Naavi.org

When ITA 2000 became a law in 2000, it  prescribed a method of authentication in the form of Digital Signatures (Now expanded as Electronic signatures) as the only means of authentication of an electronic document. This provision meant that an un-digitally signed electronic document could not be considered as “Signed” document for contractual purposes.  Hence there was a need for alternative methods of recording an online “Click Wrap Consent”.

The introduction of Aadhar based e-sign has made it simpler to obtain legally acceptable e-signed consent online but it still has a cost and the issue of use/disclosure of Aadhaar as for signing.

Naavi has suggested use of CEAC Drop Box as a kind of alternative to obtaining third party confirmation.

This problem has now got into prominence since “Consent” under DPDPA needs to be properly authenticated.

In the meantime there is the issue of “Stamp Duty” for digital contracts.  During 1999-2000 when ITA 2000 was enacted, India was one of the early countries to adopt the mandatory digital signature system. At that time many countries including India did not specify that stamp duty was payable on electronic documents and some countries specifically mentioned that since there was no viable system for payment of stamp duty for electronic documents, it was exempted. India did not specify the reason but the Indian stamp act at that time could be interpreted as excluding electronic documents from the list of documents requiring payment of stamp duty.

The keeping  of immovable property transfer documents from Schedule I of ITA 2000 was also linked to this problem.

During that time Naavi had introduced the “Digital Value Imprinted Instrument System” (DVIIS) as a system which combined the “Adhesive Stamp System” then prevailing with the “Digital Value Creation” in the back end server to enable a “Hybrid DVIIS coupon” that could be affixed on an instrument of contract along with payment  of stamp duty online. This was in an era where there was no UPI system. It was an innovative system was even presented to the Stock holding Corporation before they came up with the e-stamping of non judicial stamp papers but was rejected in favour of an alternative foreign system.

Over the years, E Governance has moved forward and many State Governments passed laws to mandate payment of stamp duty even on electronic documents.

in September 2022, even the ITA 2000 was amended to remove the immovable property documents from the list of excluded documents for recognition under ITA 2000.

Many options are now available for online payment of stamp duty to the treasury and obtaining an  acknowledgement such as a QR Code/Bar Code Receipt which can be affixed on an electronic document.

Hence currently the electronic documents are considered not excluded for stamp duty.

Kindly consider the previous views expressed in this website as suitably amended due to change of law.

We now however need to ensure that the nature of an instrument needs to be properly identified to distinguish “MOU” from an “Agreement”. We also need clarity on wehther MOUs also need minimal stamp duty or not.

MOU s are considered a documentation of intention and if organizations use MOUs to record their dealings with associates there may be a claim of stamp duty at some level.

While organizations may be fine with considering that the MOUs are not legally enforceable, the possibility of “Penalty” for not stamping the document even when not enforced in a Court could make it a “Compliance Issue”.

In a Privacy Contract where the notice asks for certain permissions which amount to monetization of personal data, there is an underlying financial value. Hence the “Consent” provided in the form of an “Acceptance” can be considered as an “Electronic Document that requires payment  of Stamp Duty”.

If the  data principal raises this issue with the Adjudicator and claims compensation, there could be a demand of the Stamp duty authorities that 10 times the  normal stamp duty on agreements need to be paid and also linked to the value of the underlying data on which a dispute has arisen. Otherwise the document  becomes infructuous both for lack of digital signature and lack of stamp duty payment.

It is necessary for MeitY to consider this ambiguity and  ensure that there  is a clarity on

a) Recognition of Click Wrap Contract which requires amendment of ITA 2000

b) Exemption of Stamp Duty which require amendment of several State Acts on Stamp Duty.

Since “Personal Data” can be “Nominated” DPDPA 2023 has already recognized the “Property Nature” of personal data and the established “Monetization” practices indicate a clear financial value for Personal data assets.

Hence if this ambiguity has to be removed, an amendment to ITA 2000  may be required.

Needs a debate..

Naavi

The virtual townhall meeting to introduce the concept of Association of Independent Data Auditors was held on 27th April 2026.

Here is a link to the recording of the proceedings.

An AI summary of the above event is available here.

Text Summary

Audio podcast

(P.S. Naavi has been posting  video summaries created by AI. These could e considered as synthetic content . However the content is provided by Naavi as a prompt and the AI only summarizes. However in the summarization, AI does take some liberty. In case there is any error, kindly point out. We will try to correct it. Hope there will be no misleading information in these AI videos. If you spot any, please let me know. Such content will be removed.)

Listen to the podcast

PS; Content for this Podcast was provided by Naavi. The episode was created using AI

P.S: One correction in the video: Reporting by Data Auditor of Significant Observations is to the DPB not only to the Board of Directors of the auditee company.

