FEED Validator

for Atom and RSS and KML

Congratulations!

This is a valid RSS feed.

Recommendations

This feed is valid, but interoperability with the widest range of feed readers could be improved by implementing the following recommendations.

line 47, column 0: content:encoded should not contain loading attribute (6 occurrences) [help]
```
<div class="wp-block-image">
```
line 47, column 0: content:encoded should not contain sizes attribute (5 occurrences) [help]
```
<div class="wp-block-image">
```
line 123, column 9: title should not be blank [help]
```
		<title></title>
         ^
```
line 202, column 0: content:encoded should not contain data-type attribute [help]
```
Significant Data Fiduciary
```
line 202, column 0: content:encoded should not contain data-id attribute [help]
```
Significant Data Fiduciary
```

Source: http://www.naavi.org/wp/?feed=rss2

<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
>
<channel>
<title>Naavi.org</title>
<atom:link href="https://www.naavi.org/wp/feed/" rel="self" type="application/rss+xml" />
<link>https://www.naavi.org/wp</link>
<description>Towards building Cyber Jurisprudence in India</description>
<lastBuildDate>Tue, 23 Apr 2024 03:19:30 +0000</lastBuildDate>
<language>en-US</language>
<sy:updatePeriod>
hourly </sy:updatePeriod>
<sy:updateFrequency>
1 </sy:updateFrequency>
<generator>https://wordpress.org/?v=6.0.3</generator>
<image>
<url>https://www.naavi.org/wp/wp-content/uploads/2015/08/cropped-naavi_lecture2-32x32.jpg</url>
<title>Naavi.org</title>
<link>https://www.naavi.org/wp</link>
<width>32</width>
<height>32</height>
</image>
<item>
<title>Nip this Apple air-pod in the bud.</title>
<link>https://www.naavi.org/wp/nip-this-apple-air-pod-in-the-bud/</link>
<dc:creator><![CDATA[Vijayashankar Na]]></dc:creator>
<pubDate>Tue, 23 Apr 2024 02:59:55 +0000</pubDate>
<category><![CDATA[Cyber Law]]></category>
<guid isPermaLink="false">https://www.naavi.org/wp/?p=17032</guid>
<description><![CDATA[The article published yesterday about “Digital Marketing” and its future in the society increasingly becoming sensitive to Privacy issues has evoked a few responses from other professionals. One such response worth noting is the linked in article “Neuro Data, Capitalism … <a href="https://www.naavi.org/wp/nip-this-apple-air-pod-in-the-bud/">Continue reading →</a>]]></description>
<content:encoded><![CDATA[
The article published yesterday about “Digital Marketing” and its future in the society increasingly becoming sensitive to Privacy issues has evoked a few responses from other professionals.
One such response worth noting is the linked in article “Neuro Data, Capitalism & Privacy Regulation” by Deepti Bhatia. (Incidentally Deepti is the President of Delhi Chapter of FDPPI).
In this article, Deepti raises many issues requiring further debate. We shall take one issue issue raised in this article for discussion today and that is the “Apple Patent on a Bio sensor embedded air pods”.
We have discussed “Neuro Rights” extensively in this website in the past and highlighted how Brain Computer interfaces, Humanoid Robots and CyBorgs with AI could transform the society in directions that may not be desirable. In such discussions, we have factored the raise of technology in neuro science which can read brain waves either through electrodes fixed on a skull cap or a chip embedded surgically inside the human skull.
<div class="wp-block-image">
<figure class="aligncenter size-full"><img loading="lazy" width="463" height="618" src="https://www.naavi.org/wp/wp-content/uploads/2024/04/neuro_sensors.png" alt="" class="wp-image-17033" srcset="https://www.naavi.org/wp/wp-content/uploads/2024/04/neuro_sensors.png 463w, https://www.naavi.org/wp/wp-content/uploads/2024/04/neuro_sensors-225x300.png 225w" sizes="(max-width: 463px) 100vw, 463px" /></figure></div>
In using such devices there was a “Technology Barrier” that would restrict the wide use of such technologies.
However Technology has now progressed alarmingly with Apple applying their skills to develop a wearable which can perhaps read brain waves and claiming a patent.
<a href="https://patentscope.wipo.int/search/en/detail.jsf?docId=US402825807&_cid=P10-LRT3OJ-01103-1" target="_blank" rel="noreferrer noopener">The US patent number US20230225659 titled “Biosignal sensing device using dynamic selection of electrodes”</a> is a dangerous patent that makes the common discussions on “Deceptive Privacy Invasion techniques through Dark Pattern” look absolutely childish.
This device is being designed as “Airpods” looking just like normal airpods and hiding all the electrodes that make the earlier devices clumsy.
<figure class="wp-block-table aligncenter"><table><tbody><tr><td><img loading="lazy" width="234" height="132" src="http://www.naavi.org/wp/wp-content/uploads/2024/04/airpod_neuros_Signal_reading.webp" alt=""/></td><td><img loading="lazy" width="489" height="671" class="wp-image-17034" style="width: 150px;" src="http://www.naavi.org/wp/wp-content/uploads/2024/04/apple_bio_sensor_airpod.png" alt="" srcset="https://www.naavi.org/wp/wp-content/uploads/2024/04/apple_bio_sensor_airpod.png 489w, https://www.naavi.org/wp/wp-content/uploads/2024/04/apple_bio_sensor_airpod-219x300.png 219w" sizes="(max-width: 489px) 100vw, 489px" /></td></tr></tbody></table></figure>
