Suspected Scam at HESCOM?

HESCOM is the Hubli Electricity Supply Company responsible for managing the electricity supply activities on behalf of the Government of Karnataka including management of electricity connections, metering, collection of usage charges etc.

The organization is headed by an Ex-MLA of Haveri namely Mr Sayeed Azeempeer Khadri. The Managing Director of the Company is Ms Vyshali M.L., IAS (md@hescom.in). Mr Gaurav Gupta, IAS (prs.energy@gmail.com) is a senior Director and Dr Vishal R, IAS (secyfr-fd@karnataka.gov.in) is Secretary to Government (Fiscal Reforms). There are many other Directors in the Board responsible for the management of BESCOM.

I observed that on 7th March 2025, I received SMS from CP-HESCOM about bills payable on the following two accounts.

  1. 2427142 in the name of Nasibsab A Lokapuri for Rs 238/-
  2. 2424310 in the name of F.N. Lokapuri for Rs 208/-

While I had ignored the SMS, I now find that FINTECH companies like CRED have been listing the dues for automatic payment through my accounts with them. I could have ended up making such payments without verification had I not been alert.

I can presume that CRED had my permission to read my SMS and could have picked up the information. However, I do not find any reason why HESCOM should have listed my phone number with the electricity accounts of somebody in Hubli while I reside in Bangalore.

I have demanded that HESCOM provide me the details of how they accessed my mobile number and how they associated my mobile number with two of Hubli’s electricity meters.

It is clear that HESCOM has violated my privacy and the principles of DPDPA 2023.

I have sought an explanation from the MD of HESCOM and have not received any reply for 24 hours. I will raise the issue with other senior Directors also if I do not receive any reply by tomorrow.

I am also apprehensive that this indicates a possible scam to create fake electricity meter accounts to collect “Electricity Subsidy” under the Grihajyothi guarantee of the State Government under fake meters.

I am not sure at this point of time if my other identities such as Aadhaar have also been used in the account, in which case it would appear that I am financially supporting the two Lokapuris of Hubli with its own consequences.

HESCOM is responsible for any adverse impact of this wrongful linking of my mobile account with unknown meters in Hubli and also for any scams that may be running under the Grihajyothi scheme.

I therefore demand that the officials of HESCOM in Hubli send me full details of who these two persons are, why their meters are being billed to my mobile number, and whether there are any other identity documents of mine associated with the accounts.

I am now sending a copy of this public notice and disclaimer that I have no association with the Nabisab or F.N Lokapuri to whom the bills relate, both through the web and also through email. This may be considered as an official notice to HESCOM.

Naavi

Posted in Cyber Law | Leave a comment

Raise of the Planet of Cyborgs

Yesterday there was an event in Chennai organized by CYSI in which FDPPI was also a partner. It was a well attended program at Anna University Centenary Library auditorium and graced by two Judges namely honourable Justice N Ananda Venkatesan and honourable Justice (Rtd) Mr P. N. Prakash.

The topic for discussion was “Is Cyber Security more essential for Humans or for Information”? Most of the speakers anticipated that we would discuss how the law addresses the need to secure a cyber crime victim and how technology addresses “Security” in terms of “Data” being secured and not the person to be secured.

Everybody, including the speakers, was expecting a discussion on how to balance the security efforts between protecting the Privacy of the person behind data and the security of the data itself in the CIA concept. But it was interesting to note that the entire discussion was diverted into a fundamental discussion on the philosophy of Cyber space. It was perhaps unintended but nevertheless very interesting and probably will be a watershed moment in such discussions in India.

It has always been one of the starting points of our discussions on how “Data Security” is not “Securing Data” per se but securing the person behind “Data”. In this regard we discuss how a law like ITA 2000, which is focussed on Cyber Crime prevention, is invokable when there is a cause of action for an individual having suffered a loss on account of some contravention of ITA 2000, whereas a law like DPDPA is more concerned with how an organization protects “Personal Data”.

