DPDPA Rules-Consent Manager

Naavi.org has been debating the concept of the “Consent Manager” under DPDPA 2023 and the possibility of making it an improvement over the concept of the “Consent Manager” under the DEPA Framework, which has been adopted under the Account Aggregator scheme.

Going through the current version of the DPDPA rules, it appears that MeitY has chosen not to exercise its option to improve upon the DEPA Framework, but to retain the concept with which it is more familiar.

Every Consent Manager needs to be registered with the DPB and shall be an Indian company, with its directors and senior management having a reputation for fairness and integrity. Any conflict of interest with any Data Fiduciary, either at the corporate level or the executive level, needs to be avoided.

The minimum net worth of the company has to be not less than Rs 2 crore.

Under sub-rule (3) of this Rule 5, it is stated that one of the obligations of the Consent Manager is …

“to establish an accessible, transparent and interoperable platform that enables a data principal to give, manage, review and withdraw her consent to herself obtain her personal data from a data fiduciary or to ensure that such personal data is shared with another data fiduciary of her choice, without the consent manager being in a position to access that personal data”

This clause highlights the “Intermediary” role of the Consent Manager under ITA 2000, while sub-rule 1(c) states that the Consent Manager shall act in a “Fiduciary” capacity.

The “Fiduciary” capacity and the “Intermediary” status are mutually exclusive. They are different, and this has been ignored.

Further, while sub-clause (1) states that the Consent Manager shall be a company, sub-clause (7) implies that it can be a firm or an association of persons. The rule in some places also refers to the “Consent Manager” as “her”, indicating that it could even be an individual.

These are probably unintended and can be corrected in the next version.

The rule also prescribes a data retention period of 7 years or longer, which could influence the due diligence of Data Fiduciaries in similar circumstances.

The question is: if the Consent Manager is required to keep the consent information for 7 years or more, why not the primary Data Fiduciary?

Also, is there a “Purpose” for the Consent Manager to collect and hold the consent? If so, is there a separate expiry period for the same? …

Also, if according to sub-rule (2)(b) the Consent Manager needs to maintain a digital record of, and offer to a Data Principal digital access to,
(i) every request for consent approved or rejected by her, and
(ii) every Data Fiduciary who has shared her personal data in response to a request for consent approved by her,

how can sub-clause (3), stating that the Consent Manager shall not have access to the consent, be fulfilled?

Probably a more detailed discussion is required in this regard…

Naavi

Posted in Cyber Law

DPDPA Rules: Management of Data Principal’s Rights

The draft rules currently under discussion regarding the management of Data Principal’s Rights try to provide clarity to Sections 11, 12, 13 and 14 of DPDPA 2023.

It is noted that the rules do not make any reference to Section 15 on the duties of the Data Principal, which is a condition precedent to the exercise of Rights and should have been mentioned.

While referring to the requirements, the clause starts with the words,

“(1) For enabling data principals to exercise their rights under Chapter III of the Act, the Data Fiduciary and, where applicable, the Consent Manager, shall publish on her website or app or both, as the case may be,-“

I would like to again point out that the rules refer to the Data Fiduciary or Consent Manager in terms of “her website”, as if the Data Fiduciary or the Consent Manager is an “individual”. While the “Data Fiduciary” can be an “individual”, it is not practically feasible for the Consent Manager to be an “individual”, or rather it should not be, from the regulatory requirement of business continuity. In fact, another rule (yet to be discussed by us) categorically mentions that the Consent Manager shall be a company.

Hence the use of the word “her” in this context is incorrect, and this obsession needs to be avoided. It may lead to unnecessary legal issues at some point of time in the future. There is a need to go through the entire document and ensure that all references to a Data Fiduciary or Consent Manager are changed to “it” or “their” instead of “she” or “her”.

While most of the rules under this clause are a paraphrasing of the Act, the lack of reference to the Duties is glaring. The “Rights” guaranteed under the Act are intrinsically linked to the “Duties”, both because of Section 15 of the Act and because of Article 19(2) of the Constitution, which restricts the “Right to Privacy” in certain specific contexts.

It is most important to note that under Section 15 of the Act, a Data Principal shall “comply with the provisions of all applicable laws for the time being in force while exercising rights under the provisions of this Act;”

This has to be highlighted so that no irresponsible attack is mounted on a data fiduciary by motivated data principals who may be encouraged by the competitors or anti nationals.