Further the Apple device can be used for deceptive marketing since it can capture signals such as brain waves, muscle movements etc. It can be much more than the wearables like the Watch and interact directly with the brain activity to read the “Neuro-data” generated by the humans.
The background of the invention states:
Brain activity can be monitored using electrodes placed on the scalp of a user. The electrodes may in some cases be placed inside or around the outer ear of the user. Measuring of the brain activity using electrodes placed in or around the outer ear may be preferred due to benefits such as reduced device mobility and decreased visibility of the electrodes when compared to other devices that require electrodes to be placed on visible areas around the scalp of the user…”
In this context the invention is designed as a wearable where the electrodes are invisible. Hence this is eminently suited for deceptive marketing and taking over of human brain activity through remote influence exercised on the human brain.
Imagine that a person wearing this airpod is taking a buying decision. The airpod server knows the buying intention and can broadcast it to vendors who can instantly bid for neuro messages to be sent to influence the purchase in favour of one supplier over the other. This would be like the dynamic advertisement that would be displayed when you search for a product on google.
The society should recognize the potential for misuse of this technology and take steps that such technologies are killed in the bud.
I urge Indian law makers and particularly Mr Rajeev Chandrashekar (expected to be back as IT Minister) to ensure that this AI device should be banned for sale in India or made subject to very strict licensing.
The IPR authorities should also re-consider if they should provide IPR protection to such devices.
In most of the new Privacy laws, IPR is always respected and granted an exemption. But the time has come to put reigns on IPR through other laws. Forget the international treaties on IPR, it is time to reign in IPR laws in preference to laws that are meant to protect the human society.
Let us remember that Technology can be disruptive but not destructive.
Naavi
Refer also:
<a href="https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6479924/" target="_blank" rel="noreferrer noopener">Wearable system for bio signal acquisition and monitoring…</a>
]]></content:encoded>
</item>
<item>
<title>How Will Digital Marketing Survive DPDPA?</title>
<link>https://www.naavi.org/wp/how-will-digital-marketing-survive-dpdpa/</link>
<dc:creator><![CDATA[Vijayashankar Na]]></dc:creator>
<pubDate>Mon, 22 Apr 2024 03:29:14 +0000</pubDate>
<category><![CDATA[Cyber Law]]></category>
<guid isPermaLink="false">https://www.naavi.org/wp/?p=17030</guid>
<description><![CDATA[One of the industries which is directly under threat of survival after DPDPA is the “Digital marketing industry”. Marketing requires understanding the consumer’s buying behaviour and creating a communication that convinces the prospective customer that a given product or service … <a href="https://www.naavi.org/wp/how-will-digital-marketing-survive-dpdpa/">Continue reading →</a>]]></description>
<content:encoded><![CDATA[
One of the industries which is directly under threat of survival after DPDPA is the “Digital marketing industry”.
Marketing requires understanding the consumer’s buying behaviour and creating a communication that convinces the prospective customer that a given product or service satisfies the requirement of the consumer.
The principle of AIDAS namely, Creating Awareness, Generating Interest, Eliciting a Desire, making the product available and achieving satisfaction in the post sale scenario is the formula for successful marketing of any product or service.
If Marketing does not exist, then the products and services will wither away.
An excessive importance to placing restrictions on Consumer Marketing will eventually increase the cost of the product which will fall on the consumer. If the consumer is vary of bearing this cost, he will reject all offers other than the existing brands about which he already has some information. This means that “New Products” and “New Companies” will have a tough time to promote their existence.
Have we as Privacy professionals thought about the difficulties in “Profiling” and “Targeted Advertising” that any privacy law considers as abhorring?
Has the Digital Marketing Industry thought of how they will survive the post DPDPA scenario in India? . If they try any tricks to hood wink the consumer, they may be accused of practicing “Dark Patterns”. If they are too open and ask for consents, they need to be ready for about a response which will be not more than 1% .
If we look at the responses for “Pay Per Clicks” advertising vs “Banner Ads” and the responses in specific sites like Linked in vs advertising in Blogs we will understand that the Clickthrough rate for social media is around 1.36 % (<a href="https://www.statista.com/statistics/872099/social-media-advertising-ctr/" target="_blank" rel="noreferrer noopener">Q2 2023 statistics</a>). This is for a product which is advertised. If we consider “Request for Consent” as an advertisement, then the click through could be even less.