The discussion in Chennai took an unexpected turn after the Chief Guest honourable Justice Mr Anand Venkatesan raised the fundamental philosophical thought of whether “Cyber Space” is a distinct “Space” different from the “meta Space” we live on and whether a person transfers himself into the Cyber Space when he is in front of the screen. He highlighted how the society is evolving in the use of Internet and why it is necessary for us to think differently when we address Cyber Security.

The introduction of this new thought by Justice Anand was a refreshing revelation of how the society is thinking of this concept whether “Cyber Space” as defined by Mr William Gibson in Neuromancer needs to be re-visited in the context of “Cyber Security”.

Naavi has in the past discussed this in the context of “Digital Contracts” and whether “Jurisdictional issues” in E Commerce transactions can be settled on the basis of whether the visitor of a E-Commerce website travels from his physical location to the location of the Website owner when he enters into a transaction on the website.

To some extent this has been answered by the ITA 2000 by stating that the “location” from which a message is deemed to have been sent is the “Usual Place of Residence” of the sender irrespective of the physical place from which the message was sent (Section 13 of ITA 2000).

While discussing the status of “Netizens” I have also discussed the concepts of “CiNezens” as a hybrid category of persons who are “Citizens” of a sovereign state while also being “netizens” of a “borderless state”.

This concept also went into the background since the discussion “Cyber Laws is for Netizens” and can be distinct including punishments such as “Banishing from Cyber Space” did not get the traction as rules of the physical space went on to claim the “Cyber Space” as their own extended jurisdiction like the sea or the airspace around the geographical space. It became a fait accompli that “Implementation of all Cyber Laws” was not for the “Cyber Space” but for the “Residents of the Physical Space using Internet”. Hence though Internet had no geographical boundaries, Internet laws created jurisdictional boundaries artificially.

Now Justice Anand pointed out the “Psychological” perception of an Internet user and how he immerses himself in a Cyber Transaction and forgets the world around him even without an AR device or a Meta Verse interaction.

While discussing the “Blue Whale” game and finding a rationale for the victim’s behaviour, I have often referred to the concept of “Cyber hypnotism”. I have also alluded to the same principle to rationalize the recent “Digital Arrest” cases also.

While discussing “Artificial Intelligence Regulation”, I have also discussed the thought that AI is just a software and the Section 11 of ITA 2000 attributes it to an individual and therefore all legal consequences that may be attributed to an AI can be attributed to the human behind the AI and consequently, there is no need to discuss if AI is a “Juridical Person” or not.

While preparing for the event at Chennai I however reflected on how the society is evolving from the days when there were no computers to current day where Computers and mobiles are the life. As this evolution took shape, Internet ushered in a concept of “Cyber Space” as a “Binary Transaction space” independent of the “Internet and the device space”. The “Information” became distinct from the device in which it was stored, transmitted or experienced by the humans. This “Disassociation” of the “Information” from the device has also been discussed by me while discussing Section 65B/63 concept justifying the need for human intervention in the form of “Certification”. This concept syncs with the concept of “Matter wave theory” of de Broglie the Physicist and concept of “Maya” by Adi Shankaracharya.

While it was easy to answer the question raised in the panel discussion “Is Cyber Security for humans or for information” in one sentence that even “Information Security” is for the benefit of the humans only, the actual discussions have opened up the “Deemed Cyber Space” concept where a person behaves as if he is in a different world when he is on the Internet. The issues arising out of such “Deemed Cyber Space” will be more relevant in the “Meta Verse” scenario where individuals transform themselves into “Avatars” and interact on the Cyber space.

This thought of a “Deemed Cyber Space” arising the instant a person enters the Internet space such as Face Book or Instagram gives me a new logical explanation of how “Cyber Hypnotism” takes place in the case of “Digital Arrest” instances.

This concept has been discussed by us in another context when we argued for “Neuro Rights” legislation where we have discussed how by recognizing “Neuro signals” as equivalent to “Binary Signals” (which they actually are), we can extend the ITA 2000 to the manipulation of human thoughts with the use of technology. This thought can be further explored as the creation of the “Deemed Cyber Space”. I will try to explain this concept in greater detail some time later.

