Managing Consent

Yes Means Yes: Managing Consent Under India’s New Data Protection Law

Unlike the EU’s GDPR (which allows non-consensual data processing under various circumstances), India’s new Digital Personal Data Protection Act, 2023 (the “DPDP Act”) relies heavily on consent as a ground for processing personal data. Other than a few ‘legitimate uses’ specified in the DPDP Act, consent will be the only legal basis for processing digital personal data in India once the law enters into force. This note discusses the role of consent managers and the potential of notice-and-consent management platforms (both inhouse and outsourced) to help entities comply with their obligations under the DPDP Act.

Disclosure Requirement SEBI Listing Regulations

Assessing the Sweep of a Recently Introduced Disclosure Requirement in the SEBI Listing Regulations

On June 14, 2023, the Securities and Exchange Board of India (“SEBI”) notified certain amendments to the SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015 (“SEBI Listing Regulations”). The amendments are designed to strengthen corporate governance in listed entities by enhancing shareholder suffrage and disclosure of material events. Notably, the amendments introduced a new Regulation 30A that is to be read with a newly inserted Clause 5A of Paragraph A of Part A of Schedule III to the SEBI Listing Regulations (“Clause 5A”). Regulation 30A mandates shareholders, promoters, promoter group entities, related parties, directors, key managerial personnel, and employees of a listed entity or of its holding company, subsidiary, or associate company (“Specified Persons”) to notify the listed entity as and when any of them enters into agreements covered by Clause 5A (“5A Agreements”).
This note highlights the key features of Clause 5A and outlines certain practical considerations for Specified Persons and listed entities.

Digital Personal Data Protection Act 2023

It’s Personal: A Roadmap for Data Mapping in Digital India

Although India’s newly published Digital Personal Data Protection Act, 2023 (the “DPDP Act”) is not yet in force, it is likely to take effect soon. Accordingly, while entities wait for the government to notify discrete provisions of the DPDP Act along with specific rules under it, they could use this transitional phase to align themselves to the requirements of the new regime and prepare for future obligations. Before anything else, organizations could draw up a compliance roadmap, the starting point of which should include a comprehensive data mapping exercise.
Organizational databases are likely to contain vast volumes of digitized information, not all of which may be considered ‘personal’ data. This note discusses the main features of the data mapping process, including the determination of, and the processual prerogatives with respect to, personal information contained in mixed datasets – where organizational data inventories are likely to comprise both personal and non-personal data.

Amendments to the Voluntary Delisting Process

Proposed Amendments to the Voluntary Delisting Process

The Securities and Exchange Board of India issued a consultation paper proposing certain amendments to the Securities and Exchange Board of India (Delisting of Equity Shares) Regulations, 2021. Amendments have been proposed to the counter-offer mechanism of the reverse book-building process, manner of calculation of floor price and the determination of the reference date. A fixed-price route for delisting and a framework for delisting of investment holding companies have also been proposed. This note summarizes the proposed changes to the voluntary delisting process.

Digital Personal Data Protection Act 2023

All Aboard: Getting Ready for India’s New Data Protection Journey

The Digital Personal Data Protection Act, 2023 (the “DPDP”) is poised to (re)define India’s legal framework with respect to the processing of digital personal data.
This new regime is designed to be an overarching one, irrespective of data category (in terms of sensitivity) or entity type. While provisions of the DPDP are likely to be notified soon, all organizations need to check whether and to what extent the DPDP applies to them and their operations.

Digital Personal Data Protection Act 2023

India’s New Law: The Digital Personal Data Protection Act, 2023

This note provides an overview of the Digital Personal Data Protection Act, 2023 that was published in the official gazette pursuant to a notification dated August 11, 2023. The Act will become effective from the date(s) notified by the Central Government, and different dates may be notified for different provisions. Also, rules may be notified in future, not inconsistent with the provisions of the Act, to carry out the purposes of the Act. The Act seeks to overhaul the current legal framework governing personal data in India. Accordingly, the Act establishes a legal framework to protect digital personal data, including by prohibiting the unauthorized use, alteration or sharing of information in a way that compromises the confidentiality, integrity and/or accuracy of such data. In this regard, the Act distinguishes among a data principal, data fiduciary and data processor, and provides rights for data principals and imposes obligations on data fiduciaries. The Act applies to consent managers as well.


Secondment: An Endless Battle with the Tax Authorities!

Secondment of employees, as an approach, has become a common practice followed by multinationals to utilize their skilled resources with an ambition of geographical expansion. The tax implications at the time of re-imbursement of salary costs to secondees under a secondment arrangement has been a controversial issue which has led to protracted litigation between the tax authorities and the assessees. The courts have delivered plethora of judgements over the past many years depending upon the facts and circumstances of each case. This note discusses the principles emerged from various judicial precedents.

’22/’23 Vision: Because India’s 2022 Draft Data Protection Law is so Last Year

A new version (the “23 Draft”) of India’s long-awaited Digital Personal Data Protection law (“DPDP”) is being moved for consideration and passing in the Lok Sabha today, i.e., Monday, August 7, 2023.
India has made several attempts over the last few years, including in terms of parliamentary tabling (and withdrawal), to introduce a comprehensive legal framework for data protection. However, the 23 Draft of DPDP was introduced in the Lok Sabha only late last week.
As such, it is a revised version of a previous DPDP draft that was released in November last year for public comments (the “22 Draft”). While the revised version contains several incremental changes compared to the 22 Draft, some such differences may prove significant in the long run.
A detailed analysis of the 23 Draft, along with an in-depth review relative to its prior iterations, will soon follow. Meanwhile, a few key takeaways from the current version in light of the changes made to the 22 Draft are highlighted here.
Accordingly, this note comprises two parts. Part I discusses the legislative status and possibilities with respect to DPDP’s 23 Draft. Part II provides a summary of key changes made to the 22 Draft, as currently reflected in the 23 Draft.

India’s New Data Regime

How Much and How Bad? Significant Others in India’s New Data Regime

According to a document dated August 1, 2023 made available today in respect of the list of business scheduled for the Lok Sabha’s coming calendar, the government will introduce an as-yet unreleased Union Cabinet-approved draft of the Digital Personal Data Protection Bill (“DPDP”) in India’s parliament tomorrow.
Despite stiff opposition, a parliamentary standing committee managed to adopt a favorable report on the revised 2023 version of DPDP, tabling it yesterday across both Houses and recommending an expeditious passage into law.
While DPDP is largely modeled on GDPR, India’s bespoke legislation may include a few key changes relative to the EU’s – such as in respect of significant data fiduciaries (“SDFs”), where the government is authorized to classify any entity as an SDF based on its own assessment of factors such as informational sensitivity, volume and the risk of harm.
Our last note on SDF parameters focused on sensitivity alone. Here, we address considerations related to ‘volume’ and ‘harm’, respectively. Since special obligations apply to SDFs (over and above those which all data fiduciaries must comply with), certain procedural aspects of impact assessments, automated processing and individual profiling may follow a GDPR-like template via bespoke regulation, as framed under DPDP later. Further, India’s existing SPDI Rules, as well as past and present legislative proposals, including the proposed Digital India Act and prior DPDP iterations, may provide indicative guidance.