Notice and Consent Requirements

Notice and Consent Requirements in India’s New Digital Data Regime

Given the imminence of India’s refurbished digital data framework, along with the diversely innovative ways in which personal data is collected and/or processed today on account of new technologies and platforms – ‘notice’ and ‘consent’ requirements have assumed additional importance.
In this note, we address some such aspects with reference to the current draft of India’s Digital Personal Data Protection Bill, 2022 (“DPDP”) and the EU’s General Data Protection Regulation (“GDPR”).
While DPDP mirrors certain provisions of GDPR with respect to notice and consent, there are significant departures from the EU template. In particular, while earlier iterations of DPDP had more faithfully reproduced GDPR-like disclosure requirements that were comprehensive, elaborate, and rights-laden, DPDP in its present form eschews several such principles. Moreover, DPDP introduces novelties such as ‘deemed consent’ – which we discuss in our next note.
Nevertheless, subject to potential changes in DPDP’s November 2022 draft further to stakeholder feedback, the revised DPDP bill (which is likely to be tabled before parliament during the monsoon session) may continue to retain references to bespoke regulation as may be subsequently prescribed – allowing for flexibility while technologies, priorities, and public policies evolve over time.


Reverse Flipping

Reverse Flipping: Is it Time to Return Home?

In the last few years, many Indian businesses “flipped” their shareholding structure by setting up a holding company in offshore jurisdictions. This was driven by several factors, including commercial, tax and regulatory considerations. However, this trend has reversed in recent times and the notion of “reverse-flipping” has picked up momentum. One objective of reverse flips has been to achieve a public listing in India. This note explores reverse flips and potential mechanisms to achieve them.


Personal Data

What We Talk About When We Talk About Personal Data

Developments in data science have revolutionized the means through which personal data is capable of being collected and/or processed. Control over mass markets can be instrumentalized through mobile and web-based terminals, each of which remains equipped with a variety of embedded technologies. As a result, vast numbers of users – who remain permanently online – come in contact with such technologies, including with respect to the ‘measurement’ of their individual characteristics.
Further, such bio-surveillance and/or data collection via internet-linked apps and devices is powered by increasingly sophisticated analytic tools provided by the digital infrastructures of online media platforms. Unsurprisingly, therefore, the world has witnessed a growing demand for the re-use of this valuable informational inventory.
Since the aggregation of such an inventory may involve both personal and non-personal data, the associated regulatory paradigm must consider the fundamental differences between the two. More importantly, India’s new digital data regime will likely remain alert about how personal information may be converted into its non-personal equivalent, as well as the ramifications of such conversion.


Arbitration Clause in an Unstamped or Insufficiently Stamped Agreement

An Arbitration Clause in an Unstamped or Insufficiently Stamped Agreement: The Supreme Court Decides

A five-judge bench of the Supreme Court of India has in N.N. Global Mercantile Private Limited v. Indo Unique Flame Limited & Others held by a 3:2 majority that an arbitration clause contained in an instrument that is not duly stamped is non-existent in law until such agreement is validated by payment of the requisite stamp duty following the procedure laid down under the relevant legislation for payment of stamp duty, particularly the Indian Stamp Act, 1899. The minority was of the view that non-payment of stamp duty on an agreement liable to stamp duty, being a curable defect, would not render the arbitration clause contained within such agreement to be void.
The following are the key takeaways from the decision. First, if an arbitration agreement (either standalone or contained as a provision in a contract) is found to be unstamped, it would be impounded immediately and returned only upon payment of the requisite stamp duty and penalty. Second, if such arbitration agreement is insufficiently stamped and the deficit in stamp duty is nominal, parties may undertake a self-assessment and pay the deficit stamp duty and penalty. Should parties not be able to self-assess the deficit in stamp duty, they are required to formally submit the agreement for adjudication with the relevant authority. Third, the judgment expressly notes that it does not comment on Section 9 of the Arbitration Act and Conciliation Act, 1996, as amended, in relation to application by parties to the courts for interim reliefs.


