The Data Protection Industry in India today is waiting for MeitY to start a discussion on the DPDPA Rules.
Currently there is one section of the market which is convinced that MeitY has shared its draft with a closed group of its trusted international Tech Companies like the Meta, Microsoft and Google through their agents in Delhi and is waiting for their approval. Such approvals can only come from USA, and hence delay is inevitable.
Earlier multiple versions like PDPB 2018, PDPB 2019 and DPA 2021 were rejected because there was no “Consensus” in the Big Tech and their agents in India.
Seeking consensus on DPDPA from this section of the industry is like seeking consensus for the Indian Opposition in the Parliament on any action of the Government. If we want progress, we have to have conviction, act in good faith and move on.
DPDPA is a law that affects organizations other than the Big Techies and hence there are many in the industry who are keen to know the mind of MeitY because the Rules can overnight impose “Potential Financial Risks” that have to be provided for in the books of account. Whether they comply or not, the CFOs will demand provision for potential losses and Insurance to cover the Risks.
Hence it is in the interest of the industry that the current state of uncertainty is cleared at the earliest and Rules are made for the benefit of the larger MSME section of the society rather than the handful of members of the BigTech Association.
For this purpose, the section of the industry who are today away from the policy making group in Delhi needs to be vocal and express their views strongly. An opportunity for such expression is being created by FDPPI by an Industry meet on July 27 at Bangalore which should not be missed by them.
The Current version that MeitY has circulated is not necessarily the ideal set of Rules. But we can take it as the best effort preparation and together help MeitY to improve upon it by participate in the July 27 event and forging a strong response.
This should help MeitY to reduce their dependence on the Big Tech and their agents who are bullies in their own right and want MeitY to be at their beck and call.
FDPPI is now giving a platform to this section of the industry to come together and rally behind FDPPI so that MeitY can be liberated from the shackles placed by the Big Tech.
Let Us meet on July 27 at Bangalore to discuss the “DPDPA Rules” and help MeitY to move ahead. Check out www.fdppi.in and register for your participation. If the industry does not raise your voice, there will be no opportunity to change the course of the Rules later.
Let us not be like the Voters who fall for the “Guarantee Bait” and later complain about raising taxes.
The DPDPA 2023 was gazetted on August 11, 2023. However, the Government could not pass the rules and notify the Act before the elections and it is now scheduled for the 100 days agenda of the Modi 3.0 Government.
It is expected that the rules will first be released as “Draft” for eliciting the public response before being notified for effectiveness.
It is very important for all the industries to ensure that they study the rules and record their suggestions before the rules are notified. If they are complacent, it may be difficult to bring changes later.
So far it is the industry has been responsible for the delay in the introduction of the Data Protection laws by objecting to every move made by the Government to introduce the law out of fear of the unknown. We hope the resolve of the Government this time is strong and the notification will go as scheduled.
FDPPI therefore intends that the industry in different sectors study the rules assimilate its consequences and then provide it’s suggestions in time for the Government to accommodate as many views as feasible.
FDPPI therefore has organized a symposium in Bengaluru on 27th July 2024 to collate the voice of the different segments of the industry.
The Venue of the Conference is Suchitra Film Society Auditorium at : 36, 9th Main, B V Karanth Road, 9th Main Road, near Post Office, Banashankari Stage II, Banashankari, Bengaluru, Karnataka 560070.
The tentative program includes discussions in multiple panels as follows:
Panel 1: FDPPI: Introducing the observations of FDPPI
Panel 2: Health Sector: Impact of DPDPA Rules on Health Sector
Panel 3:Fintech: Impact of DPDPA Rules on Fintech Sector
Panel 4: Education: Impact of DPDPA Rules on Education Sector
Panel 5: Other Industries: Impact of DPDPA Rules on Digital marketing and Manufacturing Sector
The program is a hybrid program with speakers joining from all over India. The feedback received from the industry will be briefly discussed and collated for subsequent submission to MeitY.
