Climate Change Impact of Artificial Intelligence usage

I draw the attention of readers to our earlier article “Climate Change impact on ISO 42001” and the “RBI Reference on the impact of Climate Change on Financial Risk”. RBI had also released the draft guidelines on “Disclosure Framework on Climate related Financial Risks, 2024”.

In FY 2025-26, it is expected that some banks may start adopting the guidelines.

The key reporting areas were:

1. Governance, with board level oversight of climate related risks and opportunities

2. Strategy for managing the short, medium and long term climate related risks

3. Risk Management

4. Metrics and targets.

RBI seems to recommend a phased approach to the disclosures, from FY 25-26 onwards through FY 27-28.

Obviously, there are technology companies recommending the use of AI tools to support organizations in assessing Climate Risk and perhaps also in mitigating the risks.

It is in this context that we need to remember an earlier study from the University of Texas which said that every ChatGPT query consumes 500ml of water to cool the servers. Another estimate was that every LLM interaction may consume power equivalent to running a low-intensity LED bulb for one hour.

Irrespective of the actual metrics, the impact of AI on power consumption cannot be neglected. We have earlier highlighted this in the “Crypto Mining” scenario.

It is now time to start thinking about whether the climate impact of computing in general should be considered a risk that needs to be disclosed by all entities, not only the REs.

Probably the AI industry should start disclosing the impact of its use of AI on climate, and the necessary metrics need to be developed.

Naavi

Posted in Cyber Law | Leave a comment

Debate the DPDPA Rules: FDPPI Initiative

FDPPI welcomes the rules being framed on DPDPA 2023 so as to give effect to the Act at the earliest.

The Act has defined the responsibilities of a Data Fiduciary and the Rights of a Data Principal. It has also indicated provisions related to Data Breach Notification and penalties for various non-compliance issues.

In order to implement the Act, the Government will be setting up a Data Protection Board.

Some of the applicability aspects such as the “Significant Data Fiduciary” and their special responsibilities will also need to be clarified through additional notifications beyond the 25 rules required under different sections of the Act.

Once the formalities of operationalizing the new Lok Sabha are completed, it is expected that the Government will release the draft rules for public comments.

In order to collate the views of the industry on the published rules, FDPPI is planning a physical event in Bangalore at the earliest, inviting representatives from the industry to contribute their views on the rules, to be consolidated and presented to MeitY.

We request senior professionals in the industry, particularly from Fintech, HealthCare, Digital Marketing, etc., and from different classes of Data Fiduciaries such as Manufacturing Companies, Social Media Intermediaries, AI developers, AI users, Payment Gateways, KYC agencies, Certifying Authorities under ITA 2000, Privacy Enhancement Technology suppliers, etc., who are interested in sharing their views on the published rules, to participate in the industry interaction.

Interested professionals and companies, particularly in Bangalore, may kindly contact naavi/FDPPI immediately so that the program details can be finalized.

Naavi


DPDPA Rules-The Data Protection Board of India

Chapter V of the DPDPA 2023 provides the legal provisions related to the constitution of the DPB of India, which will be the supervisory body for DPDPA 2023.

Now the draft rules issued have indicated the process for selection of the Chairperson and the members of the Board.

The draft notification is yet to indicate the number of members to be appointed to the DPBI, but it indicates that two Search-cum-Selection Committees will be constituted: one for the selection of the Chairperson and the other for the members. The Central Government (meaning MeitY) will approve the selection.

The Search-cum-Selection Committee for selection of the Chairman will consist of:

1. Cabinet Secretary, who shall be the Chairman

2. Two experts of repute who possess special knowledge or practical experience in the fields of data governance, administration or implementation of laws related to social or consumer protection, dispute resolution, information and communication technology, digital economy, law, regulation or techno-regulation, or in any other field which in the opinion of the Central Government may be useful to the Board

3. Secretary to the Government of India in the Department of Legal Affairs

4. Secretary to the Government of India in the Ministry of Electronics and Information Technology, who shall be the convener

Similarly, the Search-cum-Selection Committee for selecting the members of the Board will consist of:

1. Secretary to the Government of India in the Ministry of Electronics and Information Technology, who shall be the Chairperson;

2. Two experts of repute who possess special knowledge or practical experience in the fields of data governance, administration or implementation of laws related to social or consumer protection, dispute resolution, information and communication technology, digital economy, law, regulation or techno-regulation, or in any other field which in the opinion of the Central Government may be useful to the Board

3. Secretary to the Government of India in the Department of Legal Affairs, and

4. The Chairperson

This indicates that the members of the Board will be chosen only after the Chairman is chosen, appointed and takes charge. However, there is a provision that this committee can work without the Chairman during the period when he/she has not yet been appointed or joined.

