Latest news with #DPDPAct

The Wire
a day ago
- Business
- The Wire
InCorp Advisory, an Ascentium Company, strengthens Digital & Cyber Risk Practice with acquisition of Ken & Co.
This strategic expansion positions InCorp India as a Premier Cybersecurity and Risk Advisory with AI-enabled Assurance, Cybersecurity, and Data Privacy Compliance Services
MUMBAI, India, July 21, 2025 /PRNewswire/ -- InCorp Advisory, an Ascentium Company (InCorp India) and one of India's leading corporate services providers, has strategically acquired Ken & Co., a specialised Governance, Risk, and Compliance (GRC) consulting firm. This acquisition strengthens its position as a premier global cybersecurity and risk advisory partner serving multinational corporations and global outsourcing operations. This acquisition also enhances InCorp India's capabilities to provide turnkey Enterprise Risk Management solutions for fast growing companies.
Ken & Co. brings deep expertise in critical regulatory and global service areas, including Regulatory Cybersecurity Compliance (including CSCRF), IT Audit & Assurance, Data Privacy Advisory (including GDPR and DPDP Act), SOC Advisory Services, Cross-Border Cybersecurity Assessments and Cyber maturity assessments with penetration testing capabilities.
"Our acquisition of Ken & Co. aligns with InCorp India's vision to deliver future-ready risk, compliance, and assurance services," said Manish Modi, CEO for InCorp Advisory, an Ascentium Company (InCorp India). "It strengthens our portfolio amid rising cybersecurity and regulatory demands, deepens our GRC practice, and expands our footprint in India."
CA Narasimhan Elangovan, founder of Ken & Co. and a recognized expert in digital assurance and data privacy, will join InCorp India's leadership team to lead the Cybersecurity Practice. His expertise in regulatory cybersecurity frameworks, data privacy, and global outsourcing assurance will be instrumental in expanding InCorp India's international digital risk consulting capabilities.
In the recent past, InCorp India has been strategically strengthening its service portfolio through selective acquisitions of specialised professional services firms that align with its long-term growth strategy. By integrating niche firms with proven track records, such as Ken & Co., InCorp India continues to build a multidisciplinary platform positioned for the evolving regulatory and digital landscape.
About InCorp Advisory
InCorp Advisory, an Ascentium Company (InCorp India) offers services across strategy, consulting, compliance, taxation, sustainability, risk, and outsourcing for clients around the world. InCorp India operates from offices in Mumbai, Bangalore, Chennai, New Delhi, and GIFT City in India. As part of Ascentium, a global business services platform with more than 2,300 professionals across 44 cities in 22 markets spanning Asia-Pacific (APAC), the Middle East, the Americas, and Europe, supporting over 50,000 client entities, InCorp is expanding opportunities for our clients and partners by offering access to new markets and an even broader range of corporate services, finance and accounting, HR services, as well as fiduciary and trust services.
About Ken & Co.
Ken & Co. is a boutique consulting firm based in Bengaluru, specialising in Governance, Risk, and Compliance (GRC) with a strong emphasis on technology-driven assurance. Ken & Co. has delivered value to clients through digital audits, privacy and cybersecurity services, and data-driven compliance strategies.
(Disclaimer: The above press release comes to you under an arrangement with PRNewswire and PTI takes no editorial responsibility for the same.)


Time of India
4 days ago
- Health
- Time of India
The 'legitimate' excuse of assumed consent
By Priyam Sharma
Imagine being curled up on your sofa, giggling while watching cat memes on social media, and then suddenly seeing a post of yourself by your nutritionist. Highlighted in bright yellow and green are your name, health issues, and the weight loss they claim to have caused with 'best results' (because you chose to eat greens, but that's another story). In disbelief, you check the post: your picture zoomed in, the unblurred before-and-after version, your name and health details served up like a rationalised bhel puri to the janta janaardhan, all so they can trust and choose this nutritionist, the self-acclaimed people transformer. When confronted, this nutritionist says the most cliché thing ever: 'Oh, I thought you were okay with sharing. This post was meant to inspire others.' Think of a gym trainer proudly posting your before-after transformation shots and your abs, or a hospital showcasing your recovery story on their Instagram handle, all without expressly asking if you were okay with it. From fitness apps flaunting user weight-loss journeys to clinics broadcasting patient recoveries, the line between consent and assumption blurs dangerously under this broad notion of 'legitimate use.' Indian law has been fairly clear on this point for years: the Information Technology Act, 2000 and its rules explicitly state that no body corporate (a term broad enough to include firms, sole proprietors, partnerships and others engaged in commercial or professional activities) can share such sensitive personal data without explicit consent, failing which it attracts liability under Section 43A. This right also flows from the broader right to life and personal liberty under Article 21 of the Constitution, as reaffirmed by the Supreme Court in K. Puttaswamy vs Union of India (2017) 10 SCC 1, which recognised privacy as a fundamental right.