Yet another thought I got during the preparation of this topic was whether we the current day humans as a society are a dying species and we need to accept the “Cinezens” as part of the current society and prepare ourselves to accept Cyborgs and Super Intelligent AI embedded humanoid robots as part of the society. The end result of this is that the human race as we know today will become second class citizens shortly and extinct over time and the world will be ruled by the Cyborgs and humanoid robots. The Cyborgs will be the masters and the humanoid robots will be their servants. By 2026, Mr Elon Musk is expected to send a humanoid robot to Mars and when this humanoid robot meets the aliens in a few decades hence, perhaps it will represent the primitive natives of the then evolving “Planet of the Cyborgs” which Earth will be.

I am not sure that the audience were able to meet their expectations of the half day seminar or the discussions went tangentially away from the expected topic. However I was pleased with the vindication of some of my 25 year old concepts and opening up of some new thoughts for discussion in the future.

Naavi


Shared Brand and Impact of DPDPA

It is a common practice in business that a successful “Brand” tries to monetize its brand value by extending it to other products of the brand owner. The brand owner may operate multiple entities in different locations which will all be part of the same entity.

Sometimes, the brand is also shared with others under a “Franchise” scheme with a different legal entity. Franchise contracts may be of different types. Some franchisors place complete restrictions on the way the business is presented in terms of the decor so that all franchise outlets of a particular brand look similar to the customer.

Where possible, the recipe of the service is also controlled by the franchisor though the execution still remains with the franchisee. This is expected to provide confidence to customers that the service would also be similar across all franchisee outlets of a brand. There could however be situations where the franchisee may have a set of services which are additional to that of the brand owner. The franchisee may or may not properly disclose whether the additional services are within the brand or outside the brand.

In the DPDPA scenario this popular marketing concept provides its own complications if the franchisee collects personal data of customers, stores it, processes it, shares it with the brand owner, transfers it across borders etc. Often data breaches occur at the franchisee unit and the questions of liability under DPDPA also may come under question.

Since franchisee units are owned by a different legal entity, the role of the franchisee unit may be that of a “Data Fiduciary” in respect of personal information collected. The customer however provides his information and permissions to use based on the perception that he is providing it to the brand owner.

Currently DPDPA recognizes the role of entities as “Data Fiduciaries” when the purpose and means of processing of personal data is determined by an entity. When more than one entity is involved in determining the purpose and means, all may be called “Data Fiduciaries”.

DGPSI, the framework of compliance has coined a term “Joint Data Fiduciaries” for such contexts though the term is not used in DPDPA 2023 or its rules at present.

However in cases where the Franchisee has complete control on the services or part of the services, the brand owner will be lending his name but not determine the purpose or means of processing.

In such cases the franchisee should ensure that there is a separation of services within the brand and outside the brand so that there is no “Consumer Confusion” which is a trademark violation.

However, if the disclosure is not adequately highlighted, the consumer may consume the services only as a part of the services from the brand owner. When consumer complaints arise in such cases, it will be natural for the consumer to raise the complaint against the brand owner and not on the entity that delivers the branded service.

This raises a huge responsibility/liability for the brand owner since the service contract may not cover all the liabilities that are associated with non compliance of DPDPA 2023 either because the “Faulty contract” is the responsibility of the franchisor or because the resources of the franchisee may be inadequate.

In terms of “Risk Management”, in such cases the franchisor holds “Unknown Risks” for the activities of the franchisee.

DGPSI considers that such cases need to be covered both by contract as well as the prominent disclosures (like in a dotted line contract with a dominant party). To address such situations DGPSI recognizes the franchisor as a “Super Data Fiduciary” as he is a “Data Fiduciary” of “Data Fiduciaries”.