If the Government insists that the draft rules will be kept for public comments for 45 days and notified only thereafter, the Search-cum-Selection Committee can only start its function after the notification, which is around 2 months from today. Thereafter, the search committee needs to have at least two or three meetings before making a selection, which then needs to be approved by the Government.

The search, selection and appointment of members may have to start only after the Chairman is in place and may take further time, unless the Government decides to proceed with the selection of the members even before the first search committee completes its search and the Chairman joins duty.

Hence there is a need for MeitY to work in the background so that the constitution of the DPBI can be sped up.

The salary and allowances of the Chairman and the Members are also indicated in the rules: Rs 4.5 lakhs per month for the Chairman and Rs 4.0 lakhs per month for the members, along with the other facilities applicable to Government employees of the relevant grade.

Let us look forward to an early completion of the process so that further notification of operating rules may be completed without further delay.

Naavi


DPDPA Rules-Consent Manager

Naavi.org has been debating the concept of “Consent Manager” under DPDPA 2023 and the possibility of making it an improvement over the concept of “Consent Manager under the DEPA Framework”, which has been adopted under the Account Aggregator scheme.

Going through the current version of the DPDPA rules, MeitY has chosen not to exercise its option to improve upon the DEPA Framework, but to retain the concept with which it is more familiar.

Every Consent Manager needs to be registered with the DPB and shall be an Indian company whose directors and senior management have a reputation for a record of fairness and integrity. Any conflict of interest with any Data Fiduciary, either at the corporate level or the executive level, needs to be avoided.

The minimum net worth of the company has to be not less than Rs 2 crores.

Under sub-rule (3) of this Rule 5, it is stated that one of the obligations of the Consent Manager is …

“to establish an accessible, transparent and interoperable platform that enables a data principal to give, manage, review and withdraw her consent to herself obtain her personal data from a data fiduciary or to ensure that such personal data is shared with another data fiduciary of her choice, without the consent manager being in a position to access that personal data”

This clause highlights the “Intermediary” role of the Consent Manager under ITA 2000, while sub-rule 1(c) states that the Consent Manager shall act in a “Fiduciary” capacity.

The “Fiduciary” capacity and the “Intermediary” status are mutually exclusive. They are different, and this has been ignored.

Further, while sub-clause (1) states that the Consent Manager shall be a Company, sub-clause (7) implies that it can be a firm or an association of persons. The rule in some places also refers to the “Consent Manager” as “her”, indicating that it could even be an individual.

These are probably unintended and can be corrected in the next version.

The rule also prescribes a data retention period of 7 years or longer, which could influence the due diligence of Data Fiduciaries in similar circumstances.

The question is: if the Consent Manager is required to keep the consent information for 7 years or more, why not the Primary Data Fiduciary?

Also, is there a “Purpose” for the Consent Manager to collect and hold the consent? If so, is there a separate expiry period for it? …

Also, if according to sub-rule (2)(b) the Consent Manager needs to maintain a digital record of, and offer to a Data Principal digital access to,
(i) every request for consent approved or rejected by her, and
(ii) every Data Fiduciary who has shared her personal data in response to a request for consent approved by her,

how can sub-clause (3), which states that the Consent Manager shall not have access to the consent, be fulfilled?

Probably a more detailed discussion is required in this regard…

Naavi


DPDPA Rules: Management of Data Principal’s Rights

The draft rules currently under discussion regarding the management of Data Principal’s Rights try to provide clarity on Sections 11, 12, 13 and 14 of DPDPA 2023.

It is noted that the rules do not make any reference to Section 15 on the duties of the Data Principal, which is a condition precedent to the exercise of Rights and should have been mentioned.

