The extended timeline for submission of public comments on the DPDPA Rules 2025 ends today.
Naavi/FDPPI has already submitted its response, a copy of which is available here.
Since submitting our recommendations, we have identified a few additional requirements in the light of the recent data breach reports involving Adarsh Developers in Bangalore and the stock-broking firm Angel One, in both of which the role of the cloud service provider came to the fore.
We therefore discussed whether AWS should be declared a Significant Data Fiduciary and held responsible for security.
We also discussed whether organisations such as banks that handle personal data and whose systems have been declared Protected Systems under Section 70 of ITA 2000 should automatically be treated as Significant Data Fiduciaries.
While the Government has preferred to stay neutral on the designation of Significant Data Fiduciaries and to leave it to Data Fiduciaries to declare themselves Significant or not, there will still be a designated MeitY official to whom organisations may make a reference seeking certification that they are “Not Significant Data Fiduciaries”.
FDPPI will provide its views through the DGPSI framework and may also define “Super Data Fiduciaries”, and treat all Consent Managers as Significant Data Fiduciaries.

Where an AI algorithm is used, responsibility for the functioning of the AI rests with the deployer, who in turn needs to obtain an assurance from the vendor. Where the vendor is unable to certify the compliance of the AI algorithm from a DPDPA perspective, the deployer should treat it as an “Unknown Risk” and may use the AI at its own risk and responsibility, as a “Significant Data Fiduciary”.
We have also pointed out the need to disclose “recent Personal Data Breaches” in the notice, since withholding them amounts to misrepresentation.
We have also pointed out that the systems of the Data Protection Board (DPB) should be declared a Protected System under ITA 2000.
We have also pointed out the recent stand of the RBI opposing the Privacy Law in respect of the credit rating firms, which flags the need to keep sectoral regulators within the framework of the DPDPA. MeitY needs to ensure that the MHA and the MOF work with it in a harmonious manner, and must not let different sectoral regulators issue their own regulations that contradict the DPDPA.
MeitY may wish to consider some of these suggestions as well.
Naavi