Data Privacy will be failing NOT EVERY TIME in Organisations due to Breaches ONLY!! It will be failing due to its implementation in Piecemeal Manner! It will be failing due to No Real Framework having been Adopted! It will be failing due to lack of Technical, Commercial & Legal (TCL) Aspects Realistically Applied! It will be…

A very interesting decision of the High Court of South Africa in Zulu Nyala Game Ranch v Beukes, where a former employee walked off with a customer list to benefit a competitor. By treating the distinction between “personal information” and “confidential information” as being of no significance, the judge effectively used Protection of Personal Information Act…

The “Black Box” of smartphone manufacturing is being pried open! As per media reports, India’s draft proposal to mandate government access to source code and proprietary software updates represents a seismic shift in the doctrine of digital sovereignty. We are moving beyond standard compliance into a realm where the State acts not just as a…

Most AI systems are not “high-risk” by design. Don’t be generic in risk assessment; rather, the micro-level dynamics of the stack of an AI system need to be focussed upon to have an actual perspective of risk assessment. Hence, if not taken care of, they become high-risk by architecture. Traditional AI, Agentic AI, and Agentic RAG…

For a decade, Indian enterprises hoarded data like oil. We scraped numbers, bought lists, and treated CRMs as goldmines. Under DPDPA, “Legacy Data” sitting in your servers from 2020–2025 is no longer an asset. It is a Toxic Asset. “If you have concerns about the legacy data, you may wish to ask your HR…

Year 2026 will be Foundation Year of Trust with Consent Management Framework in place. 1. Notice & Consent Basics Visual flow: Data Fiduciary sends Notice to Data Principal; Data Principal provides Consent back. 2. Purpose Register & Data Mapping Visual flow: Mapping Personal Data to Purpose for the Data Principal. 3. Processor/Vendor Controls (Part A…

AI Governance: India & Global Roadmap, 2026
AI governance is no longer a value statement; rather, it is a proof statement. That is why the India AI Impact Summit 2026 in New Delhi at Bharat Mandapam on 19 and 20 February 2026 matters, because it is positioned around impact, not hype, and around what can…

Policies don’t ensure compliance. Mindsets do.
1. Accountability: Data Fiduciary duty; demonstrate compliance
2. Purpose limitation: Specified purpose; no incompatible processing
3. Data minimisation: Only necessary personal data; reduce access
4. Notice to Data Principal: Provide notice; clear, itemised information
5. Consent management: Free, specific, informed; easy withdrawal
6. Data Principal rights: Access; correction/erasure; nominate;…

Top 10 Things to Know in The Artificial Intelligence (Ethics and Accountability) Bill, 2025. It will have an impact on DPDPA as well. It is a proposed Indian legislative framework designed to regulate the development and deployment of automated systems. Creation of an Ethics Committee: The Bill establishes a dedicated Ethics Committee for Artificial Intelligence…

The Mandate of “Specified Purpose”
Under the Digital Personal Data Protection Act, 2023, processing personal data is only permissible for a lawful purpose for which the Data Principal has given consent or for certain legitimate uses. A “Specified Purpose” is the fundamental anchor of every data interaction; it is the explicit reason mentioned in the…

We are roughly one month and ten days into the DPDPA implementation countdown. Since the notification dropped in November, I have watched many organizations treat this period as a vacation rather than a sprint. Let’s be precise about what this silence costs you. The 12 Months Milestone (November 2026): This isn’t a ‘soft launch.’…

Introduction The health technology ecosystem is expanding at a faster rate than any other segment within consumer and medical innovation. From smartwatches and continuous glucose monitors to cardiac telemetry patches, sleep monitoring bands, post-surgery recovery trackers and elder-care remote monitoring systems, the industry has shifted from occasional data collection to continuous and intimate surveillance of…

