Naavi.org

It is a common practice in business that a successful “Brand” tries to monetize its brand value by extending it to other products of the brand owner. The brand owner may operate multiple entities in different locations which will all be part of the same entity.

Some times, the brand is also shared with others under a “Franchise” scheme with a different legal entity. Franchise contracts may be of different types. Some franchisers place complete restrictions on the way the business is presented in terms of the decor so that all franchise outlets of a particular brand look similar to the customer.

Where possible, the recipe of the service is also controlled by the franchisor though the execution still remains with the franchisee. This is expected to provide confidence to customers that the service would also be similar across all franchisee outlets of a brand. There could however be situations where the franchisee may have a set of services which are additional to that of the brand owner. The franchisee may or may not properly disclose whether the additional services are within the brand or outside the brand.

In the DPDPA scenario this popular marketing concept provides its own complications if the franchisee collects personal data of customers, stores it, processes it, shares it with the brand owner, transfers it across borders etc. Often data breaches occur at the franchisee unit and the questions of liability under DPDPA also may come under question.

Since franchisee units are owned by a different legal entity, the role of the franchisee unit may be that of a “Data Fiduciary” in respect of personal information collected. The customer however provides his information and permissions to use based on the perception that he is providing it to the brand owner.

Currently DPDPA recognizes the role of entities as “Data Fiduciaries” when the purpose and means of processing of personal data is determined by an entity. When more than one entity is involved in determining the purpose and means, all may be called “Data Fiduciaries”.

DGPSI, the framework of compliance has coined a term “Joint Data Fiduciaries” for such contexts though the term is not used in DPDPA 2023 or its rules at present.

However in cases where the Franchisee has complete control on the services or part of the services, the brand owner will be lending his name but not determine the purpose or means of processing.

In such cases the franchisee should ensure that there is a separation of services within the brand and outside the brand so that there is no “Consumer Confusion” which is a trademark violation.

However, if the disclosure is not adequately highlighted, the consumer may consume the services only as a part of the services from the brand owner. When consumer complaints arise in such cases, it will be natural for the consumer to raise the complaint against the brand owner and not on the entity that delivers the branded service.

This raises a huge responsibility/liability for the brand owner since the service contract may not cover all the liabilities that are associated with non compliance of DPDPA 2023 either because the ‘Faulty contract” is the responsibility of the franchisor or because the resources of the franchisee may be inadequate.

In terms of “Risk Management”, in such cases the franchisor holds “Unknown Risks” for the activities of the franchisee.

DGPSI considers that such cases need to be covered both by contract as well as the prominent disclosures (like in a dotted line contract with a dominant party). To address such situations DGPSI recognizes the franchisor as a “Super Data Fiduciary” as he is a “Data Fiduciary” of “Data Fiduciaries”.

Surprisingly, this situation arises in more situations than we recognise, whether it is the Telecom Marketing agent or the Insurance marketing agent or a Bank marketing agent calling on you as a representative of the service provider and not disclosing that he represents a vendor. It also applies to hospitals with independent doctors as consultants, Taxi service aggregators, or the Hotels under common brand name such as OYO, Fab etc.

This interpretation comes out of the unique DGPSI framework of compliance which is rightfully called the “Crown Jewel” of DPDPA Compliance frameworks.

It will take some time for other frameworks and even the rules under DPDPA 2023 to add the word “Super Data Fiduciary” into its lingo. But at present It is the endeavour of Naavi to develop “Jurisprudence on DPDPA” through the DGPSI framework.

When such franchisors evaluate themselves for “Significant Data fiduciary” status, they should consider both the volume of data processed by all franchisees and also the “Risk of the Unknown” and self determine that they are “Significant Data Fiduciaries”. When an officer is appointed by MeitY to issue clarifications, it is better MeitY refers to DGPSI for determining the status of an entity as “Significant Data Fiduciary” or not.

Naavi

It is a constant complaint of some Privacy observers that the Government of India has exempted itself from DPDPA 2023 unfairly. However, we have been pointing out that the exemptions that the Government agencies enjoy under Section 17(2) states that the provisions of this act shall not apply in respect of processing of personal data

“only by such instrumentalities of State as the Central Government may notify and in the interest of sovereignty and integrity of state, friendly relations with foreign states, maintenance of public order or preventing incitement to any cognizable offence relating to any of these (Meaning related to sovereignty, integrity of state etc) which are part of Article 19(2).”

Hence to avail such exemption, an appropriate notification may be necessary and not all instrumentalities of state can claim an exemption.

However in this context we have received a well written report developed by Ms Mohini Trivedy. Mohini Trivedy is a final year law student of B.A. LLB, (Hons) at Vivekananda Institute of Professional Studies (GGSIPU), New Delhi as a part of her Internship work at FDPPI.

Copy of the report will be published here shortly.

