DPDPA Rules-The Data Protection Board of India

Chapter V of the DPDPA 2023 provides the legal provisions related to the constituion of the DPB of India which will be the supervisory body for DPDPA 2023.

Now the draft rules issued has indicated the process for selection of the Chairperson and the members of the Board.

The draft notification is yet to indicate the number of the members to be appointed in the DPBI but indicated that two Search-Cum-Selection Committees will be constituted one for the selection of the Chairperson and the other for the members. The Central Government (meaning the Meity) will approve the selection.

The Search cum Selection Committee for selection of Chairman will consist of

1.Cabinet Secretary who shall be the Chairman

2. Two experts of repute who possess special knowledge or practical experience in the fields of data governance, administration or implementation of laws related to social or consumer protection, dispute resolution, information and communication technology, digital economy, law, regulation or techno-regulation or in any other field which in the opinion of the Central Government may be useful to the Board

3.Secretary to the Government of India in the department of legal affairs

4. Secretary to the Government of India in the Ministry of Electronics and Information Technology who shall be the convener

Similarly, the Search Cum Selection Committee for selecting the members of the Board will consist of

1.Secretary to the Government of India in the Ministry of Electronics and Information Technology, who shall be the Chairperson;

2.two experts of repute, who possess special knowledge or practical experience in the fields of data governance, administration or implementation of laws related to social or consumer protection, dispute resolution, information and communication technology, digital economy, law, regulation or techno-regulation or in any other field which in the opinion of the Central Government may be useful to the Board

3.Secretary to the Government of India in the Department of Legal affairs and

4.The Chairperson

This indicates that the members of the Board will be chosen only after the Chairman is chosen, appointed and takes charge. However there is a provision that this committee can work without the Chairman in the period when he/she has not been appointed/joined.

If the Government insists that the draft rules will be kept for public comments for 45 days and notified only there after, the search cum selection committee can only start its function after the notification which is around 2 months from date. There after the search committee needs to have at least two or three meetings before selection which needs to be approved by the Government.

The search, selection and appointment of members may have to start after the Chairman is in place and may take further time unless the Government decides to proceed with the selection of the members even before the first search committee completes its search and the Chairman joins duty.

Hence there is a need for MeitY to work in the background so that the constitution of the DPBI may be speeded up.

The salary and allowances of the Chairman and the Members are also indicated in the rules as Rs 4.5 lakhs per month for the Chairman and Rs 4.0 lakhs per month for the members along with the other facilities as applicable to the Government employees of the relevant grade.

Let us look forward to an early completion of the process so that further notification of operating rules may be completed without further delay.

Naavi

Posted in Cyber Law | 1 Comment

DPDPA Rules-Consent Manager

Naaavi.org has been debating the concept of “Consent Manager” under DPDPA 2023 and the possibility of making it animprovement over the concept of “Consent Manager under the DEPA Framework” which has been adopted under the Account Aggregator scheme.

Now going through the current version of DPDPA rules, the MeitY has chosen not to exercise its option to improve upon the DEPA Framework but retain the concept with which they are more familiar.

Every consent manager needs to be registered with the DPB and shall be an Indian company with its directors and senior management having reputation for record of fairness and integrity. Any conflict of interest with any data fiduciary either at the corporate level or the executive level needs to be avoided.

The Minimum networth of the company has to be not less than Rs 2 crores.

Under sub rule (3) of this Rule 5, it is stated that one of the obligations of the Consent Manager is …

“to establish an accessible, transparent and interoperatble platform that enables a data principal to give, manage, review and withdraw her consent to herslef obtain her personal data from a data fiduciary or to ensure that such personal datails shared with another data fiduciary of her choice, without the consent manager being in a position to access that personal data”

This clause highlights the “Intermediary” role of the Consent Manager under ITA 200o while the sub rule 1(c) states that the Consent Manager shall act in a “Fiduciary” capacity.

The “Fiduciary” capacity and “Intermediary” status are mutually exclusive. They are different and this has been ignored.

Further while the sub clause (1) states that the Consent Manager shall be a Company, sub clause (7) implies that it can be a firm or an association of persons. Further the rule at some place also refers to the “Consent Manager” as “her” indicating that it could even be an individual.

These are probably unintended and can be corrected in the next version.

The rule also prescribes a data retention period of 7 years or longer which could influence the due diligence of data fiduciaries in similar circumstances.

The question is that if the Consent Manager is required to keep the consent information for 7 years or more why not the Primary Data Fiduciary?

