to Forget” or “Right to Erasure”, and that the nation preserves the value of all data created in India for whatever it is worth, including supporting Indian AI development.

Comments are welcome.

Naavi

Posted in Cyber Law

Mapping of Section 40 of DPDPA 2023 with Rules

Mapping of Section 40 to the Draft Rules notified on January 3, 2025

| Sl No | Section 40 | Description | Draft Rule |
|---|---|---|---|
| 1 | (a) | the manner in which the notice given by the Data Fiduciary to a Data Principal shall inform her, under sub-section (1) of section 5; (purpose) | 3 |
| 2 | (b) | the manner in which the notice given by the Data Fiduciary to a Data Principal shall inform her, under sub-section (2) of section 5; (Rights) | 13 |
| 3 | (c) | the manner of accountability and the obligations of Consent Manager under sub-section (8) of section 6; | 4 |
| 4 | (d) | the manner of registration of Consent Manager and the conditions relating thereto, under sub-section (9) of section 6; | 4 |
| 5 | (e) | the subsidy, benefit, service, certificate, licence or permit for the provision or issuance of which, personal data may be processed under clause (b) of section 7; | 5 |
| 6 | (f) | the form and manner of intimation of personal data breach to the Board under sub-section (6) of section 8; | 7 |
| 7 | (g) | the time period for the specified purpose to be deemed as no longer being served, under sub-section (8) of section 8; | 8 |
| 8 | (h) | the manner of publishing the business contact information of a Data Protection Officer under sub-section (9) of section 8; | 9 |
| 9 | (i) | the manner of obtaining verifiable consent under sub-section (1) of section 9; | 10 |
| 10 | (j) | the classes of Data Fiduciaries, the purposes of processing of personal data of a child and the conditions relating thereto, under sub-section (4) of section 9; | 11 |
| 11 | (k) | the other matters comprising the process of Data Protection Impact Assessment under sub-clause (i) of clause (c) of sub-section (2) of section 10; | 12 |
| 12 | (l) | the other measures that the Significant Data Fiduciary shall undertake under sub-clause (iii) of clause (c) of sub-section (2) of section 10; | 12 |
| 13 | (m) | the manner in which a Data Principal shall make a request to the Data Fiduciary to obtain information and any other information related to the personal data of such Data Principal and its processing, under sub-section (1) of section 11; | 13 |
| 14 | (n) | the manner in which a Data Principal shall make a request to the Data Fiduciary for erasure of her personal data under sub-section (3) of section 12; | 13 |
| 15 | (o) | the period within which the Data Fiduciary shall respond to any grievances under sub-section (2) of section 13; | 13 |
| 16 | (p) | the manner of nomination of any other individual by the Data Principal under sub-section (1) of section 14; | 13 |
| 17 | (q) | the standards for processing the personal data for exemption under clause (b) of sub-section (2) of section 17; | 15 |
| 18 | (r) | the manner of appointment of the Chairperson and other Members of the Board under sub-section (2) of section 19; | 16 |
| 19 | (s) | the salary, allowances and other terms and conditions of services of the Chairperson and other Members of the Board under sub-section (1) of section 20; | 17 |
| 20 | (t) | the manner of authentication of orders, directions and instruments under sub-section (1) of section 23; | 18 |
| 21 | (u) | the terms and conditions of appointment and service of officers and employees of the Board under section 24; | 20 |
| 22 | (v) | the techno-legal measures to be adopted by the Board under sub-section (1) of section 28; | 19 |
| 23 | (w) | the other matters under clause (d) of sub-section (7) of section 28; | |
| 24 | (x) | the form, manner and fee for filing an appeal under sub-section (2) of section 29; | 21 |
| 25 | (y) | the procedure for dealing an appeal under sub-section (8) of section 29; | 21 |
| 26 | (z) | any other matter which is to be or may be prescribed or in respect of which provision is to be, or may be, made by rules… including who is a Significant Data Fiduciary | 1, 2, 6, 14, 22 |

It may be observed that all the rules notified may be mapped to one of the sub-sections of Section 40. While some of the rules have schedules for more details, some rules are just a reproduction of the specific section of the Act.

Rule 6 about “Reasonable Safeguards”, Rule 14 about “Transfer of data outside India” and Rule 22 about officials to be appointed for certain purposes are linked to “Any other matter”. Out of these, there could be some grumbling about whether “Data localisation” is being brought in through the rules. This is one of the sensitive aspects of the rules, since industry wants a free hand to transfer personal data collected in India outside the country, including for AI learning and targeted advertising. However, Section 16 of the Act can be considered as supporting this aspect.

The Schedule under Rule 22 provides for the means to declare any data fiduciary as a “Significant Data Fiduciary” and covers one of the gaps in the earlier draft version of the rules.

All the 22 rules may perhaps be considered “necessary”. We may continue to comment on each of the rules as to whether the detailing is “Sufficient or Excessive”.

Naavi

Posted in Cyber Law