Managing Consent

Yes Means Yes: Managing Consent Under India’s New Data Protection Law

Unlike the EU’s GDPR (which allows non-consensual data processing under various circumstances), India’s new Digital Personal Data Protection Act, 2023 (the “DPDP Act”) relies heavily on consent as a ground for processing personal data. Other than a few ‘legitimate uses’ specified in the DPDP Act, consent will be the only legal basis for processing digital personal data in India once the law enters into force. This note discusses the role of consent managers and the potential of notice-and-consent management platforms (both inhouse and outsourced) to help entities comply with their obligations under the DPDP Act.


Disclosure Requirement SEBI Listing Regulations

Assessing the Sweep of a Recently Introduced Disclosure Requirement in the SEBI Listing Regulations

On June 14, 2023, the Securities and Exchange Board of India (“SEBI”) notified certain amendments to the SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015 (“SEBI Listing Regulations”). The amendments are designed to strengthen corporate governance in listed entities by enhancing shareholder suffrage and disclosure of material events. Notably, the amendments introduced a new Regulation 30A that is to be read with a newly inserted Clause 5A of Paragraph A of Part A of Schedule III to the SEBI Listing Regulations (“Clause 5A”). Regulation 30A mandates shareholders, promoters, promoter group entities, related parties, directors, key managerial personnel, and employees of a listed entity or of its holding company, subsidiary, or associate company (“Specified Persons”) to notify the listed entity as and when any of them enters into agreements covered by Clause 5A (“5A Agreements”).
This note highlights the key features of Clause 5A and outlines certain practical considerations for Specified Persons and listed entities.


Digital Personal Data Protection Act 2023

It’s Personal: A Roadmap for Data Mapping in Digital India

Although India’s newly published Digital Personal Data Protection Act, 2023 (the “DPDP Act”) is not yet in force, it is likely to take effect soon. Accordingly, while entities wait for the government to notify discrete provisions of the DPDP Act along with specific rules under it, they could use this transitional phase to align themselves to the requirements of the new regime and prepare for future obligations. Before anything else, organizations could draw up a compliance roadmap, the starting point of which should include a comprehensive data mapping exercise.
Organizational databases are likely to contain vast volumes of digitized information, not all of which may be considered ‘personal’ data. This note discusses the main features of the data mapping process, including the determination of, and the processual prerogatives with respect to, personal information contained in mixed datasets – where organizational data inventories are likely to comprise both personal and non-personal data.


Digital Personal Data Protection Act 2023

All Aboard: Getting Ready for India’s New Data Protection Journey

The Digital Personal Data Protection Act, 2023 (the “DPDP”) is poised to (re)define India’s legal framework with respect to the processing of digital personal data.
This new regime is designed to be an overarching one, irrespective of data category (in terms of sensitivity) or entity type. While provisions of the DPDP are likely to be notified soon, all organizations need to check whether and to what extent the DPDP applies to them and their operations.


Digital Personal Data Protection Act 2023

India’s New Law: The Digital Personal Data Protection Act, 2023

This note provides an overview of the Digital Personal Data Protection Act, 2023 that was published in the official gazette pursuant to a notification dated August 11, 2023. The Act will become effective from the date(s) notified by the Central Government, and different dates may be notified for different provisions. Also, rules may be notified in future, not inconsistent with the provisions of the Act, to carry out the purposes of the Act. The Act seeks to overhaul the current legal framework governing personal data in India. Accordingly, the Act establishes a legal framework to protect digital personal data, including by prohibiting the unauthorized use, alteration or sharing of information in a way that compromises the confidentiality, integrity and/or accuracy of such data. In this regard, the Act distinguishes among a data principal, data fiduciary and data processor, and provides rights for data principals and imposes obligations on data fiduciaries. The Act applies to consent managers as well.


’22/’23 Vision: Because India’s 2022 Draft Data Protection Law is so Last Year

A new version (the “23 Draft”) of India’s long-awaited Digital Personal Data Protection law (“DPDP”) is being moved for consideration and passing in the Lok Sabha today, i.e., Monday, August 7, 2023.
India has made several attempts over the last few years, including in terms of parliamentary tabling (and withdrawal), to introduce a comprehensive legal framework for data protection. However, the 23 Draft of DPDP was introduced in the Lok Sabha only late last week.
As such, it is a revised version of a previous DPDP draft that was released in November last year for public comments (the “22 Draft”). While the revised version contains several incremental changes compared to the 22 Draft, some such differences may prove significant in the long run.
A detailed analysis of the 23 Draft, along with an in-depth review relative to its prior iterations, will soon follow. Meanwhile, a few key takeaways from the current version in light of the changes made to the 22 Draft are highlighted here.
Accordingly, this note comprises two parts. Part I discusses the legislative status and possibilities with respect to DPDP’s 23 Draft. Part II provides a summary of key changes made to the 22 Draft, as currently reflected in the 23 Draft.


