Latest news with #DigitalPersonalDataProtection


Economic Times
2 days ago
- Business
- Economic Times
Draft data rules introduce potential for data localisation requirements: trade associations to IT ministry
The draft Digital Personal Data Protection (DPDP) rules introduce the potential for new data localisation needs that are inconsistent with the DPDP Act's supportive approach for data flows, trade bodies told the IT ministry in a letter last week. The draft rules were published on January 3. The final rules are yet to be notified.

The Information Technology Industry Council, one of the signatories to the letter, counts Big Tech companies like Amazon, Apple, Google, Meta, Microsoft, Nvidia, and OpenAI as its members.

'We urge the government to narrow and align these rules to bring them into alignment with the original intent of the DPDP Act,' the letter's nine signatories said. The other signatories are US India Business Council, Software and Information Industry Association, ACT | The App Association, Asia Internet Coalition, Asia Video Industry Association, Coalition of Services Industries, Computer and Communications Industry Association, and K-Internet.

The industry bodies were referring to Rules 12 and 14 of the draft DPDP rules. 'This could be achieved by setting out a clear process, including timelines and safeguards, as well as adequate consultations and timelines for implementing any potential localisation requirements, and determining when and how such data localisation determinations will be made,' the associations said in their letter to the Ministry of Electronics and Information Technology (MeitY), a copy of which was seen by ET.

'We would also urge the government to view any potential restrictions on data free flows from a future "bilateral digital trade" agreement perspective,' the signatories said.

The associations also want Rules 3-15, 21 and 22 not to take effect until or after two years from the date of notification.

Rule 22, as currently drafted, provides the potential for an excessively broad scope of government access to private sector data without making clear that this will follow a robust, proportionate, and transparent process with proper avenues of redress and review, they said. Giving further clarity on this process, including by referencing globally-recognised Trusted Government Access principles, would be an effective way to provide clarity and reassurance on this point, they added.

The associations supported the Global Cross Border Privacy Rules (CBPR) forum and similar regimes that facilitate the free flow of data across borders, promote interoperability between privacy regimes, and encourage responsible data use and strong privacy protections, they said.

Also, personal data breach reporting requires clear, risk-based reporting thresholds to ensure reporting timelines and processes do not end up compromising the efficiency of risk mitigation measures, the associations wrote in their letter dated May 21.

They have also asked the MeitY to 'strongly consider' adding back language proposed in previous drafts of the DPDP Act to give critical exclusion for data pertaining to credit reporting to facilitate financial transparency and fraud prevention while supporting financial inclusion. Credit bureaus such as TransUnion CIBIL, Experian, Equifax, and CRIF High Mark are approved by the Reserve Bank of India for operating in the country.


Times of India
22-05-2025
- Business
- Times of India
Confiex launches platforms for streamlined procurement and audit
Confiex Data Room Private Limited, a virtual data room provider in India, recently announced the launch of DocullyVDR E–Tender and DocullyVDR E–Audit. These enterprise-class solutions are designed to improve procurement and auditing processes across India's public and private sectors. The introduction of these platforms occurs as India implements the Digital Personal Data Protection (DPDP) Act and increases scrutiny of procurement and audit practices. Confiex states that these tools offer improved transparency, accountability, and speed in governance workflows. Harvinder Singh, Founder and CEO of Confiex Data Room, said the company aims to reduce friction, prevent information leaks, and build a culture of audit readiness and competitive fairness with these platforms. He noted that the solutions are customized for India, based on its legal system, hosted in government-approved data centers, and built with data security. DocullyVDR E–Tender provides an end-to-end system for managing tenders. It includes features for controlled RFP distribution, real-time Q&A, encrypted bid submissions, and centralized evaluation, intended to limit manipulation or insider influence. Singh also emphasized the significance of data sovereignty for India's digital future, citing the rise in cyberattacks. He explained that Confiex uses MEITY-approved Microsoft Azure Data Centres to ensure compliance with Indian regulations and provide security features that give organizations better control over their sensitive data. DocullyVDR E-Tender and E-Audit represent Confiex's effort to gain a strong position in India's growing e-tender and digital audit market by prioritizing compliance, speed, and local data control. 
Singh believes their platforms will empower India to manage its digital assets under its own legal jurisdiction with increased transparency and trust.


