Latest news with #DPDPAct


Economic Times
3 days ago
- Business
- Economic Times
Draft data rules introduce potential for data localisation requirements: trade associations to IT ministry
The draft Digital Personal Data Protection (DPDP) rules introduce the potential for new data localisation needs that are inconsistent with the DPDP Act's supportive approach for data flows, trade bodies told the IT ministry in a letter last week. The draft rules were published on January 3. The final rules are yet to be notified. The Information Technology Industry Council, one of the signatories to the letter, counts Big Tech companies like Amazon, Apple, Google, Meta, Microsoft, Nvidia, and OpenAI as its members. 'We urge the government to narrow and align these rules to bring them into alignment with the original intent of the DPDP Act,' the letter's nine signatories said. The other signatories are US India Business Council, Software and Information Industry Association, ACT | The App Association, Asia Internet Coalition, Asia Video Industry Association, Coalition of Services Industries, Computer and Communications Industry Association, and K-Internet. The industry bodies were referring to Rules 12 and 14 of the draft DPDP rules. 'This could be achieved by setting out a clear process, including timelines and safeguards, as well as adequate consultations and timelines for implementing any potential localisation requirements, and determining when and how such data localisation determinations will be made,' the associations said in their letter to the Ministry of Electronics and Information Technology (MeitY), a copy of which was seen by ET. 'We would also urge the government to view any potential restrictions on data free flows from a future "bilateral digital trade" agreement perspective,' the signatories said. The associations also want Rules 3-15, 21 and 22 not to take effect until or after two years from the date of notification.
Rule 22, as currently drafted, provides the potential for an excessively broad scope of government access to private sector data without making clear that this will follow a robust, proportionate, and transparent process with proper avenues of redress and review, they said. Giving further clarity on this process, including by referencing globally-recognised Trusted Government Access principles, would be an effective way to provide clarity and reassurance on this point, they added. The associations supported the Global Cross Border Privacy Rules (CBPR) forum and similar regimes that facilitate the free flow of data across borders, promote interoperability between privacy regimes, and encourage responsible data use and strong privacy protections, they said. Also, personal data breach reporting requires clear, risk-based reporting thresholds to ensure reporting timelines and processes do not end up compromising the efficiency of risk mitigation measures, the associations wrote in their letter dated May 21. They have also asked the MeitY to 'strongly consider' adding back language proposed in previous drafts of the DPDP Act to give critical exclusion for data pertaining to credit reporting to facilitate financial transparency and fraud prevention while supporting financial inclusion. Credit bureaus such as TransUnion CIBIL, Experian, Equifax, and CRIF High Mark are approved by the Reserve Bank of India for operating in the country.


Business Standard
20-05-2025
- Business
- Business Standard
IDfy's Privy unveils 'Data Compass' - India's first DPDPA-focused Data Governance solution
PRNewswire Mumbai (Maharashtra) [India], May 20: As India awaits the official release of the rules of the DPDP Act, one thing is clear - privacy can no longer be an afterthought for companies. With the DPDPA, privacy is becoming the foundational principle for how businesses collect, store, and use digital personal data. With companies gearing up for DPDPA compliance, a key focus area has emerged across the board: data governance. To help companies embrace privacy by design, Privy by IDfy, India's first consent governance suite, has launched Privy Data Compass, a data governance module. This platform enables enterprises to locate, identify, classify, and evaluate digital personal data sitting across their systems. By surfacing these insights, the module helps companies reduce the risk of breaches, ensure proper data disposal, and establish clear accountability for every data point in their ecosystem. This visibility is a critical first step toward enabling explicit consent collection, a key requirement under the upcoming DPDPA framework. "As enterprises gear up for DPDP Act compliance, it's critical to recognize that data governance isn't just an internal function - it must extend across the entire ecosystem. The weakest links often lie with external data processors, vendors, and partners. True trust and compliance require governance frameworks that account for these external risks and embed accountability at every touchpoint," says Malcolm Gomes, COO at IDfy. To address these ecosystem-level risks, Privy Data Compass offers a deep and nuanced approach to data discovery and classification, powered by IDfy's 14 years of experience verifying and processing identity documents at scale across India. It automates the discovery, classification, and cataloging of both structured and unstructured data across enterprise environments - including endpoint devices, CRMs, Google Drive, FTP servers and cloud storage.
With native support for both current and legacy India-specific identifiers like Aadhaar, PAN, Voter ID, etc., the solution accurately detects and categorises documents, including whether PII is masked or unmasked. These deep insights drive automated masking and deletion workflows, executed entirely within the enterprise's infrastructure, ensuring minimal data exposure and maximum control. "Our AI models are trained on India-specific documents of all legacy formats and languages across all Indian states - something most global tools can't match. That's how we verify over 60 million profiles every month, with an average response time of under 2 seconds - all within the enterprise's own infrastructure. Having operated at the intersection of identity and compliance for years, our deep understanding of evolving document formats keeps us a step ahead," says Nikhil Jhanji, DSCI-certified DPO at IDfy. Privy's Data Compass is also one of the few privacy products in India that offers endpoint scanning, helping organizations ensure that PII data isn't lingering on employee laptops or field agent devices. This is especially crucial for the BFSI and insurance sectors, where agents often collect sensitive data locally before uploading it. Data governance is the bedrock of meaningful privacy programs, strengthening downstream efforts like consent, risk, and rights management. With IDfy's new product offering, enterprises gain accurate, context-rich visibility into their data, enabling smarter, more actionable compliance. As the foundational layer of the privacy stack, it not only supports regulatory readiness under the DPDP Act but also drives long-term business value. With large organizations already piloting the solution, Privy by IDfy is emerging as the trusted privacy partner for enterprises in India.
About Privy by IDfy: Privy is India's leading Consent Governance suite, enabling organizations to manage user consent for Personally Identifiable Information (PII) in line with the DPDP Act requirements. By prioritizing transparency and trust, Privy helps businesses establish robust compliance practices. Privy empowers your Data Protection Officer to strengthen customer trust, govern data responsibly, and stay ahead of regulatory expectations. It provides solutions for: 1. Consent & Rights Management 2. Data Governance 3. Risk Management 4. Continuous Compliance
About IDfy: As an Integrated Identity Platform, IDfy scales trust by empowering businesses to verify identity products, detect fraud, and ensure compliance with identity authentication at its core, ensuring security and regulatory adherence. A pioneer in digital trust for over 13 years, IDfy enables more than 2 million authentications every single day.


