Technology; Media and Telecommunications Archives

India’s Digital Personal Data Protection Regime Takes Effect

Insights | November 24, 2025 | Practice Area: Data, Regulatory, Technology; Media and Telecommunications

On November 13, 2025, the Government of India notified the Digital Personal Data Protection Rules, 2025 (“Rules”) under the Digital Personal Data Protection Act, 2023 (“DPDP Act”). These rules follow the draft Digital Personal Data Protection Rules, 2025, which were released for public consultation and comments in January 2025.
The provisions of the DPDP Act and the Rules will come into force in three phases – with phase 1 provisions (relating to constitution of the Data Protection Board of India and other procedural provisions) becoming effective from November 14, 2025; phase 2 provisions (relating to consent managers) becoming effective in November 2026; and phase 3 provisions (substantive provisions) becoming effective in May 2027.
The Rules provide clarity on various aspects of the DPDP Act, including on consent notices, notification requirements in case of a personal data breach, conditions for registration and obligations of Consent Managers, verifiable parental consent for processing children’s data, additional obligations of Significant Data Fiduciaries, new data retention requirements for all data fiduciaries, reasonable security safeguards, and cross-border data transfers.
This note provides an overview of the key provisions under the Rules. Organizations should plan ahead and prepare for compliance under the DPDP Act and Rules.

India’s New Online Gaming Law: Implications for the Gaming Ecosystem

Insights | October 3, 2025 | Practice Area: General Corporate, Technology; Media and Telecommunications

The Promotion and Regulation of Online Gaming Act, 2025 (the “Online Gaming Act”) introduces a new regulatory framework for the gaming sector. The Online Gaming Act marks a significant shift in India’s approach to online gaming by recognizing and promoting e-sports and social games, while prohibiting all forms of real-money online games irrespective of whether they are skill- or chance-based. It extends in its application to both domestic and offshore operators targeting Indian users, as well as other participants in the gaming ecosystem such as financial intermediaries and advertisers.
The Online Gaming Act prescribes stringent penalties for non-compliance and establishes a central Gaming Authority with wide-ranging supervisory and enforcement powers.
This note analyzes the provisions of the Online Gaming Act, the regulatory and compliance risks for industry participants and its future implications.

A Framework for Using AI in the Indian Financial Sector

Insights | September 23, 2025 | Practice Area: Banking and Finance, Data, Regulatory, Technology; Media and Telecommunications

On August 13, 2025, a committee constituted by the Reserve Bank of India (“RBI”) released its report with respect to a proposed framework for the responsible and ethical enablement (FREE) of artificial intelligence (AI) models in the Indian financial sector (such report, “FREE AI Report”), pursuant to principles of transparency, responsibility, and ethical deployment. The proposed framework may require RBI-regulated entities, including banks, to undertake significant investments and operational changes, including with respect to new governance structures and capacity-building measures.
In general, the FREE AI Report provides an overview of potential compliance obligations which might be imposed on RBI-regulated entities through future AI-related regulation. In that regard, the report proposes a sector-specific approach based on amendments to existing regulations and new AI-specific rules. Accordingly, a principles-based framework has been recommended for developing new regulations to guide the development, deployment, and governance of AI. The report also recommends including AI regulation within the scope of certain existing RBI master directions, including on cybersecurity, digital lending, customer service, fraud detection, information technology (“IT”) governance, and outsourcing of IT services.
This note provides a broad overview of the FREE AI Report and discusses the ways in which RBI-regulated entities could act upon its recommendations, including for the purpose of preparing for future AI regulation. AI governance requirements may involve the design and implementation of measures and strategies to ensure that AI models deployed in the financial sector are safe, reliable, and trustworthy, including for enhancing customer confidence and trust, and facilitating greater integration of AI models in finance.

The Impact of India’s Data-Related Laws and Policies on AI Development and Deployment

Insights | July 23, 2025 | Practice Area: Competition/Antitrust, Data, Intellectual Property, Mergers and Acquisitions, Private Equity, Regulatory, Technology; Media and Telecommunications

The rise of Artificial Intelligence (“AI”) and Machine Learning (“ML”) promises both opportunities and risks. To address such risks while leveraging the power of AI/ML for new areas of growth, stakeholders need to remain attentive to an evolving regulatory landscape. Unlike the European Union, India is yet to enact an overarching law on AI. Nevertheless, AI developers, deployers, investors, and other relevant entities in the AI supply chain must stay informed about existing and emergent regulatory initiatives across several industries, sectors, and legal regimes. Given India’s ongoing policy and legislative attempts to govern AI, especially with respect to addressing deployment-related concerns and potential harm, the outcome of such processes is likely to emerge soon, even if in fragmented fashion.
Since AI model training relies heavily on data, India’s fast-developing data protection framework warrants special attention. Balancing compliance with innovation will remain crucial for organizations as they aim to thrive under India’s regulatory ecosystem on digital data and AI.

A Guide to Designing Consent Management Systems under the DPDP Act

Insights | July 18, 2025 | Practice Area: Regulatory, Technology; Media and Telecommunications

The Business Requirement Document (“BRD”) for consent management released by the Ministry of Electronics and Information Technology (MeitY) on June 6, 2025, provides a technical blueprint for organizations to design and implement a consent management system (“CMS”) in compliance with theDigital Personal Data Protection Act, 2023(“DPDP Act”) and its rules.Pursuant to such framework, organizations can design a CMS that enables them to undertake comprehensive consent lifecycle management in a manner that aligns with the DPDP Act’s emphasis on data minimization, purpose limitation, transparency, and accountability.
This note discusses the BRD, including with respect to the functional and operational aspects of consent management, the roles and responsibilities of various stakeholders, and the implications for organizations building or updating their CMS.

