Voice Your Views on DPDPA Rules: It is now or maybe never

The DPDPA 2023 was gazetted on August 11, 2023. However, the Government could not finalize the rules and notify the Act before the elections, and this is now scheduled in the 100-day agenda of the Modi 3.0 Government.

It is expected that the rules will first be released as a “Draft” to elicit public response before being notified for effectiveness.

It is very important that all industries study the rules and record their suggestions before the rules are notified. If they are complacent, it may be difficult to bring about changes later.

So far, the industry has been responsible for the delay in the introduction of data protection laws by objecting to every move made by the Government to introduce the law, out of fear of the unknown. We hope the resolve of the Government is strong this time and that the notification will proceed as scheduled.

FDPPI therefore intends that the industry in different sectors should study the rules, assimilate their consequences and then provide its suggestions in time for the Government to accommodate as many views as feasible.

FDPPI has therefore organized a symposium in Bengaluru on 27th July 2024 to collate the voice of the different segments of the industry.

The venue of the conference is Suchitra Film Society Auditorium, 36, 9th Main, B V Karanth Road, near Post Office, Banashankari Stage II, Banashankari, Bengaluru, Karnataka 560070.

The tentative program includes discussions in multiple panels as follows:

  1. Panel 1: FDPPI: Introducing the observations of FDPPI
  2. Panel 2: Health Sector: Impact of DPDPA Rules on Health Sector
  3. Panel 3: Fintech: Impact of DPDPA Rules on Fintech Sector
  4. Panel 4: Education: Impact of DPDPA Rules on Education Sector
  5. Panel 5: Other Industries: Impact of DPDPA Rules on Digital marketing and Manufacturing Sector

The program is hybrid, with speakers joining from all over India. The feedback received from the industry will be briefly discussed and collated for subsequent submission to MeitY.

Participation is by registration, and physical participation is limited. Registration can be made here:

https://www.iletsolutions.com/fdppi_conference

Earlier Articles:

https://www.naavi.org/wp/expected-rules-under-dpdpa-2023/

https://www.naavi.org/wp/dpdpa-rules-the-data-protection-board-of-india/
https://www.naavi.org/wp/dpdpa-rules-consent-manager/
https://www.naavi.org/wp/dpdpa-rules-management-of-data-principals-rights/
https://www.naavi.org/wp/dpdpa-rules-the-significant-data-fiduciary/
https://www.naavi.org/wp/dpdpa-rules-which-provisions-will-become-effective-now/
https://www.naavi.org/wp/dpdpa-rules-publishing-the-business-contact-information-of-dpo/
https://www.naavi.org/wp/dpdpa-rules-data-breach-notification/
https://www.naavi.org/wp/dpdpa-rules-how-will-legacy-data-consent-be-handled/
https://www.naavi.org/wp/will-a-copy-of-draft-notice-be-part-of-the-rules/

Naavi

Posted in Cyber Law

Privacy at BSIDES Cyber Security Conference

On June 28, 2024, a major information security summit led by BSIDES Bengaluru was held in Bengaluru.

Among the several things discussed during the conference was a panel discussion on “Tactics for Combating Privacy Threats” in which the undersigned also participated.

During the panel discussion, Naavi highlighted that, apart from the threats arising from new technology being misused by criminals, which show up as “information security threats”, it is necessary to recognize a new genre of threats to an organization arising from the emergence of privacy and data protection laws.

One special feature of this new genre of “Regulatory Non-Compliance Risk” is that it may materialize even when there is no “Data Breach”, and hence the risk management strategy has to be addressed differently from existing practices.

Further, Naavi highlighted that managing “Privacy Threats” includes managing the limitations of the privacy laws themselves and their conflict with security practices. The example cited was the common response of organizations that refuse to disclose the identity of the sender of a message to its recipient even when the message itself is the object of an offence, such as a phishing e-mail or SMS.

Naavi also highlighted that there are limits to automating compliance through technology artefacts, which need to be recognized, since “legal compliance” is not a binary outcome and involves human interpretation.

Naavi believes that with the advent of DPDPA the obligations of organizations have taken on a new dimension, and they need to adopt new frameworks such as DGPSI to remain compliant.

The interaction with the audience was very engaging.

FDPPI took the opportunity to congratulate the organizers, and more particularly Ms Sujatha Yakasiri, the founder of BSIDES Bengaluru, for the successful organization of the event.

Naavi

Posted in Cyber Law

Section 63 of Bharatiya Sakshya Adhiniyam

Section 65B of the Indian Evidence Act (IEA) was a very important amendment made to the age-old Indian Evidence Act 1872 consequent to the passing of the Information Technology Act 2000 (ITA 2000), notified on 17th October 2000.

This section provided the means of bringing electronic evidence before a Court of law as admissible evidence, and Naavi.org has discussed it several times in the last 20 years. Naavi even published an E-Book on the topic (which is now due for revision).

Now, with the passage of the Bharatiya Sakshya Adhiniyam 2023 (BSA 2023), notified for effectiveness on 1st July 2024 along with the Bharatiya Nyaya Sanhita and the Bharatiya Nagarik Suraksha Sanhita (which replace the IPC and the CrPC), Section 65B of IEA is replaced by Section 63 of BSA 2023 with similar provisions.

The objective of this article is to highlight the differences between Section 65B of IEA 1872 and Section 63 of BSA 2023. Section 65B of IEA had 5 sub-sections; Section 63 of BSA also has 5 sub-sections, along with a Schedule that prescribes the form of the certificate.

Naavi presented the first Section 65B certificate in any Indian Court in the case of State of Tamil Nadu vs Suhas Katti before the Additional Chief Metropolitan Magistrate, Egmore, Chennai, in 2004, which resulted in the conviction of the accused. Subsequently Naavi has provided many such certificates. Till 2014, when the Supreme Court delivered the well-known Anvar P.V. vs P.K. Basheer judgement, Naavi's views were not accepted by a part of the community, but the Basheer judgement cleared most of the doubts prevalent in the market.

However, there was no uniformity in the format in which such certificates were provided, and all sorts of certificates may have been provided and accepted by the Courts.

Section 63 of BSA now settles most of these doubts and brings some clarity. At the same time it may introduce some additional questions which need to be clarified by domain experts. An attempt has been made below to set out Naavi's thoughts in this regard.

Let us now analyse the section in depth.

Section 63 of BSA 2023 Vs Section 65B of IEA:

Admissibility of Electronic Records

The two texts are set out below, sub-section by sub-section, with the BSA 2023 text first and the IEA 1872 text (as amended in 2000) second.

Section 63 of BSA 2023:

63. Admissibility of electronic records. –

(1) Notwithstanding anything contained in this Adhiniyam, any information contained in an electronic record which is printed on paper, stored, recorded or copied in optical or magnetic media or semiconductor memory which is produced by a computer or any communication device or otherwise stored, recorded or copied in any electronic form (hereinafter referred to as the computer output) shall be deemed to be also a document, if the conditions mentioned in this section are satisfied in relation to the information and computer in question and shall be admissible in any proceedings, without further proof or production of the original, as evidence or any contents of the original or of any fact stated therein of which direct evidence would be admissible.

Section 65B of IEA 1872 (amended in 2000):

65B. Admissibility of electronic records. ––

(1) Notwithstanding anything contained in this Act, any information contained in an electronic record which is printed on a paper, stored, recorded or copied in optical or magnetic media produced by a computer (hereinafter referred to as the computer output) shall be deemed to be also a document, if the conditions mentioned in this section are satisfied in relation to the information and computer in question and shall be admissible in any proceedings, without further proof or production of the original, as evidence or any contents of the original or of any fact stated therein of which direct evidence would be admissible.

It is important to note that this sub-section defines the “Computer Output” to which the other sub-sections of Section 63/65B apply. According to the section, information contained in an electronic record is referred to as “Computer Output” when it is either printed on paper or stored, recorded or copied in optical or magnetic media (and, in BSA, in semiconductor memory) or, as BSA adds, otherwise stored, recorded or copied in any electronic form.

Under ITA 2000, a document printed out of a computer and binary documents processed by a computer are all electronic records, so the term “Electronic Record” already covers such documents even where they are not separately mentioned.

The critical aspect of the section is that such a Computer Output, when produced as per this section, “shall” be admissible in the proceedings without production of the original. The judiciary does not have the discretion to refuse an electronic document unless some lacuna in the certification process is brought to its notice. Hence this section will be widely debated in all future Court proceedings involving electronic documents as evidence.

Overall, considering the effect of this sub-section, there is no material difference between the two versions of sub-section (1) beyond the wider list of media in BSA.

The next sub-sections, 63(2) and 65B(2), compare as follows.

Section 63(2) of BSA 2023:

(2) The conditions referred to in sub-section (1) in respect of a computer output shall be the following, namely:—

(a) the computer output containing the information was produced by the computer or communication device during the period over which the computer or communication device was used regularly to create, store or process information for the purposes of any activity regularly carried on over that period by the person having lawful control over the use of the computer or communication device;

(b) during the said period, information of the kind contained in the electronic record or of the kind from which the information so contained is derived was regularly fed into the computer or communication device in the ordinary course of the said activities;

(c) throughout the material part of the said period, the computer or communication device was operating properly or, if not, then in respect of any period in which it was not operating properly or was out of operation during that part of the period, was not such as to affect the electronic record or the accuracy of its contents; and

(d) the information contained in the electronic record reproduces or is derived from such information fed into the computer or communication device in the ordinary course of the said activities.

Section 65B(2) of IEA 1872:

(2) The conditions referred to in sub-section (1) in respect of a computer output shall be the following, namely: ––

(a) the computer output containing the information was produced by the computer during the period over which the computer was used regularly to store or process information for the purposes of any activities regularly carried on over that period by the person having lawful control over the use of the computer;

(b) during the said period, information of the kind contained in the electronic record or of the kind from which the information so contained is derived was regularly fed into the computer in the ordinary course of the said activities;

(c) throughout the material part of the said period, the computer was operating properly or, if not, then in respect of any period in which it was not operating properly or was out of operation during that part of the period, was not such as to affect the electronic record or the accuracy of its contents; and

(d) the information contained in the electronic record reproduces or is derived from such information fed into the computer in the ordinary course of the said activities.

We may observe here that the words “or communication device” have been added so that data from mobile devices is clearly within the purview of the section. This is arguably redundant, since a mobile phone already falls within the definition of a computer under ITA 2000, but the clarity is welcome.

Since sub-section (1) speaks of “Computer Output”, sub-section (2) should be read with reference to the Computer Output. Hence the device referred to in this sub-section is the computer from which the Computer Output is produced. Since a Computer Output could also be a stored or copied version, the computer referred to in sub-section (2) should be considered to be the computer in which the Computer Output was stored or copied and from which the evidence is being extracted.

This interpretation is important since, in the case of documents on the web, some people will argue that the hosting operations need to be certified as “working properly” etc., which is incorrect and infeasible. If Mr X uses his computer K to generate the Computer Output, then K is the device whose owner is relevant for this section, and K is the device that needs to have been working properly.

Generating a Computer Output is an activity such as printing out, storing, or making a copy on a medium, and the period referred to here is the period over which such an output is created. If the printout is a 10-year bank statement, it is not necessary to certify that the computer was working properly for 10 years.

Sub-section 63(3) is worded slightly differently from 65B(3), though the objective of both is to ensure that a computer output created by a combination of computers, such as a server and a client, is within the scope of the section.

The sub-sections state as follows.

Section 63(3) of BSA 2023:

(3) Where over any period, the function of creating, storing or processing information for the purposes of any activity regularly carried on over that period as mentioned in clause (a) of sub-section (2) was regularly performed by means of one or more computers or communication device, whether—
(a) in standalone mode; or
(b) on a computer system; or
(c) on a computer network; or
(d) on a computer resource enabling information creation or providing information processing and storage; or
(e) through an intermediary,
all the computers or communication devices used for that purpose during that period shall be treated for the purposes of this section as constituting a single computer or communication device; and references in this section to a computer or communication device shall be construed accordingly.

Section 65B(3) of IEA 1872:

(3) Where over any period, the function of storing or processing information for the purposes of any activities regularly carried on over that period as mentioned in clause (a) of sub-section (2) was regularly performed by computers, whether––
(a) by a combination of computers operating over that period; or
(b) by different computers operating in succession over that period; or
(c) by different combinations of computers operating in succession over that period; or
(d) in any other manner involving the successive operation over that period, in whatever order, of one or more computers and one or more combinations of computers,
all the computers used for that purpose during that period shall be treated for the purposes of this section as constituting a single computer; and references in this section to a computer shall be construed accordingly.

It is interesting to note that Section 63 makes it clear that even if part of the process of producing a computer output involves a different legal entity which is an “Intermediary”, the output is still considered a valid document created by the subject computer owner. During this process the document leaves the custody of the subject computer owner, gets processed outside and returns.

Processing through an intermediary involves transmission of the data out, storage in the intermediary's resources, processing in the intermediary's resources and re-transmission back to the subject computer owner. It is difficult to accept the integrity of a document processed by the intermediary except with a certificate from the intermediary that the data received, processed and re-transmitted has not been modified in a way that affects the evidentiary value of the electronic record.

In other words, the intermediary has to provide its own certificate as an agent of the subject computer owner forming part of his data processing network. The drafting of this aspect is therefore open to interpretation, may be disputed, and requires a future clarification from the Supreme Court.

For the time being, our jurisprudential advice would be that

“Where the processing of the computer output involves computers owned by multiple owners, the owner who presents the evidence must hold confirmatory certificates from the other sub-processors that during the processing of data at their end, the material value of the evidentiary content has not been altered”.

For this purpose the sub-processor may be called to the Court to give evidence, or may submit the details of the tool and how it processes the data in the form of a certified document.

The next and most important sub-section is 63(4) of BSA (65B(4) of IEA), which prescribes how the certificate is to be issued.

Section 63(4) of BSA 2023:

(4) In any proceeding where it is desired to give a statement in evidence by virtue of this section, a certificate doing any of the following things shall be submitted along with the
(a) identifying the electronic record containing the statement and describing the manner in which it was produced;
(b) giving such particulars of any device involved in the production of that electronic record as may be appropriate for the purpose of showing that the electronic record was produced by a computer or a communication device referred to in clauses (a) to (e) of sub-section (3);
(c) dealing with any of the matters to which the conditions mentioned in sub-section (2) relate, and purporting to be signed by a person in charge of the computer or communication device or the management of the relevant activities (whichever is appropriate) and an expert shall be evidence of any matter stated in the certificate; and for the purposes of this sub-section it shall be sufficient for a matter to be stated to the best of the knowledge and belief of the person stating it in the certificate specified in the Schedule.

Section 65B(4) of IEA 1872:

(4) In any proceedings where it is desired to give a statement in evidence by virtue of this section, a certificate doing any of the following things, that is to say, ––
(a) identifying the electronic record containing the statement and describing the manner in which it was produced;
(b) giving such particulars of any device involved in the production of that electronic record as may be appropriate for the purpose of showing that the electronic record was produced by a computer;
(c) dealing with any of the matters to which the conditions mentioned in sub-section (2) relate, and purporting to be signed by a person occupying a responsible official position in relation to the operation of the relevant device or the management of the relevant activities (whichever is appropriate) shall be evidence of any matter stated in the certificate; and for the purposes of this subsection it shall be sufficient for a matter to be stated to the best of the knowledge and belief of the person stating it.

This sub-section defines the contents of the certificate and how it is to be issued.

The certificate needs to identify the electronic record, give particulars of the devices involved in its production, and be signed by the person in charge of the computer and by an expert. A template for such a certificate is provided in the Schedule.

The drafters of this sub-section have treated the “person in charge of the computer” and the “expert” as two different persons. When this is read along with the earlier sub-section relating to an “Intermediary”, it is possible to interpret that a certificate is required from the intermediary also, which is not ordinarily feasible.

We should therefore interpret, jurisprudentially, that the certificate is required only from the owner of the computer from which the computer output was produced, supported by a declaration that the owner believes that the processing at the hands of the intermediary has not materially altered the evidentiary value of the document.

The sub-section uses the term “an expert”. Fortunately it does not say “the expert”. Had the words “the expert” been used, it would have created confusion with the Examiner of Electronic Evidence notified under Section 79A of ITA 2000. “An expert” means any person with the necessary expertise.

The copy of the certificate template as given in the schedule is as follows:

It is observed that a Computer Output in the form of a printout does not have a hash value of its own, and the hash value stated in the certificate should be understood as referring to the electronic original from which the printout was taken. This means that the electronic document must first be saved as a file on a medium so that its hash value can be calculated. Whoever drafted this was not fully aware of the implications, and hence a workaround is needed: the expert should either preserve one electronic version of the document that was printed out and hash that, or state that, since the computer output is a paper document, the hash value refers to a scanned copy of the printout.

The last sub-section, 63(5), deals with the situation where the subject computer from which the evidence is extracted and certified may itself receive its input from another computer. It is not necessary that the information be originally produced by that computer itself.

The sub-sections state as follows.

Section 63(5) of BSA 2023:

(5) For the purposes of this section,—
(a) information shall be taken to be supplied to a computer or communication device if it is supplied thereto in any appropriate form and whether it is so supplied directly or (with or without human intervention) by means of any appropriate equipment;
(b) a computer output shall be taken to have been produced by a computer or communication device whether it was produced by it directly or (with or without human intervention) by means of any appropriate equipment or by other electronic means as referred to in clauses (a) to (e) of sub-section (3).

Section 65B(5) of IEA 1872:

(5) For the purposes of this section, ––
(a) information shall be taken to be supplied to a computer if it is supplied thereto in any appropriate form and whether it is so supplied directly or (with or without human intervention) by means of any appropriate equipment;
(b) whether in the course of activities carried on by any official, information is supplied with a view to its being stored or processed for the purposes of those activities by a computer operated otherwise than in the course of those activities, that information, if duly supplied to that computer, shall be taken to be supplied to it in the course of those activities;
(c) a computer output shall be taken to have been produced by a computer whether it was produced by it directly or (with or without human intervention) by means of any appropriate equipment.
Explanation.––For the purposes of this section any reference to information being derived from other information shall be a reference to its being derived therefrom by calculation, comparison or any other process.

This sub-section provides a possible solution to the problem of obtaining certificates of assurance from sub-processors when the evidentiary computer output is produced across multiple computers owned by different owners.

The observation is that after processing by the sub-processor, a final version is back with the subject computer owner. If the certificate is produced for the document “as is”, it may be possible not to insist on assurance certificates from the previous processors.

As an example, let us say there is a document D1 with Mr X on a computer K. This is sent to an intermediary M, who returns a version of the document, D2.

Now the document provided for evidentiary purposes may be either D1 or D2.

D1 may be in a format that is not easily readable, and hence converting it to D2 may be essential.

The question that arises is whether M should be considered an intermediary and, if so, how the change from D1 to D2 and its possible implication for the integrity of the evidence should be accounted for.

In the earlier paragraph we suggested that a certificate of assurance can be taken from M that the evidentiary integrity of D1 has not been altered in D2 (e.g. D1 is an image which is compressed into D2 and no other change is made).

In view of 63(5), an alternative exists that avoids the need for a certificate from the intermediary.

We may consider D2 as the evidentiary document provided to the Court; the earlier processing is not under the control of the person who owns the computer and who produces D2 as evidence with the necessary certification.

Experts who provide Section 63 certificates therefore need to incorporate this description of how the document originated in an annexure to the certificate, with the Schedule format serving as the covering certificate.
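The following is an added, illustrative example (written for this article, not the Schedule format and not code from any tool Naavi uses) of what the hashing point above and the D1/D2 chain look like in practice: every hash in the annexure is tied to a stored electronic file, a derived version names the file it came from, and the hashes can be recomputed from the files actually tendered. The three artefacts are constructed byte strings, the intermediary's processing is stood in for by zlib compression (the "image compressed into D2" case), and the record field names are this example's own assumption.

```python
import hashlib
import json
import zlib
from datetime import datetime, timezone

# Constructed sample artefacts, not real evidence. D1 stands for the
# electronic original held on Mr X's computer K; D2 is the version returned
# by the intermediary M (here: zlib compression, as in the article's example
# of an image being compressed); SCAN stands for a scanned copy of a paper
# printout of D1, which is what the hash refers to when only paper is tendered.
D1 = b"PNG-LIKE-IMAGE-DATA " * 64
D2 = zlib.compress(D1, 9)
SCAN = b"SCANNED-PRINTOUT-OF-D1 " * 32


def sha256_hex(data: bytes) -> str:
    """Hash value as it would be quoted in the certificate annexure."""
    return hashlib.sha256(data).hexdigest()


def build_annexure(d1: bytes, d2: bytes, scan: bytes, source_device: str) -> dict:
    """Describe each electronic artefact, its hash, and how it was derived.

    Field names are an assumption of this example, not the Schedule format.
    The point is that each hash is computed over a stored electronic file and
    that a derived version (D2, SCAN) names the artefact it was derived from.
    """
    entries = [
        {"label": "D1", "sha256": sha256_hex(d1), "derived_from": None,
         "produced_by": source_device,
         "how": "stored electronic original from which the printout was taken"},
        {"label": "D2", "sha256": sha256_hex(d2), "derived_from": "D1",
         "produced_by": "intermediary M",
         "how": "D1 compressed by the intermediary; no other change asserted"},
        {"label": "SCAN", "sha256": sha256_hex(scan), "derived_from": "D1",
         "produced_by": source_device,
         "how": "scan of the paper printout; the hash refers to the scan, not the paper"},
    ]
    return {"generated_at": datetime.now(timezone.utc).isoformat(),
            "artefacts": entries}


def verify_annexure(annexure: dict, files: dict) -> dict:
    """Recompute every hash from the files tendered and report per artefact.

    Returns {label: True/False}. A False for D2 is precisely the case in
    which the intermediary's processing would need its own certificate.
    """
    result = {}
    for entry in annexure["artefacts"]:
        data = files.get(entry["label"])
        result[entry["label"]] = (data is not None
                                  and sha256_hex(data) == entry["sha256"])
    return result


def d2_reproduces_d1(d1: bytes, d2: bytes) -> bool:
    """Check the intermediary's assertion that D2 is only a compressed D1.

    For a reversible transformation the assurance can be tested directly
    instead of taken on trust; an altered D2 fails the zlib checksum or
    decompresses to something other than D1.
    """
    try:
        return zlib.decompress(d2) == d1
    except zlib.error:
        return False


if __name__ == "__main__":
    annex = build_annexure(D1, D2, SCAN, "computer K of Mr X")
    print(json.dumps(annex, indent=2))
    print(verify_annexure(annex, {"D1": D1, "D2": D2, "SCAN": SCAN}))
```

Run stand-alone, the script prints the annexure as JSON and the per-artefact verification result. The design choice worth noting is that D2's entry records both its own hash and its parent (D1), so a Court can see that the tendered document is a derived version and can test the derivation where, as here, it is reversible.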

To sum up, there is a fresh requirement for experts and lawyers to understand Section 63 of the Bharatiya Sakshya Adhiniyam, and for Judges to appreciate the points mentioned above.

I am certain that the above discussion is the first such discussion on the section, and that there will be many more discussions and seminars in which this will be discussed, till one day the Supreme Court also understands it and puts it into one of its judgements.

Naavi will in the meantime continue to use the thoughts provided here to issue certificates if required. (P.S.: At present Naavi has stopped issuing Section 65B certificates due to his pre-occupation with DPDPA-related activities.)

Naavi

Posted in Cyber Law

Climate Change Impact of Artificial Intelligence usage

I draw the attention of readers to our earlier article “Climate Change impact on ISO 42001” and to the “RBI Reference on the impact of Climate Change on Financial Risk”. RBI had also released the draft guidelines “Disclosure Framework on Climate-related Financial Risks, 2024”.

In FY 2025-26, it is expected that some Banks may start adopting the guidelines.

The key reporting areas are

1. Governance, with board-level oversight of climate-related risks and opportunities

2. Strategy for managing short, medium and long term climate-related risks

3. Risk Management

4. Metrics and targets.

RBI seems to recommend a phased approach to the disclosures from FY 25-26 onwards, extending into FY 27-28.

Obviously there are technology companies recommending AI-based tools to support organizations in assessing climate risk and perhaps in mitigating it as well.

It is in this context that we need to remember an earlier study by researchers at the University of California, Riverside and the University of Texas at Arlington, which estimated that ChatGPT consumes about 500 ml of water, used for cooling the servers, for a conversation of roughly 20 to 50 queries. Another estimate was that every LLM interaction may consume power equivalent to running a low-intensity LED bulb for one hour.

Irrespective of the actual metrics, the impact of AI on power consumption cannot be neglected. We have earlier highlighted this in the “Crypto Mining” scenario.

It is now time to start thinking whether the climate impact of computing in general should be considered a risk that needs to be disclosed by all entities, not only RBI's regulated entities (REs).

Probably the AI industry should start disclosing the climate impact of its use of AI, and the necessary metrics need to be developed.

Naavi

Posted in Cyber Law

Debate the DPDPA Rules: FDPPI Initiative

FDPPI welcomes the rules being framed under DPDPA 2023 so as to give effect to the Act at the earliest.

The Act defines the responsibilities of a Data Fiduciary and the rights of a Data Principal. It also contains provisions relating to data breach notification and penalties for various instances of non-compliance.

In order to implement the Act, the Government will be setting up a Data Protection Board.

Some applicability aspects, such as who is a “Significant Data Fiduciary” and their special responsibilities, will also need to be clarified through additional notifications beyond the 25 rules required under different sections of the Act.

Once the formalities of operationalizing the new Lok Sabha are completed, it is expected that the Government will release the draft rules for public comments.

In order to collate the views of the industry on the published rules, FDPPI is planning a physical event in Bangalore at the earliest, inviting representatives from the industry to contribute their views on the rules, to be consolidated and presented to MeitY.

We request senior professionals in the industry, particularly from Fintech, Healthcare, Digital Marketing, etc., and from different classes of Data Fiduciaries such as manufacturing companies, social media intermediaries, AI developers, AI users, payment gateways, KYC agencies, Certifying Authorities under ITA 2000 and privacy-enhancing technology suppliers, who are interested in sharing their views on the published rules, to participate in the industry interaction.

Interested professionals and companies, particularly in Bangalore, may kindly contact Naavi/FDPPI immediately so that the program details can be finalized.

Naavi

Posted in Cyber Law

DPDPA Rules-The Data Protection Board of India

Chapter V of DPDPA 2023 provides the legal provisions relating to the constitution of the Data Protection Board of India (DPBI), which will be the supervisory body for DPDPA 2023.

Now the draft rules issued indicate the process for selection of the Chairperson and the Members of the Board.

The draft notification is yet to indicate the number of Members to be appointed to the DPBI, but indicates that two Search-cum-Selection Committees will be constituted, one for the selection of the Chairperson and the other for the Members. The Central Government (meaning MeitY) will approve the selection.

The Search-cum-Selection Committee for selection of the Chairperson will consist of

1. Cabinet Secretary, who shall be the Chairman;

2. Two experts of repute who possess special knowledge or practical experience in the fields of data governance, administration or implementation of laws related to social or consumer protection, dispute resolution, information and communication technology, digital economy, law, regulation or techno-regulation or in any other field which in the opinion of the Central Government may be useful to the Board;

3. Secretary to the Government of India in the Department of Legal Affairs;

4. Secretary to the Government of India in the Ministry of Electronics and Information Technology, who shall be the convener.

Similarly, the Search-cum-Selection Committee for selecting the Members of the Board will consist of

1. Secretary to the Government of India in the Ministry of Electronics and Information Technology, who shall be the Chairperson;

2. Two experts of repute who possess special knowledge or practical experience in the fields of data governance, administration or implementation of laws related to social or consumer protection, dispute resolution, information and communication technology, digital economy, law, regulation or techno-regulation or in any other field which in the opinion of the Central Government may be useful to the Board;

3. Secretary to the Government of India in the Department of Legal Affairs; and

4. The Chairperson of the Board.

This indicates that the Members of the Board will be chosen only after the Chairperson is chosen, appointed and takes charge. However, there is a provision that this committee can function without the Chairperson during the period when he/she has not been appointed or has not joined.

If the Government keeps the draft rules open for public comments for 45 days and notifies them only thereafter, the Search-cum-Selection Committee can start functioning only after the notification, which is around two months from now. Thereafter the committee needs to hold at least two or three meetings before making a selection, which then needs to be approved by the Government.

The search, selection and appointment of Members may have to start after the Chairperson is in place and may take further time, unless the Government decides to proceed with the selection of Members even before the first committee completes its search and the Chairperson joins duty.

Hence there is a need for MeitY to work in the background so that the constitution of the DPBI can be speeded up.

The salary and allowances of the Chairperson and the Members are also indicated in the rules: Rs 4.5 lakh per month for the Chairperson and Rs 4.0 lakh per month for the Members, along with the other facilities applicable to Government employees of the relevant grade.

Let us look forward to an early completion of the process so that further notification of the operating rules may be completed without further delay.

Naavi

Posted in Cyber Law