Similarly, the “Right to Erasure” has to be effectively tempered with the need to ensure, through appropriate documentation, that there is no need to retain the data for any other reason. “Electronic Data” is evidence for many civil claims and criminal prosecutions, and irresponsible erasure could become an offence under Section 65 of ITA 2000 and also under the IPC/IEA.

Compliance officers are unlikely to have adequate appreciation of the laws related to retention of data under other statutes, and hence they have to be warned while they try to meet the requirements of the “Right to Erasure”.

Some of these corrections are required in the next draft.

Naavi

Posted in Cyber Law

DPDPA Rules: The Significant Data Fiduciary

One of the important aspects of the DPDPA Rules that was being looked forward to was the identification of the “Significant Data Fiduciary”, since many obligations, including the need to designate a DPO, emerge from that definition.

It is surprising that the draft rules meant for public discussion seem to be yet undecided in this respect and require an urgent correction to incorporate the details of how a Significant Data Fiduciary is to be defined. Naavi.org has discussed this issue several times (Refer here).

However, the current draft of the rules only states the following in regard to the Significant Data Fiduciary.

Measures to be undertaken by the Significant Data Fiduciary.

(1) A Significant Data Fiduciary shall, in addition to the measures provided under the Act, undertake the following measures, namely:-

(a) Ensure that its Data Protection Officer shall be the point of contact for answering on its behalf the questions, if any, raised by the Data Principal about the processing of her personal data;

(b) Include in the business contact information to be published under rule 9 a toll-free telephone number issued in India and an e-mail address for Data Principals to contact its Data Protection Officer; and

(c) Undertake the periodic Data Protection Impact Assessment and the periodic audit under the provisions of the Act at least once in every year.

(2) In this rule, the expression “every year” in relation to a Data Fiduciary shall mean every period of one year reckoned from the date on which

(a) these rules come into force, or

(b) such Data Fiduciary becomes a Significant Data Fiduciary, whichever is later.

For some reason this clause appears to be poorly constructed and requires urgent revision.

Firstly, there is a need to define a “Significant Data Fiduciary” u/s 10(1) so that organizations can start preparing for designating a DPO and instituting measures for audit etc.

Secondly, the responsibility of the DPO cannot be stated as “answering the questions of the Data Principal”. It should be a responsibility to resolve the disputes of the Data Principal at the level of the Data Fiduciary, to be a point of contact for the DPB, and to be responsible for any inadequacies in compliance.

The current version of the rule appears to reduce the importance of the DPO to that of a help centre manager. This is not in keeping with the spirit of the Act and needs to be changed immediately, before further discussion of the rules in the public domain.

Naavi

Posted in Cyber Law

DPDPA Rules: Which provisions will become effective now

While the DPDPA 2023 was gazetted on 11th August 2023, the notification of the date of its effectiveness has been awaited. Presently the draft rules are ready for public comments, and the industry is eagerly waiting to know which provisions of the Act will become effective immediately and which will take time.

The current thinking in MeitY seems to be a two-stage implementation, with about 6 rules to be notified for immediate effect and the remaining 14 or so rules to become effective at some later point of time.

The six rules that may be notified for immediate effect could be:

Short Title and Commencement
Definitions
Appointment of Chairperson and other Members
Salary, allowances and other terms and conditions of service of Chairperson and other members
Proceedings of Board and authentication of its orders, directions and instruments
Terms and conditions of appointment and service of officers and employees of Board

The other rules to be notified on a later date are as follows:

Notice to seek consent of data principal
Notice to inform of processing done where data principal has given consent before commencement of Act
Registration, accountability and obligations of a Consent Manager
Processing of Personal data for provision of subsidy, benefit, service, certificate, license or permit
Intimation of personal data breach
Time period for specified purpose to be deemed as no longer being served
Publishing of contact information of person who is able to answer questions about processing
Verifiable Consent for processing personal data of child or person with disability who has lawful guardian
Exemptions from processing of personal data of child
Measures to be undertaken by Significant Data Fiduciary
Rights of Data Principal
Exemption from Act for Research, Archiving and Statistical purposes
Techno Legal measures to be adopted by Board
Appeal

It is expected that the setting up of the DPB may take about 3 months, and the remaining rules may come into effect subsequently.

There are a few more rules that are yet to be finalized, and perhaps they may come up in a third set.

The exact time schedule for implementation is as yet unclear, and we may have to wait for the Government to complete the constitution of the DPB before a more specific time schedule can be expected.