Participation is by registration and physical participation is limited. Registration can be made here:
On June 28, 2024, there was a major Information Security Summit at Bengaluru lead by BSIDES Bengaluru.
Amongst the several things discussed during the conference was also a panel discussion on “Tactics for Combating Privacy Threats” in which the undersigned also particiapted.
During the panel discussion, Naavi highlighted that apart from the threats arising out of new technology being misused by Criminals which get reflected as “Information Security threats”, it is necessary to recognize the new genre of threats arising to an organization due to the emergence of Privacy and Data Protection laws.
One of the special features of this new genre of “Regulatory Non Compliance Risk” is that it may materialize even when there is no “Data Breach” and hence the risk management strategies need to be addressed differently from the exisitng practices.
Further, Naavi highlighted that it is necessary to recognize that management of “Privacy Threats” include management of a the limitations of the laws of pricacy and its conflict with security practices. An example was cited regarding a common response of organizations who refuse the identity of the sender of a message to a recipient when the message itself is an object of an offence such as a phishing email or a message.
Naavi also highlighted that there are limitations to the use of technology in automating compliance through technology artifacts which need to be recognized since “Legal Compliance” is not a “Binary Solution” and involves human interpretations.
Naavi believes that with the advent of DPDPA the obligations of organizations have taken a new dimension and it is necessary for them to identify new frameworks such as DGPSI to remain compliant.
The interaction with the audience was very engaging.
FDPPI took the opporutunity to congratulate the organizers and more particularly Ms Sujatha Yakasiri, the founder of BSIDES Bengaluru for the successful orgaization of the event.
Section 65B of Indian Evidence Act (IEA) was a very important amendment made to the age old Indian Evidence Act 1872 consequent to the passing of Information Technology Act 2000 (ITA 2000) notified on 17th October 2000.
This section provided the means of bringing electronic evidence as an admissible evidence in a Court of law and Naavi.org has discussed this several times in the last 20 years. Naavi even published an E Book on the topic (Which is now due for revision).
Now with the passage of the Bharatiya Sakshya Adhiniyam 2023 (BSA 2023) which has been notified for effectiveness on 1st July 2024 along with the new IPC and new CrPC., the section 65B of IEA will be replaced by Section 63 of BSA 2023 with similar provisions.
The objective of this article is to highlight the difference between Section 65B of IEA 1872 and Section 63 of BSA 2023. Section 65B of IEA had 5 sub sections and Section 63 of BSA also has 5 subsections along with a Schedule that prescribes a draft form of a certificate.
Naavi had presented the first Section 65B certificate in any Indian Court in the case of Government of Tamil Nadu vs Suhas Katti in AMM Egmore in 2024 which resulted in a successful conviction of the accused. Subsequently Naavi has provided many such certificates. Till 2012 when Supreme Court came out with the famous Basheer Judgement, views of Naavi were not being accepted by a part of the community but the Basheer judgement cleared most of the doubts prevalent in the market.
However there was no uniformity on the format in which the certificates were provided and all sorts of certificates might have been provided and accepted by the Courts.
Now the Section 63 of BSA clears most of the doubts and has brought some clarity. At the same time it might introduce some additional questions which need to be clarified by domain experts. An attempt has been made below to explain the thoughts of Naavi in this regard.
Let us now analyse this section in depth.
Section 63 of BSA 2023 Vs Section 65B of IEA:
Admissibility of Electronic Records
Section 63 of BSA 2023
Section 65B of IEA 1872 (amended in 2000)
63 Admissibility of electronic records. –
(1) Notwithstanding anything contained in this Adhiniyam, any information contained in an electronic record which is printed on paper, stored, recorded or copied in optical or magnetic media or semiconductor memory which is produced by a computer or any communication device or otherwise stored, recorded or copied in any electronic form (hereinafter referred to as the computer output) shall be deemed to be also a document, if the conditions mentioned in this section are satisfied in relation to the information and computer in question and shall be admissible in any proceedings, without further proof or production of the original, as evidence or any contents of the original or of any fact stated therein of which direct evidence would be admissible.
