Photo of Arjun Goswami

Director and head of the Public Policy Practice at the Delhi - NCR office of Cyril Amarchand Mangaldas. He has a rich experience in advising public sector and private sector clients on policy issues related to ESG, Infrastructure, Technology and Finance. He can be reached at arjun.goswami@cyrilshroff.com.

Geopolitical Destiny: The Direction of Indian Strategic Autonomy

Summary: Amidst increasing geopolitical risk globally, India may need to assess its current ‘strategic autonomy’ approach to multi-alignment. This article examines the relationship between India and the US, explores a potential Middle Powers strategy premised on India’s alignment with Europe, and underscores the importance of India strengthening its engagement with the Global South to achieve its geopolitical ambitions amidst shifting global dynamics.Continue Reading Geopolitical Destiny: The Direction of Indian Strategic Autonomy

Role of State Governments in India’s Data Protection Regime

Introduction

The Ministry of Electronics & Information Technology (“MeitY”) published a draft of the Digital Personal Data Protection Rules, 2025 (“Draft Rules”), on January 3, 2025. These were formulated under the Digital Personal Data Protection Act, 2023 (“DPDP Act” or “Act”), which was passed by Parliament, and received presidential assent on August 11, 2023. The DPDP Act aims to regulate the processing of personal data, and contains requirements for collection, processing and sharing of personal data.Continue Reading Role of State Governments in India’s Data Protection Regime

RegTech and Digital Public Infrastructure: Navigating Compliance in India’s Digital Landscape

The rapid advancement of India’s Digital Public Infrastructure (“DPI”) – exemplified by initiatives such as Aadhaar, the Unified Payments Interface (“UPI”), and DigiLocker – has reshaped the nation’s digital ecosystem. This DPI has created transformative efficiencies, enabling streamlined interactions between citizens, businesses, and government services. However, as India solidifies its digital-first approach, regulatory challenges around data privacy, user consent, and cybersecurity have surged, demanding robust compliance mechanisms. Regulatory Technology (“RegTech”)  is emerging as a solution to these complex regulatory demands, leveraging automation to help entities comply with the country’s Digital Personal Data Protection Act, 2023[1] (“DPDP Act”), among other regulations.Continue Reading RegTech and Digital Public Infrastructure: Navigating Compliance in India’s Digital Landscape

Fighting Cybercrime: Global UN Convention on the Anvil

Introduction

Member states of the United Nations approved the draft text of the United Nations Convention Against Cybercrime (‘Draft Convention’) by consensus, in August 2024, after five years of deliberations. It is the UN’s first consolidated attempt at regulating crimes on the internet. The move has attracted its fair share of controversy, with tech companies and human rights organisations protesting against the lack of safeguards.Continue Reading Fighting Cybercrime: Global UN Convention on the Anvil

Need for Syncing Sectoral Regulations with Data Protection Law

Cutting across sectors and borders, the Digital Personal Data Protection Act, 2023 (DPDPA or Act), a lean, principles-based, horizontal legislation was enacted in August 2023 (yet to come into effect). Given the substantive procedural aspects under the Act being left for delegated legislation, the first set of rules is expected to be released for public consultation within 100 (hundred days) of the end of the ongoing General Elections,[1] if the incumbent government is re-elected.Continue Reading Need for Syncing Sectoral Regulations with Data Protection Law

Background

The European Court of Justice (“CJEU”) in mid-2023 passed a landmark judgment in Meta Platforms Inc. v. Bundeskartellamt[1], by imposing strict restrictions on social media entities using personal data of consumer’s for targeting them with personalised advertisements through their platforms. This ruling struck at the core revenue model of many big technology organisations.   Continue Reading The Great Reset: What Lies in Store for Targeted Advertising?  

Children and consent under the
Data Protection Act: A Study in Evolution

The Digital Personal Data Protection Act, 2023[1] (“Act”) has, at long last, been past before both houses of Parliament and been published in the official Gazette upon receiving Presidential assent.

The Act is intended to provide legislative expression to the contours of the right to privacy as outlined by the Supreme Court of India in the Puttaswamy Judgements[2] and since then, by other constitutional Courts. The principle, which now stands more or less crystallized, is that the autonomy of a person is inalienably linked to their autonomy over their personal data. Therefore, in a regime which continues to be firmly consent based, the questions of who is a child, who can consent to allowing their personal data to be collected, as well as what can and cannot be done with it, are key to their status as ‘Digital Nagariks’ in years to come.Continue Reading Children and Consent under the Data Protection Act: A Study in Evolution

Of Consent and Lawful Uses:
Where the Rubber meets the Road

While the concept of consent, in consonance with the current consent based regime under the Information Technology Act, 2000 (“IT Act”)[1] as well as the constitutional primacy of consent and autonomy under various court decisions dealing with the right to information privacy has remained firmly entrenched as the primary basis for collection and processing of personal data under the various drafts of general personal data protection legislation in India over the years,[2] the newly notified Digital Personal Data Protection Act, 2023 (“Act”)[3]also provides for “legitimate use” as key additional basis available to Data Fiduciaries[4] for collection and processing of personal data[5].Continue Reading Of Consent and Lawful Uses:Where the Rubber meets the Road

A Fine Balance:
The DPDA and Data Localization

On November 18, 2022, when the Ministry of Electronics and Information Technology (“MEITY”) tabled an entirely new draft Digital Personal Data Protection Bill, 2022 (“Draft”)[1], the concerns around one section, namely Section 17 dealing with cross-border data transfers, were perhaps more pronounced than the shock which accompanied the withdrawal of a long debated previous draft.Continue Reading A Fine Balance:The DPDA and Data Localization