“Voluntary Provision” under the DPA: Too Good to be True?

This article examines some pitfalls around the processing of “voluntarily provided” personal data under India’s Digital Personal Data Protection Act, 2023 (“DPA”), and it is the second of a three-part series. The first, focussing on “employment purposes” can be accessed here.Continue Reading “Voluntary Provision” under the DPA: Too Good to be True?

Need for Syncing Sectoral Regulations with Data Protection Law

Cutting across sectors and borders, the Digital Personal Data Protection Act, 2023 (DPDPA or Act), a lean, principles-based, horizontal legislation was enacted in August 2023 (yet to come into effect). Given the substantive procedural aspects under the Act being left for delegated legislation, the first set of rules is expected to be released for public consultation within 100 (hundred days) of the end of the ongoing General Elections,[1] if the incumbent government is re-elected.Continue Reading Need for Syncing Sectoral Regulations with Data Protection Law

Handle with CARE: Relying on “Purposes of Employment” for Processing Employee Data

India has been preparing for the Digital Personal Data Protection Act, 2023 (“DPA”), for almost a year now. During this time, companies have realised that relying on consent as a long-term basis for processing may be difficult, and instead, using ‘legitimate uses’[1], as the bases for processing may be a better alternative.Continue Reading Handle with CARE: Relying on “Purposes of Employment” for Processing Employee Data

Background

The European Court of Justice (“CJEU”) in mid-2023 passed a landmark judgment in Meta Platforms Inc. v. Bundeskartellamt[1], by imposing strict restrictions on social media entities using personal data of consumer’s for targeting them with personalised advertisements through their platforms. This ruling struck at the core revenue model of many big technology organisations.   Continue Reading The Great Reset: What Lies in Store for Targeted Advertising?  

FIG Paper (No. 34 – Data Law Series 5) Balancing Sectoral Regulation and DPDP Act Compliance by NBFCs & Fintechs

Background

Indian regulators in recent times have shown a keen interest in monitoring the intersection between data, information technology, and cybersecurity with regulated entities—more so in relation to Non-Banking Financial Companies (“NBFCs”) and ‘fintechs’. With the expected enforcement of the Digital Personal Data Protection Act, 2023 (“DPDP Act”), and the promulgation of its rules, it becomes imperative for NBFCs and fintechs to map their journey of compliance from legal and regulatory perspectives.Continue Reading FIG Paper (No. 34 – Data Law Series 5) Balancing Sectoral Regulation and DPDP Act Compliance by NBFCs & Fintechs

FIG Paper No. [29], Data Law Series [3]: Implications of Digital Personal Data Protection Act, 2023 for Foreign Banks in India

Introduction:

The Digital Personal Data Protection Act, 2023 (“DPDP Act”) is India’s foray into the global regulatory movement on personal data rights. In designing the DPDP Act, there has been a strong focus on simplicity, brevity, and standardisation. We note a marked effort to align with data regulation across the world, most significantly, the European Union’s General Data Protection Regulation (GDPR”). While principally similar, the Indian regime has peculiarities for which financial services entities will have to prepare themselves. Continue Reading FIG Paper No. 30, Data Law Series 4: Implications of Digital Personal Data Protection Act, 2023 for Foreign Banks in India

Comparing Global Privacy Regimes Under GDPR, DPDPA and US Data Protection Laws

Nearly five years after a landmark Supreme Court ruling, which reiterated that information privacy is a fundamental right enshrined in the Constitution, India finally enacted its Digital Personal Data Protection Act, 2023 (the “DPDPA” or “Act”), on August 11, 2023.Continue Reading Comparing Global Privacy Regimes Under GDPR, DPDPA and US Data Protection Laws

Primer on IRDAI Information and Cyber Security Guidelines 2023

Introduction

On September 14, 2023, the Insurance Regulatory and Development Authority of India (“IRDAI”) set up an inter-disciplinary standing committee on cyber security, tasked with regularly reviewing the threats inherent in the existing or emerging technologies and suggest appropriate changes to the IRDAI Information and Cyber Security framework to further strengthen the insurance industry’s cyber security posture and resilience.[1] This is in furtherance to the IRDAI having notified the Information and Cyber Security Guidelines on April 24, 2023 (“CS Guidelines 2023”).Continue Reading Primer on IRDAI Information and Cyber Security Guidelines 2023

FIG Paper No 29 – Data Law Series 3: (Implications of Digital Personal Data Protection Act, 2023, on Asset Management Companies)

Background:

  • Asset Management Companies (“AMCs”) act as fiduciaries of unitholders (i.e. investors who hold units in funds managed by an AMC), due to which the Securities and Exchange Board of India (“SEBI”) has mandated various data privacy obligations for AMCs, either directly or through the Association of Mutual Funds of India (“AMFI”).
  • SEBI, in a private letter to AMCs, AMFI and registrar and transfer agents (“RTAs”) dated July 10, 2020 (“SEBI Letter”), required that digital platforms involved in distribution/ advisory and AMCs/ RTAs must respect unitholder’s data privacy. The letter included the following two mandates:
    • unitholder data should not be shared with group entities having multiple business/ products; and
    • products and services of group companies cannot be cross marketed.

Continue Reading FIG Paper No 29 – Data Law Series 3: (Implications of Digital Personal Data Protection Act, 2023, on Asset Management Companies)

FIG Paper No. 28, Data Law Series 2:
Implications of Digital Personal Data Protection Act, 2023 on Indian Banks

Introduction

In the current landscape, Indian banks are bound by data protection obligations under the provisions and rules of the Information Technology Act, 2000, the Prevention of Money Laundering Act, 2002 and relevant directives of the Reserve Bank of India (“RBI”). As we await the enforcement of the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the publishing of its rules (“DPDP Rules”), there will be a paradigm shift in the data processing protocols of banks amongst other financial entities.Continue Reading FIG Paper No. 28, Data Law Series 2: Implications of Digital Personal Data Protection Act, 2023 on Indian Banks