The Ghost in the Machine?: The Recent “Business Requirement Document” on Consent

Corporate India, eagerly awaiting the final version of the Draft Digital Personal Data Protection Rules, 2025[1] (“Draft Rules”), under the Digital Personal Data Protection Act, 2023[2] (“DPDPA”), was recently jolted by a Business Requirements Document for Consent Management under the DPDPA (“BRD”)[3] discreetly issued by the National e-Governance Division of the Ministry of Electronics and Technology (“MeitY”).Continue Reading The Ghost in the Machine?: The Recent “Business Requirement Document” on Consent

FIG Paper (No. 44 - Series 3): RBI Consolidates Directions on Digital Lending: Implications for REs & LSPs

Background:

The Reserve Bank of India (“RBI”) on May 8, 2025, issued the Reserve Bank of India (Digital Lending) Directions, 2025 (“DL Directions”).

The idea of these new directions was to consolidate the various directions and circulars on digital lending by Regulated Entities (“RE”), previously issued by the RBI[1], provide greater clarity on consumer/ customer centric rights from a customer protection point of view and create a repository with the RBI of all digital lending apps/ platforms (“DLA”) provided by REs/ lending service providers (“LSP”).Continue Reading FIG Paper (No. 44 – Series 3): RBI Consolidates Directions on Digital Lending: Implications for REs & LSPs

Role of State Governments in India’s Data Protection Regime

Introduction

The Ministry of Electronics & Information Technology (“MeitY”) published a draft of the Digital Personal Data Protection Rules, 2025 (“Draft Rules”), on January 3, 2025. These were formulated under the Digital Personal Data Protection Act, 2023 (“DPDP Act” or “Act”), which was passed by Parliament, and received presidential assent on August 11, 2023. The DPDP Act aims to regulate the processing of personal data, and contains requirements for collection, processing and sharing of personal data.Continue Reading Role of State Governments in India’s Data Protection Regime

FIG Paper (No. 40 – Data Law Series 6) Draft Digital Personal Data Protection Rules, 2025 - Key Implications for Financial Services Sector

Background:

  1. India’s first dedicated data privacy law, the Digital Personal Data Protection Act, 2023 (“DPDP Act”)[1], was passed by both houses of Parliament, and received Presidential assent on August 11, 2023. 

Continue Reading FIG Paper (No. 40 – Data Law Series 6) Draft Digital Personal Data Protection Rules, 2025 – Key Implications for Financial Services Sector

RegTech and Digital Public Infrastructure: Navigating Compliance in India’s Digital Landscape

The rapid advancement of India’s Digital Public Infrastructure (“DPI”) – exemplified by initiatives such as Aadhaar, the Unified Payments Interface (“UPI”), and DigiLocker – has reshaped the nation’s digital ecosystem. This DPI has created transformative efficiencies, enabling streamlined interactions between citizens, businesses, and government services. However, as India solidifies its digital-first approach, regulatory challenges around data privacy, user consent, and cybersecurity have surged, demanding robust compliance mechanisms. Regulatory Technology (“RegTech”)  is emerging as a solution to these complex regulatory demands, leveraging automation to help entities comply with the country’s Digital Personal Data Protection Act, 2023[1] (“DPDP Act”), among other regulations.Continue Reading RegTech and Digital Public Infrastructure: Navigating Compliance in India’s Digital Landscape

Within the broad bucket of internal investigations that companies often undertake, disciplinary procedures in relation to employee misconduct are one of the most common forms of investigations. In this piece, we explore the current laws and best practices in relation to employee investigations and conducting disciplinary processes, the potential ramifications of Indian data protection law

“Voluntary Provision” under the DPA: Too Good to be True?

This article examines some pitfalls around the processing of “voluntarily provided” personal data under India’s Digital Personal Data Protection Act, 2023 (“DPA”), and it is the second of a three-part series. The first, focussing on “employment purposes” can be accessed here.Continue Reading “Voluntary Provision” under the DPA: Too Good to be True?

Need for Syncing Sectoral Regulations with Data Protection Law

Cutting across sectors and borders, the Digital Personal Data Protection Act, 2023 (DPDPA or Act), a lean, principles-based, horizontal legislation was enacted in August 2023 (yet to come into effect). Given the substantive procedural aspects under the Act being left for delegated legislation, the first set of rules is expected to be released for public consultation within 100 (hundred days) of the end of the ongoing General Elections,[1] if the incumbent government is re-elected.Continue Reading Need for Syncing Sectoral Regulations with Data Protection Law

Handle with CARE: Relying on “Purposes of Employment” for Processing Employee Data

India has been preparing for the Digital Personal Data Protection Act, 2023 (“DPA”), for almost a year now. During this time, companies have realised that relying on consent as a long-term basis for processing may be difficult, and instead, using ‘legitimate uses’[1], as the bases for processing may be a better alternative.Continue Reading Handle with CARE: Relying on “Purposes of Employment” for Processing Employee Data