65B. Admissibility of electronic records. –– (1) Notwithstanding anything contained in this Act, any information contained in an electronic record which is printed on a paper, stored, recorded or copied in optical or magnetic media produced by a computer (hereinafter referred to as the computer output) shall be deemed to be also a document, if the conditions mentioned in this section are satisfied in relation to the information and computer in question and shall be admissible in any proceedings, without further proof or production of the original, as evidence or any contents of the original or of any fact stated therein of which direct evidence would be admissible
It is important to note that this subsection defines what is a “Computer Output” to which the other subsections of Section 63/65B applies. According to the section information contained in an electronic record is referred to as “Computer output” and it can be either “Printed on paper” or “Stored” on an optical media or magnetic media or semi conductor memory.
In ITA 2000, a document printed out of a computer or binary documents that are processed by a computer are all considered electronic documents and hence the word “Electronic Record” includes such documents even if it is not mentioned.
The critical aspect of the section is that such a Computer output when produced as per this section “Shall” be admissible in the proceedings without the production of the original. The judiciary does not have a discretion not to admit an electronic document unless some lacuna in the process of certification is brought to its notice. Hence this section will be widely debated in all future discussions in the Court involving electronic documents as evidence.
Overall considering the effect of this sub section, there is no difference between the two versions of the sub section 1.
The next sub section 63(2) and 65B(2) compare as follows.
(2) The conditions referred to in sub-section (1) in respect of a computer output shall be the following, namely:—
(a) the computer output containing the information was produced by the computer or communication device during the period over which the computer or communication device was used regularly to create, store or process information for the purposes of any activity regularly carried on over that period by the person having lawful control over the use of the computer or communication device;
(b) during the said period, information of the kind contained in the electronic record or of the kind from which the information so contained is derived was regularly fed into the computer or communication device in the ordinary course of the said activities;
(c) throughout the material part of the said period, the computer or communication device was operating properly or, if not, then in respect of any period in which it was not operating properly or was out of operation during that part of the period, was not such as to affect the electronic record or the accuracy of its contents; and
(d) the information contained in the electronic record reproduces or is derived from such information fed into the computer or communication device in the ordinary course of the said activities.
(2) The conditions referred to in sub-section (1) in respect of a computer output shall be the following, namely: –– (a) the computer output containing the information was produced by the computer during the period over which the computer was used regularly to store or process information for the purposes of any activities regularly carried on over that period by the person having lawful control over the use of the computer; (b) during the said period, information of the kind contained in the electronic record or of the kind from which the information so contained is derived was regularly fed into the computer in the ordinary course of the said activities; (c) throughout the material part of the said period, the computer was operating properly or, if not, then in respect of any period in which it was not operating properly or was out of operation during that part of the period, was not such as to affect the electronic record or the accuracy of its contents; and (d) the information contained in the electronic record reproduces or is derived from such information fed into the computer in the ordinary course of the said activities
We may observe here that the word” Or Communication device” has been added in the section so that mobile data is clearly within the purview of the section. This was also redundant but clarity is welcome.
Since sub section (1) speaks of “Computer output” the sub section (2) should be attributed to the “Computer Output”. Hence the device referred to in this sub section refers to the computer from which the “Computer Output” is produced. Since “Computer Output” could also be a “Stored” or “Copied” version, the computer device referred to in the sub section (2) should be considered as referring to that computer in which the “Computer Output” was stored or copied and from which the evidence is being extracted.
This interpretation is important since in the cases of documents on the web some people will argue that the hosting operations need to be certified as “working properly” etc., which is incorrect and infeasible. If Mr X is using his computer K to generate the “Computer Output” then K is the device whose owner is relevant for this section and K needs to be working properly etc.
