Photo of Arun Prabhu

Arun Prabhu

Partner (Co-Head – Digital | TMT) at Cyril Amarchand Mangaldas. Arun special expertise in advising clients in the information technology enabled services, outsourcing and information technology sectors. He was also a member of the Government of India’s working group on the legal enablement of information and communication technology systems. Arun was described as a “very effective and highly knowledgeable” lawyer by Chambers and Partners in 2011. He can be reached at arun.prabhu@cyrilshroff.com

Contact:Read more about Arun Prabhu
The Draft AI Rules: A Welcome First Step

Summary: In a move to regulate deepfake, fake news and other misinformation, the Ministry of Electronics and Information Technology has proposed draft rules seeking to amend the existing intermediary guidelines. They propose a wide definition of “synthetically generated information” without meaningful and practical standards on authenticity thresholds. Combined with this, it provides for prescriptive labelling norms that may leave little to no flexibility for intermediaries and additionally seeks to impose onerous user verification related obligations for significant social media intermediaries without any brightline standards. While the objective of the proposed regulations, rooted in user safety, is laudable, the draft in its current form can have wide reaching implications on how the overall AI ecosystem develops in India. As the devil lies in the details, it would be prudent to revisit the proposed rules and account for practical considerations, thresholds, and standards that will contribute to effective implementation. The draft rules are open for stakeholder consultation until November 6, 2025, and offer an opportunity to engage with the government for shaping the balance between innovation and user safety.Continue Reading The Draft AI Rules: A Welcome First Step

The increasing adoption and deployment of artificial intelligence (“AI”) enabled tools, platforms, and solutions by market participants in the financial sector, including the securities markets, is now widely recognised, both in India[1] and globally[2].Continue Reading The Consultation Paper on AI Regulation : A Case for Nuance?

The Ghost in the Machine?: The Recent “Business Requirement Document” on Consent

Corporate India, eagerly awaiting the final version of the Draft Digital Personal Data Protection Rules, 2025[1] (“Draft Rules”), under the Digital Personal Data Protection Act, 2023[2] (“DPDPA”), was recently jolted by a Business Requirements Document for Consent Management under the DPDPA (“BRD”)[3] discreetly issued by the National e-Governance Division of the Ministry of Electronics and Technology (“MeitY”).Continue Reading The Ghost in the Machine?: The Recent “Business Requirement Document” on Consent

“Voluntary Provision” under the DPA: Too Good to be True?

This article examines some pitfalls around the processing of “voluntarily provided” personal data under India’s Digital Personal Data Protection Act, 2023 (“DPA”), and it is the second of a three-part series. The first, focussing on “employment purposes” can be accessed here.Continue Reading “Voluntary Provision” under the DPA: Too Good to be True?

Handle with CARE: Relying on “Purposes of Employment” for Processing Employee Data

India has been preparing for the Digital Personal Data Protection Act, 2023 (“DPA”), for almost a year now. During this time, companies have realised that relying on consent as a long-term basis for processing may be difficult, and instead, using ‘legitimate uses’[1], as the bases for processing may be a better alternative.Continue Reading Handle with CARE: Relying on “Purposes of Employment” for Processing Employee Data

The Telecommunications Act, 2023 (“Act”) has received presidential assent and has been notified for information.[1] When rulemaking under the Act is completed, and it is notified as being in force, it will replace existing legislation governing telecommunications in India, namely the Indian Telegraph Act, 1885, the Wireless Telegraphy Act, 1933, and the Telegraph Wires (Unlawful Possession) Act, 1950 (collectively, “Telegraph Laws”).Continue Reading The Telecommunications Act, 2023

Comparing Global Privacy Regimes Under GDPR, DPDPA and US Data Protection Laws

Nearly five years after a landmark Supreme Court ruling, which reiterated that information privacy is a fundamental right enshrined in the Constitution, India finally enacted its Digital Personal Data Protection Act, 2023 (the “DPDPA” or “Act”), on August 11, 2023.Continue Reading Comparing Global Privacy Regimes Under GDPR, DPDPA and US Data Protection Laws

India's New Data Protection Law: How Does it Differ from GDPR and What Does that Mean for International Businesses?

On August 11, 2023, India’s long-awaited general personal data protection legislation, the Digital Personal Data Protection Act, 2023 (“DPDPA”) was finally enacted.

Governing the world’s fifth largest economy and one of its fastest growing digital markets, the DPDPA will be of importance to a large number of international businesses that operate in India, rely on Indian service providers/group service companies for their operations, or are looking to enter Indian markets.Continue Reading India’s New Data Protection Law: How Does it Differ from GDPR and What Does that Mean for International Businesses?