This means that to get 1 consent, an organization may have to spend cost of 100 notices. Currently the “Privacy Policies” as a “Declaration” does not require a specific consent.
This scenario is an existential threat to Digital Marketing Companies.
As consultants it is difficult for us to either advise an organization to ignore this risk or to provide a suitable compliance solution.
Unfortunately the Digital marketing industry and Internet advertising industry in India has not woken up to the problems and designing a sectoral approach to counter the business risks.
I invite industry professionals to write back and let us know what can be done in this aspect.
Naavi
]]></content:encoded>
</item>
<item>
<title></title>
<link>https://www.naavi.org/wp/17026-2/</link>
<comments>https://www.naavi.org/wp/17026-2/#respond</comments>
<dc:creator><![CDATA[Vijayashankar Na]]></dc:creator>
<pubDate>Mon, 22 Apr 2024 02:40:45 +0000</pubDate>
<category><![CDATA[Cyber Law]]></category>
<guid isPermaLink="false">https://www.naavi.org/wp/?p=17026</guid>
<description><![CDATA[]]></description>
<content:encoded><![CDATA[<div class="wp-block-image">
<figure class="aligncenter size-full"><img loading="lazy" width="764" height="106" src="https://www.naavi.org/wp/wp-content/uploads/2024/04/gukesh.png" alt="" class="wp-image-17027" srcset="https://www.naavi.org/wp/wp-content/uploads/2024/04/gukesh.png 764w, https://www.naavi.org/wp/wp-content/uploads/2024/04/gukesh-300x42.png 300w" sizes="(max-width: 764px) 100vw, 764px" /></figure></div>]]></content:encoded>
<wfw:commentRss>https://www.naavi.org/wp/17026-2/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
</item>
<item>
<title>Why DGPSI is the Gold Standard of Compliance to DPDPA?</title>
<link>https://www.naavi.org/wp/why-dgpsi-is-the-gold-standard-of-compliance-to-dpdpa/</link>
<comments>https://www.naavi.org/wp/why-dgpsi-is-the-gold-standard-of-compliance-to-dpdpa/#respond</comments>
<dc:creator><![CDATA[Vijayashankar Na]]></dc:creator>
<pubDate>Sun, 21 Apr 2024 03:18:54 +0000</pubDate>
<category><![CDATA[Cyber Law]]></category>
<guid isPermaLink="false">https://www.naavi.org/wp/?p=17024</guid>
<description><![CDATA[India has been discussing the Data Protection Law for last several years and finally arrived at the DPDPA 2023. The act has been notified with Presidential approval but the notification of an effective date and some rules are pending. We … <a href="https://www.naavi.org/wp/why-dgpsi-is-the-gold-standard-of-compliance-to-dpdpa/">Continue reading →</a>]]></description>
<content:encoded><![CDATA[
India has been discussing the Data Protection Law for last several years and finally arrived at the DPDPA 2023.
The act has been notified with Presidential approval but the notification of an effective date and some rules are pending. We hope this is within the 100 days agenda of the Modi 3.0 Government.
We donot know how generous would be the Government in giving time for implementation. At the same time we also donot know how much time each organization takes to be compliant. However one thing is certain, any organization which starts early is likely to meet the dead line more effectively than others who keep procrastinating.
A question however arises how can any organisation starts compliance program before the rules are notified.
It is true that the rules can make a difference to the compliance program. But a large part of time consuming compliance activities are already identified and we donot need any mor clarification.
It is in this context that the framework DGPSI (Data Governance and Protection Standard of India) which has been designed and developed by Professionals of FDPPI emerges as the Gold standard of DPDPA compliance.
For those who donot know DGPSI, it is time to make efforts to know DGPSI Lite and DGPSI Full versions of framework that meets the compliance levels expected in the Act and ready to meet the needs of the emerging rules.
In fact during DGPSI implementation, accredited auditors of FDPPI use procedures which would be more than sufficient to meet the requirements of the rules.
The probability of compliance to the rules is extremely high if one follows the DGPSI framework and the manual of DGPSI implementation.
We are sure that there will be other frameworks which will come forth from different organizations but DGPSI shall remain the Gold standard since it is future ready and adaptable.
It is not enough if Naavi says that DGPSI is the “Gold Standard”. You need to check and be satisfied.
I invite professionals to raise any questions they have on DPDPA compliance and how DGPSI addresses it and we will be happy to answer each one of them. 
Naavi
]]></content:encoded>
<wfw:commentRss>https://www.naavi.org/wp/why-dgpsi-is-the-gold-standard-of-compliance-to-dpdpa/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
</item>
<item>
<title>Chief Concerns regarding DPDPA Rules</title>
<link>https://www.naavi.org/wp/chief-concerns-regarding-dpdpa-rules/</link>
<comments>https://www.naavi.org/wp/chief-concerns-regarding-dpdpa-rules/#respond</comments>
<dc:creator><![CDATA[Vijayashankar Na]]></dc:creator>
<pubDate>Sat, 20 Apr 2024 03:29:01 +0000</pubDate>
<category><![CDATA[Cyber Law]]></category>
