Naavi.org

Recognizing the need for a nationwide movement on creation of awareness about Privacy and DPDPA Compliance, FDPPI has initiated a new project called Privacy Mitra Yojana (Friends of Privacy Project) to build an army of young volunteers to spread the knowledge of Privacy.

Students from law colleges as well as professionals are invited to register themselves at FDPPI

Educational Institutions, and Professional Bodies, Companies and Individuals who are interested in this National Privacy Mission of FDPPI are invited to contact FDPPI.

Let Us together build a Privacy Conscious society in India

Naavi

The Draft DPDPA rules were published by MeitY with time for public comments upto 18th February 2025.

While discussions continue in public space and FDPPI in association with Trust Law has organized a discussion on February 8 with invited audience in Bangalore, Naavi.org has prepared a draft of comments to be submitted to MeitY. Before 18th there will be other discussions also and public may form more views on the submission of Comments either directly or through other organizations.

In order to stimulate thoughts on this regard, we are sharing a copy of the draft comments prepared by Naavi.org and submitted for discussion to FDPPI. If any comments are received here, they will be considered for inclusion.

General Comments:

The law of DPDPA 2023 is already in place and is immutable at this point of time. It is noted that the current exercise is only for fine tuning of the published draft rules.

Hence our comments presume that the law as it has been notified stands as the fundamental document of reference and the comments are only related to the draft rules as are considered feasible under the enacted law.

It is recognized that in the event of any rule exceeding the basic character of the provision of the law to which it refers to, there could be a challenge on the legal validity of the rules as being ultra-vires the law.

For the same reason, it is expected that  the rules may be brief, precise and only cover the essential clarifications without the detailing like a Check list or recommending  any specific tool or technology for implementation.

It is understood that the industry would exercise due diligence in implementing  the law along with the minimum detailing available in the rules. If and when the industry is negligent and does not observe due diligence, the consequences would reflect in the decisions of the inquiry following a registration of a complaint or a suo-moto inquiry.

Clause By Clause Comments

Detailed Clause by Clause comment on all the 22 rules are presented in the form of a separate document here:

Draft Comments on DPDPA Rules from naavi.org

Naavi

In implementing the DPDPA 2023, and cleaning up the past unregulated collection of personal data by organizations, the Act has prescribed that “Consent should be obtained even for the legacy personal data collection of a data fiduciary. In such cases there could be a large number of data principals who may not return either a valid consent to continue processing or a decision to withdraw consent. Such personal data are “Orphaned for lack of consent” and needs to be purged within a reasonable time.

While ITA 2000 implies that such data should be deleted within one year, DPDPA Rules 2025 seem to indicate possible retention for 3 years in specific cases such as large Social Media Intermediaries, Gaming Intermediaries or E Commerce entities.

There are specific legal requirements for retention of data for long periods after its processing because of other legal provisions such as in Banking or Health sector. In such cases simply remains in the storage to be retrieved only on very exceptional circumstances. However during this period the data remains vulnerable to be stolen and misused creating a burden to the data fiduciary . Additionally data in the hands of a data fiduciary may also be an “Evidence” in a legal proceeding and therefore cannot be deleted till the disputes are settled in the Court.

The retention of data by a data fiduciary when it is no longer required for processing is a security burden and hence it would be good to ensure that such data is deleted.

When data is required for research purpose they may be anonymized or de-identified or pseudonymised.

In all other cases the data remains as a potential risk for the data fiduciary and has to be encrypted and kept safely.

Some times data of deceased persons with or without nomination may also remain “Unclaimed”.

In order to address all such instances, it is considered necessary for the Government to create a “National Archival of Personal Data” and enable depositing of all deleted personal data by the data fiduciaries. Part of this may be “Unclaimed Personal Data” and part of it may be “Required for Legal necessities”.

Such data should be properly indexed and should be retrievable on a later day if the data principal wakes up from slumber and claims it as his lost property.

This archive will ensure that “History is not destroyed” in the guise of “Right to Forget” or “Right to Erasure” and that the nation preserves the value of all data created in India for whatever it is worth including supporting the Indian AI development.

Comments are welcome

Naavi

Mapping of Section 40 to the Draft  Rules notified on January 3, 2025

It may be observed that all the rules notified may be mapped to one of the sub sections of Section 40. While some of the rules have schedules for more details, some rules are just a reproduction of the specific section of the Act.