Mint
20-05-2025
- Business
- Mint
Flight safety 2.0: Online booking platforms must guard the privacy of our personal data
The Digital Personal Data Protection (DPDP) Act of 2023 has been viewed as a crucial step in safeguarding Indian data and privacy in digital spaces. With the growing reliance on the internet for various services globally, online businesses have seen a significant surge, particularly in fields like airline ticket reservations. Services such as MakeMyTrip and Goibibo that allow one to make bookings online, as well as the websites of airlines like Indigo, Air India, etc, have transformed how people plan and book a trip. These websites deal with and store private information that includes names, contact details, travel plans, payment method details and even data from official identity-proof documents such as passports and PAN or Aadhaar cards.

All these pieces of information fall under the definition of 'personal data' under Section 2(t) of the DPDP Act because they can be used to identify the person to whom it belongs. Even though online reservations are convenient, they raise privacy concerns. There are risks of mass data breaches and the unauthorized use of an individual's data stolen from these databases.

Data minimization: Under Section 4 of the DPDP Act, online platforms for flight bookings, classified as 'data fiduciaries,' must seek the express and informed consent of users before they process their personal data. The Supreme Court, in its K.S. Puttaswamy vs Union of India judgment, held that privacy is a basic constitutional right flowing from Article 21 of the Constitution. This necessitates not only explicit consent, but also data minimization, the principle of which entails collecting, processing and storing only the least personal data required for a specific purpose. Online travel agencies often collect a huge amount of information, even though some of it may not strictly be required for reservations. For instance, the details of a user's occupation are often requested for profession-based discount offers. But under the DPDP law, the right to privacy demands that only necessary data shall be procured and processed.

Security and accuracy: Section 8 of the DPDP Act places an obligation on data fiduciaries like online travel agencies to ensure the security and accuracy of personal data collected. The security measures that are required to be implemented include encryption as well as secure payment gateways for customers to pay, in addition to periodic audits. In Google India Pvt Ltd vs Visakha Industries Ltd (2019), the Supreme Court clarified the liability of intermediaries to safeguard the data of their users.

Data erasure: Section 12 of the Act grants people a number of rights, including the right to correct, complete, update or erase their data. This will mean that customers can ask an airline or travel agency to delete their data after the end of their journey (or whenever required). This is in line with directives provided by various court judgments, like the landmark judgment of K.S. Puttaswamy and the 2023 case of Mrs. X vs Union of India, where the court emphasized the need for people to be in control of their personal data.

Penalties: The DPDP Act prescribes stringent punishments. It imposes a large fine for a failure to secure personal data, especially in case of a data breach. This measure is expected to make airlines and reservation systems tighten their internal data security systems and thereby decrease the possibility of data breaches. In 2018, the UK Information Commissioner's Office imposed a fine of £20 million on British Airways after the details of over 400,000 clients were leaked through a breach. This could happen with any airline. In fact, in the Air India data breach of 2021, the personal data of approximately 4.5 million individuals was reportedly compromised, an event that led the air carrier to establish stricter internal security measures.

Cross-border data transfers: Another major challenge could be the cross-border transfer of data in case of international travel via foreign airlines through bookings done on domestic platforms. The movement of personal information across national boundaries poses a problem, as different jurisdictions follow different laws. For instance, the EU's General Data Protection Regulation has stringent norms for cross-border data transfers and requires additional safeguards, whereas India's DPDP law is a bit more lenient and permits cross-border transfers unless explicitly prohibited. The law gives the Indian government the authority to blacklist countries for data transfers. As a result, companies in the civil aviation sector will have to navigate varying regulatory requirements and adjust their policies accordingly whenever a country is blacklisted.

Flight safety 2.0: The DPDP Act is aimed at providing an environment of openness and trust in digital services, as it endeavours to protect personal data through well-defined rules related to data protection. Online booking platforms will have to revise and refine their procedures for collecting, storing and processing data in order to comply with the law. Such adjustments will likely lead to higher expenditure, as online platforms will be required to implement robust cyber security protocols, conduct regular employee training and periodically review the digital systems procured from third-party vendors to ensure compliance. Overall, these measures will not only enhance the security and reliability of travel booking platforms, but also foster greater confidence and trust among their users.