<guid isPermaLink="false">https://www.naavi.org/wp/?p=17016</guid>
<description><![CDATA[India that is Bharath is waiting for the elections to be over and for Mr Modi to come back with a thumping majority. The DPDPA 2023 which was notified with presidential assent needs to be activated within the 100 days … <a href="https://www.naavi.org/wp/chief-concerns-regarding-dpdpa-rules/">Continue reading →</a>]]></description>
<content:encoded><![CDATA[
India that is Bharath is waiting for the elections to be over and for Mr Modi to come back with a thumping majority. The DPDPA 2023 which was notified with presidential assent needs to be activated within the 100 days plan for which we wish that Rajeev Chandrashekar will be back as the IT Minister.
We can expect that just as the <a href="https://naavi.org/uploads_wp/2024/draft_rules_incomplete.pdf" target="_blank" rel="noreferrer noopener">work in progress rules was leaked</a> some time back some body in MeitY is working on the rules.
It is our duty to bring to the notice of the team working on the rules some of our concerns and suggestions.
As per Section 40, at least 25 new rules need to be formulated. Out of these the following 5 rules appear to be of key importance. We would like to propose our suggestions regarding the above.
<div class="wp-block-image">
<figure class="aligncenter size-full is-resized"><img loading="lazy" src="https://www.naavi.org/wp/wp-content/uploads/2024/04/rules_dpdpa_concerns_2.png" alt="" class="wp-image-17017" width="346" height="298" srcset="https://www.naavi.org/wp/wp-content/uploads/2024/04/rules_dpdpa_concerns_2.png 644w, https://www.naavi.org/wp/wp-content/uploads/2024/04/rules_dpdpa_concerns_2-300x259.png 300w" sizes="(max-width: 346px) 100vw, 346px" /></figure></div>
Legacy Data:
Since it is expected that a large number of legacy data principals may not be reachable and may not respond to the new notice, the rules should prescribe the “Reasonable Period” after which the permission is deemed as “Withdrawn”.
The Act now simply states…
“the Data Fiduciary may continue to process the personal data until and unless the Data Principal withdraws her consent.”
This is not in consonance with the spirit of the Act and it cannot be construed that the data can be used for an indefinite period under the excuse that the data principal did not withdraw the consent. It will also be in conflict with the obligations under Section 8(3) to ensure that the data used for processing is “Complete” and “Accurate”.
Also the principle under ITA 2000 is that any privacy policy needs to be renewed not later than one year which therefore becomes an expiry period for the consent in the absence of any other parameter.
The period of 1 year however appears unreasonable in the context of DPDPA 2023. A more reasonable period has to be prescribed and in our view it should not be more than 3 months.
Significant Data Fiduciary
The definition of “Significant Data Fiduciary” could be by far the most important rule to be notified and it is necessary that the Government thinks seriously of the <a href="https://www.naavi.org/wp/significant-data-fiduciary-the-trinity-principle/" data-type="post" data-id="17004">suggestions made in our precious article</a>.
The essence of this suggestion is that the “Tag of Significant Data Fiduciary” is not to be associated with an enterprise as a whole but to specific processes. Under DGPSI, we group processes based on the sensitivity and this should also determine the Significant Data Fiduciary status.
The operating part of the suggestion is to add the following explanation in the rules:
“The term ‘class’ under Section 10(1) of the Act for the application of this rule also applies to any class of personal data process/es that an entity may use where the risk, sensitivity and volume of personal data processed exceeds a specified threshold”
Nomination
If “Nomination” is considered as “Transfer of ownership of an asset on the death of a person” and applied to personal data as a property, then it will be difficult for the Data Fiduciaries to obtain consent through electronic means. We are aware that law does not consider “Nomination” as “Transfer of property” and hence the rights of legal heirs is not affected by the presence of nomination in favour of a person who is not a legal heir. However common people may not be aware of this and may consider “Nomination” as “Bequeathing of property”. If this concept is recognized then electronic consent form cannot be used to register “Nomination” because of Section 1(4) of ITA 2000.
To honour the legal principle that “Nomination” is a procedural convenience adopted by an asset owner to transfer the property to a trusted agent of the property owner for further transfer to legal heirs, an explanation needs to be added as follows.
” Nomination for the purpose of Section 14 of DPDPA 2023 means transfer of custody of personal data and associated digital property in the hands of a data fiduciary to a person designated by the data principal for eventual distribution to the legal heirs. The data fiduciary shall be considered as discharged from his liability of disposal of the digital assets if the custody is properly handed over to the designated nominee”.
