Background

The European Court of Justice (“CJEU”) in mid-2023 passed a landmark judgment in Meta Platforms Inc. v. Bundeskartellamt[1], by imposing strict restrictions on social media entities using personal data of consumer’s for targeting them with personalised advertisements through their platforms. This ruling struck at the core revenue model of many big technology organisations.   Continue Reading The Great Reset: What Lies in Store for Targeted Advertising?  

Comparing Global Privacy Regimes Under GDPR, DPDPA and US Data Protection Laws

Nearly five years after a landmark Supreme Court ruling, which reiterated that information privacy is a fundamental right enshrined in the Constitution, India finally enacted its Digital Personal Data Protection Act, 2023 (the “DPDPA” or “Act”), on August 11, 2023.Continue Reading Comparing Global Privacy Regimes Under GDPR, DPDPA and US Data Protection Laws

FIG Paper No. 28, Data Law Series 2:
Implications of Digital Personal Data Protection Act, 2023 on Indian Banks

Introduction

In the current landscape, Indian banks are bound by data protection obligations under the provisions and rules of the Information Technology Act, 2000, the Prevention of Money Laundering Act, 2002 and relevant directives of the Reserve Bank of India (“RBI”). As we await the enforcement of the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the publishing of its rules (“DPDP Rules”), there will be a paradigm shift in the data processing protocols of banks amongst other financial entities.Continue Reading FIG Paper No. 28, Data Law Series 2: Implications of Digital Personal Data Protection Act, 2023 on Indian Banks

FIG Paper (No. 24 – Series 1): 
New Data Law – Financial Services Implications

(Indian) Digital Personal Data Protection Act, 2023 (“DPDP Act”) received Presidential assent on August 11, 2023, and is awaiting notification by the Indian Government, which is expected soon. This FIG Paper examines: (i) the existing data protection/ privacy framework for the Indian financial services space; (ii) overlays DPDP Act considerations; and (iii) preferred approach to “gap” analysis, basis global learnings.Continue Reading FIG Paper (No. 24 – Series 1): New Data Law – Financial Services Implications

Of Consent and Lawful Uses:
Where the Rubber meets the Road

While the concept of consent, in consonance with the current consent based regime under the Information Technology Act, 2000 (“IT Act”)[1] as well as the constitutional primacy of consent and autonomy under various court decisions dealing with the right to information privacy has remained firmly entrenched as the primary basis for collection and processing of personal data under the various drafts of general personal data protection legislation in India over the years,[2] the newly notified Digital Personal Data Protection Act, 2023 (“Act”)[3]also provides for “legitimate use” as key additional basis available to Data Fiduciaries[4] for collection and processing of personal data[5].Continue Reading Of Consent and Lawful Uses:Where the Rubber meets the Road

Preparing for the DPDA

PREPARING FOR THE DPDA

In the culmination of a decade long process,[1] the Digital Personal Data Protection Bill, 2023 (“Bill”)[2] was passed before the Lok Sabha on August 7, 2023.

While the important subject matter of the Bill, its long legislative history, and the widely publicised dissents in the Parliamentary Standing Committee[3] portend that it may not pass unchanged, its enactment seems likely within the next few weeks or months.

Further, given its relatively concise nature and, the limited rulemaking and regulatory framework that is needed to enable it, it seems likely that while the Bill will be brought into force in a phased manner,[4] operative portions of it may come into effect relatively quickly.Continue Reading Preparing for the DPDA

Digital Personal Data Protection Bill, 2023

The Digital Personal Data Protection Bill, 2023 (“Bill”)[1] tabled before Parliament on August 3, 2023 is the culmination of a decade long process for evolving general data protection regime for India.

By withdrawing an elaborate, prescriptive draft which was under consideration by Parliament until 2021, to introducing a new, lean, principles based draft for consultation on November 18, 2022 (“Draft”),[2] and then engaging an extensive consultation process which reportedly involved in excess of 20,000 submissions,[3] and several dozen discussions involving personal participation at the highest levels of the Ministry, the Ministry of Electronics and Information Technology has set the stage for the evolution and adoption of a customized and Indian legislation that seeks to find a balance between enabling ease of doing business, and protecting sovereign imperatives and citizens’ rights, which has proved elusive globally.[4] Continue Reading The DPDP Bill Overview: A New Dawn for Data Protection in India