The author is a former member of the Rajya Sabha, former CAG bureaucrat and founding partner of A&N Legal Solutions LLP.


Economic Times
19-05-2025
- Business
- Economic Times
Digitally safe & sound
Dismissing a petition by PhonePe against a police notice related to a 2022 online sports betting investigation, Karnataka High Court recently ruled that digital payment intermediaries are not fully immune from disclosing users' confidential transaction details and account credentials in criminal cases. The ruling underscores the delicate balance between privacy, security and growth. How India navigates this terrain will shape civil liberties, and define its economic trajectory.

The 2017 Supreme Court judgment in 'Justice K S Puttaswamy (Retd) vs Union of India' recognised privacy as a fundamental right, aligning India with progressive global data protection standards and bolstering user confidence, a vital ingredient for digital commerce. But the apex court also stipulated that this right is not absolute, and must be harmonised with other compelling state interests. To this end, the 'proportionality test' was established - a nuanced, 4-pronged framework requiring any state intrusion into privacy to:

- Have a legitimate aim.
- Be necessary in a democratic society.
- Be proportionate to the need.
- Include robust procedural safeguards against abuse.

This test is a fulcrum upon which interests of individual liberty and collective security must be balanced, ensuring neither an anarchic digital space nor an overreaching surveillance state. For the digital economy, this framework promises predictability and fairness, both essential for attracting investment and fostering innovation.

National security, undeniably, presents one of the most essential legitimate aims. In an era where digital platforms can be exploited for terrorism, sophisticated cyber warfare and large-scale economic fraud, the state's primary responsibility to protect its citizens and its economic stability is paramount. Legislative tools such as Section 69 of the IT Act, enabling lawful interception, and Digital Personal Data Protection (DPDP) Act, reflect this pressing reality. DPDP Act, while aiming to create a data protection regime, rightly includes exemptions for processing personal data in the interest of India's sovereignty, security, public order, and prevention or investigation of offences. Such provisions are pragmatic necessities. The PhonePe case underscores this, affirming that while consumer privacy is vital, it cannot serve as an impenetrable shield for illicit activities that undermine the integrity of our financial systems.

Nevertheless, privacy advocates correctly argue that privacy and security are not adversarial. Robust privacy protections can, in fact, bolster security by shielding citizens from identity theft, financial scams, and the chilling effects of undue surveillance that can stifle innovation and free expression, the lifeblood of a dynamic digital economy. The apprehension that expansive surveillance powers without stringent oversight could mirror the Orwellian state is a legitimate fear. An environment of perceived pervasive surveillance can erode public trust, discouraging participation in the digital economy and potentially driving data and talent to jurisdictions perceived as more optimal path forward, therefore, is not a binary choice between privacy and security, but a commitment to the proportionality principle. This means any restriction on privacy must be demonstrably necessary, narrowly tailored and subject to rigorous India's digital economy, this translates into actionable imperatives:

Necessity and specificity: Surveillance must be a tool of last resort, targeted at genuine, identifiable threats, not a broad dragnet. This will ensure that most citizens and businesses can operate freely, fostering a climate of trust.

Robust oversight mechanisms: Independent judicial or parliamentary review of surveillance requests is crucial. Transparent, accountable oversight builds confidence that these powers are not being misused, which is essential for domestic and international business confidence.

Data minimisation and purpose limitation: Entities, both public and private, should collect necessary data and use it only for specified, legitimate purposes. This reduces the attack surface for breaches and limits the scope of potential government requests.

Transparent frameworks: While operational details of security measures must remain confidential, legal and procedural frameworks governing data access must be clear and publicly accessible. This predictability is key for businesses to navigate the regulatory leaders, innovators and stakeholders in India's growth story understand that a stable, predictable and rights-affirming regulatory environment is the bedrock of economic prosperity. When citizens trust that their data is protected and that state powers are exercised judiciously, they engage more readily in the digital marketplace. When businesses trust that the rules are clear and fairly-applied, they invest with greater High Court's stance reflects the nuanced balancing act required. By diligently applying the proportionality framework, we can cultivate an ecosystem where privacy and security are not seen as conflicting forces, but as complementary pillars supporting a vibrant, secure and equitable digital future.

(The writer is former secretary, consumer affairs, GoI)