A separate procedure for claim settlement can be prescribed for this purpose (Refer to earlier articles in Naavi.org on <a href="https://www.bing.com/search?cp=CODE+PAGE+USED+BY+YOUR+HTML+PAGE&FORM=FREESS&q=deceased+&q1=site%3Awww.naavi.org" target="_blank" rel="noreferrer noopener">digital data of deceased.</a>
Consent Manager
The definition of “Consent Manager” is another area where the Meity may be stuck to their current DEPA framework and needs to think differently. This aspect has also been discussed by <a href="https://www.naavi.org/wp/consent-manager-under-dpdpa/" target="_blank" rel="noreferrer noopener">Naavi.org earlier </a> and a case has been made out that “Consent Manager” under the Account Aggregator concept is different from the “Special Data Fiduciary concept of a consent manager” used in DPDPA. There is also a need for a very strict application of “Fit and Proper” criteria for registering Consent Managers.
If this aspect is neglected, we can see a major scam of theft of personal data for which the negligence of rule makers would be responsible.
Data Auditor
The rules regarding the credentials of a “Data Auditor” is another area of concern where vested interests can play havoc.
I would welcome Meity to introduce its own accreditation of Data Auditors through an open examination and should refrain from using the terms “All Cert In Accredited Auditors shall be considered as deemed to be qualified to be data auditors under the DPDPA 2023”.
Meity can use the guidance available under FDPPI’s C.DPO.DA. Certification course or DGPSI as a framework to structure the accreditation examination for Data Auditors.
The model adopted by MCA in accrediting Independent Auditors or the Law department in accrediting Patent lawyers can be followed for this purpose. The essence of these models is that the Government has a certain norm of an examination and trainings are conducted by different private bodies and not restricted to any one agency as a “Deemed Expert”.
Naavi
]]></content:encoded>
<wfw:commentRss>https://www.naavi.org/wp/chief-concerns-regarding-dpdpa-rules/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
</item>
<item>
<title>Psychological impact on Children from AI teachers</title>
<link>https://www.naavi.org/wp/psychological-impact-on-children-from-ai-teachers/</link>
<comments>https://www.naavi.org/wp/psychological-impact-on-children-from-ai-teachers/#respond</comments>
<dc:creator><![CDATA[Vijayashankar Na]]></dc:creator>
<pubDate>Thu, 18 Apr 2024 07:14:01 +0000</pubDate>
<category><![CDATA[Cyber Law]]></category>
<guid isPermaLink="false">https://www.naavi.org/wp/?p=17014</guid>
<description><![CDATA[A trend is developing where some schools are using humanoid robots in teaching. While there is no doubt that the humanoid robot can be a store house of actual knowledge particularly in our educational system based on a specific curriculum … <a href="https://www.naavi.org/wp/psychological-impact-on-children-from-ai-teachers/">Continue reading →</a>]]></description>
<content:encoded><![CDATA[
A trend is developing where some schools are using humanoid robots in teaching. While there is no doubt that the humanoid robot can be a store house of actual knowledge particularly in our educational system based on a specific curriculum and examination pattern based on learning from text books, the psychological impact of a machine teaching an young mind is perhaps needs to be researched.
If there can be a psychological impact of lack of biological parents for abandoned children, adopted children, single parents etc, there is a possibility that the teacher being non-human may also have its own impact psychologically on the children which perhaps may become evident not now but after another decade.
Do children look forward to an emotional support from the teacher apart from guidance on the topic? A study can be made in schools while some teachers are more popular with the students than others and why some students thrive better under one class teacher than the other.
While I am not inclined to go into the details of how a student may feel being taught by a robot instead of a human teacher as it is a core psychological subject, as some body observing the development of technology and its effect on the society, I am uncomfortable with the impact that the humanoid teacher may have on the development of a student particularly in the primary and middle educational level.
Many of the students are actually averse to learning and only when the teacher presents the concepts interestingly in the form of exercises, activities etc., are able to learn. Will a robot be able to perform similarly?
Can the robot express empathy and understand from the look of the child that today his/her mother must have scolded him or he has some other concern on the back of his mind and is unable to focus? It is doubtful that except a sentient robot others may not be able to come any where near the experience of learning from a human.
Further students in class learn not only about the subject but also about life. In this respect only a human teacher can evoke empathy even in the student who can see his mother in the form of teacher which is unlikely to happen in the case of a humanoid robots.
I wish some psychology student does a research on this subject and come up with some insight on this topic.
Naavi

