Data Protection Regime in India

India’s New Data Protection Regime: Tracking Updates and Preparing for Compliance

The Digital Personal Data Protection Act, 2023 (the “DPDP Act”), published in India’s official gazette last year, is a new law regulating the collection, storage, use and processing of personal data. The DPDP Act will take effect from the date(s) notified by the Indian Government, and different dates may be notified for different provisions of the DPDP Act. Further, several provisions of the DPDP Act require specific rules which are yet to be notified.
According to a recent statement made by the new union minister of the Ministry of Electronics and Information Technology, the new rules are in advanced stages of drafting and are expected to be released for industry-wide consultation in the near future. Given that both rules and provisions of the DPDP Act are likely to be notified over the next few months, all entities need to check whether and to what extent the DPDP Act applies to them and their operations.
For the purpose of preparing for, and complying with, obligations under the DPDP Act, it would be advisable for all organizations to undertake data mapping exercises and data audits inter alia in order to facilitate the identification and determination of ‘personal’ information from mixed or legacy databases and/or organizational datasets.

AI-Generated Inventions

AI-Generated Inventions: New Questions for Patent Regimes

Since patent regimes around the world are primarily designed to reward “human” innovation, such norms may need to be revisited for the purpose of protecting inventions that are generated by artificial intelligence (“AI”).
In most jurisdictions, existing patent laws contemplate an “inventor” to (only) mean a natural person. Further, recent authoritative interpretations have been reluctant to extend the concept of inventorship to AI systems.
However, with the growing use of AI, modern technology has arrived at an inflection point where an AI algorithm can play a determinative role in the inventive process. Accordingly, the question of granting patents to AI-generated inventions has assumed additional importance, including in terms of incentivizing innovation and investments into future AI models.
Subject to new developments and priorities, legislators may want to consider options such as amending extant patent regimes, introducing a bespoke framework especially for AI-generated inventions, allowing human beings to be named as inventors to the extent of their involvement in the use or development of the AI system concerned, or even doing away with the requirement of naming an inventor for AI-generated inventions.

Semiconductor Industry in India

Opportunities in the Semiconductor Industry in India

Semiconductors, or ‘chips’, are the building blocks of electronic devices. They are used in products ranging from cars and drones to smartphones and computers, and across various sectors, including the aerospace and defence, telecom and automotive sectors. Currently, a majority of the semiconductor manufacturing market is dominated by countries such as Taiwan, China, the United States, South Korea and Japan. India relies on semiconductor imports from these countries. While the semiconductor manufacturing industry is currently at a nascent stage in India, the country has, over the last couple of years, taken active steps to tap this market owing to the worldwide shortage of semiconductors.
This note outlines the key initiatives of the Government of India in relation to the semiconductor industry, regulatory framework for investment, setting up operations in India and recent developments/investments in the semiconductor industry in India.

EU’s New Law on Artificial Intelligence

The EU’s New Law on Artificial Intelligence: Global Implications

Pursuant to ‘trilogue’ negotiations among major institutions of the EU, an agreement on a proposed regulation with respect to artificial intelligence (“AI”) was arrived at in Brussels a few months ago, the text of which may be approved, published, and subsequently enter into force later this year. This is the world’s first comprehensive law on AI (the “AI Act”). According to the current draft, the AI Act should apply two years after its entry into force, likely from the second quarter of 2026.
The broad focus of this new law is a risk-based approach, based on an AI system’s capacity to cause harm. Compared to prior legislative proposals, additional elements of the current agreement include rules on high-impact general-purpose AI models that can cause systemic risk in the future, as well as on high-risk AI systems. The AI Act may set a global standard for AI regulation in other jurisdictions, just like the EU’s General Data Protection Regulation (“GDPR”) did with respect to personal information. Moreover, similar to the GDPR, one of the most important effects of the AI Act will be its extraterritorial scope, involving obligations for non-EU businesses as well.

Can Deepfakes be Leveraged Responsibly?

‘Deepfakes’, which involve the creation of highly realistic content (images, video, audio) by harnessing the power of artificial intelligence (“AI”), raise important concerns related to misinformation, identity theft, fraud, privacy infringement and electoral democracy – including as recently witnessed in India via incidents involving media personalities and politicians. However, deepfakes also promise exciting possibilities in various fields and business applications, including for personalized marketing, virtual training simulations and operational efficiency.
As of date, India does not have a specific law to regulate deepfakes or AI. However, certain provisions under the Information Technology Act, 2000 and its corresponding rules (together, the “IT Act”) may be invoked by appropriate authorities in this regard, including with respect to potential misuse and related penalties. In addition, new legislation, such as the proposed Digital India Act and the recently published Digital Personal Data Protection Act, 2023, which together remain poised to overhaul the IT Act in its entirety, may introduce bespoke rules on regulating AI and deepfakes in India.
As organizations navigate this transformative techno-legal landscape, the responsible use of deepfake technology – including through a combined adoption of ethical frameworks, transparent policies, security measures, technical collaborations and awareness campaigns – is necessary to ensure a positive impact on the business ecosystem.

