RBI to introduce a new TLD bank.in

In a move that should go a long way in fortifying the security of bank domains, RBI is expected to launch an exclusive bank.in domain (strictly a second-level domain under .in, though widely reported as a new TLD) from April 2025, so that customers and security tooling can tell a genuine bank site from a lookalike.

RBI is also introducing another exclusive domain, fin.in, to cater to the requirements of the wider financial sector.
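An exclusive suffix is only useful if the software on the customer's side actually checks for it, and checks for it correctly. The following is an added example, not code from the original post or from RBI, of the kind of check a browser extension, mail filter or SOC playbook could apply: a URL is treated as a bank or financial-sector site only when its hostname sits strictly beneath bank.in or fin.in. The hostnames and URLs are constructed for illustration, and the suffix list is an assumption taken from the announcement; it does not look up the registry.

```python
from typing import Optional
from urllib.parse import urlsplit

# Exclusive suffixes announced by RBI (assumed from the post; not fetched from any registry).
RESTRICTED_SUFFIXES = ("bank.in", "fin.in")


def hostname_of(url: str) -> Optional[str]:
    """Return the normalised hostname of a URL, or None if it has no usable one.

    urlsplit() drops userinfo and the port, so a URL such as
    "https://bank.in@example.com/" yields "example.com", not "bank.in".
    """
    url = url.strip()
    if "//" not in url:
        url = "//" + url  # let a bare "host/path" be parsed as a network location
    host = urlsplit(url).hostname  # already lower-cased by urlsplit
    if not host:
        return None
    host = host.rstrip(".")  # "sbi.bank.in." (fully-qualified form) == "sbi.bank.in"
    labels = host.split(".")
    if any(not label for label in labels):
        return None  # empty label, e.g. "a..bank.in": malformed, reject
    try:
        # IDNA-encode so that Unicode look-alike labels are compared in their
        # on-the-wire "xn--" form rather than as glyphs that resemble "bank".
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    return host


def is_under_restricted_suffix(url: str, suffixes=RESTRICTED_SUFFIXES) -> bool:
    """True only if the hostname has at least one label beneath one of the suffixes.

    Comparison is label-wise, so "sbibank.in" does not match "bank.in",
    and "sbi.bank.in.example.com" does not match because the suffix is not
    at the end of the name.  The apex "bank.in" itself is not counted as a
    bank site.
    """
    host = hostname_of(url)
    if host is None:
        return False
    labels = host.split(".")
    for suffix in suffixes:
        suffix_labels = suffix.lower().split(".")
        n = len(suffix_labels)
        if len(labels) > n and labels[-n:] == suffix_labels:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample URLs: genuine forms, then the usual phishing shapes.
    for sample in (
        "https://sbi.bank.in/login",
        "HTTPS://NetBanking.SBI.Bank.IN./",
        "https://sbibank.in/login",
        "https://sbi.bank.in.example.com/",
        "https://bank.in@example.com/",
    ):
        print(f"{sample!r:45} -> {is_under_restricted_suffix(sample)}")
```

The label-wise comparison is the point: a naive `host.endswith("bank.in")` accepts `sbibank.in`, and a naive substring search accepts `sbi.bank.in.example.com`, which are exactly the names a phisher would register.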

Ref: Times of India

Posted in Cyber Law

CIBIL is back in the Legal Radar again

Naavi.org was one of the first to flag the “Data Laundering” of sensitive personal information that took place when the shareholding of CIBIL passed from Indian banks to TransUnion.

I draw attention to the article “CBI Enquiry is required for finding the truth behind TransUnion taking over CIBIL”. I urge all of you to read this article once again, along with the earlier articles linked from it.

In December 2024, Mr Karti Chidambaram raised the issue of CIBIL scores in Parliament.

In May 2024, a PIL was filed in the case of Surya Prakash v. Union of India and Others, for which the Supreme Court appointed Advocate K Parameshwar as amicus curiae.

(Refer: W.P.(C) No. 000310 – / 2024 Registered on 07-05-2024: Diary no: 23982/2023; SCIN010239822023)

The petitioner alleges that the Credit Information Companies, in collusion with RBI, have violated the data localisation principle.

It appears that the case is now due for further hearing on 17th February 2025, after the report of the amicus curiae, and we need to see how the Supreme Court reacts to this sensitive case.

With DPDPA 2023 now forming the backdrop, the decision of the Court will assume further significance.

Naavi

P.S.: Next hearing on 25th March 2025

Posted in Cyber Law

Innovate for Compliance… not how to beat Compliance

Now that DPDPA 2023 is on the verge of being implemented, the industry is discussing how to be “DPDPA Compliant”. While discussing the draft rules with the professional community, I often get the feeling that industry experts are looking to MeitY for a checklist, not so much to do what is prescribed as to find out what is not prohibited.

We have often heard the view that what is “lawful” is whatever is “not prohibited by law”. This may be technically correct, and even the Supreme Court may uphold it. But morally and ethically it is not correct to interpret lawfulness by searching for what the law does not prohibit; the right approach is to implement the spirit of the law in its true sense.

The DPDPA has rightly classified the industry into “Data Fiduciaries” and others, and it is the collective responsibility of Data Fiduciaries to ensure that the DPDPA is implemented in letter and spirit. Being a “Fiduciary” of the Data Principal rather than a “Controller” of the personal data, Data Fiduciaries are legally bound to process personal data only in a manner that protects the rights of the Data Principal. The spirit of the law is to protect the “Right to Privacy”, which is translated for practical purposes into the four rights under Chapter III and the ten obligations under Chapter II of DPDPA 2023.

In interpreting the law, therefore, companies can be innovative, but they should not apply their creativity to finding ways of bypassing it.

It is for this reason that we are circumspect about MeitY putting too many prescriptions into the law through the Rules. Each prescription will be analysed by unscrupulous entities for the loopholes it opens up.

The less the detailing, the fewer the opportunities for loopholes.

We therefore believe that the Rules should not be prescriptive and detailed, and should restrict themselves to the “required clarity” derived from the principle-based law.

“Due diligence” by the Data Fiduciary should be recognised as the only road to compliance.

Naavi

Posted in Cyber Law

Declare DPB as a Protected System under ITA 2000

The Data Protection Board under DPDPA is likely to be a very important Government office, and it symbolically represents “Data Security” in India.

As a result, it is likely to be a target of attack by hackers with an anti-India agenda.

It is therefore necessary to ensure that the DPB website is well protected and, at the same time, declared a protected system under Section 70 of ITA 2000.

DPB should also not store any data outside India, even on the clouds of Amazon or Microsoft.

With such a declaration, any unauthorised attempt to access the system becomes an offence punishable with imprisonment of up to ten years, and the security of the system becomes the responsibility of the national nodal agency for critical information infrastructure protection (NCIIPC, under Section 70A) together with CERT-In.

A similar declaration should also be made in respect of “Consent Managers” if they are given “visibility” into the data exchanged.

Naavi

Posted in Cyber Law

Timeline for DPDPA Implementation

The draft rules on DPDPA suggest that the rules relating to the setting up of the Search Committee for selecting the Chairman and Members of the DPB, and the rules relating to the terms of appointment of the DPB Chairman, Members and employees, will become effective immediately. However, the draft rules are silent on when the other provisions of the Act will become effective.

In our interactions with the industry we have noticed that the industry is still complacent and expects unlimited time to be available for compliance. This perception needs to be changed, with the Government setting some target timeline for itself through the Rules.

We therefore recommend that Rule 1 be expanded to include the following.

a) The DPB shall be formed within 3 months of this notification and commence its operational website within 4 months of the notification.

b) Provisions related to the registration of Consent Managers shall commence as soon as the DPB becomes operational.

c) Compliance requirements such as Consent, Data Breach Notification and Restrictions on transfer of data outside India (where applicable) shall be required within 9 months of the notification.

d) Penalties under Section 33 shall be effective one year from the notification. (DPB may use its discretion to grant additional time through the provision for voluntary undertaking where it is considered necessary.)

e) Section 44 of DPDPA 2023 shall be effective along with Section 33, so that Section 43A of ITA 2000 (Information Technology Act, 2000) is replaced only after the penalty clauses under DPDPA 2023 become effective.

f) Provisions of Section 10(2)(a) [appointment of a DPO] may be made effective within 9 months from the date of notification.

g) All other residual requirements under the Act shall be deemed applicable at the end of one year from the notification.

h) Non-corporate Data Fiduciaries and those falling under the category of SME/MSME shall be provided an additional 6 months, over and above the time given to other entities, for each of the different provisions.

Your comments are welcome.

Naavi

Posted in Cyber Law

Data Protection Board (DPB) …DPDPA Rules

Under the proposed draft rules, the DPB consists of a Chairman and several Members, to be appointed on the recommendation of two Search Committees which will be set up after the notification of the draft rules: one committee will select the Chairman and the other the Members.

We do not know at this point how many Members the DPB will have. We also do not know whether the Search Committees will complete their task quickly so that the DPB becomes operational soon.

To spur the next level of compliance, the DPB needs to come into action.

In this context, the following recommendations are placed before MeitY.

a) The minimum number of Members (excluding the Chairman) shall be six and the maximum shall be twenty.

b) DPB shall commence its operation with the minimum number of Members, and MeitY shall review the requirements of the DPB once a year and increase the number of Members as required.

c) The Search Committee may function for one year at a time, shall review the functioning of the DPB annually, and shall submit a report to MeitY before a new Search Committee is set up for the following year.

d) The respective Search Committee shall be responsible for evaluating any complaints received against the Chairman/Members, or observations recorded during the monitoring of the activities of the DPB, and shall recommend disqualification if required.

e) The Search Committee shall meet every quarter, or as often as otherwise required, to review the activities of the DPB and recommend corrective action if necessary.

f) The external members of the Search Committee may be paid such remuneration as the Ministry may determine for the services rendered, including sitting fees for meetings.

g) The external members of the Search Committee shall retire each year and shall not be eligible for re-appointment for a second consecutive term.

We also hope that the DPB will be operative within the next 3 months.

Naavi

Posted in Cyber Law