Data Protection

Subscribe to Data Protection via RSS
Search by Data Protection
Role of State Governments in India’s Data Protection Regime

Introduction

The Ministry of Electronics & Information Technology (“MeitY”) published a draft of the Digital Personal Data Protection Rules, 2025 (“Draft Rules”), on January 3, 2025. These were formulated under the Digital Personal Data Protection Act, 2023 (“DPDP Act” or “Act”), which was passed by Parliament, and received presidential assent on August 11, 2023. The DPDP Act aims to regulate the processing of personal data, and contains requirements for collection, processing and sharing of personal data.Continue Reading Role of State Governments in India’s Data Protection Regime

FIG Paper (No. 40 – Data Law Series 6) Draft Digital Personal Data Protection Rules, 2025 - Key Implications for Financial Services Sector

Background:

  1. India’s first dedicated data privacy law, the Digital Personal Data Protection Act, 2023 (“DPDP Act”)[1], was passed by both houses of Parliament, and received Presidential assent on August 11, 2023. 

Continue Reading FIG Paper (No. 40 – Data Law Series 6) Draft Digital Personal Data Protection Rules, 2025 – Key Implications for Financial Services Sector

RegTech and Digital Public Infrastructure: Navigating Compliance in India’s Digital Landscape

The rapid advancement of India’s Digital Public Infrastructure (“DPI”) – exemplified by initiatives such as Aadhaar, the Unified Payments Interface (“UPI”), and DigiLocker – has reshaped the nation’s digital ecosystem. This DPI has created transformative efficiencies, enabling streamlined interactions between citizens, businesses, and government services. However, as India solidifies its digital-first approach, regulatory challenges around data privacy, user consent, and cybersecurity have surged, demanding robust compliance mechanisms. Regulatory Technology (“RegTech”)  is emerging as a solution to these complex regulatory demands, leveraging automation to help entities comply with the country’s Digital Personal Data Protection Act, 2023[1] (“DPDP Act”), among other regulations.Continue Reading RegTech and Digital Public Infrastructure: Navigating Compliance in India’s Digital Landscape

Within the broad bucket of internal investigations that companies often undertake, disciplinary procedures in relation to employee misconduct are one of the most common forms of investigations. In this piece, we explore the current laws and best practices in relation to employee investigations and conducting disciplinary processes, the potential ramifications of Indian data protection law

“Voluntary Provision” under the DPA: Too Good to be True?

This article examines some pitfalls around the processing of “voluntarily provided” personal data under India’s Digital Personal Data Protection Act, 2023 (“DPA”), and it is the second of a three-part series. The first, focussing on “employment purposes” can be accessed here.Continue Reading “Voluntary Provision” under the DPA: Too Good to be True?

Need for Syncing Sectoral Regulations with Data Protection Law

Cutting across sectors and borders, the Digital Personal Data Protection Act, 2023 (DPDPA or Act), a lean, principles-based, horizontal legislation was enacted in August 2023 (yet to come into effect). Given the substantive procedural aspects under the Act being left for delegated legislation, the first set of rules is expected to be released for public consultation within 100 (hundred days) of the end of the ongoing General Elections,[1] if the incumbent government is re-elected.Continue Reading Need for Syncing Sectoral Regulations with Data Protection Law

Handle with CARE: Relying on “Purposes of Employment” for Processing Employee Data

India has been preparing for the Digital Personal Data Protection Act, 2023 (“DPA”), for almost a year now. During this time, companies have realised that relying on consent as a long-term basis for processing may be difficult, and instead, using ‘legitimate uses’[1], as the bases for processing may be a better alternative.Continue Reading Handle with CARE: Relying on “Purposes of Employment” for Processing Employee Data

Background

The European Court of Justice (“CJEU”) in mid-2023 passed a landmark judgment in Meta Platforms Inc. v. Bundeskartellamt[1], by imposing strict restrictions on social media entities using personal data of consumer’s for targeting them with personalised advertisements through their platforms. This ruling struck at the core revenue model of many big technology organisations.   Continue Reading The Great Reset: What Lies in Store for Targeted Advertising?  

FIG Paper (No. 34 – Data Law Series 5) Balancing Sectoral Regulation and DPDP Act Compliance by NBFCs & Fintechs

Background

Indian regulators in recent times have shown a keen interest in monitoring the intersection between data, information technology, and cybersecurity with regulated entities—more so in relation to Non-Banking Financial Companies (“NBFCs”) and ‘fintechs’. With the expected enforcement of the Digital Personal Data Protection Act, 2023 (“DPDP Act”), and the promulgation of its rules, it becomes imperative for NBFCs and fintechs to map their journey of compliance from legal and regulatory perspectives.Continue Reading FIG Paper (No. 34 – Data Law Series 5) Balancing Sectoral Regulation and DPDP Act Compliance by NBFCs & Fintechs