Nearly five years after a landmark Supreme Court ruling, which reiterated that information privacy is a fundamental right enshrined in the Constitution, India finally enacted its Digital Personal Data Protection Act, 2023 (the “DPDPA” or “Act”), on August 11, 2023.Continue Reading Comparing Global Privacy Regimes Under GDPR, DPDPA and US Data Protection Laws
Data Protection
Primer on IRDAI Information and Cyber Security Guidelines 2023
Introduction
On September 14, 2023, the Insurance Regulatory and Development Authority of India (“IRDAI”) set up an inter-disciplinary standing committee on cyber security, tasked with regularly reviewing the threats inherent in the existing or emerging technologies and suggest appropriate changes to the IRDAI Information and Cyber Security framework to further strengthen the insurance industry’s cyber security posture and resilience.[1] This is in furtherance to the IRDAI having notified the Information and Cyber Security Guidelines on April 24, 2023 (“CS Guidelines 2023”).Continue Reading Primer on IRDAI Information and Cyber Security Guidelines 2023
FIG Paper No 29 – Data Law Series 3: (Implications of Digital Personal Data Protection Act, 2023, on Asset Management Companies)
Background:
- Asset Management Companies (“AMCs”) act as fiduciaries of unitholders (i.e. investors who hold units in funds managed by an AMC), due to which the Securities and Exchange Board of India (“SEBI”) has mandated various data privacy obligations for AMCs, either directly or through the Association of Mutual Funds of India (“AMFI”).
- SEBI, in a private letter to AMCs, AMFI and registrar and transfer agents (“RTAs”) dated July 10, 2020 (“SEBI Letter”), required that digital platforms involved in distribution/ advisory and AMCs/ RTAs must respect unitholder’s data privacy. The letter included the following two mandates:
- unitholder data should not be shared with group entities having multiple business/ products; and
- products and services of group companies cannot be cross marketed.
FIG Paper No. 28, Data Law Series 2: Implications of Digital Personal Data Protection Act, 2023 on Indian Banks
Introduction
In the current landscape, Indian banks are bound by data protection obligations under the provisions and rules of the Information Technology Act, 2000, the Prevention of Money Laundering Act, 2002 and relevant directives of the Reserve Bank of India (“RBI”). As we await the enforcement of the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the publishing of its rules (“DPDP Rules”), there will be a paradigm shift in the data processing protocols of banks amongst other financial entities.Continue Reading FIG Paper No. 28, Data Law Series 2: Implications of Digital Personal Data Protection Act, 2023 on Indian Banks
FIG Paper (No. 27 – Data Law Series 1): Implications of Digital Personal Data Protection Act, 2023, on Payment Service Providers
Introduction:
The Reserve Bank of India (“RBI”) has allowed certain non-banks to operate in the financial ecosystem for payment processing under the Payment and Settlement Systems Act, 2007 (“PSS Act”), in addition to banks. These non-banks are typically operate Cross Border Money Transfer (“MTSS”); Prepaid Payment Instruments (“PPI”); Bharat Bill Payment Operating Units (“BBPOU”); White Label ATM Operators (“WLAO”), etc.Continue Reading FIG Paper (No. 27 – Data Law Series 1): Implications of Digital Personal Data Protection Act, 2023, on Payment Service Providers
India’s New Data Protection Law: How Does it Differ from GDPR and What Does that Mean for International Businesses?
On August 11, 2023, India’s long-awaited general personal data protection legislation, the Digital Personal Data Protection Act, 2023 (“DPDPA”) was finally enacted.
Governing the world’s fifth largest economy and one of its fastest growing digital markets, the DPDPA will be of importance to a large number of international businesses that operate in India, rely on Indian service providers/group service companies for their operations, or are looking to enter Indian markets.Continue Reading India’s New Data Protection Law: How Does it Differ from GDPR and What Does that Mean for International Businesses?
FIG Paper (No. 25 – Series 2): Shedding Light on Dark Patterns in FinTech: Impact of DPDP Act
Introduction:
The new draft guidelines titled ‘Guidelines for Prevention and Regulation of Dark Patterns, 2023’[1] (“Draft Dark Pattern Guidelines”), released by the Department of Consumer Affairs in September 2023, define dark patterns as “any practices or deceptive design patterns using UI/UX (user interface/user experience) interactions on any platform; designed to mislead or trick users to do something they originally did not intend or want to do; by subverting or impairing the consumer autonomy, decision making or choice; amounting to misleading advertisement or unfair trade practice or violation of consumer rights”.Continue Reading FIG Paper (No. 25 – Series 2): Shedding Light on Dark Patterns in FinTech: Impact of DPDP Act
FIG Paper (No. 24 – Series 1): New Data Law – Financial Services Implications
(Indian) Digital Personal Data Protection Act, 2023 (“DPDP Act”) received Presidential assent on August 11, 2023, and is awaiting notification by the Indian Government, which is expected soon. This FIG Paper examines: (i) the existing data protection/ privacy framework for the Indian financial services space; (ii) overlays DPDP Act considerations; and (iii) preferred approach to “gap” analysis, basis global learnings.Continue Reading FIG Paper (No. 24 – Series 1): New Data Law – Financial Services Implications
Children and Consent under the Data Protection Act: A Study in Evolution
The Digital Personal Data Protection Act, 2023[1] (“Act”) has, at long last, been past before both houses of Parliament and been published in the official Gazette upon receiving Presidential assent.
The Act is intended to provide legislative expression to the contours of the right to privacy as outlined by the Supreme Court of India in the Puttaswamy Judgements[2] and since then, by other constitutional Courts. The principle, which now stands more or less crystallized, is that the autonomy of a person is inalienably linked to their autonomy over their personal data. Therefore, in a regime which continues to be firmly consent based, the questions of who is a child, who can consent to allowing their personal data to be collected, as well as what can and cannot be done with it, are key to their status as ‘Digital Nagariks’ in years to come.Continue Reading Children and Consent under the Data Protection Act: A Study in Evolution
Of Consent and Lawful Uses:Where the Rubber meets the Road
While the concept of consent, in consonance with the current consent based regime under the Information Technology Act, 2000 (“IT Act”)[1] as well as the constitutional primacy of consent and autonomy under various court decisions dealing with the right to information privacy has remained firmly entrenched as the primary basis for collection and processing of personal data under the various drafts of general personal data protection legislation in India over the years,[2] the newly notified Digital Personal Data Protection Act, 2023 (“Act”)[3]also provides for “legitimate use” as key additional basis available to Data Fiduciaries[4] for collection and processing of personal data[5].Continue Reading Of Consent and Lawful Uses:Where the Rubber meets the Road