]]></content:encoded>
<wfw:commentRss>https://www.naavi.org/wp/psychological-impact-on-children-from-ai-teachers/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
</item>
<item>
<title>“Significant Data Fiduciary” …The Trinity Principle</title>
<link>https://www.naavi.org/wp/significant-data-fiduciary-the-trinity-principle/</link>
<comments>https://www.naavi.org/wp/significant-data-fiduciary-the-trinity-principle/#respond</comments>
<dc:creator><![CDATA[Vijayashankar Na]]></dc:creator>
<pubDate>Thu, 18 Apr 2024 03:00:02 +0000</pubDate>
<category><![CDATA[Cyber Law]]></category>
<guid isPermaLink="false">https://www.naavi.org/wp/?p=17004</guid>
<description><![CDATA[In the DPDPA 2023, when the rules are notified, one of the most important aspects which the industry is looking forward to is the notification under Section 10(1) on the identification of a Significant Data Fiduciary. The “Data Fiduciary” (DF) … <a href="https://www.naavi.org/wp/significant-data-fiduciary-the-trinity-principle/">Continue reading →</a>]]></description>
<content:encoded><![CDATA[
In the DPDPA 2023, when the rules are notified, one of the most important aspects which the industry is looking forward to is the notification under Section 10(1) on the identification of a Significant Data Fiduciary.
The “Data Fiduciary” (DF) is an entity that determines the purpose and means of processing of personal data as distinguished from the “Data Processor” who processes the personal data under the instruction from another entity which determines the purpose and means.
There are some instances when one organization determines the purpose and then engages another organization which has full control on the means of processing for the given purpose. In such instances both organizations become “Joint Data Fiduciaries”.
Once this distinction is determined an organization needs to determine whether they are “Significant Data Fiduciaries” or not.
If volume is a criteria there could be many processors who become “Data Fiduciaries”. Firstly since they manage proprietary processing technologies they may become joint Data Fiduciaries. There after, they may become “Significant Data Fiduciaries” since as processors for many Data Fiduciaries, the cumulative volume they handle may exceed the thresholds even if the vendors themselves may operate at low volumes. 
In other words, in today’s chain of processors, the sub contractor (Who is today referred to as a data processor) could be a “SDF” while the main contracting party may be only a “DF”.
Many cloud service providers will fall into the category of SDF where as their users may not be.
It is possible that the determination of when a DF becomes a SDF is not determined only on the basis of “Volume” but also on “Sensitivity”. Sensitivity (including processing of children data) itself is based on the “Risk to the Data Principal” and hence the criteria for determination of SDF status may depend on Volume-Sensitivity-Risk combination.
It is also possible that without consideration of “Volume”, some factors such as ‘Risk’, as well as the ‘impact on sovereignty and integrity of India’, ‘risk to electoral democracy’, ‘security of state’ or ‘public order’ may be considered as independent criteria under which an organization may be classified as SDF .
Hence the primary criteria for identifying SDF status is the “Risk status of Processing” and volume becomes a secondary factor.
The term Data Fiduciary used in DPDPA is similar to the term “Data Controller” under GDPR and hence it would be natural for many to interpret DF from their knowledge of a Data Controller under GDPR.
The current interpretation of Data Controller is that “An Organization is a Data Controller”. If the same is applied in India, an “Organization” becomes a “Data Fiduciary”.
I would however like to challenge this concept of the status of Data Fiduciary being assigned to an organization.
Most of us today accept that an organization is some times a data controller and some times also a data processor. Significant Data Fiduciary is considered another status with special obligations. We identify this as the “Trinity Principle” where an organization can be any one of these categories for compliance purpose.
This “Trinity” principle of an organization seems to remind us of the famous Heisenberg principle of uncertainty applicable to light and matter. The Trinity principle states that an organization in the context of Data Protection context may exist in any of the three states of Data Fiduciary, Significant Data Fiduciary or Data Processor and the controls have to be applied accordingly.
These three different categories of status of an organization adds uncertainty to when the organization should designate a DPO or appoint a DA or when it has the obligations under Section 9. 