Also, is there a “Purpose” for the Consent Manager to collect and hold the consent. If so, is there an expiry period for the same differently? …

Also if according to sub rule (2)(b) the consent Manager needs to to maintain a digial record of and offer to a data principal digital access to
(i) every request for consent approved or rejected by her and
(ii) every data fiduciary who has shared her personal data in response to a reuest for consent approved by her.

how does the sub clause (3) stating that the Consent Manager shall not have access to the Consent can be fulfilled.

Probably a more detailed discussion is required in this regard…

Naavi

Posted in Cyber Law | Leave a comment

DPDPA Rules: Management of Data Principal’s Rights

The draft rules currently under discussion regarding the management of Data Principal’s Rights tries to provide clarity to Sections 11, 12, 13 and 14 of DPDPA 2023.

It is noted that the rules does not make any reference to Section 15 on the duties of the data principal which is a condition precedent to the exercise of Rights and should have been mentioned.

While refering to the requirements, the clause starts with the words,


“(1)For enabling data principals to exercise their rights under Chapter III of the Act, the Data Fiduciary and, where applicable, the Consent Manager, shall publish on her website or app or both, as the case may be,-“

I would like to again point out that the rules refer to the Data Fiduciary or Consent Manager in terms of “her website” as if the Data Fiduciary or the Consent Manager is an “individual”. While the “Data Fiduciary” can be an “individual”, it is not practically feasible for the Consent Manager to be an “Individual” or rather it should not be from the regulatory requirement of business continuity. In fact another rule (yet to be discussed by us) categorically mentions that the Consent Manager shall be a Company.

Hence the use of the word “her” in this context is incorrect and this obsession needs to be avoided. It may lead to un necessary legal issues at some point of time in future. There is a need to go through the entire document and ensure that all references to a Data Fiduciary or Consent Manager shall be changed to “it”or “their” instead of “she” or “her”.

While most of the rules under this clause are a paraphrasing of the Act the lack of reference to the Duties is glaring. The “Rights” guaranteed under the Act is intrinsically linked to the “Duties” both because of the Secton 15 of the Act as well as the Article 19(2) of the constitution restricting the “Right to Privacy” in certain specific contexts.

It is most important to note that under Section 15 of the Act, a Data Principal shall ” comply with the provisions of all applicable laws for the time being in force while exercising rights under the provisions of this Act;”

This has to be highlighted so that no irresponsible attack is mounted on a data fiduciary by motivated data principals who may be encouraged by the competitors or anti nationals.

Similarly, the “Right for Erasure” has to be effectively tempered with the need to ensure through appropriate documentation that there is no need to reain the data because of any other reasons. “Electronic Data” is an evidence for many civil claims and criminal prosecution and irresponsible erasure could become an offence under Section 65 of ITA 200 and also under IPC/IEA.

Compliance officers are unlikely to have adequate appreciation of the laws related to retention of data under other statutes and hence they have to be warned while they try to meet the requirements of the “Right to Erasure”.

Some of these corrections are required in the next draft.

Naavi

Posted in Cyber Law | Leave a comment

DPDPA Rules: The Significant Data Fiduciary

One of the important aspects of DPDPA Rules that was being looked upto was regarding the identification of the “Significant Data Fiduciary” since many obligations including the need to designate the DPO emerges from the definition.

It is surprising that the draft rules meant for public discussion seems to be yet undecided in this aspect and requires an urgent correction to incorporate the details of how we can define a Significant Data Fiduciary. Naavi.org has discussed this issue several times (Refer here)

However the current draft of the rules only state the following in regard to the Significant Data Fiduciary.

Measures to be undertaken by the Significant Data Fiduciary.

(1) A Significant Data Fiduciary shall in addition to the measures provided under the Act undertake the following measures , namely:-

(a) Ensure that its Data Protection Officer shall be the point of contact for answering on its behalf, the questions, if any, raised by the Data Principal about the processing of her personal data

(b) Include in the business contact information to be published under rule 9 a toll-free telephone number issued in India and an e-mail address for Data Principals to contact its Data Protection Officer: and

(c) Undertake the periodic Data Protection Impact assessment and the perioidic audit under the provisions of the Act at least once in every year.

(2) In this rule, the expression “every year” in relation to a Data Fiduciary, shall mean every period of one year reckoned from the date on which

(a) these rules come into force or

(b) such data fiduciary becomes a significant data fiduciary, whichever is later.

For some reasons this clause appears to be poorly constructed and requires urgent revision.

Firstly there is a need to define a “Significant Data Fiduciary” u/s 10(1) so that organziations can start preparing for designating a DPO and instituting measures for audit etc.

Secondly the responsibility of DPO cannot be stated as “Answering the questions of Data Principal”. It should be a responsibility to resolve the disputes of the data principal at the level of the Data Fiduciary and to be a point of contact for the DPB and to also be responsible for any inadequacies for compliance.