Surprisingly, this situation arises in more situations than we recognise, whether it is the Telecom Marketing agent or the Insurance marketing agent or a Bank marketing agent calling on you as a representative of the service provider and not disclosing that he represents a vendor. It also applies to hospitals with independent doctors as consultants, Taxi service aggregators, or the Hotels under common brand name such as OYO, Fab etc.

This interpretation comes out of the unique DGPSI framework of compliance which is rightfully called the “Crown Jewel” of DPDPA Compliance frameworks.

It will take some time for other frameworks and even the rules under DPDPA 2023 to add the word “Super Data Fiduciary” into their lingo. But at present it is the endeavour of Naavi to develop “Jurisprudence on DPDPA” through the DGPSI framework.

When such franchisors evaluate themselves for “Significant Data fiduciary” status, they should consider both the volume of data processed by all franchisees and also the “Risk of the Unknown” and self determine that they are “Significant Data Fiduciaries”. When an officer is appointed by MeitY to issue clarifications, it is better MeitY refers to DGPSI for determining the status of an entity as “Significant Data Fiduciary” or not.

Naavi


Instrumentalities of State in DPDPA 2023

It is a constant complaint of some Privacy observers that the Government of India has exempted itself from DPDPA 2023 unfairly. However, we have been pointing out that the exemption that the Government agencies enjoy under Section 17(2) states that the provisions of this Act shall not apply in respect of processing of personal data

“only by such instrumentalities of State as the Central Government may notify and in the interest of sovereignty and integrity of state, friendly relations with foreign states, maintenance of public order or preventing incitement to any cognizable offence relating to any of these (Meaning related to sovereignty, integrity of state etc) which are part of Article 19(2).”

Hence to avail such exemption, an appropriate notification may be necessary and not all instrumentalities of state can claim an exemption.

However in this context we have received a well written report developed by Ms Mohini Trivedy as a part of her Internship work at FDPPI. Mohini Trivedy is a final year law student of B.A. LLB (Hons) at Vivekananda Institute of Professional Studies (GGSIPU), New Delhi.

Copy of the report will be published here shortly.

Naavi


Stop Whining…. “Innovation” is being Compliant to DPDPA and not the battering ram against it.

With the closure of public comments on DPDPA Rules on 5th March 2025, many organizations and industry associations have already lodged their objections to different aspects of the rules. Most of them are only considering their vested interests and are not looking at the regulation holistically.

The essence of most of the demands is… “We do not want the regulation. Delay it as long as possible”.

It is shameful that even after 5 years of discussions, the industry is not ready to accept the law and move on.

In one of the latest submissions, the following points have been made.

1. “India’s data protection framework may inadvertently disadvantage start-ups and MSMEs compared to large corporations. Compliance to the DPDP Act demands significant financial and technical resources, which large companies, with dedicated legal and IT teams, are better placed to absorb such requirements. In contrast, start-ups and MSMEs, often operating on tighter budgets, may struggle to meet these obligations without diverting resources away from growth and innovation.”

This is a canard and the “Start up argument” is being used as an excuse by the larger organizations.

Actually the act creates many opportunities for Start ups and there are reasonable exemptions to notify exemptions to the start ups which need some relief. What industry associations can do is to help MeitY set up a “Sandbox” to make it easy for Start Ups to claim and manage the exemptions.

2. Among the specific concerns is the supposed “Ambiguity” around the designation of Significant Data Fiduciaries. The objection is “Setting a data volume-based criteria for notifying certain Data Fiduciaries as SDFs may inadvertently disadvantage Indian companies against multinational competitors”.

This is a vague and unsubstantiated allegation. The “Sensitivity” and “Volume” based criteria leaves the companies to make their own Risk Assessment and self evaluate if they have to consider themselves as “Significant” Data Fiduciaries or not. Industry should not expect the Government to do the spoon feeding in this regard. If an organization is not able to assess the personal data processing risks, they need to study the law harder. The wise approach in such cases is to “Err on the safer side”.