It is for this reason that the DGPSI (Data Governance and Protection Standard of India) adopts the principle that
“Every Organization is an aggregation of multiple processes”.
This principle of DGPSI is related to the Trinity principle of categorization of compliance entities and makes it easy to recognise that in one process the organization may be a Data fiduciary and in another a Data Processor. By the same logic, in one process an organization is a “Significant Data Fiduciary” and in another, simply a “Data Fiduciary”.
Thus an organization is like a “Trinity” and in terms of compliance may need to be a Data Processor some times, Data Fiduciary some other times and Significant Data Fiduciary some other times. This can be identified and tagged if we break up an organization into processes of personal information for compliance.
Unfortunately, GDPR did not visualize this possibility and the DPDPA 2023 at the level of he Act has also not visualized this possibility.
However, while framing the rules, it is possible for the Government to bring in this “Trinity Principle” and distinguish our law from the rest of the world.
The Section 10(1) provides an option to notify either any “Data Fiduciary” or a “Class of Data Fiduciary” as a SDF and the Government can use the “Class” as a sub category of a DF and link it to a process.
For example, (after stating the general criteria for determining the data fiduciary), it may state
“The term ‘class’ under Section 10(1) of the Act for the application of this rule applies to any class of personal data process/es that an entity may use where the risk, sensitivity and volume of personal data processed exceeds a specified threshold”
I hope the Meity incorporates this principle when the rules are notified…..
Naavi
Also refer: <a href="https://www.naavi.org/wp/why-not-significant-data-fiduciary-be-process-centric/" target="_blank" rel="noreferrer noopener">Why Not “Significant Data Fiduciary” be Process Centric</a>
]]></content:encoded>
<wfw:commentRss>https://www.naavi.org/wp/significant-data-fiduciary-the-trinity-principle/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
</item>
<item>
<title>100 day agenda of Modi 3.0 to address some old demands of Naavi.org</title>
<link>https://www.naavi.org/wp/100-day-agenda-of-modi-3-0-to-address-some-old-demands-of-naavi-org/</link>
<comments>https://www.naavi.org/wp/100-day-agenda-of-modi-3-0-to-address-some-old-demands-of-naavi-org/#respond</comments>
<dc:creator><![CDATA[Vijayashankar Na]]></dc:creator>
<pubDate>Wed, 17 Apr 2024 01:29:06 +0000</pubDate>
<category><![CDATA[Cyber Law]]></category>
<guid isPermaLink="false">https://www.naavi.org/wp/?p=16996</guid>
<description><![CDATA[As India awaits for the 2024 Lok Sabha elections to be completed and for the new Government to take charge, many of the long pending suggestions of Naavi are likely to find place in the immediate 100 day implementation plan … <a href="https://www.naavi.org/wp/100-day-agenda-of-modi-3-0-to-address-some-old-demands-of-naavi-org/">Continue reading →</a>]]></description>
<content:encoded><![CDATA[
As India awaits for the 2024 Lok Sabha elections to be completed and for the new Government to take charge, many of the long pending suggestions of Naavi are likely to find place in the immediate 100 day implementation plan of the next Modi Government.
One such thing is setting up of the National Cyber Security Agency (NCSA). Another focus area is the control of mobile crimes and introduction of the “Calling Name Presentation (CNAP).
The NCSA will likely to be the umbrella organization for managing Cyber Crime prevention.
<a href="https://economictimes.indiatimes.com/news/india/tackling-mobile-frauds-in-new-govts-100-day-plan-caller-id-service-national-cyber-security-agency-to-be-set-up/articleshow/109323045.cms?from=mdr" target="_blank" rel="noreferrer noopener">Refer Economic Times article here</a>
The NCSA needs to function with a “Cyber Space Jurisdiction” cutting across the State Police Jurisdictions and take over many of the intra state Cyber crimes which have given raise to many mafia centers in Bharatpur, Nuh etc. where criminals are unable to be controlled by the state police for various reasons. Similarly, CNAP should significantly reduce the vishing frauds.
We need similar law and procedure to ensure that E-Mail sender’s identity and domain name identity is also displayed. Without waiting for Google and Proton mail to introduce such systems, NCSA itself should introduce a “Digital Identity Gateway” which should be integrated with the browser and email clients and display the sender identity or domain name registrant identity.