Naavi

With the closure of public comments on DPDPA Rules on 5th march 2025, many organizations and industry associations have already lodged their objections to different aspects of the rules. Most of them are only considering their vested interests and are not looking at the regulation holistically.

The essence of most of the demands is… “We donot want the regulation. Delay it as long as possible”.

It is shameful that even after 5 years of discussions, the industry is not ready to accept the law and move on.

In one of the latest submissions, the following points have been made.

1.”India’s data protection framework may inadvertently disadvantage start-ups and MSMEs compared to large corporations. Compliance to the DPDP Act demands significant financial and technical resources, which large companies, with dedicated legal and IT teams, are better placed to absorb such requirements. In contrast, start-ups and MSMEs, often operating on tighter budgets, may struggle to meet these obligations without diverting resources away from growth and innovation.

This is a canard and the “Start up argument” is being used as an excuse by the larger organizations.

Actually the act creates many opportunities for Start ups and there are reasonable exemptions to notify exemptions to the start ups which need some relief. What industry associations can do is to help MeitY set up a “Sandbox” to make it easy for Start Ups to claim and manage the exemptions.

2. Among the specific concerns is the supposed “Ambiguity” around the designation of Significant Data Fiduciaries. The objection is “Setting a data volume-based criteria for notifying certain Data Fiduciaries as SDFs may inadvertently disadvantage Indian companies against multinational competitors”.

This is a vague and unsubstantiated allegation. The “Sensitivity” and “Volume” based criteria leaves the companies to make their own Risk Assessment and self evaluate if they have to consider themselves as “Significant” Data Fiduciaries or not. Industry should not expect the Government to do the spoon feeding in this regard. If an organization is not able to assess the personal data processing risks, they need to study the law harder. The wise approach in such cases is to “Err on the safer side”.

If an organization considers itself as “Significant Data Fiduciary” there are only three obligations… Designation of DPO, Conducting of DPIA and Conducting of annual Data Audit from an external data auditor. Even if a company wrongly designates itself as a Significant Data Fiduciary, it only strengthens its data privacy profile.

Our organizations are prepared to adhere to EU laws or US laws even when not mandatory but are reluctant to adhere to the Indian laws. Such tendency is avoidable.

3. A push back is suggested on against potential restrictions on cross-border data transfers, stating that such measures could isolate Indian companies from the global data economy and raise compliance costs. It is claimed “The restrictions on cross-border transfer of data could restrict India’s capacity to maximise data-driven activity, particularly considering the substantial GDP contribution from outsourcing and digital export related activities. Such constraints could impede progress toward the ‘Digital India’ vision”

This is also an unacceptable excuse since we are complaining only against a “Empowering” provision and the same industries are fine with EU isolating itself with its “Adequacy” criteria and exercising its “Data Colonization” strategies over India. India needs to assert its sovereignty over personal data of its citizens and insist on data localization within a short time period. This will give a boost to the local services related to data storage and security.

4. Another objection raised is that “Requiring platforms to verify the identity of parents for every user will place a heavy burden on companies and is not aligned with global privacy standards”.

It is not clear if these organizations donot want the protection sought to be offered to Children. If so, they have to state it openly that Children are the biggest attraction for marketing and profiling them and targeting them with advertising is to be freely permitted. If the task is difficult, it only means that there is a huge business opportunity which the service industry should welcome.

5. It is also stated that ” More safeguards are required that businesses are not forced to disclose proprietary information, such as algorithms, trade secrets, or confidential customer data under Rule 22. A mandatory disclosure of this information basis a government request can negatively impact businesses, significantly disregard the financial resources expended, and potentially stifle innovation”

It appears that “Innovation” is the battering ram with which every inconvenient provision is being attacked. “Innovation” is how to accomplish things within a framework and the adversities arising out of law are the essential barriers that needs to be overcome through innovation. Developing DPDPA compliant solutions is the “Innovation” not the “Free for all” approach.

6. The demand is that even after 5 years of waiting, industry wants another 2 years for compliance and perhaps further time later on as an extension. Though the Government has so far been exhibiting a tendency to bend over backwards on every industry demand, I wish that for once the Modi Government shows commitment to implement its promises.

Unless the law starts hurting, industries will not be motivated to comply and hence the penalties should kick in as quickly as possible and within a time frame of 9-12 months .

It is unfortunate that most of our Industry Associations toe the line of MNCs s and ignore what is good for the Country. MeitY should be able to identify the hidden agenda in the recommendations submitted and uphold the interests of India over the proxies of Tech giants.

Naavi

With the comments on DPDPA rules behind us, organizations now have to start working on how to proceed on the road to compliance.

DGPSI the Crown Jewel of Frameworks for DPDPA Compliance adopts a milestone approach with seven distinctive milestones identified as “Sapthpadi” to DPDPA Compliance.

Organizations need to check their status and identify where they stand today and how they plan to reach their goal.