But does the new Digital Personal Data Protection Act, 2023 (DPDP Act), enacted to build a robust data protection framework for India's digital ecosystem, offer equally airtight safeguards? Section 6 of the DPDP Act certainly appears to do so: it requires that consent must be 'free, specific, informed, unconditional and unambiguous,' underlining that it cannot simply be presumed. However, Section 7(a) then steps in and introduces a potential grey area. It states that when a person has voluntarily provided their personal data to a data fiduciary and has not indicated that they do not consent to its use, the data fiduciary may process it, so long as it is reasonably expected for that purpose. But here lies the catch: Section 7 itself carries the heading 'Certain Legitimate Uses,' but the actual text of 7(a) does not define the phrase 'legitimate uses', leaving much to interpretation. What it effectively means is that a data fiduciary can process such voluntarily given data without seeking fresh explicit consent, provided it's for the purpose it was reasonably expected for, and the individual did not expressly object. This creates room for contrasting interpretations: some might argue that once someone has shared their data and hasn't said 'don't use it,' the door could be interpreted as wide open, particularly in the absence of clear statutory safeguards or regulatory guidance on what constitutes 'reasonable expectation.' Others would insist that the individual remains the sole decider of what they have explicitly consented to, knowingly or unknowingly, and that silence or ignorance cannot morph into blanket consent for any kind of processing under Section 7(a).
Meanwhile, sub-sections (b) to (i) of Section 7 are considerably more specific: (b) deals with situations where a person disclosed data to avail benefits like subsidies from the State, (c) allows sharing for performance by the State or in the interest of sovereignty and security, while (d) to (i) cover compliance with laws and judgments, responding to medical emergencies, providing medical treatment, employment-related uses, and safeguarding the employer. The scope of Section 7(a), therefore, must necessarily be analysed case by case, considering the facts and the clear intent of the person providing the data. In the earlier example, the person's disclosure of medical history was strictly for obtaining a health plan; it can hardly be stretched to justify broadcasting it on social media. Because tomorrow, it might not just be your weight. It could be your genome, your mental health history, or the trail of everywhere you've been. Is that really the future of consent we are comfortable with? (The author is an advocate practising before the Bombay High Court, with prior experience at Crawford Bayley & Co. and Cyril Amarchand Mangaldas. Views expressed are personal.)


Hans India
15-07-2025
- Politics
- Hans India
RTI vs Privacy: And the twain shall never meet
The clash between the Right to Information Act (RTI) 2005, and the Digital Personal Data Protection Act (DPDP) 2023 raises critical constitutional and jurisprudential issues: RTI is rooted in Article 19(1)(a) freedom of speech and expression — which includes the right to receive information. DPDPA draws strength from Article 21, as interpreted in the K S Puttaswamy ruling, which declared privacy a fundamental right. The legal challenge lies in reconciling these two rights when they come into direct conflict. When India passed the Right to Information Act in 2005, it was hailed as a revolutionary tool for empowering citizens and holding public authorities accountable. Two decades on, we now face a growing threat to that hard-won transparency, courtesy the Digital Personal Data Protection (DPDP) Act 2023. Billed as a progressive law meant to safeguard our digital privacy, the DPDP Act is ironically being used as a potent weapon to deny citizens access to critical information. Government officials can now refuse RTI requests by invoking a broad, often vaguely defined shield of 'personal data'. The result? People are increasingly denied information about how public funds are used, who benefits from welfare programs, and whether officials have misused their positions. Privacy and public interest: Section 8(1)(j) of the RTI Act upholds privacy where necessary, balancing it against public interest. The introduction of an overriding DPDP regime, without clearly defining the scope of exemptions or the hierarchy of laws, creates a dangerous ambiguity. Unless the judiciary or legislature intervene and clarify or harmonise application of these laws, the citizens' right to know may be systematically undermined, particularly when accessing information about the state. This isn't just a bureaucratic tiff between two laws. It is a democratic dilemma. 'Privacy' is being twisted into a legal fig leaf to hide public wrongdoing.