Are you stuck in the “No-Brain Data Discovery” tools trap? If your “data discovery” is an Excel chase (send sheet, collect inputs, merge tabs), then understand this plainly: You have an inventory. Not accountability. And under DPDPA, inventory won’t survive the first grievance or incident. If discovery doesn’t produce evidence, it produces liability. The one…

“We click ‘Accept’ thousands of times a day, yet almost no one truly understands what they are agreeing to. Consent isn’t dead; rather, it never really lived.” A Realising Moment: A Fortune 500 client’s consent form had approximately 12,000 words. I asked the concerned professional, “Have you read this fully?” And “Will your users?” Though…

Evidence Based Compliance: The New Currency Under DPDPA The Digital Personal Data Protection Act, 2023 marks a decisive turn in how organisations will be evaluated. The future standard is clear: Compliance will be judged by evidence, not paperwork. Policies, notices, and contracts matter but they no longer determine regulatory outcomes. What matters is the organisation’s…

The Digital Personal Data Protection Act, 2023 (DPDPA) requires organisations that process digital personal data in India to provide a clear, accessible privacy notice before or at the time of collection. The form and manner are set by the Act and will be supplemented by rules under the Act. Earlier government communications indicated that formal…

OLD: Consent is a static checkbox exercise, sufficient for legal ‘satisfaction’. VIBE: Consent is a provable, real-time user journey, where every interaction is logged as irrefutable evidence of informed choice and ongoing intent. OLD: Compliance is an IT department’s operational burden, handled by technical staff. VIBE: Compliance is a C-Suite imperative, where proactive logging of…

How to Align Your Contracts for DPDPA Compliance? The implementation of the Digital Personal Data Protection Act, 2023 (DPDPA) requires organisations to adopt structured contractual safeguards with all third parties who process personal data. Updating contracts is one of the fastest and most effective ways to strengthen compliance and reduce risk exposure. 1. Identify All Data Handling…

Introduction The implementation of the Digital Personal Data Protection (hereinafter referred to as “DPDP”) Act, 2023, will be significantly transforming the landscape of data governance for Indian organizations, with a particular focus on safeguarding personal data in compliance with global standards. For procurement and legal teams, vendor due diligence has emerged as a strategic priority,…

INTRODUCTION The Digital Personal Data Protection (hereinafter referred to as “DPDP”) Act, 2023, marks a transformative shift in how Indian banks manage personal data, particularly within the context of correspondent banking, where cross-border data flows are an operational necessity. Correspondent banking, where banks facilitate financial services for other banks, often in different jurisdictions, relies heavily…

When I look back at the last three decades of regulatory transitions in India, from excise to GST implementation, from IT Act amendments to sectoral cybersecurity standards, one lesson has remained unchanged: Those who wait for the deadline always lose the advantage. Not legally, but operationally. The DPDPA is no different. On paper, the…

The Digital Personal Data Protection Act, 2023, and its accompanying Rules have fundamentally altered the compliance landscape for India’s healthcare sector. For hospitals, diagnostic centers, and telemedicine platforms processing patient data, the stakes have never been higher. With penalties reaching up to ₹250 crore for serious contraventions and regulatory enforcement now operational, the time for…

The Digital Personal Data Protection Rules, 2025 were notified in the Gazette on 13 November 2025 (G.S.R. 846(E)). Some provisions are already in force, while the core compliance obligations kick in over the next 12–18 months: Rules 1, 2 and 17–21 apply from publication; Rule 4 (Consent Managers’ registration) starts one year after publication; Rules…

13 November 2025 will be remembered as the day India crossed into a new digital era, a Privacy Singularity. For the first time, the rights of the Indian citizen are codified, actionable, and backed by statutory duties on every Data Fiduciary and Processor. This is bigger than compliance. It is a redistribution of digital power….

Introduction In today’s digital economy, cross-border data transfers are a key part of global trade. For Indian businesses, this is a day-to-day operational reality, but it is also a trigger for multifaceted challenges because of the range of disparate and often conflicting data protection laws in different countries. The disequilibrium of legal regulations is not…

 
