DPDP Act

The Ghost in the Machine?: The Recent “Business Requirement Document” on Consent

Corporate India, eagerly awaiting the final version of the Draft Digital Personal Data Protection Rules, 2025[1] (“Draft Rules”), under the Digital Personal Data Protection Act, 2023[2] (“DPDPA”), was recently jolted by a Business Requirements Document for Consent Management under the DPDPA (“BRD”)[3] discreetly issued by the National e-Governance Division of the Ministry of Electronics and Technology (“MeitY”).Continue Reading The Ghost in the Machine?: The Recent “Business Requirement Document” on Consent

Introduction:

Technology has fundamentally transformed the financial services industry, with many contemporary financial institutions (“FI”) adopting a digital-first or exclusively online business model. With third-party technology service providers handling critical functions for FIs, as outsourced partners, regulators such as the Reserve Bank of India (“RBI”), Securities and Exchange Board of India (“SEBI”) and the Insurance Regulatory and Development Authority of India (“IRDAI”) have issued their respective guidelines on outsourcing/ adoption of cloud services.[i] Additionally, FIs are also required to comply with general data protection laws.[ii]Continue Reading FIG Paper (No. 46 – Series 3): Contracting Considerations for Financial Institutions

FIG Paper (No. 44 - Series 3): RBI Consolidates Directions on Digital Lending: Implications for REs & LSPs

Background:

The Reserve Bank of India (“RBI”) on May 8, 2025, issued the Reserve Bank of India (Digital Lending) Directions, 2025 (“DL Directions”).

The idea of these new directions was to consolidate the various directions and circulars on digital lending by Regulated Entities (“RE”), previously issued by the RBI[1], provide greater clarity on consumer/ customer centric rights from a customer protection point of view and create a repository with the RBI of all digital lending apps/ platforms (“DLA”) provided by REs/ lending service providers (“LSP”).Continue Reading FIG Paper (No. 44 – Series 3): RBI Consolidates Directions on Digital Lending: Implications for REs & LSPs

Role of State Governments in India’s Data Protection Regime

Introduction

The Ministry of Electronics & Information Technology (“MeitY”) published a draft of the Digital Personal Data Protection Rules, 2025 (“Draft Rules”), on January 3, 2025. These were formulated under the Digital Personal Data Protection Act, 2023 (“DPDP Act” or “Act”), which was passed by Parliament, and received presidential assent on August 11, 2023. The DPDP Act aims to regulate the processing of personal data, and contains requirements for collection, processing and sharing of personal data.Continue Reading Role of State Governments in India’s Data Protection Regime

FIG Paper (No. 40 – Data Law Series 6) Draft Digital Personal Data Protection Rules, 2025 - Key Implications for Financial Services Sector

Background:

  1. India’s first dedicated data privacy law, the Digital Personal Data Protection Act, 2023 (“DPDP Act”)[1], was passed by both houses of Parliament, and received Presidential assent on August 11, 2023. 

Continue Reading FIG Paper (No. 40 – Data Law Series 6) Draft Digital Personal Data Protection Rules, 2025 – Key Implications for Financial Services Sector

Introduction:

The rapid development and deployment of Artificial Intelligence (“AI”) and Machine Learning (“ML”) tools by market participants over the course of the past year prompted the Securities and Exchange Board of India (“SEBI”) to issue, on November 13, 2024, a consultation paper on “Proposed amendments with respect to assigning responsibility for the use of Artificial Intelligence Tools by Market Infrastructure Institutions, Registered Intermediaries and other persons regulated by SEBI” (“Draft Amendments”), seeking public suggestions on a series of amendments to the extant regulations.Continue Reading SEBI’s Proposed New Amendments on Usage of AI Tools by Regulated Entities

RegTech and Digital Public Infrastructure: Navigating Compliance in India’s Digital Landscape

The rapid advancement of India’s Digital Public Infrastructure (“DPI”) – exemplified by initiatives such as Aadhaar, the Unified Payments Interface (“UPI”), and DigiLocker – has reshaped the nation’s digital ecosystem. This DPI has created transformative efficiencies, enabling streamlined interactions between citizens, businesses, and government services. However, as India solidifies its digital-first approach, regulatory challenges around data privacy, user consent, and cybersecurity have surged, demanding robust compliance mechanisms. Regulatory Technology (“RegTech”)  is emerging as a solution to these complex regulatory demands, leveraging automation to help entities comply with the country’s Digital Personal Data Protection Act, 2023[1] (“DPDP Act”), among other regulations.Continue Reading RegTech and Digital Public Infrastructure: Navigating Compliance in India’s Digital Landscape

Within the broad bucket of internal investigations that companies often undertake, disciplinary procedures in relation to employee misconduct are one of the most common forms of investigations. In this piece, we explore the current laws and best practices in relation to employee investigations and conducting disciplinary processes, the potential ramifications of Indian data protection law

FIG Paper (No. 34 – Data Law Series 5) Balancing Sectoral Regulation and DPDP Act Compliance by NBFCs & Fintechs

Background

Indian regulators in recent times have shown a keen interest in monitoring the intersection between data, information technology, and cybersecurity with regulated entities—more so in relation to Non-Banking Financial Companies (“NBFCs”) and ‘fintechs’. With the expected enforcement of the Digital Personal Data Protection Act, 2023 (“DPDP Act”), and the promulgation of its rules, it becomes imperative for NBFCs and fintechs to map their journey of compliance from legal and regulatory perspectives.Continue Reading FIG Paper (No. 34 – Data Law Series 5) Balancing Sectoral Regulation and DPDP Act Compliance by NBFCs & Fintechs

FIG Paper (No. 32) - Outsourcing of Financial Services: Harmonising the Law and Looking Ahead

Background

The Reserve Bank of India (“RBI”) issued the draft Master Direction – Reserve Bank of India (Managing Risks and Code of Conduct in Outsourcing of Financial Services) Directions, 2023 (“Draft MD”), on October 26, 2023. With the COVID-19 pandemic and the digitisation of financial services globally, financial institutions started becoming increasingly dependent on their service partners and agents to reduce costs and avail expertise not available internally.Continue Reading FIG Paper (No. 32 – Series 1): Outsourcing of Financial Services: Harmonising the Law and Looking Ahead