What's more alarming is the power imbalance it creates. Lower-level officers — often under political pressure — are now arbiters of what counts as 'personal data,' overriding the established RTI mechanism. Add to this the fact that many states, like Telangana and Andhra Pradesh, don't even have functional RTI commissions, due to which thousands of applications are piling up, unanswered. Privacy is a fundamental right as upheld by the Supreme Court in the 2017 Puttaswamy judgment. The RTI Act includes safeguards like Section 8(1)(j) to protect privacy, disclosing personal information only when it serves a larger public interest. Given this facility, there was no need for another opaque filter. The DPDP Act must not become a smokescreen for stonewalling accountability. Parliament, courts, and civil society must act before we lose one of the most powerful instruments of participatory democracy. Though recently the Chief and four Information Commissioners have been appointed in Telangana, there are still vacancies all over India. There is a need to prioritise issues: 1. Appoint RTI commissioners immediately in states where they do not exist; 2. Reinforce RTI institutions; 3. Amend the DPDP Act to honour RTI's public interest provisions; 4. Train officials so that they can distinguish between legitimate privacy and public transparency; 5. Demand clarity on when RTI should override DPDP, especially in cases pertaining to governance and misuse of public funds. Accountability without RTI! This will invariably have a chilling effect on investigative journalism and civic activism; the government data might become opaque and inaccessible; citizens will face hurdles when seeking even their own data, if deemed protected under DPDP. There is a need for clear demarcation on when RTI trumps DPDP, especially in public interest.
Civil society should challenge the amendments in courts or through public mobilisation, besides building civil society pressure by petitioning Parliament to amend or roll back harmful provisions. This will also result in a decrease in government accountability due to increased opacity. Let's take a look at a recent judgment by the CIC on this conflict: Most of the requests for police related information are stonewalled on the 'privacy' excuse, seldom rightly. That is the major conflict. The Central Information Commission (CIC) (CIC/UTOJK/A/2024/116027 KULDEEPRAJ Vs. UT of Jammu and Kashmir) dismissed a Second Appeal filed against J&K's Home Department and made it unequivocally clear that the RTI Act is not a tool to intrude into personal lives, especially where no public interest is involved. On February 26, 2024, Kuldeep Raj, a resident of Jammu district, wanted to know from the state PIO Home Department information regarding joining reports, selection orders, SROs, category certificates, transfer and promotion details of two police personnel. The First Appellate Authority eventually transferred the matter to the Police Headquarters (PHQ), J&K, in May last year. The appellant filed a Second Appeal before the CIC. During the final hearing held a few days back, the Central Information Commission upheld the PIO's denial of information, stating: 'The requested information qualifies as personal information of third parties and is therefore exempt from disclosure under Section 8(1)(j) of the RTI Act, 2005'. The appeal was filed by an advocate, who sought details of complaints filed by one Fareed Ahmad Chouhan from Ganderbal, including the number of complaints, their nature, status and related documents. 
The application dated January 11, 2024, was turned down by the Central Public Information Officer (CPIO) of ACB, Kashmir, because disclosure of such information could endanger the life or physical safety of the complainant and could possibly obstruct ongoing investigations or prosecutions. These reasons were cited under Sections 8(1)(g) and 8(1)(h) of the RTI Act, 2005, which exempt disclosure of sensitive information that may harm individual safety or compromise investigative processes. The CIC emphasised that no element of larger public interest was invoked by the appellant to justify overriding the privacy protections enshrined in the law. The Commission cited the Supreme Court's 'Central Public Information Officer, Supreme Court of India Versus Subhash Chandra Agarwal', which held that personal records, including service details, ACRs, financial disclosures, and medical records, are not subject to public disclosure unless a compelling public interest is established. 'The RTI Act is not a surveillance tool and cannot be used to gather personal details of others without a strong and demonstrated public cause,' the CIC noted, adding 'service records of police personnel fall under personal information'. The CIC ruled that ACB J&K had provided a valid and appropriate reply, justifying the denial based on exemptions under the law. 'The safety of individuals and integrity of law enforcement processes must be protected over disclosure of information where no overriding public interest is demonstrated', the Commission said. He further said: 'Disclosing such information may expose the whistleblower to victimization or harassment and could derail sensitive investigations,' the Commission observed, adding 'the appellant has failed to establish any larger public interest that would warrant overriding the exemptions provided under the Act'. This order looks to be a denial to the applicant. 