Naavi

Posted in Cyber Law

DPDPA-Rules: Publishing the Business Contact Information of DPO

It is amusing to observe that while drafting the rules of the DPDPA, MeitY has gone overboard in using the feminine gender, which was considered a unique aspect of the drafting of the law.

In the law, the Data Principal, who is an individual, was referred to as “she” or “her” instead of the normal use of the terms “he” or “him” in other laws.

Now those who drafted the rules have gone a step further to depict even organizations in the feminine gender.

For example, while indicating the rules regarding the publishing of the business contact information of a Data Protection Officer, the draft rules meant for discussion state,

(1) A Data Fiduciary shall-

(a) publish on her website or app or both, as the case may be, and

(b) intimate the data principal through in-app notification and every piece of correspondence with her, the business contact information of a person who is able to answer, on behalf of the Data Fiduciary, the questions, if any, raised by the Data Principal about the processing of her personal data.

(2) If the Data Fiduciary is a Significant Data Fiduciary, the business contact information published under sub-rule (1) shall be that of its Data Protection Officer.

(3) The business contact information to be published under sub-rule (1) shall be published in like manner as is provided in sub-rule (2) of rule 5 (Ed: on the home page).

In the majority of cases, the Data Fiduciary is an organization, and the appropriate pronoun would have been “it”, or simply “the Data Fiduciary”.

There is one benefit, however, that has arisen on account of this unnatural use of the pronoun “her” for a “Data Fiduciary”. It has focused attention on the fact that even an individual can be a “Data Fiduciary” in the context of processing of personal data for “non-domestic use”. Hence, theoretically, a Data Fiduciary can also be an individual, and therefore the use of the pronoun “her/she” can be justified.

Leaving aside this minor observation, this rule is important from the perspective of an indirect admission that “Business Contact Information” is actually “Personal Information” which the Data Principal, out of his “choice”, decides to use for business purposes.

There are many who consider Naavi9 @gmail.com as personal information and refuse to accept it in some forms. On the other hand, naavi @naavi.org is considered an acceptable business address. This is in my view incorrect, since it is the prerogative of Naavi to hold out naavi @naavi.org as a business address or a personal address, and naavi9 @gmail.com as a personal e-mail address or a business e-mail address.

Under the DGPSI framework we have always recommended leaving to the individual the choice of declaring whether any e-mail or mobile number is personal information or business information, and many companies have started accepting this argument and incorporating it in their personal information gathering exercise.

I hope that the use of “her/she” for the Data Fiduciary, and of “her” for the business contact information of a DPO, confirms that “Business Contact Information” can contain a personal name as part of the e-mail.

…..More discussions will follow.

Naavi

Posted in Cyber Law

DPDPA Rules-Data Breach Notification

Data breach notification is an important aspect of compliance with any data protection law. DPDPA 2023 also requires a notification both to the DPBI and to the Data Principal in the event of a data breach.

The DPDPA 2023 Act had simply stated that in the event of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal intimation of such breach in such form and manner as may be prescribed. Now the DPDPA rules expand the requirement.

The rules prescribe that as soon as the Data Fiduciary becomes aware of the data breach, an intimation has to be sent immediately to the DPBI with preliminary information including

(a) a description of the breach, including its nature;
(b) the date and time when the Data Fiduciary became aware of the breach;
(c) the timing or duration of occurrence of the breach;
(d) the location where the breach occurred;
(e) the extent of the breach, in terms of the nature and quantum of data involved; and
(f) the potential impact of the breach.

Within the next 72 hours the Data Fiduciary needs to file a second report with details of the breach. The DPBI is expected to provide suitable submission forms on its website for the purpose. In this second report the broad facts related to the events, circumstances and reasons leading to the breach need to be revealed, along with the remedial measures taken.

Additionally, information has to be given to the Data Principal as well, containing the information about the breach as it affects that specific Data Principal. The rule seems to avoid specifying the time period within which the intimation has to be provided to the Data Principal.

Perhaps MeitY has to either apply the 72-hour time limit specified for intimation to the DPBI to the Data Principal as well, or specify a longer duration.

In case more time is needed to report the breach because a detailed investigation is required, the Data Fiduciary may seek additional time from the DPBI after the second report.

As of now, every data breach under the DPDPA is also a data breach under ITA 2000, and hence reporting to CERT-In as per the CERT-In guidelines will also be required.

Naavi

Posted in Cyber Law