Generating of a “Computer Output” is an activity such as “Printing out”, “Storing”, “Making a copy in a media” etc and the period referred to here is the period of creating such an output. If the print out is a 10 year Bank statement, it is not necessary that it is to be certified that the computer was working properly for 10 years.
Sub section 63(3) is slightly differently worded than 65B(3) though the objective of both is to ensure that a computer output created by a combination of computers such as a Server and a Client etc is within the definition of the section.
The section states as follows:
(3) Where over any period, the function of creating, storing or processing information for the purposes of any activity regularly carried on over that period as mentioned in clause (a) of sub-section (2) was regularly performed by means of one or more computers or communication device, whether— (a) in standalone mode; or (b) on a computer system; or (c) on a computer network; or(d) on a computer resource enabling information creation or providing information processing and storage; or (e) through an intermediary, all the computers or communication devices used for that purpose during that period shall be treated for the purposes of this section as constituting a single computer or communication device; and references in this section to a computer or communication device shall be construed accordingly.
(3) Where over any period, the function of storing or processing information for the purposes of any activities regularly carried on over that period as mentioned in clause (a) of sub-section (2) was regularly performed by computers, whether–– (a) by a combination of computers operating over that period; or (b) by different computers operating in succession over that period; or (c) by different combinations of computers operating in succession over that period; or (d) in any other manner involving the successive operation over that period, in whatever order, of one or more computers and one or more combinations of computers, all the computers used for that purpose during that period shall be treated for the purposes of this section as constituting a single computer; and references in this section to a computer shall be construed accordingly.
It is interesting to note that Section 63 provides a clarity that even if part of the process of producing a computer output involves a different legal entity which is an “Intermediary”, it is considered as a valid document created by the subject computer owner. During this process the document leaves the custody of the subject computer owner, gets processed outside and returns back.
This operation of processing through an intermediary involves “transmission of data out”, “Storage in the intermediary resources”, “Processing in intermediary resources” and “Re-transmission back to the subject computer owner”. It is difficult to accept the integrity of the document processed with the intermediary except with a “Certificate from the Intermediary” that the data received, processed and re-transmitted has not modified the evidentiary value of the electronic record.
In other words the Intermediary has to provide his own “certificate” as an agent of the subject computer owner as part of his data processing network. The drafting of this aspect is therefore open to interpretation which may be disputed and requires a future clarification from the Supreme Court.
For the time being the Jurisprudential advice from us would be that
“Where the processing of the computer output involves computers owned by multiple owners, the owner who presents the evidence must hold confirmatory certificates from the other sub processors that during the processing of data at their end, the material value of the evidentiary content has not been altered”.
For this purpose the sub processor may be called to the Court for evidence or may submit the details of the tool and how it processes the data in the form of a certified document.
The next most important section is Section 65B(4) or Section 63 (4) which speaks of the manner in which certificate has to be issued.
(4) In any proceeding where it is desired to give a statement in evidence by virtue of this section, a certificate doing any of the following things shall be submitted along with the (a) identifying the electronic record containing the statement and describing the manner in which it was produced; (b) giving such particulars of any device involved in the production of that electronic record as may be appropriate for the purpose of showing that the electronic record was produced by a computer or a communication device referred to in clauses (a)to (e) of sub-section (3); (c) dealing with any of the matters to which the conditions mentioned in sub-section (2) relate, and purporting to be signed by a person in charge of the computer or communication device or the management of the relevant activities (whichever is appropriate) and an expert shall be evidence of any matter stated in the certificate; and for the purposes of this sub-section it shall be sufficient for a matter to be stated to the best of the knowledge and belief of the person stating it in the certificate specified in the Schedule.