The entire question is about what is 'overriding the exemptions' on what compelling public interest is. The PIO, First and Second appeals are heavily dependent upon the 2019 judgment. Instead of going through the time-consuming process of using RTI methodology, the applicant may have to go to a writ petition. All petitioners invariably face the same questions. Another bundle of cases will add to the heavy pendency. Advocates are happy, and judges will be using the time to discuss these old issues. And the victims are the applicants. This transparency watchdog will go a long way in deterring those who are using the RTI Act to breach privacy rights based on the risk of violating privacy, for which the DATA Act prescribed heavy, exorbitant penalties. The judges quite easily use 'the balance between transparency and protection of whistleblowers'. (The writer is Advisor, School of Law, Mahindra University, Hyderabad)


Time of India
02-07-2025
- Business
- Time of India
Navigating the DPDP Act: Essential Compliance Strategies for Hotels, ET HospitalityWorld
The Digital Personal Data Protection Act, 2020 (DPDP Act) constitutes a pivotal shift in India's privacy landscape, by establishing a comprehensive legal framework for the protection of personal data in the modern global digital economy. The DPDP Act establishes a rights-based framework designed to balance user privacy rights with the legitimate interests of data processing by organisations and government. Within the DPDP Act is a structured set of obligations on organizations that process 'personal data' – known as Data Fiduciaries – to ensure processing is done lawfully, securely, and transparently with due regard for the rights of individuals. The definition of personal data includes any data that relates to an identifiable individual - from sensitive financial details like credit card numbers to seemingly minor information like hotel guest preferences, such as whether one prefers a smoking its heart, the DPDP Act empowers individuals with greater control over their personal data. Specifically, the DPDP Act includes a focus on consent to process personal data and creates personal rights for individuals, similar to the EU GDPR and other international privacy laws. The DPDP Act seeks to reframe individuals from passive subjects of data collection to active participants in the construction of their own digital identity. It elevates the one-time checkbox into a dynamic and revocable dialogue between individuals and the organisations handling their data.
However, to implement this vision, hotels will need to radically change the way they organize and handle personal to meet these obligations can lead to significant penalties - up to ₹250 crores for inadequate security measures that result in data breaches. Other fines include ₹200 crores for unreported breaches involving children's data, ₹150 crores for lapses by significant data fiduciaries, and ₹50 crores for general with the DPDP Act not only fulfils a legal obligation but also builds public trust. Mature privacy programs enhance a hotel's reputation and reduce the risk of data breaches and can therefore serve as a competitive edge in B2C also worth noting that most Directors and Officers insurance policies in India exclude cyber risks. Similarly, many cyber insurance policies do not cover liabilities arising from contractual obligations related to data handling. As a result, organizations must carefully negotiate and define data-related responsibilities in contracts to avoid unexpected exposure. However, even with contracts in place, the DPDP Act makes it clear that Data Fiduciaries remain legally responsible for compliance, regardless of any contractual full enforcement of the DPDP Act rapidly approaching, this is an opportunity for businesses to proactively strengthen their privacy infrastructure. To be effective and sustainable, this must go beyond policy documents and be structured as a long-term strategic uplift what issues should hotels tackle first? Firstly, hotels must understand the scale of the risk. They should begin their privacy uplift process by 'data mapping' - identifying what personal data they hold, and which systems are involved in handling that data. This should result in a register of key data assets and data processing activities. This documentation must be kept up to date as data handling processes this new insight into their data holdings, hotels should minimise the data they hold.
