Data Embassies in India

Data Embassies in India

In her Budget speech earlier this year, India’s Finance Minister had stated that the government would facilitate the establishment of ‘data embassies’ for the benefit of countries looking for digital continuity solutions. Such data embassies may be set up under the auspices of GIFT City in India’s first IFSC, located in Gujarat.
Accordingly, in order to allow countries and international companies to set up such embassies, the government may formulate a bespoke policy soon. To that end, it may notify specific norms, such as with respect to: (i) what a data embassy constitutes, (ii) the size and specifications of the data center necessary for such purpose, and (iii) whether data embassies can be virtual.
Further, such a policy will be expected to offer diplomatic immunity with respect to Indian regulations as far as the sovereign and commercial digital data of establishing entities is concerned. While it is likely that the lure of regulatory immunity will promote significant investment in India’s data industry – especially from technology infrastructure providers and cloud storage companies – India’s data embassy policy may allow for the storage of non-personal data only.
On the whole, this initiative appears to be part of a larger plan to build a trusted data storage ecosystem in India. As a novel device under public international law, data embassies have only recently become a viable option, especially among vulnerable states that face multifaceted uncertainties and threats. The idea of storing backups of critical state information in data embassies abroad – especially for the purpose of operating such databases from a secure, off-site center outside a state’s own borders – implies that such information remains available for retrieval in the event of a disaster or other emergency.

'Sensitive' Information Under India’s New Data Regime

Sense and Sensitivity : ‘Sensitive’ Information Under India’s New Data Regime

It appears that India’s Digital Personal Data Protection Bill (“DPDP”) is poised for consideration during the Lok Sabha’s ongoing monsoon session. Present reports about such proceedings suggest that despite strong dissent from the minority, a standing committee managed to adopt a draft report on DPDP just yesterday through a majority vote. Other pressing matters notwithstanding, since the monsoon session is scheduled to last until August 11, the government may get the draft law passed, after all.
Pursuant to Section 11 of DPDP, the central government (“CG”) can classify any company or other entity as a ‘significant data fiduciary’ (“SDF”) based on its own assessment of certain listed factors, which include the volume and sensitivity of personal data processed, as well as the risk of harm to individuals related to such data (“Factors”).
Importantly, special obligations apply to SDFs, in addition to the ones which all data fiduciaries must abide by. Thus, understanding the implications of each prescribed Factor becomes important. However, DPDP itself does not provide much clarity. With regard to ‘sensitivity’, for example, neither does DPDP define the term nor separately explain ‘sensitive personal data/information’ (“SPDI”).
Nevertheless, concerned entities could interpret the term in light of provisions related to SPDI under other laws and proposals – including the SPDI rules and DPDP’s past avatars. Further, given that GDPR had heavily influenced such prior drafts, the EU’s provisions may provide additional interpretive guidance.

Clean Energy: Issue 2 of 2023

Clean Energy: Issue 2 of 2023

S&R Associates presents the second issue of its quarterly roundup series on clean energy. Here, we cover the period between the months of April and June, 2023.
Broadly, this issue comprises regulatory updates on renewable energy and electric vehicles, respectively, including central and state government notifications in this regard, India-related updates and international developments, as well as other miscellaneous items.
In addition, separate analyses with respect to the newly introduced carbon credit trading framework in India provide an overview of the country’s proposed carbon market. Lastly, we discuss the advisability of green hydrogen certification in India.

Personal Data Protection Bill

The Importance of Being ‘Significant’: Significant Data Fiduciaries Under India’s Proposed Data Protection Regime