Digital India

Child’s Play in Digital India: Handling Teen Data with Kid Gloves?

With respect to the collection/processing of children’s personal information under Indian law, Clause 2(3) of the current draft of the country’s Digital Personal Data Protection Bill, 2022 (“DPDP”) defines a ‘child’ to mean “an individual who has not completed eighteen years of age.” Accordingly, a significant number of individuals may be covered under DPDP’s special requirements related to children’s data.
Meanwhile, the proposed Digital India Act (the “Proposed DI Act”) may also introduce special provisions with respect to children – including by ‘age gating’ them from: (i) addictive technologies, and (ii) online/digital platforms that collect/process their data. However, if the Proposed DI Act ends up defining a ‘child’ with a similarly high threshold, there may be implications for a multitude of online/digital/social media platforms, as well as for children and parents themselves, including in terms of access and compliance.
In this note, the fourth of S&R Data+, we discuss the implications of stipulating an upper age-limit of 18 while defining a child in connection with data protection, including through global comparisons.


Government Dues and IBC Waterfall

Government Dues and IBC Waterfall: Are We Heading Towards a Non-uniform Approach Across Sectors?  

The waterfall mechanism under the Insolvency and Bankruptcy Code, 2016 (“IBC”) gives priority to debts owed to financial creditors over operational dues, including statutory dues. However, certain recent case law and proposed statutory amendments have questioned this principle. In particular, a proposal has emerged that government dues secured pursuant to a transaction or an agreement should have priority over other dues (including financial dues). The Telecommunication Bill, 2022 proposes that the spectrum of telecom companies under insolvency should be returned to the central government on failure of payment of dues. This note discusses certain implications of such proposed changes.


India’s Proposed Digital Governance Framework

Back to the Future: India’s Proposed Digital Governance Framework

A first draft of the proposed Digital India Act (“DIA”) may be ready by June for public review, while a corresponding bill may be introduced before parliament soon thereafter, pursuant to industry feedback. Meanwhile, further to consultations between the Ministry of Electronics and Information Technology and select stakeholders across Bengaluru, New Delhi, and Mumbai in March and May 2023, the following principles appear likely to define the main thrust of the new law: (1) an open internet, (2) online safety, (3) a revised intermediary framework, (4) the regulation of new technologies, (5) non-personal data sharing, and (6) limited (or no) safe harbor.
This note, the third of S&R Data+ – a multipart series on data governance focused on personal and non-personal information – discusses these principles with respect to the DIA.


India’s digital governance framework

India’s Proposed Digital Governance Framework: Past Developments and Present Status

This is the second note of S&R Data+, a multipart series on data governance focused on personal and non-personal data, including with respect to their separate regulatory, legal, and commercial implications. The previous note summarized India’s existing data protection framework and provided an overview of India’s legislative trajectory in that regard. Here, we provide a snapshot of the gradual build-up to India’s proposed digital governance framework, including by analyzing past trends which have led to present developments.
While a recent flurry of legislative and policy activity promises to transform the country’s digital future, two landmark laws with respect to digital personal and non-personal data, respectively, may attain concrete shape by the end of 2023 itself – thereby replacing India’s existing data protection framework under the Information Technology Act, 2000, as amended, along with its allied rules.
While recent reports suggest that India’s current draft of the Digital Personal Data Protection Bill, 2022 is likely to be tabled before parliament in the month of July (as potentially revised pursuant to stakeholder comments), a proposed ‘Digital India Act’ has simultaneously gathered consultative traction – further to which a draft bill is expected around the same time. Thus, July 2023 promises to be a significant period for the country’s future.
Later in the series, we will examine the possible impact of such present developments on the shape of laws to come.