Many hotels hold far more personal data than they require for compliance or business operations – this increases risk and storage costs but adds no business value. Identifying the legal obligations to retain different data types in a retention schedule, and then applying that schedule to your data holdings, can help identify over-retained personal data. The over-retained data can then be securely disposed of. Ultimately, you cannot mishandle or lose data you do not hold – thus minimising your risk and compliance great insight into smaller data holdings, it will be easier to perform a gap assessment against the requirements of the DPDP Act. This, in turn, will enable the development of a comprehensive and robust data governance framework that sets out how personal data is to be handled throughout the 'data lifecycle' – from the point that the personal data is collected, to how it is stored, used and disclosed, and ultimately archived or disposed framework should include not only top-level policy objectives that align with the DPDP Act and other relevant privacy laws (for example, store personal data securely) but standards, procedures, and tools to enable those policy objectives (such as a security standard, specified encryption methods and access controls, secure storage locations). That is, the policy objectives must be implemented in the operations of the business – in how data is actually managed, and how systems are and implementing this framework is unlikely to be a short-term process – larger and more complex hotels may require 2-3 years to complete their uplift processes. However, there will likely be 'low hanging fruit' that can be addressed through short term projects to immediately reduce Indian hotels, good privacy practice is no longer a 'nice to have' subject, it is a compliance priority. Rising customer expectations and evolving cyber threats make robust data handling essential. 
In a world where trust is everything, doing the right thing with personal data isn't just smart, it's essential. To stay protected, hotels must clearly define data responsibilities in authors, Sujjain Talwar is co-founding partner and Pallavi Agarwal is an associate at Economic Laws Practice. Tim de Sousa is the managing director at FTI Consulting. The views expressed in this article are those of the authors and do not necessarily represent those of ET HospitalityWorld.


Time of India
02-07-2025
- Politics
- Time of India
Privacy bill could be sent to Attorney General for assessing RTI impact
India's proposed privacy bill—Digital Personal Data Protection (DPDP) Act—will be referred to the Attorney General of India R Venkataramani for an opinion on whether the much-awaited legislation violates the country's Right to Information (RTI) Act as alleged by opposition parties and members of civil society, people in the know move may clear the clouds of uncertainty hovering over the legislation enacted by Parliament in August 2023, but which is not yet operational pending notification of its Rules. A draft of the proposed Rules was released for stakeholder consultation in January this a meeting chaired by minister for electronics and IT, Ashwini Vaishnaw on Monday, the stalled Act, which bestows individuals with greater control over their personal data while also enabling responsible data processing practices, came up for discussion. 'There are a couple of issues which need to be resolved,' a senior government official told ET. 'It will be referred to the AG, but the government's view is that the DPDP Act doesn't dilute the RTI Act and amendment doesn't stop those seeking information under RTI to get access to it,' the official Vaishnaw is expected to write to all the members of Parliament explaining the position. 'Anyone accessing any information, be it about the MNREGA scheme or data about a farmer welfare scheme can do it without any issue through the RTI,' according to officials who said there are no restrictions for journalists seeking information has been an outcry by the opposition, civil society over an amendment to the RTI Act's Section 8(1)(j) made through the DPDP Act, passed in 2023.
It amended a section of the RTI Act, removing the earlier safeguard that allowed disclosure of personal information if it served public interest and did not amount to 'unwarranted' invasion of amendment – allowing authorities to withhold any information containing personal details – restricts journalists, activists, lawyers, and others from accessing crucial information needed to hold governments accountable and expose corruption, members of the civil society have who spoke to ET pointed out that the Rules are not being held in abeyance because of the outcry over the Act. 'The Act was passed in 2023, where the RTI amendment was brought about, if there were concerns about it, they should have been raised then,' said people cited above. 'The government is holding discussions about the Rules and keeping them ready while the political issue has to be resolved at the political level,' they proposed legislation has also left out another provision that stated that "information which cannot be denied to the Parliament, or a state legislature shall not be denied to any person". On March 26, over 120 MPs from the INDIA bloc urged the repeal of Section 44(3) of the DPDP Act, warning that it undermines the RTI Act by removing the public interest test in Section 8(1)(j). Shortly after, in response to a letter by Congress leader Jairam Ramesh, Vaishnaw cited Section 3 of the DPDP Act and said that the RTI framework remains protected. "The DPDP Act, as outlined in Section 3, provides exemptions for personal data that is 'made or caused to be made publicly available' by individuals or entities under legal obligations. This ensures transparency while maintaining the need for privacy," Vaishnaw had written in an April 10 letter to Jairam had reported on 22 March that more than 30 civil society organisations launched a campaign seeking the rollback of a provision in the Digital Personal Data Protection (DPDP) Act that amended the Right to Information (RTI) Act.