India’s Concerns About Deepseek and Possible Regulatory Responses

Insights | May 20, 2025 | Practice Area: Data, Regulatory, Technology; Media and Telecommunications

Large language models (“LLMs”) connected with DeepSeek, OpenAI’s ChatGPT, and xAI’s Grok, have faced significant regulatory attention in recent times. In particular, DeepSeek’s LLMs and artificial intelligence (“AI”)-based chatbots have been prohibited, restricted, and/or extensively reviewed by several countries, including because of concerns related to privacy and national security.
While the Government of India (“Government”) is currently monitoring the use of DeepSeek by Indian users, it may adopt regulatory measures under existing provisions of the Information Technology Act, 2000 (“IT Act”) and its rules, as necessary. Such provisions include those related to: (i) blocking public access on account of risks to the security or sovereignty of India (under section 69A of the IT Act), subject to specified procedures and safeguards; and (ii) ‘safe harbor’ and intermediary liability (under section 79 of the IT Act), subject to due diligence and other obligations in respect of hosting third-party information.
Further, the Government has certain powers under the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and its rules, the provisions of which are yet to be notified but are expected to come into force soon. Such powers include restricting cross-border data flows/ transfers and requiring data localization in certain circumstances.

Navigating Data Minimization Requirements under India’s DPDP Act

Insights | January 17, 2025 | Practice Area: Data, Regulatory, Technology; Media and Telecommunications

While the provisions of India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”) and its rules are yet to be notified, organizations need to prepare for a new set of compliance obligations and plan ahead. In large part, the DPDP Act follows global regulatory templates like the EU’s GDPR and embodies similar overarching principles such as data minimization and purpose limitation. The procedural implications of such principles reflected in the DPDP Act will translate into specific obligations and practices related to data collection, processing, sharing, and storage, especially in the context of Big Data analytics – including through the use of artificial intelligence and machine learning techniques.
This note analyzes the principle of data minimization under the DPDP Act, its interface with other laws (including with respect to consumer protection), and discusses potential learnings from other jurisdictions, including for the purpose of implementing such principle at an operational level.

Fiber Opportunity in India: Regulatory Framework and Right-of-Way Management

Insights | January 16, 2025 | Practice Area: General Corporate, Mergers and Acquisitions, Private Equity, Regulatory, Technology; Media and Telecommunications

With increasing demand for high-speed internet, 5G roll-out and data center growth, deployment of a robust and reliable optic fiber cable (“OFC”) infrastructure has become essential to support India’s expanding digital ecosystem. Fueled by this market opportunity, companies are focusing on expanding their OFC networks and investors are exploring potential opportunities for fiber investments in India. Several telecom operators have already consolidated their fiber assets in a path towards monetization of such assets.
This note explores the legal framework and recent developments regarding Right-of-Way for OFC in India.

Draft Digital Personal Data Protection Rules, 2025

Legal Updates | January 10, 2025 | Practice Area: Data, Regulatory, Technology; Media and Telecommunications

A long-anticipated draft of the Digital Personal Data Protection Rules, 2025 (“Draft Rules”) was released by the Central Government (“Government”) on January 3, 2025 for public consultation and comments, along with an explanatory note on the contents on the Draft Rules. Once brought into effect, these rules will enable implementation of the Digital Personal Data Protection Act, 2023 (the “DPDP Act” or the “Act”), which was published in the Official Gazette on August 11, 2023, although not yet in force. The consultation process on the Draft Rules will continue until February 18, 2025. The rules under the DPDP Act are proposed to be implemented in a staggered manner.
To recap, the DPDP Act lays down the law for processing of digital personal data (any data in digital form about an individual who is identifiable by or in relation to such data) in a manner that recognizes both the rights of individuals to protect their personal data and the need to process such data for lawful purposes and for connected or incidental matters. For an overview of the provisions of the DPDP Act, please see our notes here and here.
This note analyzes certain key aspects introduced or further clarified under the draft rule.

Accessing Space for Commercial Activities and Satellite Spectrum Allocation in India

Insights | January 6, 2025 | Practice Area: General Corporate, Mergers and Acquisitions, Private Equity, Regulatory, Technology; Media and Telecommunications

The Government of India has been actively working towards liberalizing the space sector and enhancing private sector participation. In this regard, given the stakes involved and the positions taken by various interested parties, the process for allocation of satellite spectrum remains a contentious point.
There has been a major debate among service providers regarding the appropriate way to allocate satellite spectrum.
While the Telecommunications Act, 2023 (“Telecom Act”) favors administrative allocation of satellite spectrum, the details of such process are yet to be finalized. This note considers the debate involving auctions and administrative allocation and provides an overview of past and recent developments with respect to Supreme Court judgements, digital communications policy, frequency allocation plan, space policy and the Telecom Act. It also discusses past consultation papers and recommendations of the Telecom Regulatory Authority of India on satellite spectrum allocation, as well as the recent provisional satellite spectrum allocation approved by the Department of Telecommunications.