While referring to the requirements, the clause starts with the words:

“(1) For enabling data principals to exercise their rights under Chapter III of the Act, the Data Fiduciary and, where applicable, the Consent Manager, shall publish on her website or app or both, as the case may be,-“

I would like to again point out that the rules refer to the Data Fiduciary or Consent Manager in terms of “her website”, as if the Data Fiduciary or the Consent Manager were an “individual”. While the “Data Fiduciary” can be an “individual”, it is not practically feasible for the Consent Manager to be an “individual”, or rather it should not be, given the regulatory requirement of business continuity. In fact, another rule (yet to be discussed by us) categorically mentions that the Consent Manager shall be a Company.

Hence the use of the word “her” in this context is incorrect, and this obsession needs to be avoided. It may lead to unnecessary legal issues at some point of time in the future. There is a need to go through the entire document and ensure that all references to a Data Fiduciary or Consent Manager are changed to “it” or “their” instead of “she” or “her”.

While most of the rules under this clause are a paraphrasing of the Act, the lack of reference to the Duties is glaring. The “Rights” guaranteed under the Act are intrinsically linked to the “Duties”, both because of Section 15 of the Act as well as Article 19(2) of the Constitution, which restricts the “Right to Privacy” in certain specific contexts.

It is most important to note that under Section 15 of the Act, a Data Principal shall “comply with the provisions of all applicable laws for the time being in force while exercising rights under the provisions of this Act;”

This has to be highlighted so that no irresponsible attack is mounted on a Data Fiduciary by motivated Data Principals who may be encouraged by competitors or anti-nationals.

Similarly, the “Right to Erasure” has to be effectively tempered with the need to ensure, through appropriate documentation, that there is no need to retain the data for any other reason. “Electronic Data” is evidence for many civil claims and criminal prosecutions, and irresponsible erasure could become an offence under Section 65 of ITA 2000 and also under the IPC/IEA.

Compliance officers are unlikely to have an adequate appreciation of the laws related to retention of data under other statutes, and hence they have to be warned while they try to meet the requirements of the “Right to Erasure”.

Some of these corrections are required in the next draft.

Naavi


DPDPA Rules: The Significant Data Fiduciary

One of the important aspects of the DPDPA Rules that was being looked forward to was the identification of the “Significant Data Fiduciary”, since many obligations, including the need to designate a DPO, emerge from that definition.

It is surprising that the draft rules meant for public discussion seem to be still undecided on this aspect, and they require an urgent correction to incorporate the details of how a Significant Data Fiduciary is to be defined. Naavi.org has discussed this issue several times (Refer here).

However, the current draft of the rules only states the following in regard to the Significant Data Fiduciary.

Measures to be undertaken by the Significant Data Fiduciary.

(1) A Significant Data Fiduciary shall, in addition to the measures provided under the Act, undertake the following measures, namely:-

(a) Ensure that its Data Protection Officer shall be the point of contact for answering, on its behalf, the questions, if any, raised by the Data Principal about the processing of her personal data;

(b) Include in the business contact information to be published under rule 9 a toll-free telephone number issued in India and an e-mail address for Data Principals to contact its Data Protection Officer; and

(c) Undertake the periodic Data Protection Impact Assessment and the periodic audit under the provisions of the Act at least once in every year.

(2) In this rule, the expression “every year” in relation to a Data Fiduciary, shall mean every period of one year reckoned from the date on which

(a) these rules come into force or

(b) such data fiduciary becomes a significant data fiduciary, whichever is later.

For some reason this clause appears to be poorly constructed and requires urgent revision.

Firstly, there is a need to define a “Significant Data Fiduciary” u/s 10(1) so that organizations can start preparing for designating a DPO and instituting measures for audit, etc.

Secondly, the responsibility of the DPO cannot be stated as merely “answering the questions of the Data Principal”. It should be a responsibility to resolve the disputes of the Data Principal at the level of the Data Fiduciary, to be the point of contact for the DPB, and also to be responsible for any inadequacies in compliance.

The current version of the rule appears to reduce the importance of the DPO to that of a help center manager. This is not in keeping with the spirit of the Act and needs to be changed immediately, before further discussion of the rules in the public domain.

Naavi