Under Section 11 of India’s Digital Personal Data Protection Bill (“DPDP”), the central government (as opposed to a data protection authority) is authorized to notify ‘data fiduciaries’ (“DFs”) as ‘significant’ DFs (“SDFs”).
A DF can be any person who – either alone or in conjunction with others – determines the purpose and means of processing personal data. Individuals, companies, firms or any artificial juristic person may be considered a DF under DPDP. However, SDFs need to comply with additional obligations, over and above those prescribed for DFs in general. Such general obligations may include those listed under the IT Act and its rules.
Past iterations of DPDP had contained references to SDFs as well (although General Data Protection Regulation (“GDPR does not have an exact equivalent). In addition, some such prior versions had classified other types of DFs, such as: (i) ‘guardian’ DFs (“GDFs”) (in respect of children’s data, similar to the U.S.’s COPPA); and (ii) social media intermediaries (“SMIs”).
However, DPDP obliterates such latter categories, to the extent that GDFs and SMIs may now be subsumed under SDFs. Moreover, erstwhile SMI-specific parameters have been added to those applicable for SDF assessments. Nevertheless, since DPDP contains only a sparse description of SDF obligations in its present avatar, added requirements may be specified later. Meanwhile, DFs may want to check how such obligations were detailed in the past. Accordingly, in this note, we discuss DPDP’s provisions on SDFs with reference to existing law and past legislative proposals.

Personal Data

Defining the Scope of ‘Personal Data’ in Digital India

Last week, India’s Union Cabinet approved a revised version (the “2023 Draft”) of the Digital Personal Data Protection Bill (“DPDP”), which proposes to replace the country’s existing data protection framework.
Pursuant to extensive feedback received on a November 2022 draft (the “2022 Draft”), it now appears that the 2023 Draft of DPDP is ready for parliamentary deliberation during the monsoon session, scheduled between July 20 and August 11.
While several bills in this regard were drafted in the past, and various attempts have been made over the last decade to address privacy and data protection in India, the present instance may prove different on account of DPDP’s rudimentary form relative to previous iterations.
In this note, we unpack and discuss the statutory definition of personal data under the 2022 Draft. Our analysis is in light of GDPR provisions. Importantly, Section 4 of DPDP limits the latter’s operation to the processing of digital personal data. This is the first time that an Indian legislative proposal has expressly clarified such limitation.

Listing Obligations and Disclosure Requirements

SEBI Tightens Governance Norms for Listed Entities

On June 14, 2023, the SEBI tightened governance requirements for listed entities by amending the Securities and Exchange Board of India (Listing Obligations and Disclosure Requirements) Regulations, 2015. One of the key changes brought about by the SEBI is to the disclosure regime under Regulation 30 of the LODR Regulations, which will become effective on July 14, 2023. This note discusses these changes and their implications.

regulating Artificial Intelligence in India

Regulating Artificial Intelligence in India: Challenges and Considerations

Artificial Intelligence (“AI”), and generative AI applications in particular (e.g., ChatGPT), may revolutionize vast sections of the global economy. Significantly, this change could occur sooner than expected. On account of its ability to understand and process natural language, generative AI can perform a diverse set of tasks that consume a majority of human work time, thereby adding unprecedented value across sectors.
However, it is also important to account for adverse consequences. After all, AI can be deployed to infringe upon privacy, cause socio-political disruptions, generate biased outputs, and violate intellectual property rights (“IPRs”).
Nevertheless, India’s stance on regulating AI remains ambiguous. While the Ministry of Electronics and Information Technology was reluctant to introduce AI-specific laws at first, subsequent reports indicate that individuals may be ‘protected’ against harmful deployment. Accordingly, limits on AI use may be articulated under the proposed Digital India Act, including through the prism of user safety.
In this note, we analyze cross-jurisdictional developments for the purpose of exploring a viable regulatory template. While India’s approach should foster innovation and growth, it should not sacrifice individual and collective rights. At any rate, the risks associated with generative AI need to be recognized upfront, including for the purpose of designing India’s new digital regime.

SEBI Listing Regulations

Recent Amendments to the SEBI Listing Regulations: Additional Disclosure of Agreements and Special Rights to Shareholders

On June 14, 2023, the SEBI introduced certain amendments to the SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015, including in relation to disclosure of agreements entered into by or in relation to listed companies and approval by shareholders for special rights granted to shareholders.
While the amendments aim to create a more robust compliance framework and increase transparency and accountability of listed entities, they are likely to lead to additional compliance burden for listed entities and reduce flexibility to shareholders to enter into inter-se arrangements.