In modern Cars we find the “Advanced Driver Assistance System” or ADAS to improve the safety of driving. This includes the alerts on speed or lane discipline maintenance. A similar system of “Advanced DPDPA Assistance System” is represented by the “Independent Data Auditors”, a profession subtly recognized by DPDPA 2023 and identified  by FDPPI.

This is the profession of “Independent Data Auditors” (IDA). FDPPI is the first to recognize the need for this profession and taken the effort to nurture this profession by starting a “Association of Independent Data Auditors of India” (AIDAI).

AIDAI was launched formally on 11th April 2026 in a physical function in Bangalore. But for the larger audience, AIDAI is being presented through a town hall meeting today the 27th April 2026 at 7.00 pm. The link for free registration is available here:

The Objective of this meeting is to introduce the nature and potential of this profession and to invite professionals like ISO 27001 lead auditors, Chartered Accountants, Cost Accountants, Company Secretaries etc to join the forum and expand their activities into Data Audit.

AIDAI also has the ambition of adopting “Probationary Independent Auditors” who will undergo a training for a period, work as interns and assistants to other DPOs before getting themselves “Accredited” or “Certified”.

AIDAI is built on the principle of “Vasudaiva Kutumbakam” inviting all professionals in similar areas of specialization  to come together on one platform. What may surprise many but comes naturally to FDPPI is that even professionals who are certified by other organizations as DPOs or Chartered Accountants or CMAs are accepted as “Accredited” Independent Data Auditors and empanelled in AIDAI.

AIDAI has plans to conduct an induction program for all newly empanelled IDAs to introduce them to the basics of the profession of IDA some time in June 2026 at Bangalore. (Physical event).

Who is an IDA?

DPDPA 2023 expects a set  of professionals who will

“Undertake “An evaluation of the compliance of a Significant Data Fiduciary in accordance with the provisions of the Act”.

The law prescribes that a Significant Data Fiduciary shall appoint an independent data auditor (IDA) to carry out the data audit.

It is the vision of FDPPI that has flagged this statutory role of an “IDA” as a professional who will be the “Guardian of Data Accountability”. Accordingly the new institution AIDAI is born.

Currently a Division of FDPPI, led by a CEO Mr Vijayendra Shenoy who is a veteran Information Security specialist and  supported by a Governance Committee

The team at AIDAI will be guided by a group of Advisors who are leaders of their own in the industry. The Group of Advisors which is being finalized will consist of leaders from the related domains such as ISO auditors, DPDPA specialists, Chartered Accountants etc.

Prospects for IDAs 

According to Rule no 13, of DPDPA

A Significant Data Fiduciary shall, once in every period of twelve months from the date on which it is notified as such or is included in the class of Data Fiduciaries notified as such, undertake a Data Protection Impact Assessment and an audit to ensure effective observance of the provisions of this Act and the rules made thereunder.

A Significant Data Fiduciary shall cause the person carrying out the Data Protection Impact Assessment and audit to furnish to the Board (Ed: Data Protection Board which is the regulator)  a report containing significant observations in the Data Protection Impact Assessment and audit.

These are the statutory activities that an “Independent Data Auditor” must perform and is mandatory in respect of a Significant Data Fiduciary.

Though there is still a need for clarity  about “Who is a Significant Data Fiduciary” and whether the Government will take the responsibility of “Notifying” a data fiduciary as “Significant Data Fiduciary” or leave it to the judgement of a “Data Fiduciary” to himself determine  whether he is a “Significant” data fiduciary or not based on the volume and sensitivity of personal data processed.

The Government cannot know the intricacies of the processing that a data fiduciary is undertaking and hence except defining sensitive sectors like Health Care or Fintech, cannot individually identify data fiduciaries who can be notified as “Significant Data Fiduciaries”.  It will therefore be a self determination responsibility of a Data Fiduciary.

In the context of the use of biometrics and AI by most organizations,  a large number of data fiduciaries who may not be having high volumes data will still possess “Sensitive personal information” with “Unknown AI Risk”. Hence wise organizations will err on the safe side by self classifying themselves as Significant Data Fiduciaries and take the assistance of Independent Data Auditors to help them keep within the lane and also to alert them from time to time when they  tend to take an unacceptable Risk.

The profession which will act as this “Advanced DPDPA Assistance system” (ADAS) is the Independent Data Auditors who will assist the DPOs and guide the management towards the right path.

FDPPI and AIDAI is committed to nurture this profession and make it the key pillar of creating the DPDPA compliance culture in the country. It is indirectly the support structure for “Privacy Protection through  Personal Data Protection”.

We invite all interested persons to join the town hall today and come on board this profession of the future.

Naavi