Appropriate consent can be made available by the user of the service without infringing on the Privacy .
Hopefully the rules of DPDPA 2023 will also be released during the same time. Naavi.org may publish a document shortly on the 26+ required notifications that the Government needs to make to indicate that it is not an insurmountable task any way given the intentions.
There is also a proposal for NFIR (National Financial Information Registry Bill). This should change the current <a href="https://unacademy.com/content/bank-exam/study-material/general-awareness/brief-notes-on-credit-information-companies-regulation-act-2005/" target="_blank" rel="noopener">non compliant system run by CIBIL</a> and other rating agencies under the <a href="https://kanoongpt.in/bare-acts/the-credit-information-companies-regulation-act-2005" target="_blank" rel="noopener">Credit Information Companies (Regulation) Act 2005</a> which has conveniently facilitated siphoning off of lakhs of crores worth of data of Indian Bank customers to USA. RBI has in its certification system failed to monitor the activities of these companies and today TransUnion a US Company is the owner of TransUnion CIBIL and personal information provided to Bankers for the purpose of a loan/credit card is without proper consent shared with the US entity. This should stop and the new Act is an opportunity to correct this monumental mistake.
Naavi
]]></content:encoded>
<wfw:commentRss>https://www.naavi.org/wp/100-day-agenda-of-modi-3-0-to-address-some-old-demands-of-naavi-org/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
</item>
<item>
<title>FDPPI Event in Delhi on May 12</title>
<link>https://www.naavi.org/wp/fdppi-event-in-delhi-on-may-12/</link>
<comments>https://www.naavi.org/wp/fdppi-event-in-delhi-on-may-12/#comments</comments>
<dc:creator><![CDATA[Vijayashankar Na]]></dc:creator>
<pubDate>Fri, 12 Apr 2024 01:46:38 +0000</pubDate>
<category><![CDATA[Cyber Law]]></category>
<guid isPermaLink="false">https://www.naavi.org/wp/?p=16988</guid>
<description><![CDATA[The Delhi Chapter of FDPPI is conducting a workshop on DPDPA 2023 Implementation Challenges & Framework, on 12th May 2024 in New Delhi. This will be a day long workshop which will cover the DPDPA and its applicability, how GDPR & ISO 27701 certified … <a href="https://www.naavi.org/wp/fdppi-event-in-delhi-on-may-12/">Continue reading →</a>]]></description>
<content:encoded><![CDATA[
The Delhi Chapter of FDPPI is conducting a workshop on DPDPA 2023 Implementation Challenges & Framework, on 12th May 2024 in New Delhi.
<figure class="wp-block-image size-full"><img loading="lazy" width="724" height="1024" src="https://www.naavi.org/wp/wp-content/uploads/2024/04/dpdpa_2-724x1024-1.png" alt="" class="wp-image-16989" srcset="https://www.naavi.org/wp/wp-content/uploads/2024/04/dpdpa_2-724x1024-1.png 724w, https://www.naavi.org/wp/wp-content/uploads/2024/04/dpdpa_2-724x1024-1-212x300.png 212w" sizes="(max-width: 724px) 100vw, 724px" /></figure>
This will be a day long workshop which will cover the DPDPA and its applicability, how GDPR & ISO 27701 certified companies can adopt DPDPA, CXO Insights implementation guidance and framework.
This is an excellent opportunity to interact with the community of privacy professionals and gain more insights. The workshop will be led by Mr. Na.Vijayashankar (Naavi), Chairman, FDPPI and Mr Ramesh Venkataraman, Director, FDPPI.
The workshop cost is INR 11,000/- (with GST) which includes the course content, lunch, and beverages at the venue.
Early bird offer till Apr 22, 2024 – 15% discount
Group enrolment of 3 or more – 20% discount
Register at <a href="https://forms.gle/SSWsV1W3pHWbkgbV9">https://forms.gle/SSWsV1W3pHWbkgbV9</a>
For queries, write to delhi@fdppi.in/ fdppi4privacy@gmail.com
]]></content:encoded>
<wfw:commentRss>https://www.naavi.org/wp/fdppi-event-in-delhi-on-may-12/feed/</wfw:commentRss>
<slash:comments>1</slash:comments>
</item>
</channel>
</rss>

If you would like to create a banner that links to this page (i.e. this validation result), do the following:

Download the "valid RSS" banner.
Upload the image to your own server. (This step is important. Please do not link directly to the image on this server.)
Add this HTML to your page (change the image src attribute if necessary):

<a href="http://www.feedvalidator.org/check.cgi?url=http%3A//www.naavi.org/wp/%3Ffeed%3Drss2"><img src="valid-rss-rogers.png" alt="[Valid RSS]" title="Validate my RSS feed" /></a>

If you would like to create a text link instead, here is the URL you can use:

http://www.feedvalidator.org/check.cgi?url=http%3A//www.naavi.org/wp/%3Ffeed%3Drss2

Home · About · News · Docs · Terms