The C.DPO.DA. training program that FDPPI conducts will trace these seven steps and how best to achieve them. An 18 hour virtual program on week ends with 6 days training of 3 hours each has been planned by the FDPPI team to start from April 12.

The program will be be held between 10.00 am to 1.00 pm on April 12, 13, 19,20, 26 and 27th with a possible extension if required to 3/4 th May to discuss the Examination for Certification.

We have recently conducted two physical programs for this content in Bangalore and Mumbai which has been well appreciated. The Virtual Program is now available across the Country and abroad and will be a great opportunity for all interested individuals. Organizations need to depute select persons from their organization so that they can prepare themselves to be “DPDPA Ready” in the year 2025-26.

The tentative coverage during the six sessions would be as follows. Naavi will be the lead faculty for the program.

For details of registration …please refer https://fdppi.in/wp/virtual-c-dpo-da-program-on-weekends/

Naavi

The extended time line for submission of public comments on DPDPA Rules 2025 ends today.

Naavi/FDPPI has already submitted its response, copy of which is available here.

Subsequent to the submission of our recommendations, a few more additional requirements have been identified in view of the recent data breach reports of Adarsh Developers in Bangalore and also Angel One stock broking firm in both of which the role of the cloud service provider came to the fore.

We therefore discussed whether AWS should be declared as a Significant Data Fiduciary and held responsible for security.

We also discussed that all organizations like Banks handling personal data and declared as Protected Systems under Section 70 of ITA 2000 also should be automatically considered as a Significant Data Fiduciary.

While the Government has preferred to stay neutral on designation of Significant Data Fiduciaries and leave it to the Data Fiduciaries to declare themselves as Significant or Not, there will still be references to the designated Meity official to whom references may be made by organizations asking for a certification whether they are “Not Significant Data Fiduciaries’.

FDPPI will provide its views through the DGPSI framework and also perhaps define “Super Data Fiduciaries” and all Consent Managers as Significant Data Fiduciaries. Where AI algorithm is used, the responsibility for the functioning of the AI rests with the deployer who in turn needs to obtain an assurance from the vendor. Where the vendor is not able to certify the compliance of the AI algorithm from DPDPA perspective, the deployer should consider it as an “Unknown Risk” and may use the AI at his risk and responsibility as a “Significant Data Fiduciary”.

We have also pointed out the need for disclosure of “recent Personal Data Breaches” in the notice as holding it back amounts to misrepresentation.

We have also pointed out that systems of DPB should be declared a Protected System under ITA 2000.

We have also pointed out the recent stand of RBI opposing the Privacy Law in respect of the Credit Rating firms which flags the need for sectoral regulators to be kept within the framework of DPDPA. MeitY needs to ensure that MHA and MOF work along with them in a harmonious manner and not let different sectoral regulators have their own regulations that contradict the DPDPA.

Some of these suggestions may also be considered by MeitY.

Naavi

On 27th February, Angel one became aware of a data breach which it seems to have reported through email to its customers reported a personal data breach and has issued a notification to the data principals probably on March 2. According to one report nearly 8 million users have been affected by the breach.

Report at www.varuta.com

The data breach is reported to involve unauthorized access to AWS resources. The leak was not discovered by the Company directly and was revealed by the monitoring of the Darkweb by its dark web monitoring partner.

In an official statement, Angel One assured its clients that their securities, funds, and credentials were not affected by the breach. In a sweetly worded notice it stated as follows:

The breach re-ignites the issue of what are the responsibilities of the cloud service providers related to securing the access and monitoring of the data exfiltration.

Just as we expect Bankers to monitor their client’s access to the CBS system through an adaptive authentication system, we should raise a question on why is AWS negligent in placing security measures that should identify the data leak when the exfiltration is happening.

While we expect Angel one to encrypt the data and protect the log in from its side, it is reasonable to expect AWS also to protect its systems from unauthorized access just as we expect banks to monitor the authentication requests.

We should also request MeitY to consider that part of the AWS storage and other cloud service providers which caters to “Significant Data Fiduciaries” (Angel One may be one) should be declared as a “Protected System under Section 70 of ITA 2000” so that it is taken seriously by the cloud service providers.

Such systems may be identified as “DPDPA Compliant Storage Service”. If AWS can provide HIPAA compliant Storage service, it should be capable of providing DPDPA Compliant service also (May be a new revenue generation model for AWS and others).

At present the Angelone website does not contain any prominent notice though the email has been sent to the users.

Under DPDPA compliance we need to discuss if it is not necessary to report the data breach (Recent) as part of the notice for the new customers who may be joining the service.

FDPPI has already recommended that “All Data Breaches recorded since 11th August 2023 may be reported to DPB under the powers of Section 36 of DPDPA 2023 “.. Along with this we must add that “In every notice information on past data breach information upto one year should indicated”

Naavi