Consent Manager… Under DPDPA

A day after the Presidential assent to DPDPB 2023, Sansad Dhvani, an organization created by Mr Tejasvi Surya, the MP from South Bangalore, organized a public awareness program on DPDPA.

It was great to see the MoS of IT, Sri Rajeev Chandrashekar and Sri Tejasvi Surya explain the salient features of the new law. Mr Sharat Sharma of ispirit was also present and explained certain technical aspects. The event was held in the auditorium of BMS Engineering College, Bengaluru.

After the initial presentations, the trio answered questions from the audience, and there was healthy participation from the audience, which consisted of many Privacy professionals as well as students.

During the discussions, Mr Rajeev Chandrashekar also indicated that the work on the Digital India Act is progressing and a draft for public discussion should be available in the next two weeks.

One of the topics which came up repeatedly during the talk was the role of the “Consent Manager”. One could observe that there is still confusion about the role of a “Consent Manager” under DPDPA 2023 vs the “Consent Manager” in the NDHM and in the Account Aggregator project of RBI.

Under Section 2(g) of DPDPA, “Consent Manager” means a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform;

Under Section 6(9), “Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed.”

We can therefore observe that the “Consent Manager” under DPDPA is a “Data Fiduciary” and not completely a “Technology Platform”. The Consent Manager under DPDPA can use a technology platform but is an entity with visibility into the personal data, whereas the Consent Manager in the Account Aggregator framework (AAF) is a pure technology platform like an ISP.

Legally, the Consent Manager under the Account Aggregator framework is an Intermediary under ITA 2000, whereas the Consent Manager under DPDPA is a Data Fiduciary with obligations as set out in the DPDPA.

Considering that the Consent Manager platform under AAF can be technically configured in such a manner that the identity of the individuals is not accessible to any human being, it opens up the debate that there may be no apparent “Disclosure” from the data principal to the Consent Manager and hence the liabilities associated with DPDPA for a data fiduciary may not attach to the Consent manager platform. In a way it can be configured as an “Anonymised Transmission of identifiable data”.

Whether all Consent Managers under AAF have configured the system in this manner or not is a matter of audit. If they have not done so, they will also be Data Fiduciaries under DPDPA.

It is expected that when the requirements for accreditation of Consent Managers are released, there could be criteria of minimum capital and net worth so that it may become a business of the large companies. It would however be necessary to have another layer of Consent Manager Registration Agencies who work as agents of Consent Managers. This could be similar to the Certifying Authority-Registration Authority set up in the ITA 2000 rules, where the RA was not mentioned in the Act but brought in through practice.

The rules for Consent Managers therefore need to be drafted with a provision for individuals or entities who can be agents of Consent Managers and who will be the real interface between the Data Principal and the Consent system.

Another area where there appeared to be some grey spots is “Data Minimization”.

The DPDPA does not specifically mention Data Minimization, though we expect this principle to appear in the subsequent notification of rules [under Section 8(4)]. Presently it has to be interpreted under “Purpose Limitation”.

Probably we need to wait for the notifications to come up for further discussion on these subjects.

Naavi

Posted in Cyber Law | Leave a comment

Janvishwas Bill Gazette notified

The Janvishwas Bill amendment Act 2023 was gazette notified yesterday. This contains many amendments to ITA 2000 which had been provisionally incorporated in the copy of ITA 2000 which is available on this website.

Now they may be considered as finalized amendments.

The copy of the Act is available here

List of Amendments to ITA 2000

Section 33: Failure to surrender a CA license which has been revoked: Penalty of Rs 5 lakhs. No Imprisonment

Section 44: Penalty for failure to furnish information, return etc.: penalties increased

a) from Rs 1.50 lakhs to Rs 15 lakhs for not furnishing the required document

b) from Rs 5000/- to Rs 50000/- per day for not submitting returns

c) from Rs 10000/- to Rs 1 lakh for not maintaining books

Section 45: Residuary Penalty increased from Rs 25000/- to Rs 1 lakh and compensation increased from Rs 25000/- to Rs 1 lakh for an individual and Rs 10 lakh for an Intermediary or company

Section 46: “Under this Chapter” changed to “Under this Act” and the word “injury” removed

Section 67C: Penalty up to Rs 25 lakhs from and no imprisonment.