Rule 6 about “Reasonable Safeguards” Rule 14 about Transfer of data outside India” and Rule 22 about officials to be appointed for certain purposes are linked to “Any other matter”. Out of this there could be some grumblings whether “Data localisation” is being brought in through the rules. This is one of the sensitive aspects of the rule since industry wants a free hand to transfer personal data collected in India outside the country including for AI learning and targeted advertising. However Section 16 of the Act can be considered as supporting this aspect.

The Schedule under Rule 22 provides for the means to declare any data fiduciary as a “Significant Data Fiduciary” and covers one of the gaps in the earlier draft version of the rules.

All the 22 rules may perhaps be considered “necessary”. We may continue to comment on each of the rule as to whether the detailing is “Sufficient or Excessive”.

Naavi

Ever since the Government of India notified the draft rules for DPDPA on January 3, 2025, there have been hectic discussions in the industry circles about understanding the rules and also suggesting changes. It is understood that more than 6000 comments have already been received by the MeitY and obviously many more will be received before 18 th February 2025, which is the last date fixed for filing of public comments.

Under these circumstances, the demand of one section of the industry that more time is required for filing the comments and the last date for submission should be extended is meaningless. We therefore hope that the consultation process will end on 18th February 2025 and MeitY will release the final version of the rules shortly thereafter.

A large number of discussions in industry fora tend to demand that the MeitY should give a checklist of how to comply with the law so that the compliance can be simplified and automated. Industry which is bitten by the AI bug wants a DPDPA Compliance algorithm which at the click of a button will generate a DPDPA Compliance structure for their company. While the new generation of AI tools can generate a well drafted DPDPA Compliance policy for an organization at the click of a button, since DPDPA Compliance is a “Legal Compliance”, automation will have its own limitations in arriving at a human like compliance structure.

Further, “Compliance” does not end with the generation of some 20-30 policies which is taken on record by a company. They have to be converted into practice for which the “DPDPA Compliance Culture” is required to be developed across all the members of the workforce of an organization and its business associates. Hence human intervention in compliance would be essential and this does not happen with “Automation”.

At present, companies are using al their clout to convince the MeitY to convert the rules into a “Check List” so that they can make their compliance work easy. The public consultations where there are representatives of the Meity are therefore often used as a means of convincing the Government that a point by point “To Do List” is released as the Rules.

The Government seems to be well aware that if it falls into this trap there will be possibilities of some rules being termed as “Ultra-Vires the Act” and a potential legal challenge may emerge to the entire set of rules. The Big Tech which is in the forefront of such litigations are perhaps already in the process of drafting their objections whether on the infeasibility of the “Verifiable Parental Consent” or ” Data Localization” or any other provisions to claim that the rules are “Vague”, “Impractical”, “Killing innovation”, “Causing a Chilling effect on the industry” etc.

It would therefore be wise for the MeitY to avoid the trap by the “Risk Avoidance” strategy and release only such rules as are necessary and mandated by the DPDPA 2023 and nothing more. Just as we say that data should be shared on “Need to Know basis” to reduce the risk, it is recommended that Meity may notify only such rules that fit the criteria of “Need to Notify” and avoid excessive clarification.

Since what ever notification or advisories that come from the MeitY directly will be considered as “Subordinate Legislation”, they will be used in Courts to defend disputed compliance.

It is often seen in the ITA 2000 disputes that the defendant companies say “I have a certificate of ISO 27001 certification and hence I am in deemed compliance of Section 43A of ITA 2000 and hence should not be held liable for any negligence”. Similarly any announcements of MeitY through the notified rule or an advisory that certain compliance may be achieved by XYZ method, they become a subordinate legislation.

For example, if MeitY says that Personal Data may be anonymized with the use of Technology A, then Technology A becomes the “Deemed Compliance” for anonymisation and used in defence at the Courts even though it might have failed to protect a given data breach.

Hence one of the first principles that the MeitY should adopt is that “Law is already there and the Rules can only be made as required under the Law” and nothing more. It is for the industry to find ways of complying with what the law intends and defend it’s means in the Courts when a dispute arises.

The outer boundary of rules should therefore be Section 40 sub sections (a) to (z).

Let us explore in the next article, these 26 sub sections of Section 40 as what the Law prescribes as limitations to the rule making and try to map it with the 22 rules presently notified and see where there is a risk of the rules being “Ultra-Vires”.

Naavi