(4) In any proceedings where it is desired to give a statement in evidence by virtue of this section, a certificate doing any of the following things, that is to say, –– (a) identifying the electronic record containing the statement and describing the manner in which it was produced; (b) giving such particulars of any device involved in the production of that electronic record as may be appropriate for the purpose of showing that the electronic record was produced by a computer; (c) dealing with any of the matters to which the conditions mentioned in sub-section (2) relate, and purporting to be signed by a person occupying a responsible official position in relation to the operation of the relevant device or the management of the relevant activities (whichever is appropriate) shall be evidence of any matter stated in the certificate; and for the purposes of this subsection it shall be sufficient for a matter to be stated to the best of the knowledge and belief of the person stating it.
This sub section defines the contents of the Certificate and how it is to be issued.
The certificate needs to contain the “Identity of the electronic record”, “Particulars of the devices involved in its production” and “Signed by the person in charge of the computer” and an expert. A copy of such certificate is provided in the schedule also.
The persons who have drafted this sub section have considered that the “Person in charge of a computer” and the “Expert” are two different persons. When this is looked at along with the earlier sub section related to an “Intermediary”, it is possible to interpret that certificate is required by the “Intermediary” also which is not ordinarily feasible.
We should therefore jurisprudentially interpret that certificate is required only from the owner of the computer from which the computer output was produced and will be supported by a “Declaration” that the owner believes that the processing at the hands of the intermediary has not materially altered the evidentiary value of the document.
The sub section uses a terminology “an Expert”. Fortunately it does not use the term “The expert”. In case the words “The expert” had been used, it would have introduced a confusion with the Section 79A expert. “An Expert” means any other person with necessary expertise.
The copy of the certificate template as given in the schedule is as follows:
It is observed that the “Computer Output” in the form of a print out may not have a hash value of its own and the hash value stated here should be considered as referring to the original from which the print out was taken. This means that the electronic document should be first saved as a document in the media for the purpose of calculating the hash value. Whoever drafted this was not fully aware of the implications of this suggestion and hence we need to develop a work around for this. The “Expert” should either store one electronic version of the document which is printed out or state that since the computer output is in the form of a paper document, the hash value refers to the scanned copy of the print out.
The last sub section namely 63(5) refers to a context where the subject computer device from which the evidence is extracted and certified may itself get the feed from another computer. It is not necessary that it should originally be produced by the computer itself.
This sub section states as follows:
(5) For the purposes of this section,— (a) information shall be taken to be supplied to a computer or communication device if it is supplied thereto in any appropriate form and whether it is so supplied directly or (with or without human intervention) by means of any appropriate equipment; (b) a computer output shall be taken to have been produced by a computer or communication device whether it was produced by it directly or (with or without human intervention) by means of any appropriate equipment or by other electronic means as referred to in clauses (a) to (e) of sub-section (3).
(5) For the purposes of this section, –– (a) information shall be taken to be supplied to a computer if it is supplied thereto in any appropriate form and whether it is so supplied directly or (with or without human intervention) by means of any appropriate equipment; (b) whether in the course of activities carried on by any official, information is supplied with a view to its being stored or processed for the purposes of those activities by a computer operated otherwise than in the course of those activities, that information, if duly supplied to that computer, shall be taken to be supplied to it in the course of those activities; (c) a computer output shall be taken to have been produced by a computer whether it was produced by it directly or (with or without human intervention) by means of any appropriate equipment. Explanation.––For the purposes of this section any reference to information being derived from other information shall be a reference to its being derived therefrom by calculation, comparison or any other process.]
This subsection provides a possible solution to the problem of obtaining a certificate of assurance from the sub processors that when the evidentiary computer output is produced in multiple computers owned by different owners.
The observation is that after the processing by the sub processor, a final version is back with the subject computer owner. If the certificate is produced for the “As is where is version of the electronic document”, it may be possible not to insist on the assurance certificates from the previous processors.
As an example, let us say there is a document D1 with Mr X in a Computer K. This is sent to an intermediary M who returns a version of the document D2.