India’s New Data Regime

How Much and How Bad? Significant Others in India’s New Data Regime

According to a document dated August 1, 2023 made available today in respect of the list of business scheduled for the Lok Sabha’s coming calendar, the government will introduce an as-yet unreleased Union Cabinet-approved draft of the Digital Personal Data Protection Bill (“DPDP”) in India’s parliament tomorrow.
Despite stiff opposition, a parliamentary standing committee managed to adopt a favorable report on the revised 2023 version of DPDP, tabling it yesterday across both Houses and recommending an expeditious passage into law.
While DPDP is largely modeled on GDPR, India’s bespoke legislation may include a few key changes relative to the EU’s – such as in respect of significant data fiduciaries (“SDFs”), where the government is authorized to classify any entity as an SDF based on its own assessment of factors such as informational sensitivity, volume and the risk of harm.
Our last note on SDF parameters focused on sensitivity alone. Here, we address considerations related to ‘volume’ and ‘harm’, respectively. Since special obligations apply to SDFs (over and above those which all data fiduciaries must comply with), certain procedural aspects of impact assessments, automated processing and individual profiling may follow a GDPR-like template via bespoke regulation, as framed under DPDP later. Further, India’s existing SPDI Rules, as well as past and present legislative proposals, including the proposed Digital India Act and prior DPDP iterations, may provide indicative guidance.


Data Embassies in India

Data Embassies in India

In her Budget speech earlier this year, India’s Finance Minister had stated that the government would facilitate the establishment of ‘data embassies’ for the benefit of countries looking for digital continuity solutions. Such data embassies may be set up under the auspices of GIFT City in India’s first IFSC, located in Gujarat.
Accordingly, in order to allow countries and international companies to set up such embassies, the government may formulate a bespoke policy soon. To that end, it may notify specific norms, such as with respect to: (i) what a data embassy constitutes, (ii) the size and specifications of the data center necessary for such purpose, and (iii) whether data embassies can be virtual.
Further, such a policy will be expected to offer diplomatic immunity with respect to Indian regulations as far as the sovereign and commercial digital data of establishing entities is concerned. While it is likely that the lure of regulatory immunity will promote significant investment in India’s data industry – especially from technology infrastructure providers and cloud storage companies – India’s data embassy policy may allow for the storage of non-personal data only.
On the whole, this initiative appears to be part of a larger plan to build a trusted data storage ecosystem in India. As a novel device under public international law, data embassies have only recently become a viable option, especially among vulnerable states that face multifaceted uncertainties and threats. The idea of storing backups of critical state information in data embassies abroad – especially for the purpose of operating such databases from a secure, off-site center outside a state’s own borders – implies that such information remains available for retrieval in the event of a disaster or other emergency.


'Sensitive' Information Under India’s New Data Regime

Sense and Sensitivity : ‘Sensitive’ Information Under India’s New Data Regime

It appears that India’s Digital Personal Data Protection Bill (“DPDP”) is poised for consideration during the Lok Sabha’s ongoing monsoon session. Present reports about such proceedings suggest that despite strong dissent from the minority, a standing committee managed to adopt a draft report on DPDP just yesterday through a majority vote. Other pressing matters notwithstanding, since the monsoon session is scheduled to last until August 11, the government may get the draft law passed, after all.
Pursuant to Section 11 of DPDP, the central government (“CG”) can classify any company or other entity as a ‘significant data fiduciary’ (“SDF”) based on its own assessment of certain listed factors, which include the volume and sensitivity of personal data processed, as well as the risk of harm to individuals related to such data (“Factors”).
Importantly, special obligations apply to SDFs, in addition to the ones which all data fiduciaries must abide by. Thus, understanding the implications of each prescribed Factor becomes important. However, DPDP itself does not provide much clarity. With regard to ‘sensitivity’, for example, neither does DPDP define the term nor separately explain ‘sensitive personal data/information’ (“SPDI”).
Nevertheless, concerned entities could interpret the term in light of provisions related to SPDI under other laws and proposals – including the SPDI rules and DPDP’s past avatars. Further, given that GDPR had heavily influenced such prior drafts, the EU’s provisions may provide additional interpretive guidance.


Clean Energy

Clean Energy: Issue 2 of 2023

S&R Associates presents the second issue of its quarterly roundup series on clean energy. Here, we cover the period between the months of April and June, 2023.
Broadly, this issue comprises regulatory updates on renewable energy and electric vehicles, respectively, including central and state government notifications in this regard, India-related updates and international developments, as well as other miscellaneous items.
In addition, separate analyses with respect to the newly introduced carbon credit trading framework in India provide an overview of the country’s proposed carbon market. Lastly, we discuss the advisability of green hydrogen certification in India.