Mint
20-05-2025
- Business
- Mint
Flight safety 2.0: Online booking platforms must guard the privacy of our personal data
The Digital Personal Data Protection (DPDP) Act of 2023 has been viewed as a crucial step in safeguarding Indian data and privacy in digital spaces. With the growing reliance on the internet for various services globally, online businesses have seen a significant surge, particularly in fields like airline ticket reservations. Services such as MakeMyTrip and Goibibo that allow one to make bookings online, as well as the websites of airlines like IndiGo, Air India, etc., have transformed how people plan and book a trip. These websites deal with and store private information that includes names, contact details, travel plans, payment method details and even data from official identity-proof documents such as passports and PAN or Aadhaar cards.
All these pieces of information fall under the definition of 'personal data' under Section 2(t) of the DPDP Act because they can be used to identify the person to whom they belong. Even though online reservations are convenient, they raise privacy concerns. There are risks of mass data breaches and the unauthorized use of an individual's data stolen from these databases.
Data minimization: Under Section 4 of the DPDP Act, online platforms for flight bookings, classified as 'data fiduciaries,' must seek the express and informed consent of users before they process their personal data. The Supreme Court, in its K.S. Puttaswamy vs Union of India judgment, held that privacy is a basic constitutional right flowing from Article 21 of the Constitution. This necessitates not only explicit consent, but also data minimization, a principle that entails collecting, processing and storing only the least personal data required for a specific purpose. Online travel agencies often collect a huge amount of information, even though some of it may not strictly be required for reservations. For instance, the details of a user's occupation are often requested for profession-based discount offers. But under the DPDP law, the right to privacy demands that only necessary data shall be procured and processed.
Security and accuracy: Section 8 of the DPDP Act places an obligation on data fiduciaries like online travel agencies to ensure the security and accuracy of personal data collected. The security measures that are required to be implemented include encryption as well as secure payment gateways for customers to pay, in addition to periodic audits. In Google India Pvt Ltd vs Visakha Industries Ltd (2019), the Supreme Court clarified the liability of intermediaries to safeguard the data of their users.
Data erasure: Section 12 of the Act grants people a number of rights, including the right to correct, complete, update or erase their data. This will mean that customers can ask an airline or travel agency to delete their data after the end of their journey (or whenever required). This is in line with directives provided by various court judgments, like the landmark judgment of K.S. Puttaswamy and the 2023 case of Mrs. X vs Union of India, where the court emphasized the need for people to be in control of their personal data.
Penalties: The DPDP Act prescribes stringent punishments. It imposes a large fine for a failure to secure personal data, especially in case of a data breach. This measure is expected to make airlines and reservation systems tighten their internal data security systems and thereby decrease the possibility of data breaches. In 2018, the UK Information Commissioner's Office imposed a fine of £20 million on British Airways after the details of over 400,000 clients were leaked through a breach. This could happen with any airline. In fact, in the Air India data breach of 2021, the personal data of approximately 4.5 million individuals was reportedly compromised, an event that led the air carrier to establish stricter internal security measures.
Cross-border data transfers: Another major challenge could be the cross-border transfer of data in case of international travel via foreign airlines through bookings done on domestic platforms. The movement of personal information across national boundaries poses a problem, as different jurisdictions follow different laws. For instance, the EU's General Data Protection Regulation has stringent norms for cross-border data transfers and requires additional safeguards, whereas India's DPDP law is a bit more lenient and permits cross-border transfers unless explicitly prohibited. The law gives the Indian government the authority to blacklist countries for data transfers. As a result, companies in the civil aviation sector will have to navigate varying regulatory requirements and adjust their policies accordingly whenever a country is blacklisted.
Flight safety 2.0: The DPDP Act is aimed at providing an environment of openness and trust in digital services, as it endeavours to protect personal data through well-defined rules related to data protection. Online booking platforms will have to revise and refine their procedures for collecting, storing and processing data in order to comply with the law. Such adjustments will likely lead to higher expenditure, as online platforms will be required to implement robust cyber security protocols, conduct regular employee training and periodically review the digital systems procured from third-party vendors to ensure compliance. Overall, these measures will not only enhance the security and reliability of travel booking platforms, but also foster greater confidence and trust among their users.
The author is a former member of the Rajya Sabha, former CAG bureaucrat and founding partner of A&N Legal Solutions LLP.