Personal and Non-Personal Data

Personal and Non-Personal Data in Digital India: Before and After

Over the past few years, the ripple effects of GDPR and the EU’s wider data governance regime have spread to, and influenced, the rest of the world – including India – especially with respect to the latter’s ongoing efforts to overhaul its domestic data protection framework. Furthermore, certain recent developments, involving key legislative and policy interventions, promise to fundamentally transform the country’s digital future, much like Europe’s. For instance, by the end of the year, two far-reaching laws – a ‘Digital Personal Data Protection Act’ (“DPDP”) and a ‘Digital India Act’ – may both reach fruition with respect to digitized personal data and non-personal data, respectively.
However, major gaps persist when it comes to distinguishing between the two. This distinction has assumed additional importance today for India – poised as it is on the cusp of a new governance architecture, replete with consequences related to collection, consent, processing, storage, protection, breach, exploitation, sovereignty, ownership, and localization. Accordingly, it is time that the unique techno-legal challenges and opportunities connected with personal and non-personal data, respectively, were separately examined – including to analyze their discrete regulatory requirements and commercial scope. At the same time, paradigmatic boundaries within the personal/non-personal continuum have increasingly blurred on account of the rising use of mixed datasets and de-anonymization techniques, the regulation of which has demanded urgent governmental attention.
In light of the above – ‘Data+’ – a special multipart series on data governance, will focus on analyzing personal and non-personal data separately while exploring the various legal, business, and regulatory issues associated with the two – including with respect to certain extraordinary innovations proposed under DPDP relative to GDPR, such as in respect of ‘deemed’ consent; sensitivity, volume, and harm; and relatedly, ‘significant data fiduciaries’. This note – the first of this special series – is divided into two sections. In Section I, we provide a brief summary of whether, and how, India’s existing data protection framework addresses the definitions of, and the distinction between, personal and non-personal data, respectively. In Section II, we provide an overview of India’s staggered legislative trajectory in this regard. Further into the series, we will analyze India’s proposed digital governance paradigm, including with respect to differences between personal and non-personal data.


Data Embassies

Readying the Law to Host ‘Data Embassies’ in India

Consistent with India’s stated aims of becoming a data storage and cloud computing hub, as the country seeks to encourage foreign governments and businesses to establish ‘data embassies’ at Gujarat’s GIFT City, a bespoke policy may soon be formulated along the lines of Bahrain’s cloud law, as well as for the purpose of defining a ‘data embassy’ appropriately such that its underlying and/or associated infrastructure qualifies for diplomatic protection under international law. Alternatively, such entities could be instrumentalized through customized bilateral agreements that re-interpret the Vienna Convention (like Estonia and Monaco signed with Luxembourg in 2017 and 2021, respectively) in respect of granting regulatory immunity to potentially both personal and non-personal information (as if it were physical premises), including with regard to non-sovereign commercial digital databases.
Clause 17 of India’s current draft of the Digital Personal Data Protection Bill, 2022 (“DPDP”) permits digitized personal data to be stored overseas, albeit at locations that satisfy the government in terms of political and protectional adequacy. In that regard, a revised iteration of DPDP (or rules framed thereunder) may subsequently include the principle of reciprocity in a way that foreign state or private entities are able to use local cloud ecosystems through state-of-the-art data centers located inside an Indian SEZ, including for the purpose of storing copies of critical government or business information for continuity, backup, and/or recovery-related reasons – in case the main servers back home get compromised – including on account of sustained denial-of-service attacks, a natural disaster, full-scale military invasions, or any other national emergency. 
Nevertheless, since DPDP deals exclusively with digitized personal data, if India’s data embassy policy envisages the storage of non-personal information only, it may need to rely on a different legislation – such as the proposed Digital India Act. Meanwhile, although certain Tier 3 and Tier 4 data centers with business continuity and disaster recovery functions are already operational at GIFT City, data embassies may require a new approach by leveraging diplomatic agreements bolstered by cloud technology solutions. Accordingly, India may want to develop a separate legal framework for the purpose of being perceived as a reliable host with respect to sensitive foreign databases.
With this background, this note examines how countries and companies (especially vulnerable and/or at-risk ones) that want and/or need digital continuity solutions may evaluate available options – given policy, legal, and logistical constraints in this regard.