“Unknown Risk” is “Significant Risk”

Data Fiduciaries who are deploying AI products for Personal Data Processing need to take note that DPDPA Rule 12 expects that

“(3) A Significant Data Fiduciary shall observe due diligence to verify that algorithmic software deployed by it for hosting, display, uploading, modification, publishing, transmission, storage, updating or sharing of personal data processed by it are not likely to pose a risk to the rights of Data Principals.”

While some data fiduciaries may find comfort that this only relates to “Significant Data Fiduciaries” and not others, the determination of which data fiduciary is a “Significant Data Fiduciary” may itself require an assessment of the “Sensitivity” of processing and the harm likely to be caused to the data principal.

The Officer of MeitY designated for this purpose may declare certain classes of data fiduciaries or specific data fiduciaries as “Significant Data Fiduciary”. However, a data fiduciary that assumes it is outside the net merely because the designated official has not declared its category of data fiduciaries as “Significant Data Fiduciaries” may not be fully correct.

The need to make an assessment of the Risk of processing still lies with the data fiduciary, since he is a “Fiduciary” and not a “Controller”. It is the responsibility of every data fiduciary to do a self-evaluation of his processes and document why he is not a significant data fiduciary.

In this context, deployers of AI will have a unique challenge. If they are using an open-source AI, it is their responsibility to understand the risk and declare if there is a high risk to a data principal. If, however, they are unaware of the code of the algorithm, then they need to depend on the provider of the algorithm.

Due diligence in this regard means that the data fiduciary obtains an assurance, along with an indemnity, and includes it in the contract. Alternatively, the provider should be declared as a “Joint Data Fiduciary” so that the responsibility for compliance will fall on the provider also.

In the context of proprietary algorithms, where the deployer is unaware of how the algorithm processes the personal data, the risk is not quantifiable. In such a case any data fiduciary should presume that the “Unknown Risk” could be high risk and that the process therefore renders them a “Significant Data Fiduciary”.

In other words, “Deployers of all Proprietary AI algorithms need to be automatically tagged as ‘Significant Data Fiduciaries’”. If use of AI is ubiquitous, then a large number of Data Fiduciaries will be Significant Data Fiduciaries.

Naavi

Posted in Cyber Law

Date for filing Comments on DPDPA Rules Extended

As expected, MeitY has yielded to the pressure from the industry and granted an extension for submission of comments on the DPDPA Rules from February 18 to March 5.

It is reported that by this time more than 10,000 comments have already been submitted, and this extension may swell the number further. We hope this will not delay the finalisation further.

Naavi


TRAI Amendments to TCCCPR

DPDPA 2023 is a special law for protecting the “Privacy” of individuals in the digital space. It works closely with ITA 2000 in terms of Sections 43, 46 (Adjudication), 72A (Processors), 67C (Retention) and several other sections where “Personal Data” is the subject matter of law.

Additionally, the Consumer Protection Act has also imposed certain responsibilities on the use of “Dark Patterns” by Data Fiduciaries, making it a criminal offence in certain contexts.

Now TRAI has also amended the Telecom Commercial Communications Customer Preference Regulations (TCCCPR) 2018 to include certain guidelines which incidentally will be considered as “Due Diligence”/”Reasonable Security Safeguards” under DPDPA 2023.

One of the main concerns of data principals is the unregulated spamming by way of telephone calls and SMS messages from different operators. In the Singapore PDPA 2012, a separate chapter is devoted to obligations related to the “Do Not Call Registry”.

In India the DND registry has been in place for some time, but consumers continued to receive spam calls until recently, when the volume showed a decline. Now the recent amendments will further bring spamming through Telecom companies under control.

Some time back, TRAI wanted the display of the name of the caller based on SIM registration data. This seems to have been opposed, and TRAI is now trying to introduce identifiers in the calling numbers and message headers so that recipients can distinguish the nature of a call from the number itself.

It is now proposed that messages would be distinguished by prefixes such as P for Promotional, S for Service, T for Transactional and G for Government. For calls, the 140 series will be used for promotional calls, while the 1600 series is allocated for transactional and service calls, allowing recipients to easily identify the nature of the communication.

All senders and telemarketers must undergo physical verification, biometric authentication and mobile number linking to enhance security. There is a need to ensure that the complaint-filing mechanism is simplified and that operators maintain detailed records of complaints and sender information for quick identification of violators.

The telecom operators also need to monitor call and SMS patterns to identify unusual activity, such as high call volumes and short call durations, which may signal spam. Operators also need to deploy honeypots to monitor emerging spam trends.
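To make the two preceding points concrete, the following is an added example (not code from the original post or from TRAI): it labels calling numbers by the 140 and 1600 series and message headers by the single-letter identifier described above, then runs the “high volume, short duration” check over a constructed call log. The log format (`caller,callee,duration_seconds`), the `P-SENDER` header layout and the thresholds are assumptions made for illustration, not figures from the regulation.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Number series described in the post: 140 for promotional calls,
# 1600 for transactional and service calls.
PROMOTIONAL_SERIES = "140"
TRANSACTIONAL_SERIES = "1600"

# Single-letter message identifiers described in the post.
MESSAGE_TAGS = {
    "P": "promotional",
    "S": "service",
    "T": "transactional",
    "G": "government",
}


def classify_call_number(number: str) -> str:
    """Label a calling number by its series. Numbers outside both series are
    'unidentified', i.e. an ordinary subscriber number as far as the recipient
    can tell."""
    digits = number.lstrip("+")
    if digits.startswith(TRANSACTIONAL_SERIES):
        return "transactional/service"
    if digits.startswith(PROMOTIONAL_SERIES):
        return "promotional"
    return "unidentified"


def classify_message(header: str) -> str:
    """Map the identifier on a message header to its category.
    Assumption (not stated in the post): the identifier is the first character
    of the header, separated from the sender name by '-', e.g. 'P-ACMEBK'."""
    tag, sep, _sender = header.partition("-")
    if not sep or tag.upper() not in MESSAGE_TAGS:
        return "unclassified"
    return MESSAGE_TAGS[tag.upper()]


@dataclass
class CallerStats:
    caller: str
    calls: int
    avg_duration: float
    category: str


def summarise_callers(log_lines: List[str]) -> Dict[str, CallerStats]:
    """Parse 'caller,callee,duration_seconds' lines and aggregate per caller.
    Blank lines and '#' comments are skipped."""
    durations: Dict[str, List[int]] = defaultdict(list)
    for line in log_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        caller, _callee, duration = line.split(",")
        durations[caller].append(int(duration))
    return {
        caller: CallerStats(caller, len(d), sum(d) / len(d), classify_call_number(caller))
        for caller, d in durations.items()
    }


def flag_spam_patterns(log_lines: List[str], min_calls: int = 5,
                       max_avg_duration: float = 15.0) -> List[CallerStats]:
    """Return callers with high volume and short average duration, the pattern
    the amendment asks operators to watch for. Thresholds are illustrative."""
    flagged = [
        stats for stats in summarise_callers(log_lines).values()
        if stats.calls >= min_calls and stats.avg_duration <= max_avg_duration
    ]
    return sorted(flagged, key=lambda s: s.caller)


# Constructed sample log (not real data): one 140-series promotional caller,
# one 1600-series service caller, one ordinary-looking number behaving like a
# promotional dialler, and one ordinary subscriber with long calls.
SAMPLE_CALL_LOG = [
    "# caller,callee,duration_seconds",
    "1400012345,9800000001,6",
    "1400012345,9800000002,4",
    "1400012345,9800000003,7",
    "1400012345,9800000004,5",
    "1400012345,9800000005,3",
    "1600098765,9800000001,45",
    "1600098765,9800000006,60",
    "9700011111,9800000007,5",
    "9700011111,9800000008,6",
    "9700011111,9800000009,4",
    "9700011111,9800000010,5",
    "9700011111,9800000011,6",
    "9700022222,9800000012,180",
    "9700022222,9800000013,240",
]

if __name__ == "__main__":
    for stats in flag_spam_patterns(SAMPLE_CALL_LOG):
        print(f"{stats.caller} ({stats.category}): {stats.calls} calls, "
              f"avg {stats.avg_duration:.1f}s")
```

The interesting row for an operator is the caller labelled `unidentified` that nonetheless shows the promotional pattern: the number series tells the recipient what a call is supposed to be, while the volume and duration check catches senders who are not using the series they should.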

As regards consent requests, if a customer opts out of promotional messages, senders are prohibited from seeking consent once again for 90 days. Further, consent for an ongoing transaction will have a validity limitation of 7 days.

These regulations may be considered necessary due diligence for DPDPA Compliance in the Telecom companies.

The penalties may also be increased, with Rs 2 lakh for the first violation, Rs 5 lakh for the second and Rs 10 lakh for subsequent violations where there is misreporting of Unsolicited Commercial Communications (UCC). Repeat offenders may face suspension of all telecom resources, with a 15-day suspension to start with and blacklisting for subsequent violations.

When the spamming is undertaken by any other company, such as banks, stock brokers or insurance agencies, the penalties envisaged above may also be made applicable to them, since the telemarketing facility is under the regulation of TRAI, even though they come under different sectoral regulators for their operations.

There is one issue, however: if a penalty is imposed under the TRAI Act for spamming, the DPB may not be able to impose its own penalty in the same context, as that would become “double jeopardy”. When such complaints are received by the DPB, it may exercise the option of directing them to the sectoral regulators to the extent possible.

We expect that these changes could reduce some of the spamming through the Telecom companies.

Naavi


RBI to introduce a new TLD bank.in

In a move which should be very useful in fortifying the security of bank domains, RBI is expected to launch a new TLD, bank.in, from April 2025.

RBI is also introducing another TLD, fin.in, to cater to the requirements of the financial sector.

Ref: Times of India


CIBIL is back in the Legal Radar again

Naavi.org had been one of the first to flag the “Data Laundering” of sensitive personal information that happened through CIBIL transferring its shareholding from Indian banks to TransUnion.

I draw attention to the article “CBI Enquiry is required for finding the truth behind TransUnion taking over CIBIL”. I urge all of you to read this article once again along with the linked earlier articles.

In December 2024, Mr Karti Chidambaram raised the issue of CIBIL scores in the Parliament.

In May 2024, a PIL had been filed in the case of Surya Prakash v. Union of India and Others, for which the Supreme Court appointed an amicus curiae, Advocate K Parameshwar.

(Refer: W.P.(C) No. 000310 – / 2024 Registered on 07-05-2024: Diary no: 23982/2023; SCIN010239822023)

The petitioner alleges that the Credit Information Companies in collusion with RBI had violated the Data Localisation principle.

It appears that the case is now due for further hearing on 17th February 2025, after the report of the amicus curiae, and we need to see how the Supreme Court reacts to this sensitive case.

With the current environment of DPDPA 2023, the decision of the Court will assume further significance.

Naavi

P.S: Next hearing on 25th March 2025


Innovate for Compliance… not how to beat Compliance

Now that the DPDPA 2023 is on the verge of being implemented, the industry is discussing how to be “DPDPA Compliant”. While discussing the draft rules with the professional community, I often get a feeling that the industry experts are looking forward to a checklist from MeitY on what to do, not so much to do what is prescribed but to do what is not prohibited from being done.

We have often heard the view that what is “Lawful” is whatever is “Not prohibited by Law”. This may be technically correct, and even the Supreme Court may uphold the view. But morally and ethically, it is not correct to interpret what is lawful by searching for what is not prohibited by law; the correct course is to implement the spirit of the law in its true sense.

The DPDPA has rightly classified the industry into “Data Fiduciaries” and others, and it is the collective responsibility of Data Fiduciaries to ensure that the DPDPA is implemented in letter and spirit. Being a “Fiduciary” of the data principal and not a “Controller” of the personal data, Data Fiduciaries are legally bound to process personal data only in a manner that protects the Rights of the Data Principal. The spirit of the law is to protect the “Right to Privacy”, which is translated for practical purposes into the four rights under Chapter III and the 10 obligations under Chapter II of the DPDPA 2023.

In interpreting the law, therefore, companies can be innovative but should not apply their creativity to finding ways of bypassing it.

It is for this reason that we are wary of MeitY providing too many prescriptions in the law through the rules. Each prescription may be analysed by unscrupulous entities for the loopholes it opens up.

The less the detailing, the fewer the opportunities for loopholes.

We therefore believe that the Rules should not be prescriptive and detailed, and should restrict themselves to the “required clarity” derived from the “Principle-based law”.

It should be considered that “Due Diligence” by the “Data Fiduciary” is the only road to compliance.

Naavi