Now the document provided for evidentiary purpose may be either D1 or D2.
D1 may be in a format that is not easily readable and hence converting it to D2 may be essential.
The question that arises is whether M should be considered as an intermediary and if so how should we account for the change of D1 to D2 and possible implication on the integrity of the evidence.
In the earlier paragraph we suggested that we can take the certificate of assurance from M that the evidentiary integrity of D1 has not been altered in D2. (eg: D1 is an image which is compressed into D2 and no other change is made).
In view of the 63(5) an alternative exists to avoid the need for the certificate from the intermediary.
We may consider that D2 is the evidentiary document provided to the Court and earlier processing is not under the control of the person who owns the computer and produces D2 as evidence with necessary certification.
The experts who provide Section 63 certificates need to therefore incorporate these description of how the document originated in the annexure to the certificate using the scheduled format as a covering certificate.
To sum up, there is a fresh requirement of experts and lawyers to understand Section 63 of Bharatiya Sakshya Adhiniyam and for Judges also to appreciate the points mentioned above.
I am certain that the above discussion is the first such discussion on the section and there will be many more discussions and seminars in which this will be discussed till one day the Supreme Court also understands it and puts it into one of its judgements.
Naavi in the meantime continue to use the thoughts provided here to issue certificates if required. (P.S: At present Naavi has stopped issuing Section 65B certificates due to his pre-occupations with DPDPA related activities).
In the FY 2025-26, it is expected that some Banks may start adopting the guidelines.
The key report areas were
1.Governance with board level oversight of climate related risks and opportunities
2.Straegy for managing the short, medium and long term climate related risks
3.Risk Management
4.Metrics and targets.
RBI seem to recommend a phased approach for the disclosures from FY 25-26 onwards going into FY 27-28.
Obviously there are technology companies which are recommending the use of tools with AI to support the organizations in assessing the Climate Risk and perhaps mitigating the risks also.
It is in this context that we need to remember an earlier study of the University of Texas which said that every Chat GPT query consumes 500ml of water to cool the servers. Another estimation was that every LLM interaction may consume power equivalent to running a LED bulb of low intensity for one hour.
Irrespective of the actual metrics, the impact of AI on power consumption cannot be neglected. We have earlier highlighted this in the “Cyrpto Mining” scenario.
It is now time to start thinking if the climate impact of Computing in general should be considered as a risk that needs to be disclosed by all entities not necessarily the REs.
Probably the AI industry should start a disclosure of the impact of their use of AI on climate and necessary metrics need to be developed.
FDPPI welcomes the rules being framed on DPDPA 2023 so as to give effect to the Act at the earliest.
The Act has defined the responsibilities of a Data Fiduciary and the Rights of a Data Principal. It has also indicated provisions related to Data Breach Notification and penalties for various non compliance issues.
In order to implement the Act, Government will be setting up a Data Protection Board.
Some of the applicability aspects such as the “Significant Data Fiduciary” and their special responsibilities will also need to be clarified through additional notifications beyond the 25 rules required under different sections of the Act.
Once the formalities of the operationalizing the new Loksabha is completed, it is expected that the Government will release the draft rules for public comments.
In order to collate the views of the industry on the published rules, FDPPI is planning a physical event in Bangalore at the earliest inviting representatives from the Industry to contribute their views on the rules to be consolidated and presented to the MeitY.
We request senior professionals in the industry particularly from the Fintech, HealthCare, Digital Marketing, etc and different Classes of Data Fiduciaries such as Manufacturing Companies, Social Media Intermediaries, AI developers, AI users, Payment Gateways, KYC agencies, Certifying authorities under ITA 2000, Privacy Enhancement technology suppliers etc., who are interested in sharing their views on the published rules to participate in the Industry interaction.
Interested professionals and Companies particularly in Bangalore may kindly contact naavi/FDPPI immedaitely so that the program details can be finalized.