The current version of the rule appears to reduce the importance of the DPO to that of a help center manger. This is not keeping with the spirit of the Act and needs to be changed immediately before further discussion of the rules in the public domain.

Naavi

Posted in Cyber Law | Leave a comment

DPDPA Rules: Which provisions will become effective now

While the DPDPA 2023 was gazetted on 11th August 2023, the notification of the date of its effectiveness has been awaited. Presently the draft rule is ready for public comments and the industry is eagerly waiting to know which provisions of the Act will become effective immediately and which will take time.

The current thinking in the Meity seems to be a two stage implementation with about 6 rules to be notified for effect immediately and the remaining around 14+ rules to be effective at some point of time later.

The six rules that may be notified for immediate effect could be

Short Title and Commencement
Definitions
Appointment of Chairperson and other Members
Salary, allowances and other terms and conditions of service of Chairperson and other members
Proceedings of Board and authentication of its ordders, directions and instruments
Terms and conditions of appointment and service of officers and employees of Board

The other rules to be notified on a later date are as follows:

Notice to seek consent fo data principal
Notice to inform of processing done where data principal has given consent before commencement of Act
Registration, accountability and obligations of a Consent Manager
Processing of Personal data for provision of subsidy, benefit, service, certificate, license or permit
Intimation of personal data breach
Time period for specified purpose to be deemed as no longer being served
Publishing of contact information of person who is able to answer questions about processing
Verifiable Consent for processing personal data of child or person with disability who has lawful guardian
Exemptions from processing of personal data of child
Measures to be undertaken by Significant Data Fiduciary
Rights of Data Principal
Exemption from Act for Research, Archiving and Statistical purposes
Techno Legal measures to be adopted by Board
Appeal

It is expected that the setting up of the DPB may take about 3 months and the remaining rules may come into effect subsequently.

There are a few more rules that are yet to be finalized and perhaps they may come up in the third set.

The exact time schedule for implementation is yet unclear and we may have to wait for the Government to complete the constitution of the DPB before a more specific time schedule can be expected.

Naavi

Posted in Cyber Law | 1 Comment

DPDPA-Rules: Publishing the Business Contact Information of DPO

It is amusing to observe that while draftng the rules of DPDPA, MeitY has gone over board to use the feminine gender in the law which was considered a unique aspect of the drafting of the law.

In the law, the data principal who is an individual was referred to as “She” or “her” instead of the normal use of the term “he” or “him” used in other laws.

Now those who drafted the rules have gone a step further to depict even the organziations in a feminine gender.

For example, while indicating the rules regarding the publishing of the business contact information of a Data Protection Officer, the draft rules meant for discussion states,

(1) A Data Fiduciary shall-

(a) publish on her website or app or both as the case may be and

(b) intimate the data principal through in-app notification and every piece of correspondence with her, the business contact information of a person who is able to answer on behalf of the Data Fiduciary, the questions, if any raised by the Data Principal about the processing of her personal data.

(2) If the Data fiduciary is a significant Data fiducairy, the business contact information published under sub-rule (1) shall be that of its Data Protection officer,

(3) The business contact information to be published under sub-rule (1) shall be published in like manner as is provided in sub-rule (2) of rule 5 (Ed: on the home page).

In majority of cases, the Data Fiduciary is an organziation and the appropriate use of pronoun would have been “It” or simply the Data Fiducairy.

There is one benefit however that has arisen on account of this unatural use of the pronoun “her” to a “Data Fiducairy”. It has focussed on the fact that even an individual can be a “Data Fiduciary” in the context of processing of personal data for “Non Domestic use”. Hence theoretically a Data Fiduciary can also be an individual and therefore the use of the pronoun “Her/she” can be justified.

Leaving this minor observation, this rule is important from the perspective of an indirect admission that “Business Contact Information” is actually “Personal Information” which the data principal out of his “Choice” decides to use for business use.

There are many who consider Naavi9 @gmail.com as personal information and refuse to accept it in some forms. On the other hand naavi @naavi.org is considered as an acceptable business use. This is in my view incorrect since it is the prerogative of naavi to hold out naavi @naavi.org as a business address or personal address and naavi9 @gmail.com as personal email address or business email address.

Under DGPSI framework we have been always recommending to leave the choice of declaring if any e-mail or mobile number is a personal information or business information and many companies have started accepting this argument and incorporating this in their personal information gathering exercise.

I hope after the use of the “her/She” to Data Fiduciary and business contact information of a DPO as “her” information confirms that “Business Contact Information” can contain personal name as part of the e-mail.

…..More discussions will follow.

Naavi

Posted in Cyber Law | Leave a comment