If an organization considers itself as “Significant Data Fiduciary” there are only three obligations… Designation of DPO, Conducting of DPIA and Conducting of annual Data Audit from an external data auditor. Even if a company wrongly designates itself as a Significant Data Fiduciary, it only strengthens its data privacy profile.

Our organizations are prepared to adhere to EU laws or US laws even when not mandatory but are reluctant to adhere to the Indian laws. Such tendency is avoidable.

3. A push back is suggested against potential restrictions on cross-border data transfers, stating that such measures could isolate Indian companies from the global data economy and raise compliance costs. It is claimed “The restrictions on cross-border transfer of data could restrict India’s capacity to maximise data-driven activity, particularly considering the substantial GDP contribution from outsourcing and digital export related activities. Such constraints could impede progress toward the ‘Digital India’ vision”.

This is also an unacceptable excuse since we are complaining only against an “Empowering” provision and the same industries are fine with EU isolating itself with its “Adequacy” criteria and exercising its “Data Colonization” strategies over India. India needs to assert its sovereignty over personal data of its citizens and insist on data localization within a short time period. This will give a boost to the local services related to data storage and security.

4. Another objection raised is that “Requiring platforms to verify the identity of parents for every user will place a heavy burden on companies and is not aligned with global privacy standards”.

It is not clear if these organizations do not want the protection sought to be offered to Children. If so, they have to state it openly that Children are the biggest attraction for marketing and profiling them and targeting them with advertising is to be freely permitted. If the task is difficult, it only means that there is a huge business opportunity which the service industry should welcome.

5. It is also stated that “More safeguards are required that businesses are not forced to disclose proprietary information, such as algorithms, trade secrets, or confidential customer data under Rule 22. A mandatory disclosure of this information basis a government request can negatively impact businesses, significantly disregard the financial resources expended, and potentially stifle innovation”.

It appears that “Innovation” is the battering ram with which every inconvenient provision is being attacked. “Innovation” is how to accomplish things within a framework and the adversities arising out of law are the essential barriers that need to be overcome through innovation. Developing DPDPA compliant solutions is the “Innovation”, not the “Free for all” approach.

6. The demand is that even after 5 years of waiting, industry wants another 2 years for compliance and perhaps further time later on as an extension. Though the Government has so far been exhibiting a tendency to bend over backwards on every industry demand, I wish that for once the Modi Government shows commitment to implement its promises.

Unless the law starts hurting, industries will not be motivated to comply and hence the penalties should kick in as quickly as possible and within a time frame of 9-12 months.

It is unfortunate that most of our Industry Associations toe the line of MNCs and ignore what is good for the Country. MeitY should be able to identify the hidden agenda in the recommendations submitted and uphold the interests of India over the proxies of Tech giants.

Naavi


Sapthapadi of DPDPA Compliance

With the comments on DPDPA rules behind us, organizations now have to start working on how to proceed on the road to compliance.

DGPSI, the Crown Jewel of Frameworks for DPDPA Compliance, adopts a milestone approach with seven distinctive milestones identified as “Sapthapadi” to DPDPA Compliance.

Organizations need to check their status and identify where they stand today and how they plan to reach their goal.

The C.DPO.DA. training program that FDPPI conducts will trace these seven steps and how best to achieve them. An 18 hour virtual program on weekends with 6 days training of 3 hours each has been planned by the FDPPI team to start from April 12.

The program will be held between 10.00 am to 1.00 pm on April 12, 13, 19, 20, 26 and 27th with a possible extension if required to 3/4th May to discuss the Examination for Certification.

We have recently conducted two physical programs for this content in Bangalore and Mumbai which have been well appreciated. The Virtual Program is now available across the Country and abroad and will be a great opportunity for all interested individuals. Organizations need to depute select persons from their organization so that they can prepare themselves to be “DPDPA Ready” in the year 2025-26.

The tentative coverage during the six sessions would be as follows. Naavi will be the lead faculty for the program.

For details of registration …please refer https://fdppi.in/wp/virtual-c-dpo-da-program-on-weekends/

Naavi