Section 68: Penalty increased to Rs 25 lakhs and imprisonment removed

Section 69B: Imprisonment reduced from 3 years to 1 year and Fine increased to Rs 1 crore

Section 70B: Penalty raised from Rs 1 lakh to Rs 1 crore

Section 72: Penalty increased to Rs 5 lakhs, Imprisonment term removed

Section 72A: Penalty increased to Rs 25 lakhs, Imprisonment removed

Naavi


11th August shall be the Data Protection Day of India

At FDPPI, the Foundation of Data Protection Professionals in India, it is proposed to recognize August 11 as the Data Protection Day of India.

This will supplement 17th October which is the Digital Society Day of India.

Naavi


DPDPA 2023: Presidential Assent

It is observed that on 11th August 2023, Presidential Assent was given to the DPDPA 2023, which has now become a full-fledged Act.

The Gazette Version of the Act is available here:

Naavi


New IPC, CrPC and IEA to come

In what could be considered a major overhaul of the Indian legal system, the Government has released draft revised bills to replace the IPC, CrPC and IEA.

The new versions will be as follows:

Indian Penal Code : The Bharatiya Nyaaya Sanhita 2023

Criminal Procedure Code: Bharatiya Nagarik Suraksha Sanhita, 2023

Indian Evidence Act: The Bharatiya Sakshya Bill 2023

We were getting ready for the new DPDP 2023 along with the Digital India Act and the Telecom Bill. Now it would be a huge challenge for the legal industry as well as the Judiciary to adapt to the new laws.

Probably the senior judges would say… “Oh… we cannot go back to colleges once again…”. The Opposition may say this is a conspiracy to weaken our judiciary.

Naavi.org, however, is happy at the initiative. The archaic British-time laws needed change. At present we have not studied the changes, and in the tsunami of things that we need to address because of DPDPA 2023, it could take some time for us to start studying these laws.

These are, however, exciting times ahead, as the young lawyers will feel they are now ready to compete with the senior lawyers in terms of knowledge. The precedent-based jurisprudence may come to an end, and lawyers and judges will need to scratch their brains to find solutions to disputes.

Naavi


FDPPI celebrates “Data Protection Day of India”

When the Information Technology Bill was notified with effect from 17th October 2000, Naavi.org/Cyber Law College declared 17th October 2000 as the Digital Society Day to mark the day when legal recognition was first made available in India to electronic documents. Since then Naavi has been conducting some events on 17th October each year to celebrate the event.

In a similar vein, Naavi, in association with the Foundation of Data Protection Professionals in India (FDPPI) along with Manipal Law School, is now celebrating “Data Protection Day of India” to commemorate the passage of one of the most awaited laws in India, namely the Digital Personal Data Protection Act 2023.

The Act was passed in Loksabha on 7th August and Rajyasabha on 9th August and is expected to get the consent of the President before the Independence Day. It is anticipated that the Presidential assent would be provided on 14th August 2023.

Simultaneously, FDPPI has declared a “DPDPA Carnival” starting with immediate effect till the end of August 31 and will conduct many outreach programs on DPDPB 2023 for different organizations.

Some of the events already finalized are

  1. 11/8/2023 to a group from one of the large Consultancy firms in India
  2. 12/8/2023 to a group of Cyber Law Students
  3. 13/8/2023 to a group of Technology professionals
  4. 20/8/2023 for publication in a national media house
  5. 22/8/2023 for a group of industry professionals in Bengaluru
  6. 24/8/2023 for a group of professionals in Chennai

Additionally, a few more are in the final stages of being finalized. More details will be shared in due course.

The fortnight is truly sparkling with activities spreading information about the new law across India. FDPPI is proud that it has also encouraged many other professionals to conduct similar events in different places and, unlike on previous occasions, there will be no dearth of awareness building activities for this Act.

Naavi