Regulating Artificial Intelligence

India’s Initiatives on Regulating Artificial Intelligence: Balancing Promotion with Protection

India’s stance on AI regulation has grown more sophisticated over the past few months. On the one hand, the country’s unique requirements have been articulated in respect of making vast datasets available for AI training, as well as to enable rapid AI deployment, innovation and growth. On the other hand, including for the purpose of addressing global concerns (some of which have arisen locally pursuant to recent events like those involving ‘deepfakes’), the government may rely on external influence – such as the risk-based approach contained in a recent political agreement on the EU’s AI Act.
With respect to the latter, new national laws, such as the proposed Digital India Act, may soon establish a concrete compliance framework, including in terms of regulating new technologies, protecting digital users from harm, enhancing intermediary liability, promoting algorithmic accountability and transparency, as well as curtailing monopoly, discrimination and bias. Further, recent reports on AI provide a useful blueprint for India’s long-term vision on AI governance, intellectual property, compute infrastructure and ethical considerations.

Private Sector Participation in India’s Space Sector

Reaching for the Stars: Private Sector Participation in India’s Space Sector

India’s recent achievements in space exploration have garnered significant global attention (e.g., Chandrayaan-3’s soft-landing on the lunar south pole; Aditya-L1’s solar study mission; and hitting key milestones in terms of achieving manned spaceflight capabilities as part of the Gaganyaan project). However, private sector participation in space activities continues to be hamstrung through a combination of: (i) financial constraints (e.g., a lack of access to capital, including continued challenges with respect to securing asset-based financing, such as on account of the mobility of such underlying assets); along with (ii) regulatory ambiguity (e.g., in terms of attributing and quantifying liability, including in respect of third-party liability insurance, as well as with regard to corresponding caps).
Nevertheless, several new initiatives in India hold promise, such as: (i) the Indian Space Policy, 2023; (ii) a stated commitment to increase the country’s global market share, including by moving away from a demand-based model to a supply-centric approach; (iii) the ongoing and time-bound processing of private sector applications (related to space activities) by the Indian National Space Promotion and Authorization Center (IN-SPACe) – a single-window nodal agency – including for the purpose of assisting erstwhile vendors and suppliers to move up the value chain; (iv) the aggregation of user requirements by NewSpace India Limited – a Central Government-owned enterprise – including for the purpose of utilizing new space assets optimally based on determinations of stakeholder accountability, as well as creating new ones based on demand confirmations; along with (v) the launch of the SpaceTech Innovation Network (SpIN) in order to foster entrepreneurial innovation – especially in respect of startups and SMEs.
This note outlines India’s efforts to enhance and improve upon space regulation – including through reforms and liberalization – while also highlighting obstacles in both policy and practice.

India’s Digital Public Infrastructure DPDP Act

India’s Digital Public Infrastructure Could Have All the Answers to Questions Under the DPDP Act

Confusion abounds among key stakeholders of India Inc. with respect to consent management and allied concerns under India’s newly published Digital Personal Data Protection Act, 2023. This is especially true in the context of age verification requirements, along with the means of obtaining verifiable parental consent for children’s data. However, India’s digital public infrastructure could provide all the right answers – eventually. This note explores and examines how.

Modifications to Schemes of Arrangement

Once a scheme of arrangement has been approved by its shareholders or the relevant National Company Law Tribunal, what, if any, modifications are permissible to the scheme of arrangement without seeking fresh shareholder approval?

This note considers the legal framework for modifications to approved schemes of arrangement. It also examines the proposed merger of Zee Entertainment with Sony Pictures India where this question potentially arises for consideration.

Contractual Arrangements Under India’s New Data Protection Law

Contractual Arrangements Under India’s New Data Protection Law: A Data Fiduciary’s Guide to the Data Processing Universe

In light of India’s new Digital Personal Data Protection Act, 2023 (the “DPDP Act”), organizations need to check whether and to what extent such new compliance regime applies to them and their operations. In this regard, they may need to improve their existing IT and cybersecurity systems. Relatedly, organizations should monitor entities in their supply chains with respect to data processing obligations. In particular, existing contractual arrangements may need to be reviewed, and future data processing agreements (“DPAs”) must be negotiated in light of the new law.

Unlike the GDPR, which places certain direct regulatory obligations on data processors, the DPDP Act appears to attribute sole responsibility to the main custodians of data even when the actual processing is undertaken by data processors pursuant to a contract or other arrangement. Therefore, organizations have to ensure that their own statutory obligations remain mirrored in their supply chain, as well as in delegated/outsourced data processing tasks.

Accordingly, this note discusses due diligence and risk assessment/mitigation strategies; key lessons from the GDPR; necessary clauses in a DPA; the possibility of transferring liability through, and the inclusion of appropriate indemnity provisions in, such DPAs; as well as ensuring confidentiality and security, along with business continuity and disaster recovery, in such contexts.