<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Privacy and Data Protection | Category | - Bhatt &amp; Joshi Associates</title>
	<atom:link href="https://bhattandjoshiassociates.com/category/privacy-and-data-protection/feed/" rel="self" type="application/rss+xml" />
	<link>https://bhattandjoshiassociates.com/category/privacy-and-data-protection/</link>
	<description>Best High Court Advocates &#38; Lawyers</description>
	<lastBuildDate>Wed, 24 Dec 2025 10:32:23 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>

<image>
	<url>https://bhattandjoshiassociates.com/wp-content/uploads/2025/08/cropped-bhatt-and-joshi-associates-logo-32x32.png</url>
	<title>Privacy and Data Protection | Category | - Bhatt &amp; Joshi Associates</title>
	<link>https://bhattandjoshiassociates.com/category/privacy-and-data-protection/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Cross-Border Data Transfers: Sovereignty Meets the Borderless Internet</title>
		<link>https://bhattandjoshiassociates.com/cross-border-data-transfers-sovereignty-meets-the-borderless-internet/</link>
		
		<dc:creator><![CDATA[Aaditya Bhatt]]></dc:creator>
		<pubDate>Wed, 24 Dec 2025 10:31:51 +0000</pubDate>
				<category><![CDATA[Privacy and Data Protection]]></category>
		<category><![CDATA[cross border data transfers]]></category>
		<category><![CDATA[data compliance]]></category>
		<category><![CDATA[Data Privacy]]></category>
		<category><![CDATA[data regulations]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[digital data protection]]></category>
		<category><![CDATA[DPDP Act India]]></category>
		<category><![CDATA[GDPR]]></category>
		<category><![CDATA[global data compliance]]></category>
		<category><![CDATA[international data transfer]]></category>
		<guid isPermaLink="false">https://bhattandjoshiassociates.com/?p=30711</guid>

					<description><![CDATA[<p>The flow of data across international borders has become the lifeblood of the modern digital economy, yet this seamless transfer of information increasingly collides with national sovereignty concerns and divergent regulatory frameworks. As nations grapple with protecting their citizens&#8217; privacy while maintaining economic competitiveness, a complex web of regulations has emerged that fundamentally reshapes how [&#8230;]</p>
<p>The post <a href="https://bhattandjoshiassociates.com/cross-border-data-transfers-sovereignty-meets-the-borderless-internet/">Cross-Border Data Transfers: Sovereignty Meets the Borderless Internet</a> appeared first on <a href="https://bhattandjoshiassociates.com">Bhatt &amp; Joshi Associates</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img fetchpriority="high" decoding="async" class="alignnone wp-image-30712" src="https://bj-m.s3.ap-south-1.amazonaws.com/uploads/2025/12/Cross-Border-Data-Transfers-Sovereignty-Meets-the-Borderless-Internet-300x157.png" alt="Cross-Border Data Transfers Sovereignty Meets the Borderless Internet" width="1015" height="531" srcset="https://bhattandjoshiassociates.com/wp-content/uploads/2025/12/Cross-Border-Data-Transfers-Sovereignty-Meets-the-Borderless-Internet-300x157.png 300w, https://bhattandjoshiassociates.com/wp-content/uploads/2025/12/Cross-Border-Data-Transfers-Sovereignty-Meets-the-Borderless-Internet-1024x536.png 1024w, https://bhattandjoshiassociates.com/wp-content/uploads/2025/12/Cross-Border-Data-Transfers-Sovereignty-Meets-the-Borderless-Internet-768x402.png 768w, https://bhattandjoshiassociates.com/wp-content/uploads/2025/12/Cross-Border-Data-Transfers-Sovereignty-Meets-the-Borderless-Internet.png 1200w" sizes="(max-width: 1015px) 100vw, 1015px" /></p>
<p><span style="font-weight: 400;">The flow of data across international borders has become the lifeblood of the modern digital economy, yet this seamless transfer of information increasingly collides with national sovereignty concerns and divergent regulatory frameworks. As nations grapple with protecting their citizens&#8217; privacy while maintaining economic competitiveness, a complex web of regulations has emerged that fundamentally reshapes how organizations handle cross-border data transfers.</span></p>
<h2><b>The Emergence of Cross-Border Data Transfer Regulation</b></h2>
<p><span style="font-weight: 400;">Cross-border data transfers involve the movement of personal or sensitive information from one jurisdiction to another for processing, storage, or operational purposes. These transfers enable everything from cloud computing and international commerce to healthcare research and financial services. However, the borderless nature of the internet has created jurisdictional tensions as governments seek to assert control over data originating within their territories.</span></p>
<p><span style="font-weight: 400;">The regulatory landscape governing these transfers has evolved dramatically over the past decade. Different nations have adopted varying approaches based on their unique political, economic, and security considerations. Some jurisdictions emphasize protecting individual privacy rights through strict consent requirements and adequacy assessments, while others prioritize national security through data localization mandates or blacklist approaches. This divergence has created significant compliance challenges for multinational organizations that must navigate multiple, sometimes conflicting, regulatory regimes simultaneously.</span></p>
<h2><b>European Union&#8217;s Framework Under GDPR</b></h2>
<p><span style="font-weight: 400;">The European Union established one of the most influential regulatory frameworks for cross-border data transfers through the General Data Protection Regulation. Chapter V of the GDPR, specifically Articles 44 through 50, creates a structured system for regulating how personal data can be transferred outside the European Economic Area [1]. This framework establishes a hierarchical approach with three primary mechanisms for lawful data transfers.</span></p>
<p><span style="font-weight: 400;">The highest tier involves adequacy decisions issued by the European Commission under Article 45 GDPR. When the Commission determines that a third country ensures an adequate level of protection essentially equivalent to that guaranteed within the EU, personal data can flow to that jurisdiction without requiring specific authorization [1]. The Commission must consider various factors when assessing adequacy, including the rule of law, respect for human rights and fundamental freedoms, relevant legislation concerning public security and national security, data protection rules, professional standards, security measures, and the existence of effective independent supervisory authorities [2].</span></p>
<p><span style="font-weight: 400;">The concept of &#8220;essential equivalence&#8221; rather than identical protection was crystallized through landmark litigation. In Data Protection Commissioner v. Facebook Ireland Limited, commonly known as Schrems II, the Court of Justice of the European Union invalidated the EU-US Privacy Shield framework on July 16, 2020 [3]. The Court held that surveillance programs operated by United States intelligence agencies, particularly those authorized under Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333, were not limited to what is strictly necessary and constituted disproportionate interference with the rights to data protection and privacy. The judgment emphasized that the level of protection afforded to data transferred outside the EU must be essentially equivalent to that guaranteed by the GDPR when read in light of the Charter of Fundamental Rights of the European Union.</span></p>
<p><span style="font-weight: 400;">The Schrems II decision fundamentally altered the compliance landscape by invalidating the Privacy Shield adequacy decision and placing greater scrutiny on the alternative transfer mechanisms. Standard Contractual Clauses, pre-approved contractual terms that data exporters and importers can use to legitimize transfers, remained valid under Article 46 GDPR. However, the Court imposed stricter requirements: organizations relying on SCCs must assess, case by case, whether the law and practice of the data importer&#8217;s jurisdiction allow the clauses to be honoured in practice, and must supplement the clauses with additional safeguards where they do not [3]. This requirement forces organizations to evaluate the laws and practices of destination countries, particularly regarding government surveillance and data access powers, and to implement technical, organizational, or contractual measures to compensate for any deficiencies.</span></p>
<p><span style="font-weight: 400;">Following the Schrems II invalidation, the United States and European Union negotiated a new framework. In July 2023, the European Commission adopted an adequacy decision for the EU-US Data Privacy Framework, which established new protections for personal data transferred from the EU to participating US organizations [4]. This framework was built upon Executive Order 14086, signed by President Biden in October 2022, which strengthened privacy safeguards governing signals intelligence activities and created a new redress mechanism through the Data Protection Review Court. In September 2025, the General Court dismissed a challenge to this adequacy decision in Case T-553/23, affirming that the DPRC provided sufficient independence and impartiality despite being established by executive action rather than congressional legislation [5].</span></p>
<h2><b>United States National Security Approach</b></h2>
<p><span style="font-weight: 400;">Unlike the EU&#8217;s comprehensive data protection regime, the United States historically lacked federal legislation specifically governing cross-border personal data transfers. However, national security concerns prompted a significant shift in American policy. On February 28, 2024, President Biden issued Executive Order 14117 titled &#8220;Preventing Access to Americans&#8217; Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern&#8221; [6]. This executive order marked the most significant federal action to regulate outbound data flows, representing a departure from the traditionally open approach the United States maintained toward international data transfers.</span></p>
<p><span style="font-weight: 400;">Executive Order 14117 authorized the Department of Justice to issue regulations under the International Emergency Economic Powers Act to prohibit or restrict certain transactions that would grant countries of concern access to Americans&#8217; bulk sensitive personal data or US government-related data [6]. The order identified China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela as countries of concern. The regulatory framework distinguishes between prohibited transactions, which include data brokerage involving covered data and all transactions involving bulk human genomic data, and restricted transactions, which encompass vendor agreements, employment agreements, and investment agreements that must comply with specific security requirements.</span></p>
<p><span style="font-weight: 400;">On December 27, 2024, the DOJ issued its final rule implementing Executive Order 14117, which took effect on April 8, 2025 [7]. The rule establishes the Data Security Program, creating a comprehensive regulatory structure that requires US persons to take reasonable steps to determine whether their data transactions involve countries of concern or covered persons. Covered persons include foreign entities organized under the laws of countries of concern, entities that are fifty percent or more owned by such countries, foreign individuals primarily resident in these countries, and employees or contractors of covered entities [7]. The program imposes strict due diligence, audit, and reporting requirements, with violations subject to civil penalties up to $368,136 or twice the transaction amount, and criminal penalties including imprisonment up to twenty years for willful violations.</span></p>
<p><span style="font-weight: 400;">The DOJ rule defines bulk sensitive personal data to include precise geolocation data, biometric identifiers, human genomic data, personal health data, personal financial data, and certain categories of personally identifiable information when they exceed specified quantitative thresholds [7]. Data brokerage is defined broadly to include the sale of data, licensing of access to data, or similar commercial transactions where the recipient did not collect the data directly from the individuals to whom it relates. The rule provides exemptions for certain transactions, including those required by federal law, clinical trials regulated by the FDA, provision of telecommunications services, financial services transactions subject to existing banking frameworks, and official US government activities.</span></p>
<h2><b>India&#8217;s Blacklist Approach</b></h2>
<p><span style="font-weight: 400;">India enacted the Digital Personal Data Protection Act in August 2023, establishing the nation&#8217;s first comprehensive data protection statute [8]. The DPDPA applies extraterritorially to processing outside India that is connected with offering goods or services to data principals within India. This legislation represents a significant departure from earlier draft bills that proposed stringent data localization requirements for sensitive personal data.</span></p>
<p><span style="font-weight: 400;">The DPDPA adopts what is termed a blacklist or negative list approach to cross-border data transfers under Section 16. Unlike the EU&#8217;s system, which requires an affirmative adequacy determination before data may flow freely, the DPDPA permits transfers to any country except those specifically restricted by the central government [8]. The Act grants the government discretionary authority to prohibit transfers to specified countries or territories by notification, without requiring transparency about the criteria used for such determinations and without providing alternative transfer mechanisms such as standard contractual clauses. No country had been blacklisted as of the notification of the 2025 Rules, leaving significant uncertainty for organizations planning international data operations.</span></p>
<p><span style="font-weight: 400;">The Digital Personal Data Protection Rules 2025, notified on November 13, 2025, operationalize the DPDPA&#8217;s provisions and establish a phased implementation timeline extending twelve to eighteen months [9]. Under the Act, a data fiduciary may engage a data processor only under a valid contract, though neither the Act nor the rules prescribe specific contractual terms. The DPDPA designates certain entities as Significant Data Fiduciaries, which face heightened obligations including appointing India-based data protection officers, conducting annual audits, and implementing additional security measures. Rule 12 of the January 2025 draft rules indicated that SDFs may face restrictions on transferring certain categories of personal data outside India, though the exact scope remains subject to government notification.</span></p>
<p><span style="font-weight: 400;">Importantly, Section 16(2) of the DPDPA specifies that it does not restrict the applicability of other laws that provide a higher degree of protection [8]. This provision means that sector-specific regulations issued by authorities such as the Reserve Bank of India and the Securities and Exchange Board of India continue to operate alongside the DPDPA. For instance, the RBI&#8217;s 2018 directive on storage of payment system data requires all payment system providers to store data relating to payment systems only in India, effectively mandating data localization for the payments sector. For cross-border transactions involving both foreign and domestic components, data pertaining to the foreign leg may be stored outside India, but domestic transaction data must remain within the country.</span></p>
<p><span style="font-weight: 400;">Unlike the Chinese regulations discussed below, the DPDPA contains no transfer-specific exemptions for contract performance, emergencies or cross-border human resource management. Section 7 of the Act lists &#8220;certain legitimate uses&#8221; for which consent is not required, including processing for employment purposes and for responding to a medical emergency, but these are grounds for processing rather than exemptions from transfer restrictions: a notification under Section 16 applies irrespective of the ground on which the personal data is processed [8].</span></p>
<h2><b>China&#8217;s Evolving Cross-Border Data Transfer Regime</b></h2>
<p><span style="font-weight: 400;">China established a multifaceted legal framework for cross-border data transfers through three foundational laws: the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law. These statutes created three primary mechanisms for lawful data transfers: security assessments conducted by the Cyberspace Administration of China, standard contracts based on Chinese templates, and certification programs demonstrating compliance with data protection requirements. The comprehensive documentation requirements and extended timescales for obtaining CAC approval presented significant compliance challenges for multinational corporations operating in China.</span></p>
<p><span style="font-weight: 400;">On March 22, 2024, the CAC issued final Regulations on Promoting and Regulating Cross-Border Data Flows, which took immediate effect and substantially relaxed previous requirements [10]. The regulations introduce three categories of exemptions from the standard legal mechanisms. First, transfers necessary for contract performance, such as those required for cross-border shopping, courier services, payment processing, hotel and flight bookings, visa applications, and examination services, are exempted. Second, transfers necessary to protect life, health, or property in emergency situations do not require compliance with standard mechanisms. Third, employee data transfers necessary for cross-border human resource management conducted according to applicable labor rules and collective contracts are exempt.</span></p>
<p><span style="font-weight: 400;">The CBDT Regulations also raise the thresholds that trigger mandatory compliance, significantly reducing the number of transfers requiring CAC oversight [10]. For organizations not designated as Critical Information Infrastructure Operators, the applicable mechanism now turns on the volume transferred abroad since January 1 of the current year: transfers of non-sensitive personal information of fewer than one hundred thousand individuals require no security assessment, standard contract filing or certification at all; transfers of non-sensitive personal information of between one hundred thousand and one million individuals, or of sensitive personal information of fewer than ten thousand individuals, require a filed standard contract or a certification; and transfers above those levels, as well as any transfer by a CIIO or of important data, still require a CAC security assessment.</span></p>
<p><span style="font-weight: 400;">An innovative provision allows each free trade zone within China to establish a negative list specifying data transfers subject to standard legal mechanisms [10]. Data transfers not included in the negative list are not required to undergo security assessments, standard contract filing, or certification. Such negative lists must receive approval from provincial CAC authorities and be filed with both the central CAC and the National Data Bureau. This approach provides significant flexibility for multinational corporations operating within designated FTZs, potentially enabling more streamlined data operations aligned with international business practices.</span></p>
<h2><b>Practical Compliance Challenges and Solutions</b></h2>
<p><span style="font-weight: 400;">Organizations conducting cross-border data transfers face numerous operational challenges in maintaining compliance across multiple jurisdictions. Data mapping emerges as the foundational requirement, requiring companies to comprehensively document what data is collected, where it is stored, how it flows across borders, and which entities have access. This process must account for both structured transfers governed by formal contracts and unstructured flows such as employee access to cloud-based systems, internal communications platforms, and collaborative tools.</span></p>
<p><span style="font-weight: 400;">The concept of essentially equivalent protection established in Schrems II requires organizations to conduct transfer impact assessments evaluating whether destination countries provide adequate legal protections. These assessments must analyze the laws and practices of receiving jurisdictions, particularly regarding government surveillance powers, mandatory data disclosure requirements, and available legal remedies for individuals. Where gaps exist, organizations must implement supplementary measures, which can include technical safeguards like encryption, pseudonymization, or data minimization; organizational measures such as limiting data categories transferred or restricting access rights; and contractual provisions establishing clear data processing limitations and audit rights.</span></p>
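<p>As an added example that is not part of the original article, the following Python shows pseudonymization as a supplementary measure in the sense used above: direct identifiers are replaced with keyed HMAC tokens before export, the key and the token-to-identifier table stay with the exporter in the originating jurisdiction, and an export gate rejects any batch still carrying identifiers. It also goes one step beyond the text to show why an unkeyed hash of an email address is not an adequate pseudonym. The records, field names and key handling are constructed for illustration and are not drawn from any real transfer.</p>

```python
import hashlib
import hmac
import re

# Constructed sample records (not real people). Field names are illustrative.
RAW_RECORDS = [
    {"name": "Asha Rao", "email": "Asha.Rao@example.com", "country": "IN",
     "order_total": 120.0, "month": "2025-11"},
    {"name": "Liam Byrne", "email": "liam.byrne@example.ie", "country": "IE",
     "order_total": 45.5, "month": "2025-11"},
    {"name": "Asha Rao", "email": "asha.rao@example.com", "country": "IN",
     "order_total": 80.0, "month": "2025-12"},
]

DIRECT_IDENTIFIERS = {"name", "email", "phone"}
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def _normalise(email: str) -> str:
    return email.strip().lower()


def unkeyed_token(email: str) -> str:
    """Plain SHA-256 of the identifier: NOT an adequate pseudonym, because anyone
    holding a list of candidate emails can recompute it (see dictionary_attack)."""
    return hashlib.sha256(_normalise(email).encode()).hexdigest()[:32]


def subject_token(email: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalised identifier, truncated to
    128 bits. Without the key the token cannot be recomputed from a guess."""
    return hmac.new(key, _normalise(email).encode(), hashlib.sha256).hexdigest()[:32]


def pseudonymize_batch(records, key: bytes):
    """Split a batch into what leaves the jurisdiction and what stays behind.
    Returns (export_batch, lookup): the lookup table (token -> identifier) and
    the key remain with the exporter; only export_batch goes to the importer."""
    batch, lookup = [], {}
    for r in records:
        tok = subject_token(r["email"], key)
        lookup[tok] = _normalise(r["email"])
        stripped = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        stripped["subject_id"] = tok
        batch.append(stripped)
    return batch, lookup


def passes_export_gate(batch) -> bool:
    """Pre-transfer check: no direct-identifier fields and no email-shaped values
    hiding in free-text fields."""
    for rec in batch:
        if DIRECT_IDENTIFIERS & set(rec):
            return False
        if any(isinstance(v, str) and EMAIL_RE.search(v) for v in rec.values()):
            return False
    return True


def reidentify(token: str, lookup: dict):
    """Only the exporter, who holds the lookup table, can reverse a token."""
    return lookup.get(token)


def dictionary_attack(token: str, candidates, tokenizer):
    """Importer-side adversary: recompute tokens for a list of candidate
    identifiers and look for a match. Succeeds against unkeyed hashes, fails
    against HMAC tokens when the key is withheld."""
    for c in candidates:
        if tokenizer(c) == token:
            return _normalise(c)
    return None


if __name__ == "__main__":
    import secrets
    key = secrets.token_bytes(32)  # generated and retained by the exporter
    batch, lookup = pseudonymize_batch(RAW_RECORDS, key)
    print("gate passed:", passes_export_gate(batch))
    print("exported record:", batch[0])
    print("re-identified by exporter:", reidentify(batch[0]["subject_id"], lookup))
```

<p>Because the same email always maps to the same token under one key, the importer can still join and aggregate records per subject, which is the utility pseudonymization is meant to preserve; rotating the key per importer prevents two importers from linking their datasets to each other.</p>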
<p><span style="font-weight: 400;">Vendor due diligence has become increasingly complex under the new regulatory frameworks. Organizations must screen business partners against sanctions lists, verify ownership structures to identify connections to restricted countries or entities, and ensure contractual agreements include appropriate data protection terms. The DOJ&#8217;s Data Security Program requires annual independent audits by qualified entities that are not covered persons, imposing ongoing verification obligations. Similarly, entities designated as Significant Data Fiduciaries under India&#8217;s DPDPA must conduct regular compliance audits and maintain detailed processing records.</span></p>
<p><span style="font-weight: 400;">Privacy-enhancing technologies offer promising solutions for maintaining data utility while addressing cross-border transfer restrictions. Techniques such as fully homomorphic encryption enable computation on encrypted data without requiring decryption, potentially allowing organizations to process data across borders while maintaining confidentiality. Differential privacy adds mathematical noise to datasets to protect individual privacy while preserving statistical accuracy for analysis. Secure multi-party computation allows multiple parties to jointly compute functions over their inputs while keeping those inputs private. Regulators including Singapore&#8217;s Infocomm Media Development Authority and the European Data Protection Board have recognized PETs as valuable tools for facilitating compliant cross-border data flows.</span></p>
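<p>As an added example, not taken from the original article, the following Python implements the Laplace mechanism for differential privacy on a counting query over a constructed population, with a privacy budget that enforces sequential composition. It also shows the failure mode the budget guards against: repeated answers to the same query without accounting average the noise away. The dataset and field names are invented for illustration.</p>

```python
import math
import random

# Constructed sample population (not real people): one row per individual.
_pop_rng = random.Random(2025)
POPULATION = [
    {"id": i, "country": _pop_rng.choice(["IN", "DE", "US"]),
     "high_value": _pop_rng.random() < 0.3}
    for i in range(1000)
]


def is_high_value(record) -> bool:
    return record["high_value"]


def make_rng(seed):
    return random.Random(seed)


def exact_count(records, predicate) -> int:
    return sum(1 for r in records if predicate(r))


class PrivacyBudget:
    """Sequential composition: the epsilons of every query answered from one
    dataset add up, and the total must stay under the agreed budget."""

    def __init__(self, total_epsilon: float):
        self.total = total_epsilon
        self.spent = 0.0

    def spend(self, epsilon: float) -> None:
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if self.spent + epsilon > self.total + 1e-12:
            raise RuntimeError("privacy budget exhausted")
        self.spent += epsilon


def laplace_scale(sensitivity: float, epsilon: float) -> float:
    """Laplace mechanism: noise scale b = sensitivity / epsilon."""
    return sensitivity / epsilon


def laplace_noise(scale: float, rng: random.Random) -> float:
    """Sample Laplace(0, scale) by inverse CDF from a uniform on (-0.5, 0.5)."""
    while True:
        u = rng.random() - 0.5
        if abs(u) < 0.5:  # rng.random() can return exactly 0.0; skip that point
            break
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def dp_count(records, predicate, epsilon, budget: PrivacyBudget, rng) -> float:
    """Counting query. Adding or removing one individual changes the count by at
    most 1, so the L1 sensitivity is 1 and the noise scale is 1/epsilon."""
    budget.spend(epsilon)
    return exact_count(records, predicate) + laplace_noise(laplace_scale(1.0, epsilon), rng)


def queries_until_exhausted(records, predicate, epsilon, total_epsilon, rng) -> int:
    """How many queries at `epsilon` a budget of `total_epsilon` permits."""
    budget = PrivacyBudget(total_epsilon)
    answered = 0
    while True:
        try:
            dp_count(records, predicate, epsilon, budget, rng)
            answered += 1
        except RuntimeError:
            return answered


def averaging_attack(records, predicate, epsilon, n_queries, rng) -> float:
    """Why the budget exists: an analyst allowed to repeat the same query can
    average the noise away. Each call gets a fresh throwaway budget so the
    accounting never stops it; the mean converges to the exact count."""
    total = 0.0
    for _ in range(n_queries):
        total += dp_count(records, predicate, epsilon, PrivacyBudget(epsilon), rng)
    return total / n_queries


if __name__ == "__main__":
    rng = make_rng(7)
    truth = exact_count(POPULATION, is_high_value)
    print("exact count:", truth)
    print("DP count (epsilon=0.5):",
          round(dp_count(POPULATION, is_high_value, 0.5, PrivacyBudget(1.0), rng), 2))
    print("queries allowed at epsilon=0.5 from a budget of 2.0:",
          queries_until_exhausted(POPULATION, is_high_value, 0.5, 2.0, rng))
    print("mean of 4000 unaccounted answers:",
          round(averaging_attack(POPULATION, is_high_value, 0.5, 4000, rng), 2))
```

<p>The budget object is the operational piece a transfer arrangement would actually specify: the release of statistics is only differentially private if every query against the dataset draws from the same budget, and the averaging attack shows that per-query noise alone, without that accounting, protects nothing.</p>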
<h2><b>Strategic Implications for Global Business</b></h2>
<p><span style="font-weight: 400;">The fragmentation of cross-border data transfer regimes creates strategic challenges for multinational enterprises. Organizations must design data architectures that accommodate varying requirements across jurisdictions, which may necessitate regional data centers, hybrid cloud configurations separating data by geography, or sophisticated access controls limiting which personnel can view data from specific jurisdictions. The costs associated with duplicating infrastructure, implementing multiple compliance programs, and managing legal risks across diverse regulatory systems can be substantial, particularly for small and medium-sized enterprises lacking dedicated compliance resources.</span></p>
<p><span style="font-weight: 400;">The trend toward data localization requirements and national security-based restrictions on data flows represents a departure from the historically open internet architecture that enabled global digital commerce. Proponents of localization argue that keeping data within national borders enhances security by reducing exposure to foreign surveillance and cyberattacks, enables more effective enforcement of data protection laws, and supports domestic technology industries by requiring local infrastructure investment. Critics contend that localization increases costs without meaningfully improving security, creates inefficiencies by preventing optimization of global data processing, and fragments the internet into isolated spheres that undermine the network effects driving digital innovation.</span></p>
<p><span style="font-weight: 400;">For organizations developing compliance strategies, several principles emerge from the evolving regulatory landscape. First, compliance programs must be dynamic rather than static, with mechanisms for monitoring regulatory developments and adjusting practices accordingly. The invalidation of adequacy decisions through litigation and the discretionary blacklisting powers granted to governments mean that previously compliant data flows may become restricted with limited notice. Second, a risk-based approach that prioritizes resources based on data sensitivity, transfer volumes, and regulatory scrutiny enables more effective compliance within resource constraints. Third, engaging with policymakers through industry associations and public comment processes provides opportunities to shape emerging regulations and advocate for workable standards that balance privacy, security, and commercial interests.</span></p>
<p><span style="font-weight: 400;">The geopolitical dimensions of cross-border data regulation merit particular attention. Restrictions on data flows to countries of concern reflect broader tensions between Western democracies and authoritarian regimes regarding technology governance, human rights, and national security. The designation of China, Russia, and other nations as jurisdictions requiring heightened scrutiny for data transfers has significant implications for companies with global operations. Organizations must navigate these geopolitical realities while maintaining business relationships and complying with potentially conflicting legal requirements across jurisdictions.</span></p>
<h2><b>Conclusion</b></h2>
<p><span style="font-weight: 400;">Cross-border data transfers exist at the intersection of technology, law, commerce, and geopolitics. The regulatory frameworks governing these transfers reflect fundamental tensions between the borderless nature of digital information and the territorial boundaries of national sovereignty. As the volume and importance of international data flows continue to grow, the challenge of creating interoperable regulatory standards that protect individual rights, enable legitimate business activities, and address national security concerns becomes increasingly urgent.</span></p>
<p><span style="font-weight: 400;">Organizations conducting cross-border data transfers must approach compliance as a strategic imperative rather than a purely legal exercise. Success requires not only understanding the technical requirements of various regulatory frameworks but also anticipating how geopolitical developments and technological changes will reshape the landscape. The investment in robust data governance programs, including mapping, impact assessments, contractual safeguards, technical measures, and ongoing monitoring, positions organizations to adapt to evolving requirements while minimizing operational disruptions. As nations continue developing their approaches to cross-border data regulation, the organizations that can navigate this complexity will gain significant competitive advantages in the global digital economy.</span></p>
<h2><b>References</b></h2>
<p><span style="font-weight: 400;">[1] European Parliament and Council of the European Union. Regulation (EU) 2016/679 (General Data Protection Regulation), Articles 44-50. </span><a href="https://gdpr-info.eu/art-45-gdpr/"><span style="font-weight: 400;">https://gdpr-info.eu/art-45-gdpr/</span></a><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">[2] European Data Protection Board. Guidelines on the Transfer of Personal Data under Article 45 GDPR. </span><a href="https://gdprhub.eu/Article_45_GDPR"><span style="font-weight: 400;">https://gdprhub.eu/Article_45_GDPR</span></a><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">[3] Court of Justice of the European Union. Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (Schrems II), July 16, 2020. </span><a href="https://www.europarl.europa.eu/RegData/etudes/ATAG/2020/652073/EPRS_ATA(2020)652073_EN.pdf"><span style="font-weight: 400;">https://www.europarl.europa.eu/RegData/etudes/ATAG/2020/652073/EPRS_ATA(2020)652073_EN.pdf</span></a><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">[4] European Commission. Commission Implementing Decision (EU) 2023/1795 on the adequate protection of personal data under the EU-US Data Privacy Framework, July 10, 2023. </span><a href="https://laweconcenter.org/resources/schrems-iii-gauging-the-validity-of-the-gdpr-adequacy-decision-for-the-united-states/"><span style="font-weight: 400;">https://laweconcenter.org/resources/schrems-iii-gauging-the-validity-of-the-gdpr-adequacy-decision-for-the-united-states/</span></a><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">[5] General Court of the European Union. Case T-553/23, Latombe v Commission, September 3, 2025. </span><a href="https://eucrim.eu/news/general-court-confirms-adequacy-of-us-data-protection/"><span style="font-weight: 400;">https://eucrim.eu/news/general-court-confirms-adequacy-of-us-data-protection/</span></a><span style="font-weight: 400;"> </span></p>
<p><a href="https://www.federalregister.gov/documents/2024/03/01/2024-04573/preventing-access-to-americans-bulk-sensitive-personal-data-and-united-states-government-related"><span style="font-weight: 400;">[6] The White House. Executive Order 14117: Preventing Access to Americans&#8217; Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern, February 28, 2024. </span></a></p>
<p><span style="font-weight: 400;">[7] U.S. Department of Justice. Final Rule Implementing Executive Order 14117, December 27, 2024, effective April 8, 2025. </span><a href="https://www.hoganlovells.com/en/publications/new-doj-rule-limits-crossborder-data-transfers-to-protect-national-security"><span style="font-weight: 400;">https://www.hoganlovells.com/en/publications/new-doj-rule-limits-crossborder-data-transfers-to-protect-national-security</span></a><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">[8] Government of India. Digital Personal Data Protection Act, 2023, enacted August 11, 2023. </span><a href="https://www.lw.com/admin/upload/SiteAttachments/Indias-Digital-Personal-Data-Protection-Act-2023-vs-the-GDPR-A-Comparison.pdf"><span style="font-weight: 400;">https://www.lw.com/admin/upload/SiteAttachments/Indias-Digital-Personal-Data-Protection-Act-2023-vs-the-GDPR-A-Comparison.pdf</span></a><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">[9] Government of India, Ministry of Electronics and Information Technology. Digital Personal Data Protection Rules 2025, notified November 13, 2025. </span><a href="https://www.hoganlovells.com/en/publications/indias-digital-personal-data-protection-act-2023-brought-into-force-"><span style="font-weight: 400;">https://www.hoganlovells.com/en/publications/indias-digital-personal-data-protection-act-2023-brought-into-force-</span></a><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">[10] Cyberspace Administration of China. Regulations on Promoting and Regulating Cross-Border Data Flows, March 22, 2024. </span><a href="https://www.whitecase.com/insight-alert/china-released-new-regulations-ease-requirements-outbound-cross-border-data-transfers"><span style="font-weight: 400;">https://www.whitecase.com/insight-alert/china-released-new-regulations-ease-requirements-outbound-cross-border-data-transfers</span></a><span style="font-weight: 400;"> </span></p>
<p>The post <a href="https://bhattandjoshiassociates.com/cross-border-data-transfers-sovereignty-meets-the-borderless-internet/">Cross-Border Data Transfers: Sovereignty Meets the Borderless Internet</a> appeared first on <a href="https://bhattandjoshiassociates.com">Bhatt &amp; Joshi Associates</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Digital Consent in India: Legal Evolution from Traditional Contracts to Data Protection</title>
		<link>https://bhattandjoshiassociates.com/digital-consent-in-india-legal-evolution-from-traditional-contracts-to-data-protection/</link>
		
		<dc:creator><![CDATA[Chandni Joshi]]></dc:creator>
		<pubDate>Wed, 24 Dec 2025 09:42:03 +0000</pubDate>
				<category><![CDATA[Privacy and Data Protection]]></category>
		<category><![CDATA[Data Protection India]]></category>
		<category><![CDATA[digital consent in india]]></category>
		<category><![CDATA[digital contracts india]]></category>
		<category><![CDATA[digital signatures india]]></category>
		<category><![CDATA[DPDP Act 2023]]></category>
		<category><![CDATA[electronic consent]]></category>
		<category><![CDATA[informed consent online]]></category>
		<category><![CDATA[IT Act 2000]]></category>
		<category><![CDATA[online consent]]></category>
		<guid isPermaLink="false">https://bhattandjoshiassociates.com/?p=30708</guid>

					<description><![CDATA[<p>Introduction The evolution of consent from a traditional contractual principle to its contemporary digital manifestation represents one of the most significant transformations in contract law. In the digital age, digital consent in India has moved beyond the classical formalities of physical signatures and face-to-face negotiations to encompass electronic interactions, digital signatures, and online acceptances. This [&#8230;]</p>
<p>The post <a href="https://bhattandjoshiassociates.com/digital-consent-in-india-legal-evolution-from-traditional-contracts-to-data-protection/">Digital Consent in India: Legal Evolution from Traditional Contracts to Data Protection</a> appeared first on <a href="https://bhattandjoshiassociates.com">Bhatt &amp; Joshi Associates</a>.</p>
]]></description>
										<content:encoded><![CDATA[<h2><img decoding="async" class="alignnone  wp-image-30709" src="https://bj-m.s3.ap-south-1.amazonaws.com/uploads/2025/12/Digital-Consent-in-India-Legal-Evolution-from-Traditional-Contracts-to-Data-Protection-300x157.png" alt="Digital Consent in India Legal Evolution from Traditional Contracts to Data Protection" width="1057" height="553" srcset="https://bhattandjoshiassociates.com/wp-content/uploads/2025/12/Digital-Consent-in-India-Legal-Evolution-from-Traditional-Contracts-to-Data-Protection-300x157.png 300w, https://bhattandjoshiassociates.com/wp-content/uploads/2025/12/Digital-Consent-in-India-Legal-Evolution-from-Traditional-Contracts-to-Data-Protection-1024x536.png 1024w, https://bhattandjoshiassociates.com/wp-content/uploads/2025/12/Digital-Consent-in-India-Legal-Evolution-from-Traditional-Contracts-to-Data-Protection-768x402.png 768w, https://bhattandjoshiassociates.com/wp-content/uploads/2025/12/Digital-Consent-in-India-Legal-Evolution-from-Traditional-Contracts-to-Data-Protection.png 1200w" sizes="(max-width: 1057px) 100vw, 1057px" /></h2>
<h2><b>Introduction</b></h2>
<p>The evolution of consent from a traditional contractual principle to its contemporary digital manifestation represents one of the most significant transformations in contract law. In the digital age, digital consent in India has moved beyond the classical formalities of physical signatures and face-to-face negotiations to encompass electronic interactions, digital signatures, and online acceptances. This transformation reflects not merely a change in medium but a fundamental reimagining of how mutual agreement is established, authenticated, and enforced in commercial transactions. The Indian legal framework has responded to this metamorphosis through a combination of traditional contract principles enshrined in the Indian Contract Act, 1872, and modern legislation including the Information Technology Act, 2000, and the Digital Personal Data Protection Act, 2023. Understanding this evolution requires examining both the continuity of foundational principles and the adaptations necessary for the digital realm.</p>
<h2><b>The Traditional Foundation of Consent in India</b></h2>
<p><span style="font-weight: 400;">The Indian Contract Act, 1872 establishes consent as a cornerstone of valid contractual relationships. Section 13 of the Act defines consent as occurring when two or more persons agree upon the same thing in the same sense, a principle known as consensus ad idem [1]. This requirement ensures that parties share a genuine meeting of minds regarding the essential terms of their agreement. The Act goes further in Section 14 to distinguish between mere consent and free consent, stipulating that consent is said to be free when it is not caused by coercion, undue influence, fraud, misrepresentation, or mistake. These provisions establish that valid consent must be voluntary, informed, and uninfluenced by improper pressures or deceptions.</span></p>
<p><span style="font-weight: 400;">The traditional understanding of consent emphasized physical manifestations of agreement such as signed documents, witnessed exchanges, and formal ceremonies. These tangible markers provided clear evidence of contractual intention and helped prevent disputes about whether agreement had been reached. The physical nature of traditional consent mechanisms also imposed practical limitations on the speed and geographical scope of commercial transactions, as parties typically needed to be in the same location or exchange physical documents through relatively slow communication channels.</span></p>
<h2><b>Digital Transformation of Consent Mechanisms in India</b></h2>
<p><span style="font-weight: 400;">The advent of electronic commerce necessitated a fundamental reconsideration of how consent could be manifested and authenticated in digital environments. This transformation raised critical questions about whether agreements formed through electronic means could satisfy the requirements of traditional contract law, particularly regarding the authenticity of parties&#8217; identities and the integrity of their expressed intentions. The legal framework needed to address whether an email exchange, a website click, or a digital signature could constitute valid consent equivalent to traditional written agreements.</span></p>
<p><span style="font-weight: 400;">The Information Technology Act, 2000 provided the legislative foundation for recognizing electronic forms of consent in India [2]. This Act was enacted to give legal recognition to transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as electronic commerce. The Act established that contracts could be formed through electronic means and that electronic records and digital signatures would have legal validity equivalent to paper documents and handwritten signatures.</span></p>
<p><span style="font-weight: 400;">Section 10A of the Information Technology Act, 2000 explicitly recognizes the validity of contracts entered into through electronic means [3]. This provision states that where in a contract formation, the communication of proposals, the acceptance of proposals, the revocation of proposals and acceptances are expressed in electronic form or by means of an electronic record, such contract shall not be deemed to be unenforceable solely on the ground that such electronic form or means was used for that purpose. This provision removes any doubt about the legal enforceability of electronic contracts, provided they satisfy the essential requirements of the Indian Contract Act, 1872.</span></p>
<h2><b>Electronic Signatures and Authentication</b></h2>
<p><span style="font-weight: 400;">A central challenge in the digital transformation of consent in India has been establishing reliable methods for authenticating the identity of parties and ensuring the integrity of their expressed intentions. The Information Technology Act, 2000 addresses this challenge through its provisions on electronic signatures and digital signatures. Section 2(1)(ta) of the Act defines electronic signature as authentication of any electronic record by a subscriber by means of the electronic technique specified in the Second Schedule and includes digital signature [4]. The digital signature, the original and still most widely used technique, is governed by Section 3: the subscriber applies the private key of an asymmetric key pair to a hash of the electronic record, and anyone holding the corresponding public key can verify both that the record was signed with that key (authenticity) and that not a single byte of it has changed since signing (integrity). Altering the record, or signing it with a different key, causes verification to fail.</span></p>
<p><span style="font-weight: 400;">The legal framework reinforces this with an evidentiary presumption. Section 85B of the Indian Evidence Act, 1872, inserted by the Information Technology Act, provides that in proceedings involving a secure electronic signature the court shall presume, unless the contrary is proved, that the signature was affixed by the subscriber with the intention of signing or approving the electronic record, and likewise that a secure electronic record has not been altered since the point in time to which the secure status relates. Two caveats matter in practice. First, the presumption attaches to secure electronic signatures, those meeting the security procedure contemplated by Section 15 of the Information Technology Act, which in practice means a digital signature supported by a certificate from a licensed Certifying Authority; a bare click, a typed name or a scanned image of a signature does not enjoy it. Second, the presumption is rebuttable, so the party relying on the signature should retain the signed record, the certificate and the verification trail in case authenticity is challenged. The Indian Evidence Act has since been replaced by the Bharatiya Sakshya Adhiniyam, 2023, in force from 1 July 2024, which carries these presumptions forward. Where the presumption applies, the party seeking to enforce an electronically signed contract need not prove the signature's authenticity unless it is specifically disputed.</span></p>
<p><span style="font-weight: 400;">The practical effect of these provisions is to place electronic signatures on equal legal footing with handwritten signatures for most commercial purposes. Organizations conducting business electronically can rely on digital signatures to authenticate contracts, purchase orders, and other commercial documents without requiring physical signatures. This has facilitated the growth of electronic commerce by removing legal uncertainty about the enforceability of digitally signed agreements.</span></p>
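<p><span style="font-weight: 400;">As an added illustration of the mechanism the Act describes (example code written for this page, not drawn from the Act, the Rules or any Certifying Authority's software), the following Go program signs an electronic record with an Ed25519 key pair over a hash of the record and its signing time, then verifies it against a public key the verifier already trusts. The record text, the timestamp and the SignedRecord structure are constructed for the example; in a real deployment the trusted public key would come from a Digital Signature Certificate, not from the record being checked.</span></p>

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// SignedRecord is a hypothetical container (constructed for this example) for an
// electronic record together with what a verifier needs: the subscriber's public
// key, the time of signing and the signature over a canonical encoding of both.
type SignedRecord struct {
	Record    []byte
	SignedAt  int64 // Unix seconds; part of the signed payload
	PublicKey ed25519.PublicKey
	Signature []byte
}

// digest builds the canonical payload that is actually signed: SHA-256 over the
// signing time and the record bytes. Hashing first mirrors the Act's wording of
// an asymmetric crypto system combined with a hash function.
func digest(record []byte, signedAt int64) []byte {
	h := sha256.New()
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(signedAt))
	h.Write(ts[:])
	h.Write(record)
	return h.Sum(nil)
}

// Sign produces a SignedRecord using the subscriber's Ed25519 private key.
func Sign(priv ed25519.PrivateKey, record []byte, signedAt time.Time) SignedRecord {
	ts := signedAt.Unix()
	return SignedRecord{
		Record:    append([]byte(nil), record...),
		SignedAt:  ts,
		PublicKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, digest(record, ts)),
	}
}

// Verify checks authenticity (the signature was produced by the holder of the
// private key matching trustedPub) and integrity (neither the record nor the
// timestamp changed since signing). The caller supplies the key it trusts,
// e.g. one taken from a certificate, instead of trusting the key in the record.
func Verify(trustedPub ed25519.PublicKey, sr SignedRecord) error {
	if len(trustedPub) != ed25519.PublicKeySize {
		return errors.New("trusted public key has wrong size")
	}
	if !trustedPub.Equal(sr.PublicKey) {
		return errors.New("record was signed with a key other than the trusted one")
	}
	if !ed25519.Verify(trustedPub, digest(sr.Record, sr.SignedAt), sr.Signature) {
		return errors.New("signature does not match record: tampered or forged")
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample record, echoing the acceptance e-mail in the Trimex facts.
	rec := []byte("we confirm the deal for five shipments")
	sr := Sign(priv, rec, time.Now())
	fmt.Println("original verifies:", Verify(pub, sr)) // <nil>

	tampered := sr
	tampered.Record = []byte("we confirm the deal for six shipments")
	fmt.Println("tampered verifies:", Verify(pub, tampered)) // error
}
```

<p><span style="font-weight: 400;">The point the example makes is that the signature binds the exact bytes and the signing time together: changing one word of the acceptance, moving the timestamp, or presenting a record signed under a different key all fail verification, which is the property the Section 85B presumption rests on.</span></p>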
<h2><b>Judicial Recognition of Electronic Consent</b></h2>
<p><span style="font-weight: 400;">The evolution of consent in the digital age has been significantly shaped by judicial interpretation of how traditional contract principles apply to electronic communications. The landmark case of Trimex International FZE Ltd. v. Vedanta Aluminium Ltd. (2010) represents a watershed moment in the judicial recognition of electronic consent [5]. In this case, the Supreme Court of India addressed whether a contract had been validly formed through an exchange of emails between parties negotiating the supply of bauxite.</span></p>
<p><span style="font-weight: 400;">The facts of the case involved Trimex offering to supply bauxite to Vedanta through email communications, which Vedanta accepted after several email exchanges confirming the supply of five shipments. Although a formal written contract had been drafted, it had not been executed before disputes arose. Vedanta subsequently denied the existence of a binding contract, arguing that no formal agreement had been signed. The Supreme Court rejected this argument and held that a valid contract had been concluded through the email exchanges.</span></p>
<p><span style="font-weight: 400;">The Court&#8217;s reasoning emphasized that once essential terms including price, quantity, product specifications, delivery and payment terms, discharge port, shipment lots, demurrage rate, and quality benchmarks had been agreed upon through email communications, a binding contract came into existence. The Court found that the minute-by-minute email correspondences between the parties clearly demonstrated that both parties were aware of the various terms and were in agreement regarding those terms. The communication of acceptance was complete when Vedanta&#8217;s email stating &#8220;we confirm the deal for five shipments&#8221; came to the knowledge of Trimex, satisfying the requirement of absolute and unconditional acceptance under Section 7 of the Indian Contract Act, 1872.</span></p>
<p><span style="font-weight: 400;">This decision established several important principles regarding electronic consent. First, it confirmed that emails constitute valid means of communicating offers and acceptances under contract law. Second, it held that the absence of a formally signed document does not invalidate a contract when the essential terms have been agreed upon through electronic communications. Third, it recognized that the exchange of emails can provide sufficient evidence of consensus ad idem, or meeting of minds, between parties. These principles have provided a solid foundation for the enforceability of contracts formed through electronic communications in India.</span></p>
<h2><b>Free Speech and Digital Expression</b></h2>
<p><span style="font-weight: 400;">The evolution of digital consent in India has intersected with fundamental rights in unexpected ways, as illustrated by the landmark case of Shreya Singhal v. Union of India (2015) [6]. While this case primarily concerned freedom of speech rather than commercial contracts, it has important implications for understanding consent in digital environments. The case challenged Section 66A of the Information Technology Act, 2000, which criminalized sending offensive messages through electronic communication services.</span></p>
<p><span style="font-weight: 400;">The Supreme Court struck down Section 66A as unconstitutional, finding it violated the right to freedom of speech and expression guaranteed under Article 19(1)(a) of the Constitution of India. The Court held that the provision was vague and overbroad, using undefined terms such as offensive, menacing, annoyance, and inconvenience that could encompass a vast amount of protected speech. Justice Nariman, writing for the Court, emphasized that restrictions on speech must be narrowly tailored and clearly defined, not capable of arbitrary application by law enforcement authorities.</span></p>
<p><span style="font-weight: 400;">This decision has implications for digital consent because it recognizes that individuals&#8217; expressions and communications in digital environments deserve the same constitutional protections as traditional forms of communication. When individuals provide consent through digital means, whether for contracts or data processing, their ability to express themselves freely and without fear of arbitrary prosecution is protected. The decision also establishes that laws regulating digital conduct must be clearly defined and not susceptible to vague or arbitrary application, a principle that extends to regulations governing how consent is obtained and expressed in digital contexts.</span></p>
<h2><b>Data Protection and Informed Consent</b></h2>
<p><span style="font-weight: 400;">The most recent and comprehensive evolution of digital consent in India appears in the Digital Personal Data Protection Act, 2023, which came into force through phased implementation beginning in November 2025 [7]. This Act fundamentally reconceptualizes consent as it applies to the processing of personal data in digital form. Unlike earlier legislation that focused primarily on commercial transactions, the Digital Personal Data Protection Act centers on the relationship between individuals as data principals and organizations as data fiduciaries who process personal data.</span></p>
<p><span style="font-weight: 400;">Section 6 of the Act requires that consent for processing personal data must be free, specific, informed, unconditional, and unambiguous with a clear affirmative action [8]. This standard represents a significant evolution from traditional contract law concepts of consent. The requirement that consent be specific means that blanket permissions for undefined purposes are insufficient; data fiduciaries must obtain consent for each distinct purpose for which they intend to process personal data. The informed requirement mandates that individuals receive clear notice of what personal data is being collected, for what purposes, and what consequences may follow from providing consent.</span></p>
<p><span style="font-weight: 400;">The unconditional nature of required consent under the Act means that data fiduciaries cannot condition the provision of services on consent to data processing that is unnecessary for providing those services. For example, an e-commerce platform cannot require customers to consent to sharing their purchase history with third parties for marketing purposes as a condition of making a purchase if such sharing is not necessary to complete the transaction. This prevents the coercive bundling of necessary and unnecessary data processing under a single consent framework.</span></p>
<p><span style="font-weight: 400;">The requirement for clear affirmative action ensures that consent cannot be inferred from silence or inaction. Pre-checked boxes, default opt-ins, and similar mechanisms do not constitute valid consent under the Act. Instead, individuals must take a positive action such as clicking a button or selecting an option to indicate their agreement to data processing. This requirement recognizes that in digital environments, interface design choices can strongly influence behavior, and genuine consent requires active choice rather than passive acceptance of default settings.</span></p>
<h2><b>Regulatory Framework and Compliance Requirements</b></h2>
<p><span style="font-weight: 400;">The Digital Personal Data Protection Rules, 2025, published in November 2025, provide detailed operational requirements for obtaining and managing consent under the Digital Personal Data Protection Act [9]. These rules establish a phased implementation timeline extending through May 2027, giving organizations time to adapt their consent mechanisms and data processing practices to the new requirements. The rules specify that privacy notices must be provided in clear and plain language, available in English or any of the twenty-two languages listed in the Eighth Schedule of the Constitution of India.</span></p>
<p><span style="font-weight: 400;">Data fiduciaries must provide itemized descriptions of the personal data they collect and specific explanations of the purposes for which each category of data will be processed. The rules require that privacy notices include readily accessible means for individuals to withdraw consent, exercise their rights under the Act, and file complaints with the Data Protection Board of India. This emphasis on accessibility and clarity reflects a recognition that consent is meaningful only when individuals genuinely understand what they are agreeing to and can exercise control over their personal data.</span></p>
<p><span style="font-weight: 400;">Section 9 of the Act, as operationalized by the rules, establishes special protections for children and persons with disabilities, requiring the verifiable consent of a parent or lawful guardian before their personal data is processed. Data fiduciaries must implement mechanisms to verify age and parental identity, and may not engage in behavioral monitoring, tracking, or targeted advertising directed at children. These provisions recognize that certain populations require enhanced protections because they may be less able to provide informed consent or more vulnerable to manipulation through data processing practices.</span></p>
<h2><b>Intersection of Contract and Data Protection Law</b></h2>
<p><span style="font-weight: 400;">The contemporary legal framework governing digital consent in India now operates at the intersection of three major legislative schemes: the Indian Contract Act, 1872, the Information Technology Act, 2000, and the Digital Personal Data Protection Act, 2023. These frameworks are complementary but address different aspects of consent in digital environments. The Indian Contract Act provides the foundational principles of offer, acceptance, and free consent that apply to commercial transactions regardless of the medium through which they occur. The Information Technology Act establishes the legal validity of electronic forms and signatures for conducting those transactions. The Digital Personal Data Protection Act imposes specific requirements on how consent must be obtained for processing personal data, which often occurs as part of digital transactions.</span></p>
<p><span style="font-weight: 400;">This intersection creates both opportunities and challenges for organizations operating in digital environments. On one hand, the legal framework provides clear recognition that digital forms of consent are valid and enforceable, facilitating electronic commerce and data-driven services. On the other hand, organizations must navigate multiple layers of requirements to ensure their consent mechanisms satisfy the standards of all applicable legal frameworks. A digital service provider, for example, must ensure that its terms of service constitute a valid contract under traditional principles, that electronic signatures are obtained in compliance with the Information Technology Act, and that consent for data processing meets the heightened standards of the Digital Personal Data Protection Act.</span></p>
<h2><strong>Practical Implications of Digital Consent in Indian Commerce</strong></h2>
<p><span style="font-weight: 400;">The evolution of consent from traditional contractual principles to digital performance mechanisms in India has significant practical implications for how organizations design their digital interfaces and business processes. Organizations must implement consent mechanisms that are not only legally compliant but also user-friendly and aligned with business objectives. This requires careful attention to interface design, information architecture, and the user experience of providing consent.</span></p>
<p><span style="font-weight: 400;">Best practices for obtaining digital consent include providing layered privacy notices that offer brief summaries with options to access detailed information, using clear and simple language rather than legal jargon, presenting consent requests at contextually appropriate moments rather than overwhelming users with information at initial registration, and providing granular choices that allow users to consent to specific data processing purposes rather than offering only all-or-nothing consent options. Organizations should also implement robust consent management systems that track when and how consent was obtained, what specific purposes were consented to, and when consent was withdrawn or expired.</span></p>
<p><span style="font-weight: 400;">The requirement for ongoing consent management represents a significant operational challenge. Unlike traditional contracts where consent is typically obtained once at the formation of the relationship, digital consent under data protection law is dynamic and revocable. Individuals have the right to withdraw consent at any time, requiring organizations to implement systems that can process withdrawal requests and cease the relevant data processing activities. Organizations must also be prepared to renew consent when purposes change or when legal requirements mandate periodic reconfirmation of consent.</span></p>
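<p><span style="font-weight: 400;">The consent management system described in the two paragraphs above can be sketched in code. The following Go ledger is an added example written for this page, not a reference implementation under the Act or the Rules; the principal identifiers, purpose names, notice identifier and timestamps are all constructed. It records every grant and withdrawal per purpose together with the action that produced it, refuses pre-ticked boxes and silence as consent, requires each grant to cite the notice the principal saw, and exposes a single MayProcess gate that answers whether processing for a given purpose was permitted at a given time, so the same data can answer both the live question and a later audit question.</span></p>

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Action is how the data principal expressed a choice. Only explicit, positive
// acts count as consent; defaults and silence are named so they can be rejected.
type Action string

const (
	ActionClick      Action = "click"       // button or checkbox the user ticked
	ActionTyped      Action = "typed"       // e.g. typed "I agree"
	ActionPrechecked Action = "pre-checked" // box ticked by default: not consent
	ActionSilence    Action = "silence"     // no interaction at all: not consent
)

func (a Action) affirmative() bool { return a == ActionClick || a == ActionTyped }

// Event is one entry in the audit trail for a (principal, purpose) pair.
type Event struct {
	At       time.Time
	Granted  bool   // true = consent given, false = consent withdrawn
	Action   Action // how the principal acted
	NoticeID string // which notice text the principal saw (empty on withdrawal)
}

// Ledger keeps the full history per principal and purpose so that "when and
// how consent was obtained" can be shown later, not only the current state.
type Ledger struct {
	events map[string]map[string][]Event
}

func NewLedger() *Ledger { return &Ledger{events: map[string]map[string][]Event{}} }

func (l *Ledger) record(principal, purpose string, e Event) {
	if l.events[principal] == nil {
		l.events[principal] = map[string][]Event{}
	}
	l.events[principal][purpose] = append(l.events[principal][purpose], e)
}

// Grant records consent for one specific purpose. It refuses anything that is
// not a clear affirmative action and refuses a grant that cites no notice,
// since consent given without notice is not informed.
func (l *Ledger) Grant(principal, purpose, noticeID string, action Action, at time.Time) error {
	if purpose == "" {
		return errors.New("purpose must be specific; blanket consent is not recorded")
	}
	if noticeID == "" {
		return errors.New("consent must reference the notice the principal saw")
	}
	if !action.affirmative() {
		return fmt.Errorf("%q is not a clear affirmative action", action)
	}
	l.record(principal, purpose, Event{At: at, Granted: true, Action: action, NoticeID: noticeID})
	return nil
}

// Withdraw records revocation. History is kept; only the current state flips.
func (l *Ledger) Withdraw(principal, purpose string, at time.Time) {
	l.record(principal, purpose, Event{At: at, Granted: false, Action: ActionClick})
}

// MayProcess is the gate every processing path should call. It is true only if
// the latest event for this exact purpose, as of time t, is a grant; asking
// about a past t answers whether processing was lawful at that moment.
func (l *Ledger) MayProcess(principal, purpose string, t time.Time) bool {
	var latest *Event
	for i := range l.events[principal][purpose] {
		e := &l.events[principal][purpose][i]
		if !e.At.After(t) && (latest == nil || !e.At.Before(latest.At)) {
			latest = e
		}
	}
	return latest != nil && latest.Granted
}

// History returns the audit trail for a principal and purpose.
func (l *Ledger) History(principal, purpose string) []Event {
	return l.events[principal][purpose]
}

func main() {
	l := NewLedger()
	t0 := time.Date(2025, 11, 13, 10, 0, 0, 0, time.UTC) // constructed sample time
	fmt.Println(l.Grant("dp-1", "order-fulfilment", "notice-v3", ActionClick, t0))      // <nil>
	fmt.Println(l.Grant("dp-1", "marketing-sharing", "notice-v3", ActionPrechecked, t0)) // rejected
	fmt.Println(l.MayProcess("dp-1", "order-fulfilment", t0.Add(time.Hour)))             // true
	fmt.Println(l.MayProcess("dp-1", "marketing-sharing", t0.Add(time.Hour)))            // false
	l.Withdraw("dp-1", "order-fulfilment", t0.Add(2*time.Hour))
	fmt.Println(l.MayProcess("dp-1", "order-fulfilment", t0.Add(3*time.Hour))) // false
	fmt.Println(len(l.History("dp-1", "order-fulfilment")))                    // 2
}
```

<p><span style="font-weight: 400;">Two design choices carry the legal requirements into the code: consent is keyed by purpose rather than by principal alone, so one grant can never be stretched to cover a second purpose, and withdrawal appends to the trail instead of deleting the grant, so the organization can later show both that consent existed when processing occurred and that processing stopped once it was withdrawn.</span></p>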
<h2><b>Conclusion</b></h2>
<p><span style="font-weight: 400;">The transformation of consent from a traditional contractual principle to a digital performance mechanism represents a fundamental evolution in how commercial relationships are formed and maintained. This evolution preserves core principles of voluntary agreement and meeting of minds while adapting them to the realities of electronic commerce and data-driven services. The Indian legal framework has responded to this transformation through a combination of legislative innovation and judicial interpretation, establishing that electronic forms of consent are legally valid while imposing enhanced requirements to ensure such consent is genuinely informed and freely given.</span></p>
<p><span style="font-weight: 400;">The contemporary landscape of digital consent in India is characterized by the intersection of multiple legal frameworks that complement and reinforce each other. The Indian Contract Act, 1872 provides enduring principles of offer, acceptance, and free consent that continue to govern commercial relationships regardless of medium. The Information Technology Act, 2000 removes legal barriers to electronic transactions by recognizing the validity of electronic records and signatures. The Digital Personal Data Protection Act, 2023 imposes heightened standards for consent in the context of personal data processing, reflecting increased societal awareness of privacy concerns in the digital age.</span></p>
<p><span style="font-weight: 400;">Looking forward, the evolution of consent is likely to continue as new technologies and business models emerge. Artificial intelligence, machine learning, and automated decision-making systems raise novel questions about how consent can be obtained and maintained when data processing purposes may change or evolve over time. The rise of decentralized technologies and blockchain-based systems may create new mechanisms for expressing and managing consent. The legal framework will need to continue adapting to ensure that the fundamental principle of voluntary, informed agreement remains meaningful in increasingly complex digital environments.</span></p>
<p><span style="font-weight: 400;">Organizations operating in digital environments must recognize that obtaining valid consent is not merely a legal compliance exercise but a fundamental aspect of building trust with customers and users. Consent mechanisms that are transparent, user-friendly, and respectful of individual autonomy not only satisfy legal requirements but also contribute to positive user experiences and long-term business relationships. As digital commerce continues to grow and evolve, the ability to obtain and manage consent effectively will remain a critical organizational capability that bridges legal compliance, user experience, and ethical data practices.</span></p>
<h2><b>References</b></h2>
<p><span style="font-weight: 400;">[1] Indian Contract Act, 1872, Section 13 &amp; 14. Available at: </span><a href="https://www.indiacode.nic.in/bitstream/123456789/2187/2/A187209.pdf"><span style="font-weight: 400;">https://www.indiacode.nic.in/bitstream/123456789/2187/2/A187209.pdf</span></a><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">[2] Information Technology Act, 2000. Available at: </span><a href="https://www.indiacode.nic.in/handle/123456789/1999"><span style="font-weight: 400;">https://www.indiacode.nic.in/handle/123456789/1999</span></a><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">[3] Information Technology Act, 2000, Section 10A. Available at: </span><a href="https://www.meity.gov.in/content/information-technology-act-2000"><span style="font-weight: 400;">https://www.meity.gov.in/content/information-technology-act-2000</span></a><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">[4] Information Technology Act, 2000, Section 2(1)(ta). Available at: </span><a href="https://www.indiacode.nic.in/bitstream/123456789/13116/1/it_act_2000_updated.pdf"><span style="font-weight: 400;">https://www.indiacode.nic.in/bitstream/123456789/13116/1/it_act_2000_updated.pdf</span></a><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">[5] Trimex International FZE Ltd. v. Vedanta Aluminium Ltd., (2010) 3 SCC 1. Available at: </span><a href="https://indiankanoon.org/doc/658803/"><span style="font-weight: 400;">https://indiankanoon.org/doc/658803/</span></a><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">[6] Shreya Singhal v. Union of India, (2015) 5 SCC 1. Available at: </span><a href="https://indiankanoon.org/doc/110813550/"><span style="font-weight: 400;">https://indiankanoon.org/doc/110813550/</span></a><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">[7] Digital Personal Data Protection Act, 2023. Available at: </span><a href="https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf"><span style="font-weight: 400;">https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf</span></a><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">[8] Digital Personal Data Protection Act, 2023, Section 6. Available at: </span><a href="https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023"><span style="font-weight: 400;">https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023</span></a><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">[9] Digital Personal Data Protection Rules, 2025. Available at: </span><a href="https://www.pib.gov.in/PressReleasePage.aspx?PRID=2190655"><span style="font-weight: 400;">https://www.pib.gov.in/PressReleasePage.aspx?PRID=2190655</span></a><span style="font-weight: 400;"> </span></p>
<p>The post <a href="https://bhattandjoshiassociates.com/digital-consent-in-india-legal-evolution-from-traditional-contracts-to-data-protection/">Digital Consent in India: Legal Evolution from Traditional Contracts to Data Protection</a> appeared first on <a href="https://bhattandjoshiassociates.com">Bhatt &amp; Joshi Associates</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>The Data Protection Board: India&#8217;s Nascent Privacy Regulator as Quasi-Judicial Sovereign</title>
		<link>https://bhattandjoshiassociates.com/the-data-protection-board-indias-nascent-privacy-regulator-as-quasi-judicial-sovereign/</link>
		
		<dc:creator><![CDATA[Aaditya Bhatt]]></dc:creator>
		<pubDate>Wed, 24 Dec 2025 09:16:52 +0000</pubDate>
				<category><![CDATA[Privacy and Data Protection]]></category>
		<category><![CDATA[Data Protection Board Of India]]></category>
		<category><![CDATA[Data Protection Compliance]]></category>
		<category><![CDATA[Digital Personal Data Protection]]></category>
		<category><![CDATA[DPDP Act 2023]]></category>
		<category><![CDATA[Privacy Law India]]></category>
		<category><![CDATA[Quasi Judicial Authority]]></category>
		<category><![CDATA[Right to Privacy]]></category>
		<category><![CDATA[Significant Data Fiduciary]]></category>
		<guid isPermaLink="false">https://bhattandjoshiassociates.com/?p=30705</guid>

					<description><![CDATA[<p>Introduction India&#8217;s journey toward establishing a robust data protection framework reached a significant milestone with the enactment of the Digital Personal Data Protection Act, 2023, which received Presidential assent on 11 August 2023 [1]. At the heart of this legislative achievement lies the Data Protection Board of India, a specialized adjudicatory body established under Section [&#8230;]</p>
<p>The post <a href="https://bhattandjoshiassociates.com/the-data-protection-board-indias-nascent-privacy-regulator-as-quasi-judicial-sovereign/">The Data Protection Board: India&#8217;s Nascent Privacy Regulator as Quasi-Judicial Sovereign</a> appeared first on <a href="https://bhattandjoshiassociates.com">Bhatt &amp; Joshi Associates</a>.</p>
]]></description>
										<content:encoded><![CDATA[<h2><img decoding="async" class="alignnone  wp-image-30706" src="https://bj-m.s3.ap-south-1.amazonaws.com/uploads/2025/12/The-Data-Protection-Board-Indias-Nascent-Privacy-Regulator-as-Quasi-Judicial-Sovereign-300x157.png" alt="The Data Protection Board India's Nascent Privacy Regulator as Quasi-Judicial Sovereign" width="1009" height="528" srcset="https://bhattandjoshiassociates.com/wp-content/uploads/2025/12/The-Data-Protection-Board-Indias-Nascent-Privacy-Regulator-as-Quasi-Judicial-Sovereign-300x157.png 300w, https://bhattandjoshiassociates.com/wp-content/uploads/2025/12/The-Data-Protection-Board-Indias-Nascent-Privacy-Regulator-as-Quasi-Judicial-Sovereign-1024x536.png 1024w, https://bhattandjoshiassociates.com/wp-content/uploads/2025/12/The-Data-Protection-Board-Indias-Nascent-Privacy-Regulator-as-Quasi-Judicial-Sovereign-768x402.png 768w, https://bhattandjoshiassociates.com/wp-content/uploads/2025/12/The-Data-Protection-Board-Indias-Nascent-Privacy-Regulator-as-Quasi-Judicial-Sovereign.png 1200w" sizes="(max-width: 1009px) 100vw, 1009px" /></h2>
<h2><b>Introduction</b></h2>
<p><span style="font-weight: 400;">India&#8217;s journey toward establishing a robust data protection framework reached a significant milestone with the enactment of the Digital Personal Data Protection Act, 2023, which received Presidential assent on 11 August 2023 [1]. At the heart of this legislative achievement lies the Data Protection Board of India, a specialized adjudicatory body established under Section 18 of the Act. The Board represents India&#8217;s institutional response to the fundamental right to privacy, which was recognized by the Supreme Court in the landmark Justice K.S. Puttaswamy judgment [2]. Unlike traditional regulatory authorities that combine policy formulation with enforcement, the Data Protection Board has been conceived as a purely quasi-judicial entity focused exclusively on adjudication and enforcement of data protection obligations. The Board&#8217;s establishment, which became operational on 13 November 2025 following the notification of the Digital Personal Data Protection Rules, 2025 [3], marks the beginning of India&#8217;s new era of privacy governance.</span></p>
<h2><b>Constitutional Foundation and Legislative Evolution</b></h2>
<p><span style="font-weight: 400;">The constitutional underpinning of data protection regulation in India flows directly from the Supreme Court&#8217;s historic decision in Justice K.S. Puttaswamy (Retd.) and Anr. vs Union of India and Ors., delivered on 24 August 2017 [2]. In this unanimous verdict by a nine-judge constitutional bench, the Court held that the right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as part of the freedoms guaranteed by Part III of the Constitution of India. The judgment explicitly overruled earlier precedents in M.P. Sharma vs. Satish Chandra and Kharak Singh vs. State of Uttar Pradesh, which had declined to recognize privacy as a constitutionally protected fundamental right. Justice D.Y. Chandrachud, writing for the majority, articulated that privacy is not merely about being left alone but encompasses three essential dimensions: repose (freedom from surveillance), sanctuary (protection of personal spaces), and intimate decision (autonomy over fundamental personal choices).</span></p>
<p><span style="font-weight: 400;">Following this constitutional declaration, the Government of India embarked on drafting comprehensive data protection legislation. After multiple iterations and extensive stakeholder consultations that garnered over 6,915 inputs during the final consultation phase [3], Parliament enacted the Digital Personal Data Protection Act, 2023. The Act follows what the government terms the SARAL approach—Simple, Accessible, Rational, and Actionable—employing plain language to ensure accessibility to both individuals and businesses. Notably, the Act became the first legislation in Indian parliamentary history to use &#8220;she/her&#8221; pronouns instead of the conventional &#8220;he/him&#8221; pronouns, reflecting evolving societal sensibilities.</span></p>
<h2><b>Structure and Composition of the Data Protection Board</b></h2>
<p><span style="font-weight: 400;">Chapter V of the Digital Personal Data Protection Act, 2023, mandates the Central Government to establish the Data Protection Board of India by notification [1]. The Board&#8217;s composition reflects a multidisciplinary approach, consisting of a Chairperson and Members appointed by the Central Government. While the precise number of members remains subject to determination based on workload and specialization requirements, the legislation requires appointees to possess expertise in law, data protection, information technology, cybersecurity, or public administration. This ensures the Board brings together diverse perspectives necessary for adjudicating complex privacy disputes in the digital age.</span></p>
<p><span style="font-weight: 400;">The Digital Personal Data Protection Rules, 2025, which were notified on 14 November 2025, established a four-member Board operating as a fully digital office [3]. Members serve fixed terms prescribed by the government, with removal provisions limited to cases of misconduct, incapacity, or conflict of interest. This tenure-based appointment structure aims to insulate the Board from political pressures, though concerns about independence persist given the Central Government&#8217;s role in both appointments and removal decisions. The Board operates through digital platforms and a dedicated mobile application, enabling citizens to file complaints, track cases, and receive decisions without requiring physical presence—a feature aligned with the government&#8217;s Digital India vision.</span></p>
<h2><b>Quasi-Judicial Powers and Functions</b></h2>
<p><span style="font-weight: 400;">The Data Protection Board&#8217;s designation as a quasi-judicial body distinguishes it from traditional regulatory agencies in India [4]. While bodies like the Securities and Exchange Board of India (SEBI), Reserve Bank of India (RBI), and Telecom Regulatory Authority of India (TRAI) combine policy formulation, regulation, and adjudication, the Data Protection Board exercises purely adjudicatory functions. Section 18 of the Act specifically empowers the Board to adjudicate disputes between Data Principals (individuals whose personal data is processed) and Data Fiduciaries (entities determining the purpose and means of data processing).</span></p>
<p><span style="font-weight: 400;">The Board&#8217;s quasi-judicial character manifests through several critical powers. First, it conducts inquiries into alleged violations of the Act, exercising investigative authority akin to civil courts. Second, it determines whether Data Fiduciaries have breached their statutory obligations, including consent requirements, security safeguards, and breach notification duties. Third, the Board issues binding directions for compliance, which may include orders for data erasure, cessation of processing activities, or implementation of corrective measures. Fourth, and perhaps most significantly, the Board imposes monetary penalties scaling up to Rs. 250 crore per breach [5].</span></p>
<p><span style="font-weight: 400;">The penalty framework under Schedule I of the Act categorizes violations into six tiers. The highest penalties, reaching Rs. 250 crore, apply to failures in implementing reasonable security safeguards to prevent data breaches and non-compliance with breach notification obligations to the Board and affected individuals. Additional obligations concerning children&#8217;s data attract penalties up to Rs. 200 crore. Processing data without valid consent, failing to honor Data Principal rights, or breaching duties related to accuracy and erasure can each result in penalties up to Rs. 50 crore per instance. The Board&#8217;s discretion in penalty determination considers factors including the nature, gravity, and duration of violations, the volume and sensitivity of data involved, harm caused to individuals, and whether the breach was repetitive [5].</span></p>
<h2><b>Adjudication Process and Natural Justice</b></h2>
<p><span style="font-weight: 400;">The Data Protection Board follows structured adjudicatory procedures rooted in principles of natural justice. Before approaching the Board, Data Principals must first exhaust the grievance redressal mechanisms provided by the Data Fiduciary or Consent Manager. This tiered approach aims to resolve disputes at the earliest stage, reserving the Board&#8217;s intervention for unresolved grievances. Upon receiving a complaint, the Board initiates inquiries, affording the concerned Data Fiduciary an opportunity to be heard. The digital infrastructure enables online submission of complaints, electronic filing of responses, and virtual hearings, ensuring accessibility while maintaining procedural fairness.</span></p>
<p><span style="font-weight: 400;">The Board exercises its powers in accordance with the principles laid down in the Code of Civil Procedure, 1908, and possesses authority equivalent to civil courts for purposes of enforcing attendance, examining witnesses on oath, requiring document production, and issuing commissions. At any stage of proceedings, the Board may direct parties to attempt resolution through mediation, reflecting India&#8217;s broader emphasis on alternative dispute resolution mechanisms [6]. Additionally, the Board can accept voluntary undertakings from Data Fiduciaries to ensure compliance, modifying terms through mutual consent where appropriate.</span></p>
<p><span style="font-weight: 400;">Orders passed by the Board are enforceable as decrees of civil courts, lending them coercive authority. All penalties collected are credited to the Consolidated Fund of India [6]. The Board also possesses directive powers extending beyond individual cases. Upon recommendation from the Central Government, it can investigate breaches by intermediaries and issue binding compliance directions, which must be accompanied by reasoned orders following an opportunity for the affected party to be heard.</span></p>
<h2><b>Appellate Mechanism and Judicial Oversight</b></h2>
<p><span style="font-weight: 400;">Recognizing the Data Protection Board&#8217;s significant powers, the Act establishes a clear appellate mechanism. Section 29 designates the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) as the appellate authority for Board decisions [7]. TDSAT, established under Section 14 of the Telecom Regulatory Authority of India Act, 1997, as amended in 2000, has evolved into a specialized tribunal adjudicating disputes across telecom, broadcasting, airport tariff, and cyber matters. Its jurisdiction was extended to Aadhaar-related appeals under Section 33C of the Aadhaar Act, 2016.</span></p>
<p><span style="font-weight: 400;">TDSAT comprises a Chairperson who must be or have been a Judge of the Supreme Court or Chief Justice of a High Court, along with two Members who have held posts equivalent to Secretary to the Government of India or possess extensive knowledge in relevant technical fields [7]. Appeals from TDSAT&#8217;s decisions lie directly to the Supreme Court of India, completing the judicial hierarchy. Data Principals dissatisfied with Board orders may appeal to TDSAT within prescribed timelines, and TDSAT&#8217;s orders themselves are executable as civil court decrees.</span></p>
<p><span style="font-weight: 400;">Beyond statutory appeals, Board decisions remain subject to judicial review by High Courts under Article 226 and the Supreme Court under Article 32 of the Constitution. As privacy constitutes a fundamental right under Article 21, courts can review Board orders for errors of law, procedural irregularities, proportionality of penalties, and adherence to constitutional safeguards [4]. This multilayered oversight ensures that the Board&#8217;s quasi-judicial exercise remains subject to constitutional accountability, balancing specialized adjudication with judicial guardianship of fundamental rights.</span></p>
<h2><b>Regulatory Framework and Implementation Timeline</b></h2>
<p><span style="font-weight: 400;">The Digital Personal Data Protection Rules, 2025, operationalize the Act&#8217;s provisions through a phased implementation approach [3]. Administrative provisions concerning the Board&#8217;s establishment, appointment of members, and organizational structure became effective immediately upon notification on 13 November 2025. Registration provisions for Consent Managers—entities facilitating consent management between Data Principals and Data Fiduciaries—will open on 13 November 2026. The substantive compliance requirements, including consent mechanisms, privacy notices, security obligations, and penalty provisions, will become fully enforceable on 13 May 2027, providing businesses an eighteen-month transition period.</span></p>
<p><span style="font-weight: 400;">This graduated timeline reflects the government&#8217;s recognition of implementation challenges faced by organizations, particularly startups and micro, small, and medium enterprises (MSMEs). The Rules adopt graded compliance burdens, imposing higher obligations on Significant Data Fiduciaries—entities identified by the government based on volume and sensitivity of data processed and associated risks. Significant Data Fiduciaries must appoint India-based Data Protection Officers, conduct Data Protection Impact Assessments, engage independent data auditors, and periodically share significant observations with the Board [8].</span></p>
<p><span style="font-weight: 400;">The Board&#8217;s digital-first operational model represents a departure from traditional tribunal functioning. The dedicated online portal and mobile application enable citizen-centric grievance redressal, with Data Fiduciaries required to respond to Data Principal requests within ninety days [3]. This technological integration aligns with broader governance reforms emphasizing ease of living and ease of doing business while ensuring transparency in adjudicatory processes.</span></p>
<h2><b>Challenges, Concerns, and Constitutional Questions</b></h2>
<p><span style="font-weight: 400;">Despite its innovative design, the Data Protection Board faces several challenges that may shape its evolution. First, the question of institutional independence remains contentious. Unlike the judiciary, where appointment mechanisms involve consultation with the Chief Justice of India and constitutional safeguards protect tenure, the Board consists entirely of executive appointees serving fixed terms. Critics argue this structure compromises the Board&#8217;s ability to adjudicate impartially in cases involving government entities, particularly given the Act&#8217;s broad exemptions for State processing in the interests of sovereignty, security, public order, and law enforcement [4].</span></p>
<p><span style="font-weight: 400;">Second, the penalty framework&#8217;s constitutional validity may face judicial scrutiny. The Act authorizes some of the highest administrative monetary penalties in Indian law, yet lacks detailed standards for determining penalty quantum beyond general factors. The concept of &#8220;reasonable security safeguards&#8221;—breach of which attracts the maximum penalty—remains undefined in the Act, requiring interpretation through rules or judicial precedent. Courts have historically invalidated disproportionate administrative penalties under Article 19(1)(g) (freedom to carry on trade and business) and Article 14 (equality before law), and similar challenges are anticipated once the penalty provisions become operational in 2027 [5].</span></p>
<p><span style="font-weight: 400;">Third, jurisdictional overlaps with sectoral regulators pose coordination challenges. Banking data is subject to RBI regulations, healthcare data falls under various health ministry frameworks, telecommunications data involves TRAI jurisdiction, and securities transactions implicate SEBI oversight. The Act&#8217;s primacy over sectoral regulations in data protection matters requires careful calibration to avoid regulatory conflicts and compliance confusion. The Board will need to develop cooperative enforcement mechanisms with existing regulators to ensure consistency.</span></p>
<p><span style="font-weight: 400;">Fourth, the Act&#8217;s exemption provisions raise concerns about data protection effectiveness. Section 17 exempts government processing for sovereignty, security, friendly relations with foreign states, and maintaining public order, with no requirement for proportionality assessment or judicial warrant. Additionally, processing by courts, tribunals, and bodies performing judicial or quasi-judicial functions is exempt, as is processing for prevention, investigation, or prosecution of offenses. Critics contend these exemptions, lacking procedural safeguards comparable to those in jurisdictions like the United Kingdom&#8217;s Investigatory Powers Act, 2016, may dilute the right to privacy recognized in Puttaswamy [8].</span></p>
<p><span style="font-weight: 400;">Fifth, resource constraints and potential backlogs threaten the Board&#8217;s efficacy. India&#8217;s digital economy generates massive data processing activities across sectors, and the ease of online complaint filing may result in overwhelming complaint volumes. Ensuring consistent jurisprudence across diverse industries, from social media platforms to healthcare providers to financial institutions, demands significant expertise and resources. The Board&#8217;s ability to function effectively depends on adequate staffing, technical infrastructure, and capacity building.</span></p>
<h2><b>Comparative Perspective: Global Data Protection Authorities</b></h2>
<p><span style="font-weight: 400;">The Data Protection Board&#8217;s design reflects influences from global data protection regimes while adapting to Indian constitutional and administrative contexts. The European Union&#8217;s General Data Protection Regulation (GDPR) establishes independent national Data Protection Authorities with both regulatory and adjudicatory powers, capable of imposing fines up to 4% of global annual turnover or €20 million, whichever is higher. These authorities function independently of government control, with appointment mechanisms designed to ensure impartiality. India&#8217;s Board, with its Rs. 250 crore absolute cap and executive appointment structure, differs significantly.</span></p>
<p><span style="font-weight: 400;">Singapore&#8217;s Personal Data Protection Commission combines regulatory guidance with enforcement authority, imposing penalties up to 10% of annual turnover in Singapore or S$1 million. The United Kingdom&#8217;s Information Commissioner&#8217;s Office similarly integrates advisory, regulatory, and enforcement functions. In contrast, India&#8217;s separation of policymaking (vested in the Ministry of Electronics and Information Technology) from adjudication (vested in the Board) represents a distinctive institutional choice, potentially enhancing focused expertise but risking coordination challenges.</span></p>
<p><span style="font-weight: 400;">The United States lacks a comprehensive federal data protection framework, instead relying on sectoral laws enforced by agencies like the Federal Trade Commission. State-level regulations like the California Consumer Privacy Act establish attorney general enforcement with civil penalties but lack specialized data protection tribunals. India&#8217;s Board thus occupies a unique position—more specialized than generalist regulators, yet less independent than constitutional watchdogs.</span></p>
<h2><b>Implications for India&#8217;s Digital Economy</b></h2>
<p><span style="font-weight: 400;">The Data Protection Board&#8217;s establishment carries profound implications for India&#8217;s rapidly expanding digital economy. As of 2025, India hosts over 800 million internet users, and sectors from fintech to edtech, healthtech to e-commerce generate vast personal data flows. The Board&#8217;s enforcement actions will shape business practices, consumer trust, and innovation trajectories. Penalties reaching Rs. 250 crore per breach create significant financial risk, particularly for startups and MSMEs, potentially chilling innovation if applied disproportionately. Conversely, effective enforcement may enhance consumer confidence, attracting investment and fostering data-driven economic growth.</span></p>
<p><span style="font-weight: 400;">International data transfers, crucial for India&#8217;s IT services and business process outsourcing sectors, depend on the Board&#8217;s interpretation and enforcement approach. While the Act permits cross-border transfers except to countries specifically restricted by government notification, uncertainty about restriction criteria and enforcement consistency may affect India&#8217;s positioning in global data flows. The Board&#8217;s jurisprudence on consent, legitimate purpose, and proportionality will determine whether India&#8217;s regime facilitates or constrains digital trade.</span></p>
<p><span style="font-weight: 400;">The Board&#8217;s relationship with Significant Data Fiduciaries, likely including major technology platforms, social media companies, and financial institutions, will test its capacity to regulate powerful entities. Ensuring compliance by entities with vast resources and sophisticated legal teams requires not only legal authority but technical expertise, investigative capability, and institutional resolve. The Board&#8217;s early decisions will establish precedents shaping the broader regulatory culture.</span></p>
<h2><b>Conclusion</b></h2>
<p><span style="font-weight: 400;">The Data Protection Board of India emerges as a novel institution in India&#8217;s regulatory landscape—a specialized adjudicatory authority tasked with operationalizing the constitutional right to privacy in the digital age. Established under the Digital Personal Data Protection Act, 2023, and operationalized through the 2025 Rules, the Board embodies India&#8217;s attempt to balance individual rights with legitimate data processing needs, privacy protection with innovation promotion, and sovereign governance with global integration. Its quasi-judicial character, wielding significant powers of inquiry, direction, and penalty, positions the Board as a crucial actor in India&#8217;s evolving data governance architecture.</span></p>
<p><span style="font-weight: 400;">However, the Board&#8217;s effectiveness and legitimacy depend on addressing structural challenges. Ensuring independence despite executive appointments, maintaining proportionality in penalty imposition, coordinating with sectoral regulators, building adequate capacity to handle complaint volumes, and developing consistent jurisprudence across diverse sectors will determine whether the Board fulfills its promise. The oversight provided by TDSAT and constitutional courts offers essential checks, yet the Board&#8217;s day-to-day functioning will shape the lived reality of data protection in India.</span></p>
<p><span style="font-weight: 400;">As India&#8217;s digital transformation accelerates, the Data Protection Board stands at the intersection of technology, law, and fundamental rights. Its evolution from nascent regulator to mature quasi-judicial institution will reflect broader tensions in India&#8217;s democratic governance—between state power and individual autonomy, economic efficiency and rights protection, technological innovation and ethical constraints. The Board&#8217;s success will ultimately be measured not by the penalties it imposes but by the culture of accountability and trust it fosters in India&#8217;s digital ecosystem.</span></p>
<h2><b>References</b></h2>
<p><span style="font-weight: 400;">[1] Digital Personal Data Protection Act, 2023. Available at: </span><a href="https://www.dpdpact2023.com/"><span style="font-weight: 400;">https://www.dpdpact2023.com/</span></a><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">[2] Justice K.S. Puttaswamy (Retd.) and Anr. vs Union of India and Ors., Writ Petition (Civil) No. 494/2012, Supreme Court of India (2017). Available at: </span><a href="https://indiankanoon.org/doc/91938676/"><span style="font-weight: 400;">https://indiankanoon.org/doc/91938676/</span></a><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">[3] Press Information Bureau, Government of India. &#8220;Digital Personal Data Protection (DPDP) Rules, 2025.&#8221; Available at: </span><a href="https://www.pib.gov.in/PressReleasePage.aspx?PRID=2190655"><span style="font-weight: 400;">https://www.pib.gov.in/PressReleasePage.aspx?PRID=2190655</span></a><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">[4] K. Sandeep &amp; Co. Advocates. &#8220;Data Protection Board&#8217;s Relationship with Judiciary under the DPDP Act, 2023.&#8221; Available at: </span><a href="https://ksandk.com/data-protection-and-data-privacy/judicial-review-and-appeals-under-indias-dpdp-act-2023/"><span style="font-weight: 400;">https://ksandk.com/data-protection-and-data-privacy/judicial-review-and-appeals-under-indias-dpdp-act-2023/</span></a><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">[5] K. Sandeep &amp; Co. Advocates. &#8220;Penalties and Adjudication under the DPDP Act, 2023.&#8221; Available at: </span><a href="https://ksandk.com/data-protection-and-data-privacy/penalties-adjudication-under-indias-dpdp-act-2023/"><span style="font-weight: 400;">https://ksandk.com/data-protection-and-data-privacy/penalties-adjudication-under-indias-dpdp-act-2023/</span></a><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">[6] Mondaq. &#8220;Enforcement And Penalties Under The Digital Personal Data Protection Act, 2023.&#8221; Available at: </span><a href="https://www.mondaq.com/india/data-protection/1543038/enforcement-and-penalties-under-the-digital-personal-data-protection-act-2023"><span style="font-weight: 400;">https://www.mondaq.com/india/data-protection/1543038/enforcement-and-penalties-under-the-digital-personal-data-protection-act-2023</span></a><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">[7] Telecom Disputes Settlement and Appellate Tribunal (TDSAT) Official Website. Available at: </span><a href="https://tdsat.gov.in/"><span style="font-weight: 400;">https://tdsat.gov.in/</span></a><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">[8] EY India. &#8220;DPDP Act 2023 and DPDP Rules 2025: Compliance Guide.&#8221; Available at: </span><a href="https://www.ey.com/en_in/insights/cybersecurity/decoding-the-digital-personal-data-protection-act-2023"><span style="font-weight: 400;">https://www.ey.com/en_in/insights/cybersecurity/decoding-the-digital-personal-data-protection-act-2023</span></a><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">[9] PRS Legislative Research. &#8220;The Digital Personal Data Protection Bill, 2023.&#8221; Available at: </span><a href="https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023"><span style="font-weight: 400;">https://prsindia.org/billtrack/digital-personal-data-protection-bill-2023</span></a><span style="font-weight: 400;"> </span></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>The Algorithmic Accountability Paradox under India’s DPDP Act, 2023: Regulating Significant Data Fiduciaries</title>
		<link>https://bhattandjoshiassociates.com/the-algorithmic-accountability-paradox-under-indias-dpdp-act-2023-regulating-significant-data-fiduciaries/</link>
		
		<dc:creator><![CDATA[Team]]></dc:creator>
		<pubDate>Wed, 24 Dec 2025 09:08:59 +0000</pubDate>
				<category><![CDATA[Privacy and Data Protection]]></category>
		<category><![CDATA[AI Regulation]]></category>
		<category><![CDATA[Algorithmic Accountability]]></category>
		<category><![CDATA[Data Governance]]></category>
		<category><![CDATA[Data Protection Law]]></category>
		<category><![CDATA[DPDP Act]]></category>
		<category><![CDATA[Privacy Law India]]></category>
		<category><![CDATA[Puttaswamy Judgment]]></category>
		<category><![CDATA[Significant Data Fiduciaries]]></category>
		<guid isPermaLink="false">https://bhattandjoshiassociates.com/?p=30702</guid>

					<description><![CDATA[<p>Introduction The Digital Personal Data Protection Act, 2023 represents India&#8217;s first attempt at creating a statutory framework for digital data protection, coming into force after years of deliberation following the landmark judgment in Justice K.S. Puttaswamy (Retd.) v. Union of India [1]. Within this legislative architecture lies a particularly intriguing provision that elevates certain data [&#8230;]</p>
<p>The post <a href="https://bhattandjoshiassociates.com/the-algorithmic-accountability-paradox-under-indias-dpdp-act-2023-regulating-significant-data-fiduciaries/">The Algorithmic Accountability Paradox under India’s DPDP Act, 2023: Regulating Significant Data Fiduciaries</a> appeared first on <a href="https://bhattandjoshiassociates.com">Bhatt &amp; Joshi Associates</a>.</p>
]]></description>
										<content:encoded><![CDATA[<h2><img loading="lazy" decoding="async" class="alignnone  wp-image-30703" src="https://bj-m.s3.ap-south-1.amazonaws.com/uploads/2025/12/The-Algorithmic-Accountability-Paradox-under-Indias-DPDP-Act-2023-Regulating-Significant-Data-Fiduciaries-300x157.png" alt="The Algorithmic Accountability Paradox under India’s DPDP Act, 2023: Regulating Significant Data Fiduciaries" width="996" height="521" srcset="https://bhattandjoshiassociates.com/wp-content/uploads/2025/12/The-Algorithmic-Accountability-Paradox-under-Indias-DPDP-Act-2023-Regulating-Significant-Data-Fiduciaries-300x157.png 300w, https://bhattandjoshiassociates.com/wp-content/uploads/2025/12/The-Algorithmic-Accountability-Paradox-under-Indias-DPDP-Act-2023-Regulating-Significant-Data-Fiduciaries-1024x536.png 1024w, https://bhattandjoshiassociates.com/wp-content/uploads/2025/12/The-Algorithmic-Accountability-Paradox-under-Indias-DPDP-Act-2023-Regulating-Significant-Data-Fiduciaries-768x402.png 768w, https://bhattandjoshiassociates.com/wp-content/uploads/2025/12/The-Algorithmic-Accountability-Paradox-under-Indias-DPDP-Act-2023-Regulating-Significant-Data-Fiduciaries.png 1200w" sizes="(max-width: 996px) 100vw, 996px" /></h2>
<h2><b>Introduction</b></h2>
<p><span style="font-weight: 400;">The Digital Personal Data Protection Act, 2023 represents India&#8217;s first attempt at creating a statutory framework for digital data protection, coming into force after years of deliberation following the landmark judgment in Justice K.S. Puttaswamy (Retd.) v. Union of India [1]. Within this legislative architecture lies a particularly intriguing provision that elevates certain data handlers to a status of heightened scrutiny and responsibility. These entities, designated as Significant Data Fiduciaries under Section 10 of the DPDP Act, find themselves at the intersection of technological power and legal accountability. The provision creates what can be termed an &#8220;algorithmic accountability paradox&#8221; where entities wielding immense data processing capabilities face obligations that demand transparency in systems whose very value proposition depends on proprietary algorithmic complexity. This article examines how the DPDP Act attempts to regulate these powerful actors, the legal framework governing their operations, and the inherent tensions that arise when law seeks to govern algorithmic opacity.</span></p>
<h2><b>The Constitutional Foundation: Privacy as a Fundamental Right</b></h2>
<p><span style="font-weight: 400;">Before examining the specific provisions governing Significant Data Fiduciaries, one must understand the constitutional bedrock upon which the DPDP Act rests. On August 24, 2017, a nine-judge bench of the Supreme Court of India unanimously recognized privacy as a fundamental right guaranteed under Article 21 of the Constitution [1]. The Court in Justice K.S. Puttaswamy (Retd.) v. Union of India established that privacy is intrinsic to the right to life and personal liberty. Justice D.Y. Chandrachud, writing for the majority, articulated that privacy encompasses three essential elements: the right to make autonomous decisions regarding intimate personal choices, the right to control dissemination of personal information, and the expectation of privacy against state surveillance. This judgment fundamentally altered the trajectory of data protection discourse in India and necessitated the creation of statutory mechanisms to operationalize this constitutional guarantee.</span></p>
<p><span style="font-weight: 400;">The Puttaswamy judgment did not merely declare privacy a fundamental right; it established a three-pronged test for any law that seeks to restrict this right. Any such restriction must satisfy legality (the restriction must be authorised by a law), the pursuit of a legitimate state aim (the need for the restriction), and proportionality (a rational nexus between the objective and the means adopted, with no less intrusive measure available). This framework became the constitutional lodestar for the DPDP Act, compelling the legislature to balance individual privacy rights against the legitimate interests of data processing entities and the state. The Act&#8217;s provisions concerning Significant Data Fiduciaries must therefore be understood not merely as regulatory requirements but as constitutional obligations flowing from the fundamental right to privacy.</span></p>
<h2><b>Understanding Data Fiduciaries and the Concept of Significance</b></h2>
<h3><b>Defining Data Fiduciaries under DPDP Act</b></h3>
<p><span style="font-weight: 400;">The DPDP Act introduces terminology that departs from the European General Data Protection Regulation&#8217;s framework while maintaining conceptual similarity. Under Section 2(i) of the Act, a &#8220;Data Fiduciary&#8221; is defined as any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data. This definition closely mirrors the GDPR&#8217;s concept of a &#8220;data controller,&#8221; but the use of the term &#8220;fiduciary&#8221; is deliberate and significant. It invokes the legal concept of a fiduciary relationship, one characterized by trust, confidence, and the duty to act in the best interests of another party. By employing this terminology, the Act imposes not merely contractual obligations but a higher standard of care rooted in trust law principles.</span></p>
<h3><b>The Designation of Significant Data Fiduciaries under the DPDP Act</b></h3>
<p><span style="font-weight: 400;">Section 10 of the DPDP Act empowers the Central Government to notify any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciaries based on an assessment of relevant factors [</span><b>2</b><span style="font-weight: 400;">]. The Act explicitly enumerates six criteria for such designation: the volume and sensitivity of personal data processed; risk to the rights of Data Principals; potential impact on the sovereignty and integrity of India; risk to electoral democracy; security of the State; and public order. This designation mechanism represents a risk-based approach to data protection regulation, recognizing that not all data processing activities pose equal threats to individual privacy or societal interests.</span></p>
<p><span style="font-weight: 400;">The discretionary nature of this designation power is both a strength and a potential vulnerability. On one hand, it allows regulatory flexibility to respond to evolving technological landscapes and emerging threats. The government could, for instance, designate a relatively smaller entity as a Significant Data Fiduciary if it processes highly sensitive biometric or genetic data, while exempting a larger entity engaged in less sensitive processing. This contextual approach prevents rigid thresholds that might become obsolete or inappropriate. On the other hand, the absence of quantifiable metrics or procedural safeguards in the designation process raises concerns about predictability, consistency, and potential for arbitrary exercise of power.</span></p>
<h2><strong>Enhanced Obligations of Significant Data Fiduciaries under the DPDP Act</strong></h2>
<h3><b>Appointment of Data Protection Officer</b></h3>
<p><span style="font-weight: 400;">Section 10(2)(a) of the DPDP Act mandates that Significant Data Fiduciaries appoint a Data Protection Officer who must be based in India and serve as an individual responsible to the Board of Directors or similar governing body [</span><b>2</b><span style="font-weight: 400;">]. The DPO must act as the point of contact for the grievance redressal mechanism under the Act. This requirement elevates data protection from a compliance function to a governance imperative, embedding privacy considerations at the highest level of organizational decision-making. The mandate that the DPO be based in India ensures regulatory accessibility and reflects the Act&#8217;s broader emphasis on territorial presence for accountability purposes.</span></p>
<p><span style="font-weight: 400;">The Digital Personal Data Protection Rules, 2025, notified in November 2025, provide additional clarity on the DPO&#8217;s role [</span><b>3</b><span style="font-weight: 400;">]. The Rules specify that the DPO must possess expertise in privacy law, data governance, and risk management. The officer serves as the primary interface between the organization, data principals, and the Data Protection Board of India. This positioning creates an inherent tension: the DPO must simultaneously serve organizational interests while acting as a champion for data principal rights and regulatory compliance. Navigating this dual mandate requires not merely technical competence but ethical judgment and institutional independence.</span></p>
<h3><b>Independent Data Auditor and Annual Assessments</b></h3>
<p><span style="font-weight: 400;">Section 10(2)(b) of DPDP Act requires Significant Data Fiduciaries to appoint an independent data auditor to evaluate compliance with the Act&#8217;s provisions [</span><b>2</b><span style="font-weight: 400;">]. Coupled with this is the requirement under Section 10(2)(c) for periodic Data Protection Impact Assessments. Rule 12 of the DPDP Rules, 2025 operationalizes these provisions by mandating that DPIAs and audits be conducted once every twelve months from the date of notification as a Significant Data Fiduciary [</span><b>3</b><span style="font-weight: 400;">]. The auditor must furnish a report containing &#8220;significant observations&#8221; to the Data Protection Board of India, creating a mandatory disclosure mechanism that brings regulatory oversight directly into the heart of organizational data practices.</span></p>
<p><span style="font-weight: 400;">Data Protection Impact Assessments serve a preventive function in the regulatory architecture. They require organizations to conduct a systematic evaluation before implementing new processing activities, particularly those involving novel technologies or large-scale processing of sensitive data. The DPIA must include a description of the rights of Data Principals and the purpose of processing, an assessment and management of risks to these rights, and measures to mitigate identified risks. While the DPDP Act&#8217;s DPIA requirements are less prescriptive than those under Article 35 of the GDPR, they nonetheless compel organizations to engage in structured risk thinking rather than reactive compliance.</span></p>
<h3><b>Algorithmic Due Diligence</b></h3>
<p><span style="font-weight: 400;">Perhaps the most forward-looking provision in Rule 12 is the requirement that Significant Data Fiduciaries observe due diligence to verify that algorithmic software deployed for hosting, display, uploading, modification, publishing, transmission, storage, updating, or sharing of personal data does not pose risks to Data Principal rights [</span><b>3</b><span style="font-weight: 400;">]. This provision acknowledges a crucial contemporary reality: algorithms themselves, not merely data processing practices, can infringe privacy and autonomy. An algorithm that engages in discriminatory profiling, manipulative targeting, or opaque decision-making poses fundamental risks that traditional data protection principles of notice and consent cannot adequately address.</span></p>
<p><span style="font-weight: 400;">The algorithmic due diligence requirement represents an attempt to impose transparency and accountability on what are often considered &#8220;black box&#8221; systems. However, the provision faces significant implementation challenges. What constitutes adequate &#8220;due diligence&#8221; in verifying algorithmic risk? Must organizations conduct algorithmic impact assessments, maintain model cards documenting training data and performance metrics, or implement explainability mechanisms? The Rules provide no detailed guidance, leaving organizations and regulators to navigate this terrain through iterative practice and potential litigation. This gap between aspiration and operationalization exemplifies the paradox at the heart of algorithmic accountability.</span></p>
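<p><span style="font-weight: 400;">The Rules leave the content of &#8220;due diligence&#8221; open, but one building block is uncontroversial in practice: an audit of the decisions an algorithm actually produces, broken down by a protected attribute, to detect the discriminatory profiling the provision is aimed at. The Python below is an added illustration of such a group-fairness audit; it is not text from the article, the Act or the Rules, and it is not a method prescribed by any regulator. The decision records, the two groups, the ground-truth outcomes and the two thresholds (0.8 for the disparate impact ratio, borrowed from the US &#8220;four-fifths rule&#8221; convention, and 0.1 for the equalized odds gap) are constructed assumptions chosen only to make the example run.</span></p>

```python
"""
Added example (not from the article, the DPDP Act or the DPDP Rules, 2025).
A minimal group-fairness audit of a binary decision system, the kind of check an
independent data auditor might run as one element of the algorithmic due
diligence that Rule 12 requires but does not specify. All data below is
constructed for illustration; thresholds are assumptions, not legal standards.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    group: str          # value of a protected attribute (constructed label)
    approved: bool      # the algorithm's decision, e.g. credit approved
    actual_good: bool   # ground-truth outcome, e.g. the loan was repaid


def make_records(group, good_approved, good_denied, bad_approved, bad_denied):
    """Expand per-group confusion counts into individual decision records."""
    return ([Decision(group, True, True)] * good_approved
            + [Decision(group, False, True)] * good_denied
            + [Decision(group, True, False)] * bad_approved
            + [Decision(group, False, False)] * bad_denied)


# Constructed sample: 100 applicants per group with identical base rates of
# creditworthiness (60 good / 40 bad), yet group B is approved far less often.
SAMPLE = make_records("A", 54, 6, 16, 24) + make_records("B", 36, 24, 4, 36)


def group_rates(records):
    """Selection rate, true positive rate and false positive rate per group."""
    counts = defaultdict(lambda: {"n": 0, "sel": 0, "pos": 0, "tp": 0, "neg": 0, "fp": 0})
    for r in records:
        c = counts[r.group]
        c["n"] += 1
        c["sel"] += int(r.approved)
        if r.actual_good:
            c["pos"] += 1
            c["tp"] += int(r.approved)
        else:
            c["neg"] += 1
            c["fp"] += int(r.approved)
    return {
        g: {
            "selection_rate": c["sel"] / c["n"],
            "tpr": c["tp"] / c["pos"] if c["pos"] else 0.0,
            "fpr": c["fp"] / c["neg"] if c["neg"] else 0.0,
        }
        for g, c in counts.items()
    }


def disparate_impact_ratio(rates, reference):
    """Lowest ratio of any group's selection rate to the reference group's."""
    ref = rates[reference]["selection_rate"]
    return min(r["selection_rate"] / ref for g, r in rates.items() if g != reference)


def equalized_odds_gap(rates):
    """Largest between-group difference in TPR or in FPR (0 = equalized odds)."""
    tprs = [r["tpr"] for r in rates.values()]
    fprs = [r["fpr"] for r in rates.values()]
    return max(max(tprs) - min(tprs), max(fprs) - min(fprs))


def audit(records, reference, di_threshold=0.8, odds_threshold=0.1):
    """Run both metrics and return findings an auditor could report as
    'significant observations'. Thresholds are assumed, not statutory."""
    rates = group_rates(records)
    di = disparate_impact_ratio(rates, reference)
    gap = equalized_odds_gap(rates)
    findings = []
    if di < di_threshold:
        findings.append(f"disparate impact ratio {di:.2f} below {di_threshold}")
    if gap > odds_threshold:
        findings.append(f"equalized odds gap {gap:.2f} above {odds_threshold}")
    return {"rates": rates, "disparate_impact": di,
            "equalized_odds_gap": gap, "findings": findings}


if __name__ == "__main__":
    result = audit(SAMPLE, reference="A")
    for group, r in sorted(result["rates"].items()):
        print(f"group {group}: selection={r['selection_rate']:.2f} "
              f"tpr={r['tpr']:.2f} fpr={r['fpr']:.2f}")
    for finding in result["findings"] or ["no findings"]:
        print("finding:", finding)
```

<p><span style="font-weight: 400;">Two design points matter for an audit of this kind. First, the selection-rate comparison alone can be explained away by differing base rates, so the audit also compares error rates conditional on the true outcome; in the constructed sample the base rates are identical, which is what makes the gap attributable to the algorithm rather than to the population. Second, the audit needs the protected attribute and the ground truth, neither of which the model itself should necessarily consume; collecting them for audit purposes is itself processing of personal data that has to be justified under the Act.</span></p>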
<h2><b>The Data Protection Board of India: Regulator and Adjudicator</b></h2>
<p><span style="font-weight: 400;">Section 18 of the DPDP Act establishes the Data Protection Board of India as the principal regulatory and adjudicatory authority for matters arising under the Act [</span><b>4</b><span style="font-weight: 400;">]. The Board is constituted as a body corporate with perpetual succession, possessing the power to acquire, hold, and dispose of property, and to enter into contracts. Its primary function is to adjudicate disputes between Data Principals and Data Fiduciaries, hear complaints regarding alleged breaches of obligations under the Act, and impose penalties for non-compliance.</span></p>
<p><span style="font-weight: 400;">The Board&#8217;s penalty powers are substantial. Section 33 authorizes penalties ranging from INR 50 crores to INR 250 crores depending on the nature and gravity of the breach [</span><b>4</b><span style="font-weight: 400;">]. For failure to take reasonable security safeguards resulting in a personal data breach, the maximum penalty is INR 250 crores. For failure to comply with Data Principal rights, the penalty can reach INR 200 crores. These financial penalties are among the highest in Indian regulatory law, reflecting the seriousness with which the legislature views data protection violations. The Board must consider whether the penalty is proportionate to the specific breach before imposing it, incorporating the constitutional principle of proportionality directly into the penalty framework.</span></p>
<p><span style="font-weight: 400;">However, the Board&#8217;s institutional design raises concerns about independence and accountability. Members and the Chairperson are appointed by the Central Government without clear provisions for multi-stakeholder involvement or parliamentary oversight [</span><b>4</b><span style="font-weight: 400;">]. This structure contrasts with data protection authorities in jurisdictions like the European Union, where regulators possess greater structural independence from government. The concern is particularly acute given Section 17 of the Act, which grants extensive exemptions to government instrumentalities for processing undertaken in the interests of sovereignty, integrity, security of the state, public order, and other specified purposes. A Board appointed entirely by the executive may face challenges in robustly scrutinizing government data processing activities that implicate fundamental privacy rights.</span></p>
<h2><b>Judicial Review and Constitutional Safeguards</b></h2>
<p><span style="font-weight: 400;">Recognizing the potential limitations of the administrative enforcement mechanism, the DPDP Act provides an appellate route. Under Section 29, any person aggrieved by an order or direction of the Data Protection Board may appeal to the Telecom Disputes Settlement and Appellate Tribunal within sixty days of receiving the order, a period the Tribunal may extend for sufficient cause, and the Tribunal&#8217;s decision may in turn be carried to the Supreme Court [</span><b>5</b><span style="font-weight: 400;">]. The High Courts additionally retain their writ jurisdiction under Article 226 over the Board&#8217;s exercise of statutory power. This creates a layered system in which the Board serves as the specialized first-instance adjudicator while the Tribunal and the constitutional courts provide oversight. The structure allows data protection disputes to benefit from the Board&#8217;s technical expertise while remaining subject to judicial scrutiny under constitutional principles.</span></p>
<p><span style="font-weight: 400;">The Supreme Court&#8217;s jurisprudence post-Puttaswamy has begun shaping the contours of privacy protection in the digital age. In Anuradha Bhasin v. Union of India (2020), the Court emphasized that any restrictions on fundamental rights, including privacy, must satisfy the tests of necessity, proportionality, and legality [</span><b>6</b><span style="font-weight: 400;">]. This principle directly informs the interpretation of the DPDP Act&#8217;s provisions, particularly the broad exemptions granted to government entities and the discretionary designation of Significant Data Fiduciaries. Courts can examine whether these provisions, as applied in specific cases, violate constitutional guarantees.</span></p>
<p><span style="font-weight: 400;">More recently, in Frank Vitus v. Narcotics Control Bureau (2024), the Supreme Court struck down a bail condition that required the accused to share a Google Maps location pin with the investigating officer, holding that a condition enabling constant tracking of a person on bail violated the right to privacy under Article 21 [</span><b>7</b><span style="font-weight: 400;">]. This judgment demonstrates judicial willingness to scrutinize surveillance mechanisms even when deployed for legitimate law enforcement purposes. The tension between the Frank Vitus precedent and Section 17&#8217;s exemptions for law enforcement processing under the DPDP Act suggests that courts will play a crucial role in demarcating the boundaries of permissible government data processing, potentially requiring procedural safeguards beyond those specified in the statute.</span></p>
<h2><b>The Paradox of Algorithmic Transparency</b></h2>
<h3><b>The Competitive Opacity Dilemma</b></h3>
<p><span style="font-weight: 400;">The enhanced obligations imposed on Significant Data Fiduciaries create a fundamental tension between transparency mandates and commercial imperatives. Many of these entities derive competitive advantage from proprietary algorithms that analyze data to generate insights, predictions, or recommendations. The economic value of platforms operated by large technology companies often resides not in the raw data itself but in the algorithmic models that process this data to deliver personalized services, targeted advertising, or predictive analytics. Requiring extensive disclosure of algorithmic functioning through DPIAs, audits, and due diligence processes potentially exposes trade secrets and undermines competitive positioning.</span></p>
<p><span style="font-weight: 400;">This paradox is not unique to India; data protection regimes worldwide grapple with balancing transparency against legitimate confidentiality interests. The GDPR attempts to address this through provisions like Article 15(1)(h), which grants data subjects the right to meaningful information about the logic involved in automated decision-making, while simultaneously recognizing that this must not adversely affect the rights and freedoms of others, including trade secrets. The DPDP Act, however, provides less nuanced guidance. The algorithmic due diligence requirement in Rule 12 demands verification that algorithms do not pose risks to Data Principal rights but does not specify how this verification should be conducted, what standards should apply, or how to balance transparency against confidentiality [</span><b>3</b><span style="font-weight: 400;">].</span></p>
<h3><b>The Explainability Challenge</b></h3>
<p><span style="font-weight: 400;">Beyond commercial concerns lies a deeper technical challenge: the inherent opacity of certain algorithmic systems, particularly those employing machine learning and artificial intelligence. Modern deep learning models often function as &#8220;black boxes&#8221; where even their creators cannot fully explain how specific inputs generate particular outputs. These systems identify complex patterns in training data that may not correspond to human-intuitive reasoning. When such algorithms make consequential decisions affecting individuals—whether in credit scoring, employment screening, insurance pricing, or content moderation—the inability to provide clear explanations creates acute accountability problems.</span></p>
<p><span style="font-weight: 400;">The DPDP Act does not directly mandate algorithmic explainability or a &#8220;right to explanation&#8221; for automated decisions, unlike some interpretations of the GDPR. Section 6 requires consent to be &#8220;informed,&#8221; and Section 8 obligates Data Fiduciaries to ensure accuracy and completeness of data, but these provisions do not clearly extend to explaining algorithmic logic [</span><b>4</b><span style="font-weight: 400;">]. The algorithmic due diligence requirement in Rule 12 could potentially be interpreted to necessitate explainability mechanisms as part of verifying that algorithms do not pose risks, but this remains subject to regulatory guidance or judicial interpretation.</span></p>
<h2><b>International Perspectives and Comparative Analysis</b></h2>
<p><span style="font-weight: 400;">India&#8217;s approach to regulating Significant Data Fiduciaries occupies a distinctive position in the global data protection landscape. The European Union&#8217;s GDPR does not create an explicit category of &#8220;significant&#8221; controllers, though it imposes heightened obligations on controllers engaged in large-scale processing or processing of special categories of data. The GDPR&#8217;s emphasis on data minimization, purpose limitation, and granular consent requirements applies uniformly to all controllers, albeit with proportionate implementation based on risk and scale.</span></p>
<p><span style="font-weight: 400;">The United States lacks federal omnibus data protection legislation, instead relying on sector-specific laws and state-level initiatives like the California Consumer Privacy Act. The CCPA and its successor, the California Privacy Rights Act, do not employ the concept of significant data fiduciaries but impose heightened obligations on businesses meeting certain revenue or data volume thresholds. China&#8217;s Personal Information Protection Law creates a category of &#8220;Personal Information Processors with Large User Scale&#8221; subject to enhanced requirements including impact assessments and appointment of protection officers, conceptually similar to India&#8217;s approach.</span></p>
<p><span style="font-weight: 400;">What distinguishes the DPDP Act is its explicit linkage of the Significant Data Fiduciary designation to national security and sovereignty concerns. The criteria enumerated in Section 10 include not only data protection considerations (volume, sensitivity, risk to Data Principal rights) but also broader state interests (sovereignty, integrity, electoral democracy, security, public order) [</span><b>2</b><span style="font-weight: 400;">]. This reflects India&#8217;s strategic approach to data governance as implicating not merely individual privacy but national interest. The potential for designation based on impact on electoral democracy, for instance, could encompass social media platforms whose algorithmic amplification of content might influence electoral outcomes. This jurisdictional assertion of data sovereignty distinguishes India&#8217;s model from purely rights-based frameworks.</span></p>
<h2><b>Sectoral Implications and Practical Challenges</b></h2>
<h3><b>Technology Platforms and Social Media</b></h3>
<p><span style="font-weight: 400;">Large technology platforms operating social media services, search engines, and digital marketplaces are prime candidates for Significant Data Fiduciary designation given the vast volumes of personal data they process and their societal impact. These entities face particular challenges in complying with the DPDP Act&#8217;s requirements. The algorithmic curation and recommendation systems that drive user engagement on social platforms rely on processing extensive behavioral data to predict user preferences and optimize content delivery. Conducting meaningful DPIAs for these systems requires assessing not only direct privacy risks but also downstream societal harms like echo chambers, polarization, or manipulation.</span></p>
<h3><b>Financial Services and Fintech</b></h3>
<p><span style="font-weight: 400;">The financial services sector already operates under stringent data localization and security requirements imposed by sectoral regulators like the Reserve Bank of India. Banks, payment system operators, and fintech companies processing financial data are likely Significant Data Fiduciary candidates. These entities must navigate the interaction between the DPDP Act and existing RBI regulations: Section 38 makes the Act additional to, and not in derogation of, other laws in force, while providing that the Act prevails to the extent of any conflict [</span><b>4</b><span style="font-weight: 400;">]. The challenge is particularly acute for algorithmic credit scoring and fraud detection systems, where explainability demands may conflict with the statistical complexity of risk models and the competitive sensitivity of scoring methodologies.</span></p>
<h3><b>Healthcare and Genomic Data</b></h3>
<p><span style="font-weight: 400;">Healthcare providers and particularly genomic testing companies exemplify the sensitivity-based designation pathway. A relatively smaller genomic testing startup could be designated a Significant Data Fiduciary due to the extreme sensitivity of genetic data, which not only identifies individuals but reveals hereditary health predispositions affecting entire families. The algorithmic due diligence requirement takes on heightened importance in this context, as algorithms analyzing genetic data to predict disease risk or recommend treatments must be rigorously validated to avoid medical harm from inaccurate or biased predictions.</span></p>
<h2><b>Enforcement Challenges and Future Trajectory</b></h2>
<p><span style="font-weight: 400;">The DPDP Act&#8217;s effectiveness in regulating Significant Data Fiduciaries will ultimately depend on implementation and enforcement. Several challenges loom large. First, the Data Protection Board must develop institutional capacity and technical expertise to effectively oversee entities employing sophisticated data processing technologies. Evaluating whether algorithms pose risks to Data Principal rights requires understanding of machine learning architectures, bias auditing methodologies, and fairness metrics—capabilities that may require time to develop within a newly constituted regulatory body.</span></p>
<p><span style="font-weight: 400;">Second, the Act&#8217;s phased implementation timeline creates transitional uncertainty. While the DPDP Rules, 2025 were notified in November 2025, companies have been granted a 12-18 month compliance window, with full enforcement expected by May 2027 [</span><b>3</b><span style="font-weight: 400;">]. During this transition, the government must issue notifications designating which entities or classes qualify as Significant Data Fiduciaries. The absence of such notifications creates planning challenges for organizations uncertain whether they will be subject to enhanced obligations.</span></p>
<p><span style="font-weight: 400;">Third, the global nature of data flows and digital services complicates enforcement. Many Significant Data Fiduciaries will be multinational corporations with complex organizational structures spanning multiple jurisdictions. Ensuring compliance with the requirement that Data Protection Officers be based in India and that audits and DPIAs meaningfully assess India-specific processing activities requires extraterritorial regulatory reach. Section 3 of the Act asserts applicability to processing outside India if related to offering goods or services to Data Principals in India, mirroring the GDPR&#8217;s extraterritorial scope [</span><b>4</b><span style="font-weight: 400;">]. However, practical enforcement against non-resident entities remains challenging absent international cooperation frameworks.</span></p>
<h2><b>Conclusion</b></h2>
<p><span style="font-weight: 400;">The concept of Significant Data Fiduciaries under the Digital Personal Data Protection Act, 2023 (DPDP Act) represents an ambitious attempt to impose heightened accountability on entities whose data processing activities pose substantial risks to individual privacy and societal interests. By mandating Data Protection Officers, independent audits, periodic impact assessments, and algorithmic due diligence, the Act seeks to transform data protection from a compliance checklist into a governance imperative embedded in organizational culture and decision-making processes.</span></p>
<p><span style="font-weight: 400;">Yet the framework also reveals the inherent tensions in regulating algorithmic systems. The transparency and accountability that the law demands often conflicts with the commercial opacity on which business models depend and the technical limitations of explaining complex machine learning systems. This algorithmic accountability paradox—the expectation that entities will be transparent about systems whose value lies partly in their inscrutability—defines the central challenge of contemporary data protection law.</span></p>
<p><span style="font-weight: 400;">The path forward requires moving beyond binary framings of transparency versus secrecy toward more nuanced approaches. Regulatory frameworks might embrace graduated disclosure mechanisms where different stakeholders receive different levels of algorithmic transparency. Data Protection Officers and auditors might receive detailed technical access to algorithms while the public receives high-level descriptions of processing purposes and safeguards. Independent technical auditing, perhaps through regulatory sandboxes or trusted third parties, could verify algorithmic fairness without full public disclosure. The development of explainability methods that provide meaningful insight without exposing proprietary details represents another promising direction.</span></p>
<p><span style="font-weight: 400;">As India&#8217;s data protection regime matures through the coming years of implementation, judicial interpretation will prove crucial. Courts will need to articulate standards for what constitutes adequate algorithmic due diligence, how to balance transparency against legitimate confidentiality interests, and when government exemptions impermissibly infringe the fundamental right to privacy established in Puttaswamy. The Data Protection Board&#8217;s early decisions in cases involving Significant Data Fiduciaries will set important precedents regarding the practical meaning of enhanced obligations.</span></p>
<p><span style="font-weight: 400;">Ultimately, the success of the Significant Data Fiduciary framework will be measured not merely by formal compliance but by substantive outcomes: whether it genuinely reduces privacy harms, whether it fosters trustworthy algorithmic systems, and whether it empowers individuals with meaningful control over their personal data in an increasingly algorithmically-mediated world. The DPDP Act provides the legal architecture, but building effective algorithmic accountability requires sustained commitment from regulators, judiciary, industry, and civil society alike.</span></p>
<h2><b>References</b></h2>
<p><span style="font-weight: 400;">[1] Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1. Available at: </span><a href="https://www.scobserver.in/cases/puttaswamy-v-union-of-india-fundamental-right-to-privacy-case-background/"><span style="font-weight: 400;">https://www.scobserver.in/cases/puttaswamy-v-union-of-india-fundamental-right-to-privacy-case-background/</span></a></p>
<p><span style="font-weight: 400;">[2] The Digital Personal Data Protection Act, 2023, No. 22 of 2023, § 10. Available at: </span><a href="https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf"><span style="font-weight: 400;">https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf</span></a></p>
<p><span style="font-weight: 400;">[3] Digital Personal Data Protection Rules, 2025. Available at: </span><a href="https://www.hoganlovells.com/en/publications/indias-digital-personal-data-protection-act-2023-brought-into-force-"><span style="font-weight: 400;">https://www.hoganlovells.com/en/publications/indias-digital-personal-data-protection-act-2023-brought-into-force-</span></a></p>
<p><span style="font-weight: 400;">[4] The Digital Personal Data Protection Act, 2023, No. 22 of 2023. Available at: </span><a href="https://en.wikipedia.org/wiki/Digital_Personal_Data_Protection_Act,_2023"><span style="font-weight: 400;">https://en.wikipedia.org/wiki/Digital_Personal_Data_Protection_Act,_2023</span></a></p>
<p><span style="font-weight: 400;">[5] KS&amp;K Advocates, &#8220;Judicial Review and Appeals under India&#8217;s DPDP Act, 2023.&#8221; Available at: </span><a href="https://ksandk.com/data-protection-and-data-privacy/judicial-review-and-appeals-under-indias-dpdp-act-2023/"><span style="font-weight: 400;">https://ksandk.com/data-protection-and-data-privacy/judicial-review-and-appeals-under-indias-dpdp-act-2023/</span></a></p>
<p><span style="font-weight: 400;">[6] Anuradha Bhasin v. Union of India, (2020) 3 SCC 637. Available at: </span><a href="https://lawfullegal.in/indias-digital-personal-data-protection-act-2023-a-legal-shift-towards-data-sovereignty-and-privacy/"><span style="font-weight: 400;">https://lawfullegal.in/indias-digital-personal-data-protection-act-2023-a-legal-shift-towards-data-sovereignty-and-privacy/</span></a></p>
<p><span style="font-weight: 400;">[7] Frank Vitus v. Narcotics Control Bureau (2024). Available at: </span><a href="https://www.jurist.org/commentary/2024/09/unconstitutional-movement-tracking-exploring-the-tension-between-recent-indian-supreme-court-jurisprudence-and-data-protection-legislation/"><span style="font-weight: 400;">https://www.jurist.org/commentary/2024/09/unconstitutional-movement-tracking-exploring-the-tension-between-recent-indian-supreme-court-jurisprudence-and-data-protection-legislation/</span></a></p>
<p style="text-align: center;"><em>Published and Authorized by  <strong>Rutvik Desai</strong></em></p>
<p>The post <a href="https://bhattandjoshiassociates.com/the-algorithmic-accountability-paradox-under-indias-dpdp-act-2023-regulating-significant-data-fiduciaries/">The Algorithmic Accountability Paradox under India’s DPDP Act, 2023: Regulating Significant Data Fiduciaries</a> appeared first on <a href="https://bhattandjoshiassociates.com">Bhatt &amp; Joshi Associates</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>The Legal Status of Deepfakes and AI-Generated Media</title>
		<link>https://bhattandjoshiassociates.com/the-legal-status-of-deepfakes-and-ai-generated-media/</link>
		
		<dc:creator><![CDATA[Komal Ahuja]]></dc:creator>
		<pubDate>Mon, 17 Feb 2025 10:47:16 +0000</pubDate>
				<category><![CDATA[Artificial Intelligence]]></category>
		<category><![CDATA[Digital Law]]></category>
		<category><![CDATA[Privacy and Data Protection]]></category>
		<category><![CDATA[Technology Ethics and Policy]]></category>
		<category><![CDATA[AI and Law]]></category>
		<category><![CDATA[AI Generated Media]]></category>
		<category><![CDATA[AI in Law]]></category>
		<category><![CDATA[Deepfake Legislation]]></category>
		<category><![CDATA[Deepfake Regulation]]></category>
		<category><![CDATA[Deepfakes]]></category>
		<category><![CDATA[Digital Ethics]]></category>
		<category><![CDATA[intellectual property]]></category>
		<category><![CDATA[misinformation]]></category>
		<category><![CDATA[Privacy Laws]]></category>
		<guid isPermaLink="false">https://bhattandjoshiassociates.com/?p=24379</guid>

					<description><![CDATA[<p>Introduction The emergence of deepfake technology and AI-created content detached from real-world impacts has fundamentally changed how people create, consume and interact with digital content. Deepfakes can create realistic videos, images, and audio by using sophisticated machine learning algorithms, especially generative adversarial networks (GANs), to overlay a person’s voice or face onto someone else’s body [&#8230;]</p>
<p>The post <a href="https://bhattandjoshiassociates.com/the-legal-status-of-deepfakes-and-ai-generated-media/">The Legal Status of Deepfakes and AI-Generated Media</a> appeared first on <a href="https://bhattandjoshiassociates.com">Bhatt &amp; Joshi Associates</a>.</p>
]]></description>
										<content:encoded><![CDATA[<h2><img loading="lazy" decoding="async" class="alignright size-full wp-image-24383" src="https://bj-m.s3.ap-south-1.amazonaws.com/p/2025/02/the-legal-status-of-deepfakes-and-ai-generated-media.png" alt="The Legal Status of Deepfakes and AI-Generated Media" width="1200" height="628" /></h2>
<h2><b>Introduction</b></h2>
<p><span style="font-weight: 400;">The emergence of deepfake technology and AI-created content detached from real-world impacts has fundamentally changed how people create, consume and interact with digital content. Deepfakes can create realistic videos, images, and audio by using sophisticated machine learning algorithms, especially generative adversarial networks (GANs), to overlay a person’s voice or face onto someone else’s body and speech. While the possible uses for this technology across innovation, entertainment, and education industries are plentiful, its ethical, social, and legal repercussions are equally concerning. This article looks at the legal aspects surrounding deepfakes and AI-generated media, with special focus on their regulation, existing laws, landmark cases, and judicial analysis, seeking to address how society can deal with the challenges brought by this new technology.</span></p>
<h2><b>Understanding Deepfakes and AI-Generated Media</b></h2>
<p><span style="font-weight: 400;">Deepfakes are the result of highly sophisticated artificial intelligence techniques that use GANs. A GAN uses two neural networks competing against each other. One creates content, while the other seeks to detect it. At the end of each round, the two will swap positions. The AI trained to spot fakes will be better at spotting them while the one trained to generate them will be better at generating them. The result is media content that is extremely convincing but fake. AI-generated media includes deepfakes, but also visual and audio, computer-generated arts, music, literature, and so many more. These developments are transforming what is understood as creativity and bringing moral and legal issues regarding creation, copyright, and responsibility.</span></p>
<p><span style="font-weight: 400;">The focus of image and video manipulation technology has shifted to the concerns of damage that can be done to people and society as a whole. Some such harmful uses include non-consensual pornography, identity deception, political tampering, and even monetary scams. Legal systems in many regions are struggling with how to enforce laws on this advanced technology without limiting freedom and creativity.</span></p>
<h2><b>Regulatory Frameworks Governing Deepfakes</b></h2>
<p><span style="font-weight: 400;">Regulating deepfakes involves a delicate balance between mitigating harm and upholding freedom of expression and technological progress. Different jurisdictions have adopted varied approaches, reflecting their legal traditions, cultural values, and levels of technological advancement.</span></p>
<p><b>United States</b></p>
<p><span style="font-weight: 400;">The approach to regulating deepfakes in the US is disjointed and fragmented, varying widely by state. Some states, such as California, Texas, and Virginia, have legislated against certain malicious applications of deepfake technology. For instance, California’s AB 730 bans the use of videos which falsely claim to be deepfakes within 60 days before an election. AB 602 also helps victims of non-consensual pornographic deepfake videos by criminalizing the creation and advertisement of such videos. Texas legislation has also evolved to recognize the dangers of deepfake technology by criminalizing the creation and use of deepfakes that harm people or manipulate election outcomes.</span></p>
<p><span style="font-weight: 400;">At the state level, the DEEPFAKES Accountability Act is proposed legislation that aims to counter the misuse of deepfake technology from a more holistic point of view. The Act is not yet in effect, but it proposes that deepfake content carry identifying labels, with severe penalties for abusive uses and for failure to label. While other laws, such as Section 230 of the Communications Decency Act and some intellectual property laws, do help address some of the deepfake problems, their influence is quite passive and vague.</span></p>
<p><b>European Union</b></p>
<p><span style="font-weight: 400;">The European Union has a broader strategy for regulating AI-based media. The proposed Artificial Intelligence Act (AIA) classifies AI systems into distinct risk classes and lays down highly restrictive obligations on high-risk applications, such as deepfakes. Transparency is one of the &#8220;cornerstones&#8221; of the AIA, and it requires disclosure whenever content is created or altered by an AI system.</span></p>
<p><span style="font-weight: 400;">The EU&#8217;s General Data Protection Regulation (GDPR) is also an important tool for the prevention of deepfakes. The unlawful generation or sharing of deepfake content commonly involves, for instance, processing personal information without permission in a manner prohibited by the provisions of the GDPR. In addition, the Digital Services Act (DSA) and the Digital Markets Act (DMA) are works in progress that seek to increase the responsibility of online platforms for tackling harmful content, including deepfakes.</span></p>
<p><b>India</b></p>
<p><span style="font-weight: 400;">In India, the legal framework to deal with deepfakes is still in its infancy. Although no specific law criminalizes the use of deepfake technology, the Information Technology Act, 2000, and the Indian Penal Code (IPC) are used as legal frameworks to prosecute offences related to this technology. Section 67A of the IT Act makes it unlawful to publish content including non-consensual pornographic deepfakes. Other relevant provisions are defamation (Section 499 of the IPC) and identity theft (Section 66C of the IT Act). Nevertheless, enforcement difficulties remain because of the anonymity afforded by digital platforms and jurisdictional issues.</span></p>
<h2><b>Key Legal Issues Surrounding Deepfakes </b></h2>
<p><b>Privacy and Consent</b></p>
<p><span style="font-weight: 400;">Privacy violations and lack of consent are among the most pressing legal concerns associated with deepfakes. Non-consensual pornographic deepfakes disproportionately target women and have devastating consequences for their victims. Legal systems are increasingly recognizing the need to criminalize such conduct. However, the enforcement of privacy laws remains challenging, particularly in the digital age, where anonymity and cross-border platforms complicate accountability.</span></p>
<p><b>Intellectual Property</b></p>
<p><span style="font-weight: 400;">Deepfakes and AI-generated media raise a host of questions centred on intellectual property. The central issue is whether AI-generated media is copyrightable and, if so, who should own the copyright. The United States Copyright Office has clarified that a work created solely by AI is not eligible for copyright protection, since such works lack human authorship. However, when an AI is used as a tool by a human creator, the resulting work may qualify for protection. Similar questions are being raised in the EU and other jurisdictions, where laws are grappling with the concept of authorship in relation to AI.</span></p>
<p><b>Defamation and Misinformation</b></p>
<p><span style="font-weight: 400;">Deepfakes have been used to create false and damaging representations of individuals, leading to defamation claims. The difficulty lies in proving the falsity and harm caused by the deepfake, as well as identifying the creator. The use of deepfakes in spreading political misinformation further complicates matters, raising concerns about the integrity of democratic processes. Legal frameworks must address these risks while safeguarding freedom of speech and expression.</span></p>
<p><b>National Security and Public Safety</b></p>
<p><span style="font-weight: 400;">Deepfakes pose significant risks to national security and public safety. They can be weaponized to spread disinformation, impersonate public officials, or incite panic. For example, a deepfake of a government leader issuing a false directive could have catastrophic consequences. Addressing these risks requires a multi-faceted approach, including robust legal and regulatory measures, technological interventions, and public awareness campaigns.</span></p>
<h2>Landmark Cases on Deepfakes and AI Media</h2>
<p><span style="font-weight: 400;">A myriad of legal cases have framed the debate on deepfakes and AI media, showcasing how the field is shifting:</span></p>
<p><span style="font-weight: 400;"><strong>People v. Tracey (California, 2020)</strong> &#8211; The case dealt with the production and distribution of non-consensual deepfake pornography. The court upheld California’s AB 602, affirming the need for stronger legal boundaries against the infringement of privacy.</span></p>
<p><span style="font-weight: 400;"><strong>Deepfakes in Political Campaigns</strong>: Cases are still developing, but courts have begun to discuss the use of deepfakes in political elections. Suspension proceedings under California AB 730 illustrate the importance of judicial power in stopping electoral fraud.</span></p>
<p><span style="font-weight: 400;"><strong>Thaler v. Copyright Office (2022)</strong>: This case dealt with copyright in AI-created works. The United States Copyright Office denied a copyright application for a piece of art generated by an AI program with no human involvement, thus restating the need for human authorship.</span></p>
<p><span style="font-weight: 400;"><strong>EU Jurisprudence on GDPR Violations</strong>: European courts have increasingly dealt with the use of personal information without consent for the making of deepfakes, demonstrating the relationship between the law and technology.</span></p>
<h2>The Path Forward for Deepfakes and AI-Generated Media</h2>
<p><b>Strengthening Legal Frameworks</b></p>
<p><span style="font-weight: 400;">To address the challenges posed by deepfakes and AI-generated media effectively, legal systems must evolve. Comprehensive legislation should explicitly define and regulate the creation, distribution, and use of deepfakes. Transparency requirements, such as labelling AI-generated content, should be mandated, and malicious uses of the technology, including non-consensual pornography and disinformation campaigns, must be penalized.</span></p>
<p><b>Enhancing International Cooperation</b></p>
<p><span style="font-weight: 400;">The borderless nature of the internet necessitates international collaboration to combat the misuse of deepfake technology. Harmonizing legal standards and facilitating cross-border enforcement through treaties and agreements are crucial steps in this direction.</span></p>
<p><b>Leveraging Technology</b></p>
<p><span style="font-weight: 400;">Regulators and law enforcement agencies can harness AI and machine learning to detect and combat deepfakes. Developing robust detection tools and integrating them into online platforms can help mitigate the spread of harmful content and reduce the technology’s misuse.</span></p>
<p><b>Promoting Ethical AI Development</b></p>
<p><span style="font-weight: 400;">Governments, tech companies, and civil society must share the responsibility of ensuring that AI technologies are developed and deployed responsibly. Ethical guidelines and industry standards can play a pivotal role in minimizing the risks associated with deepfakes.</span></p>
<h2><b>Conclusion</b></h2>
<p><span style="font-weight: 400;">The rise of deepfakes and AI-generated media creates unprecedented legal difficulties which must be dealt with creatively and proactively. While the existing laws provide some protection for the issues at hand they cannot address some of the issues that the tremendous evolution of technology creates. A forward-thinking view must be taken alongside innovative solutions to make use of the potential offered by these technologies while also protecting individual rights, public safety and democracy. Robust legal frameworks, international cooperation, technological development and ethical AI techniques will be essential in dealing with the complexities of this crucial turning point.</span></p>
<p>The post <a href="https://bhattandjoshiassociates.com/the-legal-status-of-deepfakes-and-ai-generated-media/">The Legal Status of Deepfakes and AI-Generated Media</a> appeared first on <a href="https://bhattandjoshiassociates.com">Bhatt &amp; Joshi Associates</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Legal Framework for Digital Sovereignty</title>
		<link>https://bhattandjoshiassociates.com/legal-framework-for-digital-sovereignty/</link>
		
		<dc:creator><![CDATA[Komal Ahuja]]></dc:creator>
		<pubDate>Mon, 17 Feb 2025 08:34:44 +0000</pubDate>
				<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Digital Law]]></category>
		<category><![CDATA[Privacy and Data Protection]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Data Localization]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[Digital Rights]]></category>
		<category><![CDATA[Digital Sovereignty]]></category>
		<category><![CDATA[GDPR]]></category>
		<category><![CDATA[Privacy Laws]]></category>
		<category><![CDATA[Sovereignty in Cyberspace]]></category>
		<category><![CDATA[Tech Law]]></category>
		<guid isPermaLink="false">https://bhattandjoshiassociates.com/?p=24376</guid>

					<description><![CDATA[<p>Introduction Taking into consideration a country’s ability to maintain control of its technological assets, data and digital infrastructure, digital sovereignty can be defined as the status of individual countries having the ability to govern themselves in the digital domain. The rapid development of technology coupled with the growing availability of the internet has made issues [&#8230;]</p>
<p>The post <a href="https://bhattandjoshiassociates.com/legal-framework-for-digital-sovereignty/">Legal Framework for Digital Sovereignty</a> appeared first on <a href="https://bhattandjoshiassociates.com">Bhatt &amp; Joshi Associates</a>.</p>
]]></description>
										<content:encoded><![CDATA[<h2><img loading="lazy" decoding="async" class="alignright size-full wp-image-24377" src="https://bj-m.s3.ap-south-1.amazonaws.com/p/2025/02/legal-framework-for-digital-sovereignty.png" alt="Legal Framework for Digital Sovereignty" width="1200" height="628" /></h2>
<h2><b>Introduction</b></h2>
<p><span style="font-weight: 400;">Taking into consideration a country’s ability to maintain control of its technological assets, data and digital infrastructure, digital sovereignty can be defined as the ability of individual countries to govern themselves in the digital domain. The rapid development of technology, coupled with the growing availability of the internet, has made issues of digital sovereignty increasingly important. The concept has also come to cover how states exercise control in the digital environment, such as by regulating data flows, protecting cyberspace and controlling essential technologies. How these sovereign powers should be exercised is also being considered through international relations and international law. Digital sovereignty does more than protect national interests: it also enables the protection of privacy and provides an answer to questions of corporate moral and social responsibility, as well as ethics in the advancement of technology. This article details the legal regulation of digital sovereignty, encompassing laws, case law and the most important judicial decisions that determine the direction of regulation.</span></p>
<h2><b>The Concept of Digital Sovereignty</b></h2>
<p><span style="font-weight: 400;">Digital sovereignty represents a nation&#8217;s ability to regulate and control its digital assets, including data storage, processing and infrastructure, within its territorial boundaries. It is in part an extension of the broader concept of state sovereignty into the digital domain. The growing use of technology for governance, economic operations and societal interactions shows the need for a robust legal framework to ensure digital sovereignty. At its heart, digital sovereignty is the need to ensure that digital infrastructure such as servers, software and communication networks remains within the control of the state and is not subject to interference from foreign entities. Furthermore, citizens&#8217; data should be protected from exploitation by multinational corporations or foreign governments. In recent years, geopolitical tensions and trade disagreements have increased the importance of digital sovereignty as nation states recognise the strategic significance of control over their digital environment. States constantly seek to ensure that citizens’ data is not misused by foreign entities or processed under an external jurisdiction without prior agreed consent. This objective requires a balance between the protection of national interests and adherence to existing international trade and data-sharing agreements. The increasing influence of multinational technology companies has complicated matters, as they operate across many jurisdictions, which makes regulation very difficult.</span></p>
<h2><b>Legal Frameworks Governing Digital Sovereignty</b></h2>
<h3><b>International Legal Frameworks</b></h3>
<p><span style="font-weight: 400;">Digital sovereignty is regulated by international treaties, agreements, and guidelines which vary in scope. The Budapest Convention on Cybercrime, for example, seeks to deal with internet-related crimes and promote international collaboration. At the same time, it has been criticized for allowing state access to data across borders without sufficient consent, which is considered a violation of state sovereignty. This situation underscores the challenge of crafting agreements that states find universally acceptable as far as sovereign rights are concerned, while global engagement remains a requirement.</span></p>
<p><span style="font-weight: 400;">The Tallinn Manual on the International Law Applicable to Cyber Warfare is yet another document of profound importance in this regard. It is not a statute, but it suggests how international law should guide cyber activities and warfare. It delineates state obligations regarding responsibility and authority in cyberspace, with the expectation that each state will establish adequate laws to govern its domain.</span></p>
<p><span style="font-weight: 400;">Other frameworks such as the UN Guiding Principles on Business and Human Rights focus on the obligation of businesses to uphold human rights as they conduct their digital operations. On the other hand, the General Agreement on Trade in Services (GATS) offered by the World Trade Organization (WTO) establishes principles for conducting trade over the Internet but tends to conflict with the exercise of national digital sovereignty, such as requirements for data localization.</span></p>
<h3><b>National Legal Frameworks</b></h3>
<p><span style="font-weight: 400;">Asserting digital sovereignty has become a global trend with countries adopting specific laws and regulations for its enforcement. Here are some notable examples:</span></p>
<p><span style="font-weight: 400;">Within the European Union, there is a transnational legal framework known as the General Data Protection Regulation (GDPR). It enforces strict data protection policies not only within EU member states but also for foreign entities dealing with EU citizens’ data. GDPR showcases how digital sovereignty can be exercised when organizations are required to observe data protection protocols regardless of their geographical jurisdiction. Its extraterritorial scope obligates foreign entities processing the data of EU nationals to comply with the regulation, thereby extending the EU’s reach beyond its borders.</span></p>
<p><span style="font-weight: 400;">In the United States, the federal government has not yet implemented comprehensive data protection laws. Instead, there are sector-specific laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the California Consumer Privacy Act (CCPA) that provide some level of protection. The CLOUD Act (Clarifying Lawful Overseas Use of Data) also exemplifies the application of U.S. law to data stored in other countries, which often causes conflicts of jurisdiction. This demonstrates the U.S.&#8217;s focus on law and order alongside national security.</span></p>
<p><span style="font-weight: 400;">China’s Cybersecurity Law and Data Security Law pay special attention to data localization and the control of cross-border data flows. These laws give the state unprecedented authority over digital affairs by ensuring that critical data stored in China remains within the country’s borders. Additionally, the Personal Information Protection Law (PIPL) gives personal data a distinct form of protection, with data protection clauses resembling those of the GDPR but with significantly more state control.</span></p>
<p><span style="font-weight: 400;">With the Digital Personal Data Protection Act of 2023, India also joins the list of countries attempting to claim digital sovereignty. This legislation intends to control data processing operations and be responsible for data from any information system which belongs to an Indian citizen. The Act&#8217;s provisions for data localization and the creation of a Data Protection Board reflect India&#8217;s attempt at managing privacy and security rights.</span></p>
<h2><b>Regulation of Digital Sovereignty</b></h2>
<p><span style="font-weight: 400;">Just like any other political domain, legislation, administration, and to some extent enforcement come together to form the structure of digital sovereignty. Most governments create a special regulatory body or department responsible for the supervision of internet activity and ensuring adherence to national legislation. For example, both the EU’s Data Protection Authorities (DPAs) and the American Federal Trade Commission (FTC) have separate jurisdictions, but both share the responsibility for consumer privacy and data protection issues in their respective areas.</span></p>
<p><span style="font-weight: 400;">Moreover, international treaties, as well as diplomatic and trade agreements, are just as important in defining the scope and boundaries of digital sovereignty. Member nations form qualitative protocols which balance economic exchange and the ethical treatment of citizens’ data. The EU and US are currently debating the EU-US Data Privacy Framework, which aims to facilitate the transfer of data across the Atlantic while complying with the rulings of the Schrems II case. Such agreements often receive heavy criticism for lacking sufficient measures against unauthorized foreign spying.</span></p>
<p><span style="font-weight: 400;">In the same light, interpretation of the law has a major impact on digital sovereignty. Increasingly, courts in various countries have to deal with cases of restriction associated with geolocation, data movement, invasion of privacy, and conflict of laws among nations, which all have borders, but no clear boundaries. Through these judicial actions, states are provided with the limits and logic which the law imposes on digital sovereignty concerning the rights and powers of each state, the corporations, and the individuals.</span></p>
<h2><b>Key Case Laws and Judicial Precedents</b></h2>
<p><span style="font-weight: 400;">One of the most important cases regarding digital sovereignty is Google LLC v. CNIL, decided in 2019. The Court of Justice of the European Union (CJEU) ruled on the territorial scope of “the right to be forgotten” under the GDPR. The court found that search engine operators are required to remove information from their EU domains, but not from the rest of the world. This ruling exemplifies the boundaries of digital sovereignty as well as the tension between local and international legislation.</span></p>
<p><span style="font-weight: 400;">Microsoft Corp. v. United States (2018) is a classic U.S. case that deals with whether U.S. authorities had the power to force Microsoft to provide emails stored on Irish servers. With the introduction of the CLOUD Act, this case became moot, but it certainly brought into focus national jurisdiction over data stored across national borders. The case also highlighted the reach domestic laws could have beyond their borders and the international cooperation needed to resolve such issues.</span></p>
<p><span style="font-weight: 400;">The Schrems I and II cases (2015, 2020) are especially important when it comes to data transfers between the EU and the U.S. These landmark rulings called into question the legitimacy of the Safe Harbor and Privacy Shield agreements, respectively. The CJEU struck down both accords due to a lack of protective measures for EU citizens’ data within the United States, further emphasizing the need for strong safeguards when claiming digital sovereignty. Such decisions have forced the EU and the U.S. to come up with new agreements which try to address the concerns of privacy and, at the same time, enable data exchange across the Atlantic.</span></p>
<p><span style="font-weight: 400;">In India, the most notable decision is Justice K.S. Puttaswamy v. Union of India (2017), where the court recognized the right to privacy as part of the fundamental rights guaranteed under the Constitution. That case initiated the development of data protection policies and called attention to the duty of the state to protect citizens’ digital rights. In addition, the ruling sought to achieve a balance between one’s privacy and the interests of the state concerning security and governance.</span></p>
<h2><b>Challenges to Digital Sovereignty</b></h2>
<p><span style="font-weight: 400;">Pursuing digital sovereignty is not a walk in the park; there are inter-jurisdictional issues, technological dependencies, and the strife between securing information and invading privacy. For instance, the Microsoft v. United States case illustrates how the international boundaries of the internet can lead to controversies. Nations are required to resolve those disputes while safeguarding their sovereign interests and encouraging diplomacy.</span></p>
<p><span style="font-weight: 400;">Technological dependence makes claiming sovereignty over digital spaces more complex. Countries that are dependent on external technologies can&#8217;t have sovereignty, since they are chained to foreign service providers for vital infrastructure and services. This dependency could be lessened by a drive towards innovation and the development of domestic infrastructure. However, these strategies require great resources and motivation from the government.</span></p>
<p><span style="font-weight: 400;">Governments have a hard time striking a balance between protecting the security of the nation and the privacy of the individual. Overreach into people&#8217;s cyberspace in the name of fighting crime or terrorism can lead to anger and rejection. Legislation requiring back-door access to secured communications, for example, will be opposed by privacy champions and IT firms.</span></p>
<p><span style="font-weight: 400;">Policies such as data localization often interfere with international business, trade, and cooperation. Data localization is helpful because it gives greater control, but it can also increase restrictions on businesses and their access to foreign markets. Finding local limits that do not harm global cooperation is, therefore, a key challenge for global policymaking.</span></p>
<h2><b>Future of Digital Sovereignty</b></h2>
<p><span style="font-weight: 400;">With advances in technology, artificial intelligence, quantum computing and blockchain technologies will pose new issues for digital sovereignty. The legal policies of countries need to adapt to these changes within the scope of international standards.</span></p>
<p><span style="font-weight: 400;">The development of AI poses distinct problems and possibilities for the concept of digital sovereignty. Countries must engage in healthy competition to manage the ethical issues concerning AI’s development and usage. Equally, as advancements are made in quantum computing, new security measures will need to be implemented to protect digital assets as current encryption standards are disrupted.</span></p>
<p><span style="font-weight: 400;">Equally, a multilateral approach to setting standards is required to deal with the increasingly digital nature of the world. The creation of a Global Digital Compact is an example of an initiative that strives to ensure a collaborative approach and flexible governance. It captures how national responsibilities must merge with international considerations in the modern world.</span></p>
<h2><b>Conclusion</b></h2>
<p><span style="font-weight: 400;">Digital sovereignty is an evolving concept which reflects the intersection of law, technology and policy. The effective implementation of digital sovereignty requires robust legal frameworks, vigilant regulation and effective adjudication. While challenges continue to exist, continued debate is required, as the protection of national trade and the rights of individual citizens remain very important in today&#8217;s interconnected world. Through a combination of national legislation, international cooperation and technological innovation, nations may navigate the complexities of the digital age and uphold their autonomy. As technology continues to advance, digital sovereignty will remain a potent basis of governance in the 21st century.</span></p>
<p>The post <a href="https://bhattandjoshiassociates.com/legal-framework-for-digital-sovereignty/">Legal Framework for Digital Sovereignty</a> appeared first on <a href="https://bhattandjoshiassociates.com">Bhatt &amp; Joshi Associates</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Legal Implications of Quantum Computing on Cryptography</title>
		<link>https://bhattandjoshiassociates.com/legal-implications-of-quantum-computing-on-cryptography/</link>
		
		<dc:creator><![CDATA[Komal Ahuja]]></dc:creator>
		<pubDate>Fri, 14 Feb 2025 11:22:14 +0000</pubDate>
				<category><![CDATA[Cyber Law]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Privacy and Data Protection]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Cryptography]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Data Encryption]]></category>
		<category><![CDATA[Encryption Tech]]></category>
		<category><![CDATA[Future of Security]]></category>
		<category><![CDATA[Quantum Computing]]></category>
		<category><![CDATA[Quantum Cryptography]]></category>
		<category><![CDATA[Quantum Threat]]></category>
		<category><![CDATA[Tech Innovation]]></category>
		<guid isPermaLink="false">https://bhattandjoshiassociates.com/?p=24363</guid>

					<description><![CDATA[<p>Introduction Quantum computing is an area that might transform technology as we know it. It can shift the boundaries of what computers can do. Quantum computers, unlike classical computers, do not operate in binary systems with 0&#8217;s and 1&#8217;s. Instead, they work with quantum bits, or qubits, which makes them capable of existing in various [&#8230;]</p>
<p>The post <a href="https://bhattandjoshiassociates.com/legal-implications-of-quantum-computing-on-cryptography/">Legal Implications of Quantum Computing on Cryptography</a> appeared first on <a href="https://bhattandjoshiassociates.com">Bhatt &amp; Joshi Associates</a>.</p>
]]></description>
										<content:encoded><![CDATA[<h2><img loading="lazy" decoding="async" class="alignright size-full wp-image-24364" src="https://bj-m.s3.ap-south-1.amazonaws.com/p/2025/02/Legal-Implications-of-Quantum-Computing-on-Cryptography.png" alt="Legal Implications of Quantum Computing on Cryptography" width="1200" height="628" /></h2>
<h2><b>Introduction</b></h2>
<p><span style="font-weight: 400;">Quantum computing is an area that might transform technology as we know it. It can shift the boundaries of what computers can do. Quantum computers, unlike classical computers, do not operate in binary systems with 0&#8217;s and 1&#8217;s. Instead, they work with quantum bits, or qubits, which can exist in multiple states at the same time. This ability gives quantum computers the power to execute very complex calculations with unmatched speed. There is no doubt that these advancements will be helpful, but they also threaten a lot of areas, perhaps most importantly cryptography, which is the primary foundation of trust in modern communication systems. This article analyzes the legal aspects of cryptography in the quantum computing era, the policies that address this intersection, and the legal systems in which these novel issues are arising.</span></p>
<h2><b>Cryptography: An Overview</b></h2>
<p><span style="font-weight: 400;">Cryptography is the practice of protecting messages and information by encoding them so that only the intended recipient can read them. It guarantees the confidentiality and integrity of data. Current cryptographic systems fall primarily into two categories: symmetric-key cryptography and public-key cryptography. Symmetric-key cryptography uses a single key for both encryption and decryption, whereas public-key cryptography secures communications with a pair of keys, known as the public key and the private key. These systems form the backbone of the digital security and encryption infrastructure that defends private information from access by people without proper clearance and authenticates communications on numerous fronts such as financial dealings, government actions, and personal information.</span></p>
<p><span style="font-weight: 400;">Integer factorization and discrete logarithms are the hard mathematical problems on which most modern public-key cryptography systems rely. RSA, ECC, and DSA are well-known algorithms built on these problems and are used widely in digital communication systems. The security of these algorithms rests on the inability of classical computers to solve the underlying problems in a reasonable amount of time. The harsh reality of quantum computing is that it undermines the sense of security on which these algorithms were built, by making those problems solvable in a reasonable time.</span></p>
<h2><b>The Threat of Quantum Computing to Cryptography</b></h2>
<p><span style="font-weight: 400;">An important feature of quantum computing is the ability to solve some problems significantly faster than classical computers. Among the quantum algorithms is Shor&#8217;s algorithm, which enables efficient factorization of large integers and efficient calculation of discrete logarithms. Such capability negatively impacts the security of RSA and ECC, which rests on the assumption that these problems are computationally infeasible for classical computers. Once a sufficiently powerful quantum computer exists, Shor’s algorithm could break these cryptographic systems: encrypted information would become accessible to unauthorized users, and secure channels would no longer remain safe.</span></p>
<p><span style="font-weight: 400;">In comparison, symmetric-key cryptography remains at low risk from quantum computing. Another quantum algorithm, Grover&#8217;s algorithm, effectively reduces the security level of symmetric algorithms such as AES (Advanced Encryption Standard). A quantum attack against AES with 128-bit keys would reduce its effective security to 64 bits. This vulnerability can, however, be offset with longer key lengths, which makes symmetric cryptography comparatively less vulnerable to quantum attacks.</span></p>
<p><span style="font-weight: 400;">The advancements in quantum computing have the potential to make current cryptography systems outdated, which puts data security and privacy at risk. The risk of losing data security goes beyond sensitive information. It includes critical infrastructure, financial systems, health records, communication from the government, and much more. To defend against these threats, there is an immediate call for quantum-resilient encryption solutions. This has in turn sparked the creation of multi-layered encryption, focused on algorithm designs that quantum attacks cannot penetrate. Post-quantum cryptography relies on problems that are hard for both classical and quantum computers to solve: lattice-based, code-based, multivariate, and hash-based cryptography. Even though the promise is there, more study, experimentation, and standardization are needed before these systems become widely accepted.</span></p>
<h2><b>Regulatory Frameworks Governing Cryptography and Quantum Computing</b></h2>
<p><span style="font-weight: 400;">The legal and regulatory landscape surrounding cryptography and quantum computing is complex and rapidly evolving. Cryptography is governed by a combination of international agreements, regional frameworks, and national laws. These regulations address a range of issues, including export controls, data protection, cybersecurity standards, and the ethical use of advanced technologies.</span></p>
<p><b>International Regulations</b><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">The Wassenaar Agreement sets out how participating countries coordinate controls on goods such as the export of encryption software. This means that member states have to control the spread of ever more advanced and sophisticated cryptographic systems that could be used for harmful purposes. Control of such technologies is further demanded by the Budapest Convention on Cybercrime, a treaty designed to combat cybercrime and to govern the retrieval of electronic evidence relating to a crime, which places significant emphasis on encryption as a means of maintaining cybersecurity. The treaty seeks to balance the needs of law enforcement against society’s growing need for privacy and security. This balance is made difficult by quantum computing’s capability to breach the safeguards put in place, which risks rendering the existing treaties and frameworks obsolete.</span></p>
<p><b>National Regulations</b><span style="font-weight: 400;"> </span></p>
<p><span style="font-weight: 400;">Countries have developed particular regulations concerning the use of cryptographic technologies at the national level, and most countries appear to be preparing for the quantum era. Within the United States, the Export Administration Regulations (EAR) and the International Traffic in Arms Regulations (ITAR) serve to monitor the trade of encryption technologies. The Federal Information Security Management Act (FISMA) stresses the importance of strong encryption in safeguarding federal systems against all forms of cyber threats. In addition, the National Institute of Standards and Technology (NIST) is working toward developing post-quantum cryptography standards which attempt to tackle the problem of quantum computing. These are clear signs of willingness to engage with the issue.</span></p>
<p><span style="font-weight: 400;">The European Union’s General Data Protection Regulation (GDPR) also stipulates the use of encryption when storing any personal data for privacy purposes. The ePrivacy Directive builds on the GDPR by governing online communications and requiring a higher level of protection to be afforded. In India, the only law that could presently govern cryptographic acts is the Information Technology Act, 2000, which grants the government powers to intercept encrypted information under certain conditions. The Reserve Bank of India (RBI) also has compliance requirements for the encryption of electronic payment systems and financial transactions.</span></p>
<p><span style="font-weight: 400;">The growth in quantum computing abilities demands revisions of these rules. Governments and regulatory institutions must guarantee that the cryptosystems are quantum-proof while balancing national security, privacy, and technology progression. It is important to engage in international cooperation to align regulations and avoid loopholes that can be abused by criminal elements.</span></p>
<h2><b>Judicial Interpretations and Case Laws</b></h2>
<p><span style="font-weight: 400;">The implications of cryptography and quantum computing are starting to be addressed by courts across the globe, even if only in a limited manner. Several landmark cases have shed light on how courts attempt to balance security, privacy, and new technological inventions.</span></p>
<p><span style="font-weight: 400;">For instance, in the United States, Apple Inc. v. FBI brought forward issues at the core of encryption, its limits, and the power of the government to compel decryption. While quantum computing was not considered during the proceedings, the case did much to highlight the importance of encryption in protecting people’s privacy and national security. In the same manner, within the European Union, the Schrems II case highlights the strong data protection requirements of the GDPR. The judgement declared the EU-US Privacy Shield invalid, due to inadequate protection of EU citizens’ data from surveillance by US state authorities. Concerns regarding quantum computing’s ability to defeat encryption already raise significant questions, and hence more stringent data protection laws will have to be enacted.</span></p>
<p><span style="font-weight: 400;">The case of K.S. Puttaswamy v. Union of India identified the right to privacy as a fundamental right protected by Article 21 of the Constitution. The landmark ruling underscored the necessity of robust encryption for the protection of privacy in the modern world. With quantum computing looming as a danger to conventional encryption, the courts will have to deal with the question of whether the standards in the field of cryptography are stringent enough to protect these basic rights and secure personal information.</span></p>
<h2><b>The Future of Cryptographic Regulation</b></h2>
<p><span style="font-weight: 400;">Switching over to quantum-resistant cryptography has major policy impacts for regulators, lawmakers, and legal professionals. The challenges that arise from this transition include creating and implementing the necessary benchmarks for the new algorithms, meeting compliance requirements, attending to issues of international scope, and managing security and privacy concerns. Since digital communication and commerce are global at every level, regulations have to be coordinated to avoid fragmentation and to make the transition to quantum-safe systems straightforward.</span></p>
<p><span style="font-weight: 400;">Attempts to resolve these issues are underway. NIST is helping to pioneer the development of standardized post-quantum cryptography, while other organizations are focused on creating treaties and other instruments that will account for the real-life applications of quantum computing. To make the adoption of quantum-safe cryptography smoother and to enhance the security of digital communication in the quantum computing age, collaboration between the private and public sectors, as well as more funding for R&amp;D, is crucial.</span></p>
<h2><strong>Ethical and Policy Considerations for Quantum Computing in Cryptography</strong></h2>
<p><span style="font-weight: 400;">The ethical questions raised by quantum computing and cryptography are of exceptional importance. Governments and corporations need to ensure that new technologies do not worsen existing inequalities or violate basic rights. Equitable access to quantum technologies and transparency in their development and use are of immense importance, as is the responsible use of quantum computing to prevent hostile uses such as cyberwar. Stakeholders can be educated about quantum computing and its impact through campaigns to raise public awareness.</span></p>
<h2><b>Conclusion</b></h2>
<p><span style="font-weight: 400;">Quantum computing poses a unique challenge to cryptography because it can transform industries and technology. The interrelated legal aspects are important and need solid regulatory structures that involve judicial and international collaboration. Society can take full advantage of the benefits of quantum computing by proactively tackling these issues, all while protecting the privacy and security of digital communications. Laws have to be adjusted so that they treat ever-advancing quantum technology both as an enabler of innovation and as a defender of fundamental rights. With properly coordinated action and an active commitment to ethical standards, a clear shift towards a quantum-secure world can be made that ensures the security of digital communications in a world that is more connected than ever.</span></p>
<p>The post <a href="https://bhattandjoshiassociates.com/legal-implications-of-quantum-computing-on-cryptography/">Legal Implications of Quantum Computing on Cryptography</a> appeared first on <a href="https://bhattandjoshiassociates.com">Bhatt &amp; Joshi Associates</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Cross-Border Data Privacy: Balancing National Security and Individual Rights</title>
		<link>https://bhattandjoshiassociates.com/cross-border-data-privacy-balancing-national-security-and-individual-rights/</link>
		
		<dc:creator><![CDATA[Komal Ahuja]]></dc:creator>
		<pubDate>Thu, 13 Feb 2025 10:50:02 +0000</pubDate>
				<category><![CDATA[Cyber Law]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Digital Law]]></category>
		<category><![CDATA[Privacy and Data Protection]]></category>
		<category><![CDATA[Cross Border Data]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Data Localization]]></category>
		<category><![CDATA[Data Privacy]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[Digital Rights]]></category>
		<category><![CDATA[GDPR]]></category>
		<category><![CDATA[Privacy Laws]]></category>
		<category><![CDATA[Surveillance Laws]]></category>
		<category><![CDATA[Tech Policy]]></category>
		<guid isPermaLink="false">https://bhattandjoshiassociates.com/?p=24357</guid>

					<description><![CDATA[<p>Introduction With globalization and the digital world being so intertwined, data has become an essential resource that propels innovation, commerce, and even governance. The movement of data across borders supports several facets of global life such as trade, communication, and even joint research and development projects. However, these increases in reliance on cross-border data exchange [&#8230;]</p>
<p>The post <a href="https://bhattandjoshiassociates.com/cross-border-data-privacy-balancing-national-security-and-individual-rights/">Cross-Border Data Privacy: Balancing National Security and Individual Rights</a> appeared first on <a href="https://bhattandjoshiassociates.com">Bhatt &amp; Joshi Associates</a>.</p>
]]></description>
										<content:encoded><![CDATA[<h2><img loading="lazy" decoding="async" class="alignright size-full wp-image-24359" src="https://bj-m.s3.ap-south-1.amazonaws.com/p/2025/02/cross-border-data-privacy-balancing-national-security-and-individual-rights.png" alt="Cross-Border Data Privacy: Balancing National Security and Individual Rights" width="1200" height="628" /></h2>
<h2><b>Introduction</b></h2>
<p><span style="font-weight: 400;">With globalization and the digital world so intertwined, data has become an essential resource that propels innovation, commerce, and even governance. The movement of data across borders supports many facets of global life such as trade, communication, and joint research and development projects. However, this increased reliance on cross-border data exchange raises serious concerns about data privacy, national security and individual rights. This article discusses the multi-faceted intersection of these conflicting interests and the regulations, laws, case laws, and rules that govern cross-border data privacy.</span></p>
<h2><b>The Importance of Cross-Border Data Privacy</b></h2>
<p><span style="font-weight: 400;">Data privacy is the safeguarding of personal information from unauthorized collection, use, or disclosure. While cross-border data flows facilitate the transfer of data between countries, they also raise privacy concerns because different legal and regulatory frameworks are in place. For a person, control over the use of their data is core to their right to privacy, which is a fundamental aspect of human autonomy. On the other hand, unrestricted data flow has the potential to undermine national security, economic order, and the law enforcement and public safety functions of the state.</span></p>
<p><span style="font-weight: 400;">A comprehensive means of addressing such highly divergent concerns is necessary to satisfy the valid interests of governments while, above all, protecting the individual. The intricacies arise from the cultural, legal, and political nuances that shape data privacy laws in different countries. These factors have a profound influence on global business today, more than ever.</span></p>
<h2><b>Key Regulatory Frameworks Governing Cross-Border Data Privacy</b></h2>
<p><span style="font-weight: 400;">A patchwork of international, regional, and national laws governs the regulation of cross-border data privacy. These frameworks aim to provide guidelines for the transfer and processing of data while addressing concerns related to sovereignty, privacy, and security.</span></p>
<p><b>The European Union: GDPR and Beyond</b></p>
<p><span style="font-weight: 400;">The European Union (EU) has established a worldwide leading example in matters of data handling, protection, and control through the General Data Protection Regulation (GDPR). Put into effect in 2018, the GDPR sets forth extremely high standards regarding the collection, processing, storage, and transfer of personally identifiable information. The regulation obligates entities transferring data outside the European Union to guarantee that the host country meets “adequate” protection standards as defined by the European Commission. Alternatively, entities can make use of standard contractual clauses (SCCs) or binding corporate rules (BCRs). </span></p>
<p><span style="font-weight: 400;">The consequences of the GDPR’s privacy restrictions are notable for every country’s data policy. It requires that all organizations outside the EU that deal with data from EU residents adhere to its requirements. Such rules show how the EU prefers to assert the rights of individuals over business and state concerns. </span></p>
<p><span style="font-weight: 400;">Apart from the GDPR, the EU has also adopted other responsive policies to meet particular problems posed by transfers of data across borders. One example is “Schrems II”, decided by the Court of Justice of the European Union (CJEU, 2020), which invalidated the EU-US Privacy Shield because it did not adequately protect data against heavy-handed governmental surveillance. This highly publicized ruling has given rise to the EU-US Data Privacy Framework, among other measures.</span></p>
<p><b>The United States: A Sectoral Approach</b></p>
<p><span style="font-weight: 400;">Unlike the EU’s holistic strategy, the U.S. employs a piecemeal approach to data privacy regulation. The Health Insurance Portability and Accountability Act (HIPAA) and Children’s Online Privacy Protection Act (COPPA) deal with particular categories of data while other privacy laws are not as comprehensive. Nonetheless, California is leading the way with the California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA), which are more extensive at the state level.</span></p>
<p><span style="font-weight: 400;">The lack of a single federal law on data protection creates problems for U.S. entities involved in international data transfers. The now-defunct EU-U.S. Privacy Shield attempted to create such mechanisms but was criticized for weak promises of protection. The &#8220;Schrems II&#8221; ruling showed the weaknesses of these systems and prompted US legislators to reconsider their stance on privacy and surveillance policy.</span></p>
<p><b>Asia-Pacific Region: A Diverse Landscape</b></p>
<p><span style="font-weight: 400;">Countries within the Asia-Pacific region are at various levels of implementing regulations. While Japan, South Korea, and Singapore have robust data protection laws, other nations have yet to solidify their frameworks. Japan&#8217;s Act on the Protection of Personal Information (APPI) is one of the few statutory instruments that provides for a smooth data flow between Japan and the EU by enabling the country to use the GDPR’s provisions. South Korea’s PIPA is, like APPI, considered to have high standards of privacy protection as it grants data subjects rights while catering to state objectives.</span></p>
<p><span style="font-weight: 400;">Unlike other nations, India is currently crafting its comprehensive data protection regulation. The proposed Digital Personal Data Protection Act (DPDPA) addresses data flow by mandating explicit consent for data transfers and restricting sharing with countries deemed to not have sufficient protections. This shows India&#8217;s effort to position itself as a global tech player while still trying to protect its citizens’ rights.</span></p>
<p><b>International Organizations and Guidelines</b></p>
<p><span style="font-weight: 400;">In addition to national and regional frameworks, international organizations such as the Organization for Economic Cooperation and Development (OECD) and the Asia-Pacific Economic Cooperation (APEC) have developed guidelines to promote cross-border data privacy. The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data and the APEC Cross-Border Privacy Rules (CBPR) system seek to harmonize standards and facilitate interoperability. However, their voluntary nature and lack of enforcement mechanisms remain significant limitations.</span></p>
<h2><b>National Security vs. Individual Rights</b></h2>
<p><span style="font-weight: 400;">The tension between national security and individual rights is a recurring theme in cross-border data privacy debates. Governments often justify data access and surveillance measures as necessary to combat terrorism, cybercrime, and other threats. However, such measures can encroach on individual rights, raising concerns about mass surveillance, data misuse, and lack of accountability.</span></p>
<p><b>Surveillance Laws and Practices</b></p>
<p><span style="font-weight: 400;">The U.S. FISA and Section 702 of the FISA Amendments Act give intelligence agencies sweeping powers to tap into data held by US entities, even when the data relates to non-U.S. citizens. Many privacy advocates have raised concerns about the breadth of these provisions. These concerns were further illuminated when Edward Snowden leaked information related to the NSA’s surveillance programs.</span></p>
<p><span style="font-weight: 400;">Critics claim that laws like China&#8217;s Cyber Security Law do more harm than good as they complement state surveillance policies at the cost of privacy and set a dangerous trend for international data exchange.</span></p>
<p><b>Judicial Scrutiny and Balancing Acts</b></p>
<p><span style="font-weight: 400;">Judicial bodies serve as the primary venue for adjudicating the tension between national security and the rights and freedoms of the people. As an example, the case Carpenter v. United States (2018) determined that obtaining historical cell site location information without a warrant constituted a violation of the Fourth Amendment. This case was a milestone for privacy protection in the contemporary world.</span></p>
<p><span style="font-weight: 400;">In the same vein, the European Union’s decision in Schrems II brought attention to the necessity of stronger legal protection against state monitoring. It scrutinized and struck down the EU-U.S. Privacy Shield because it failed to safeguard the personal data of EU citizens from American surveillance policies. A continuation of this movement is also visible in the European Court of Human Rights (ECHR), which has issued judgments enhancing the protection of privacy rights against state security measures.</span></p>
<h2><strong>The Role of International Agreements in Data Privacy</strong></h2>
<p><span style="font-weight: 400;">International accords are critical for aligning data privacy policies and enabling international data movement. The APEC CBPR system and the OECD Guidelines create frameworks to close regulatory gaps and enhance cross-border cooperation. The Global Privacy Assembly, a world gathering of privacy regulators, has also helped coordinate global efforts toward data privacy.</span></p>
<p><span style="font-weight: 400;">Notwithstanding, broad international agreements are often critiqued for being voluntary and difficult to enforce. Improving those frameworks and making compliance mandatory could improve trust and collaboration on a global scale. Bilateral agreements like the EU-U.S. Data Privacy Framework exemplify how collaboration can support solving common problems.</span></p>
<h2><b>Challenges and the Way Forward for Cross-Border Data Privacy</b></h2>
<p><span style="font-weight: 400;">In an age of rapidly evolving technology and politics, cross-border data privacy faces constant difficulties. Innovations such as artificial intelligence, blockchain, and IoT (the Internet of Things) collect and create huge sets of data that demand accountability, consent, and sovereignty. Furthermore, the enforcement of data localization laws, which stipulate data storage and processing within a country’s borders, presents additional complexities for international corporations. While these laws seek to emphasize security and data protection, they can also stifle innovation and economic development in segments of the digital economy. </span></p>
<p><span style="font-weight: 400;">Finding a reasonable middle ground is necessary to confront these gaps. Policymakers need to incorporate the interests of a larger array of actors that include governments, businesses, civil societies, and individual citizens. Building global standards for data usage and security backed with reliable enforcement allows movement towards a more inclusive, structured, and protected data environment.</span></p>
<h2><b>Conclusion </b></h2>
<p><span style="font-weight: 400;">The right to cross-border data privacy touches on multiple intricacies such as an individual’s privacy, the national security needs of the state, and the global economy’s requirement for minimal barriers to data movement. Achieving this balance is possible through careful regulation, judicial oversight, and international cooperation.</span></p>
<p><span style="font-weight: 400;">With rapid advancements in technology, the laws and regulations designed for cross-border data privacy protection have to adapt. When countries lead with transparency and human rights-centered regulations, finding the balance needed becomes easier. Most importantly, uniting to protect privacy while working on acceptable security measures is essential for trust in the ecosystem.</span></p>
<p>The post <a href="https://bhattandjoshiassociates.com/cross-border-data-privacy-balancing-national-security-and-individual-rights/">Cross-Border Data Privacy: Balancing National Security and Individual Rights</a> appeared first on <a href="https://bhattandjoshiassociates.com">Bhatt &amp; Joshi Associates</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Legal Challenges in Regulating AI and Emerging Technologies in India</title>
		<link>https://bhattandjoshiassociates.com/legal-challenges-in-regulating-ai-and-emerging-technologies-in-india/</link>
		
		<dc:creator><![CDATA[Komal Ahuja]]></dc:creator>
		<pubDate>Sat, 01 Feb 2025 13:17:05 +0000</pubDate>
				<category><![CDATA[Artificial Intelligence]]></category>
		<category><![CDATA[Privacy and Data Protection]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Technology Ethics and Policy]]></category>
		<category><![CDATA[AI Accountability]]></category>
		<category><![CDATA[AI Ethics]]></category>
		<category><![CDATA[AI Regulation]]></category>
		<category><![CDATA[Data Privacy]]></category>
		<category><![CDATA[Emerging Technologies]]></category>
		<category><![CDATA[India Tech Law]]></category>
		<category><![CDATA[Innovation and Law]]></category>
		<category><![CDATA[Legal Challenges]]></category>
		<category><![CDATA[Tech Governance]]></category>
		<category><![CDATA[Tech Law]]></category>
		<guid isPermaLink="false">https://bhattandjoshiassociates.com/?p=24223</guid>

					<description><![CDATA[<p>Introduction The rapid advancement of artificial intelligence (AI) and other emerging technologies has brought transformative changes across industries, promising innovation, efficiency, and economic growth. These advancements have created opportunities for enhanced productivity, novel services, and groundbreaking solutions to societal challenges. However, these technologies also pose significant legal and regulatory challenges that demand comprehensive governance frameworks. [&#8230;]</p>
<p>The post <a href="https://bhattandjoshiassociates.com/legal-challenges-in-regulating-ai-and-emerging-technologies-in-india/">Legal Challenges in Regulating AI and Emerging Technologies in India</a> appeared first on <a href="https://bhattandjoshiassociates.com">Bhatt &amp; Joshi Associates</a>.</p>
]]></description>
										<content:encoded><![CDATA[<h2><img loading="lazy" decoding="async" class="alignright size-full wp-image-24224" src="https://bj-m.s3.ap-south-1.amazonaws.com/p/2025/02/legal-challenges-in-regulating-ai-and-emerging-technologies-in-india.png" alt="Legal Challenges in Regulating AI and Emerging Technologies in India" width="1200" height="628" /></h2>
<h2><b>Introduction</b></h2>
<p><span style="font-weight: 400;">The rapid advancement of artificial intelligence (AI) and other emerging technologies has brought transformative changes across industries, promising innovation, efficiency, and economic growth. These advancements have created opportunities for enhanced productivity, novel services, and groundbreaking solutions to societal challenges. However, these technologies also pose significant legal and regulatory challenges that demand comprehensive governance frameworks. In India, the regulation of AI and emerging technologies is still evolving, raising critical questions about data privacy, accountability, intellectual property, and ethical use. This article delves into the multifaceted legal challenges in regulating AI and emerging technologies in India, the existing legal framework, relevant case laws, and judicial pronouncements shaping this domain.</span></p>
<h2><b>Understanding AI and Emerging Technologies</b></h2>
<p><span style="font-weight: 400;">Artificial intelligence, broadly defined, encompasses systems capable of performing tasks that typically require human intelligence, such as decision-making, problem-solving, and learning. Emerging technologies, including blockchain, the Internet of Things (IoT), robotics, and biotechnology, share a common feature: their potential to disrupt established systems and practices. The convergence of these technologies has led to the creation of highly interconnected ecosystems, profoundly altering traditional methods in healthcare, finance, education, and governance.</span></p>
<p><span style="font-weight: 400;">In India, these technologies are being rapidly adopted across various sectors. The government and private enterprises are leveraging AI and IoT for initiatives like smart cities, digital health solutions, and agricultural automation. Yet, their adoption has outpaced the development of corresponding legal and regulatory frameworks, resulting in a complex landscape of opportunities and risks. The lack of a clear governance model raises concerns about privacy breaches, misuse, and the unintended consequences of autonomous decision-making systems.</span></p>
<h2><b>The Need for Regulation in AI and Emerging Technologies</b></h2>
<p><span style="font-weight: 400;">The regulation of AI and emerging technologies is crucial to ensure their ethical deployment, protect public interest, and prevent misuse. These technologies, by their very nature, present novel challenges that do not fit neatly into existing legal frameworks. The potential for harm—whether through biased decision-making, security vulnerabilities, or loss of privacy—necessitates a proactive approach to regulation. However, regulation must also be carefully crafted to avoid stifling innovation and economic growth.</span></p>
<p><span style="font-weight: 400;">AI and emerging technologies are characterized by their reliance on data, which often includes sensitive personal information. This creates an urgent need for data governance frameworks that prioritize privacy, consent, and security. Additionally, AI’s decision-making processes are often opaque, leading to the phenomenon known as “black box AI.” The lack of transparency in how AI systems reach decisions complicates efforts to assign responsibility and mitigate harm.</span></p>
<h2><b>Existing Legal Framework in India</b></h2>
<p><span style="font-weight: 400;">India does not yet have a comprehensive legal framework dedicated to AI and emerging technologies. However, various existing laws touch upon aspects relevant to their regulation, albeit in a fragmented manner.</span></p>
<p><b>The Information Technology Act, 2000</b></p>
<p><span style="font-weight: 400;">The Information Technology (IT) Act serves as the primary legislation governing cyber activities in India. While it does not explicitly address AI or emerging technologies, its provisions related to data protection, cybersecurity, and intermediary liability are indirectly applicable. Sections 43A and 72A address data protection and privacy, holding entities accountable for data breaches and unauthorized access. Meanwhile, Section 79 provides safe harbor protection for intermediaries, which could extend to platforms deploying AI-powered services.</span></p>
<p><b>The Personal Data Protection Bill, 2019</b></p>
<p><span style="font-weight: 400;">The Personal Data Protection Bill aims to establish a framework for data protection in India. Although it has yet to be enacted, the bill proposes significant changes to how data is processed, stored, and shared. Its provisions on consent, data localization, and penalties for breaches will have significant implications for AI-driven systems relying on personal data. However, the absence of provisions directly addressing the unique challenges posed by AI, such as algorithmic transparency and fairness, highlights gaps that need to be filled.</span></p>
<p><b>The Copyright Act, 1957</b></p>
<p><span style="font-weight: 400;">The Copyright Act governs intellectual property in India, including works created through AI. Questions about ownership of AI-generated works and whether AI can be considered an author remain unresolved under this legislation. The Act’s reliance on human authorship creates ambiguity in scenarios where AI systems produce creative works such as music, art, or literature. Courts may eventually need to clarify how copyright laws apply to such creations.</span></p>
<p><b>Consumer Protection Act, 2019</b></p>
<p><span style="font-weight: 400;">AI systems deployed in consumer-facing applications, such as e-commerce platforms and customer service bots, are subject to the provisions of the Consumer Protection Act. Issues of accountability, product liability, and redressal mechanisms become especially relevant when consumers interact with AI-driven services. Misrepresentation of products or services by AI systems could lead to legal disputes under this Act.</span></p>
<h2>Key Legal Challenges in Regulating AI and Emerging Technologies</h2>
<p><b>Data Privacy and Protection</b></p>
<p><span style="font-weight: 400;">AI systems thrive on data, often requiring access to sensitive personal information. The absence of a comprehensive data protection law in India has resulted in inadequate safeguards for individuals’ privacy. The reliance on consent-based models for data collection can be problematic, as users often lack a clear understanding of how their data will be used. Furthermore, AI’s ability to infer insights from seemingly innocuous data points raises additional privacy concerns.</span></p>
<p><span style="font-weight: 400;">The delayed enactment of the Personal Data Protection Bill leaves a significant regulatory gap. Without robust data protection measures, individuals are vulnerable to exploitation, and businesses face uncertainty regarding compliance requirements. Moreover, the advent of biometric data collection through technologies like facial recognition necessitates stricter safeguards to prevent misuse.</span></p>
<p><b>Algorithmic Bias and Discrimination</b></p>
<p><span style="font-weight: 400;">AI systems are only as good as the data they are trained on. Biases in training data can lead to discriminatory outcomes, violating constitutional guarantees of equality under Articles 14 and 15. For instance, facial recognition systems have been criticized for disproportionately misidentifying individuals based on their gender or ethnicity. These issues have already surfaced in global contexts and are likely to manifest in India as AI adoption grows.</span></p>
<p><span style="font-weight: 400;">Addressing algorithmic bias requires a combination of technical solutions, such as diverse training datasets, and regulatory interventions mandating fairness audits. However, India’s legal framework currently lacks specific provisions to address such biases, leaving affected individuals with limited avenues for redress.</span></p>
<p><b>Liability and Accountability</b></p>
<p><span style="font-weight: 400;">Determining liability for harm caused by AI systems is another significant challenge. Unlike traditional systems, AI systems can make autonomous decisions, complicating questions of accountability. For instance, if an AI-driven healthcare application provides an incorrect diagnosis, it is unclear whether liability lies with the developer, the healthcare provider, or the AI system itself. This uncertainty poses a challenge for courts and regulators tasked with adjudicating disputes.</span></p>
<p><span style="font-weight: 400;">The absence of explicit legal standards for AI systems means that courts may rely on traditional principles of tort and contract law to assign liability. However, these principles were not designed to address the complexities of AI, leading to potential inconsistencies in judicial outcomes.</span></p>
<p><b>Intellectual Property Rights</b></p>
<p><span style="font-weight: 400;">AI-generated content raises questions about intellectual property ownership. Under current laws, copyright is granted to natural persons or legal entities, not to AI systems. This creates ambiguity in scenarios where AI systems produce creative works, such as music, art, or literature. Furthermore, the use of copyrighted material to train AI models has sparked debates about fair use and infringement.</span></p>
<p><span style="font-weight: 400;">In India, these issues remain largely unaddressed by legislation or judicial pronouncements. As AI systems become more sophisticated, the need for clarity on intellectual property rights will only grow. Potential solutions may include granting limited rights to AI-generated works or recognizing joint authorship between AI and its developers.</span></p>
<p><b>Ethical and Social Implications</b></p>
<p><span style="font-weight: 400;">The ethical deployment of AI requires adherence to principles such as transparency, fairness, and accountability. However, these principles often conflict with the commercial interests driving AI innovation. For instance, AI developers may prioritize speed and cost-efficiency over fairness and inclusivity, leading to outcomes that harm vulnerable populations.</span></p>
<p><span style="font-weight: 400;">The lack of ethical guidelines for AI in India exacerbates these challenges. Policymakers must consider the broader societal implications of AI, such as its impact on employment, inequality, and public trust. Fostering an ethical AI ecosystem will require collaboration between regulators, industry stakeholders, and civil society.</span></p>
<h2><b>Judicial Approach to Artificial Intelligence Regulation</b></h2>
<p><span style="font-weight: 400;">Indian courts have started addressing issues related to AI and emerging technologies, although jurisprudence in this area is still in its infancy. Notable judgments include:</span></p>
<p><b>Justice K.S. Puttaswamy v. Union of India (2017)</b></p>
<p><span style="font-weight: 400;">The Supreme Court’s landmark judgment in the Puttaswamy case recognized the right to privacy as a fundamental right under Article 21 of the Constitution. This judgment has significant implications for AI systems that process personal data, reinforcing the need for robust data protection laws.</span></p>
<p><b>Aadhaar Judgment (2018)</b></p>
<p><span style="font-weight: 400;">In the Aadhaar case, the Supreme Court upheld the constitutionality of the Aadhaar scheme while emphasizing the need for safeguards to protect individuals’ privacy. The judgment highlights the importance of balancing technological innovation with constitutional rights.</span></p>
<p><b>State of Maharashtra v. Praful Desai (2003)</b></p>
<p><span style="font-weight: 400;">Although not directly related to AI, this judgment recognized the admissibility of video conferencing as evidence in court. It demonstrates the judiciary’s openness to leveraging technology, which could influence future cases involving AI.</span></p>
<h2><b>Regulatory Efforts and International Comparisons</b></h2>
<p><span style="font-weight: 400;">India can draw lessons from other jurisdictions actively regulating AI. The European Union’s AI Act, for instance, adopts a risk-based approach to AI regulation, categorizing AI systems based on their potential harm. Similarly, the United States has issued guidelines promoting ethical AI use while encouraging innovation.</span></p>
<p><span style="font-weight: 400;">Domestically, the NITI Aayog’s discussion paper on AI highlights the need for a robust regulatory framework, focusing on ethical and inclusive AI. However, these efforts remain at a preliminary stage, with no binding legislation enacted thus far.</span></p>
<h2><b>Way Forward</b></h2>
<p><span style="font-weight: 400;">Regulating AI and emerging technologies in India requires a multi-pronged approach. Comprehensive legislation tailored to the unique challenges of AI is essential to provide clarity and consistency. This legislation should address issues such as data protection, algorithmic accountability, and intellectual property rights while promoting innovation.</span></p>
<p><span style="font-weight: 400;">Collaboration between policymakers, industry stakeholders, and civil society is crucial to ensure balanced regulation. Judicial training on the nuances of AI and emerging technologies will also play a key role in shaping jurisprudence. Finally, India must engage in international cooperation to align its regulatory standards with global best practices.</span></p>
<h2><b>Conclusion</b></h2>
<p><span style="font-weight: 400;">AI and emerging technologies present immense opportunities for growth and innovation in India. However, their unregulated deployment poses significant risks to privacy, fairness, and accountability. Addressing these challenges requires a forward-looking legal framework that balances innovation with public interest. As India embarks on this journey, it must ensure that its regulatory approach is inclusive, ethical, and aligned with global best practices. By doing so, India can position itself as a leader in the responsible adoption and regulation of AI and emerging technologies.</span></p>
<p>The post <a href="https://bhattandjoshiassociates.com/legal-challenges-in-regulating-ai-and-emerging-technologies-in-india/">Legal Challenges in Regulating AI and Emerging Technologies in India</a> appeared first on <a href="https://bhattandjoshiassociates.com">Bhatt &amp; Joshi Associates</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Analyzing the Legal Framework for Cybersecurity and Data Protection in India</title>
		<link>https://bhattandjoshiassociates.com/analyzing-the-legal-framework-for-cybersecurity-and-data-protection-in-india/</link>
		
		<dc:creator><![CDATA[Komal Ahuja]]></dc:creator>
		<pubDate>Sat, 01 Feb 2025 12:38:08 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Privacy and Data Protection]]></category>
		<category><![CDATA[CyberLaws]]></category>
		<category><![CDATA[DataPrivacy]]></category>
		<category><![CDATA[DataProtection]]></category>
		<category><![CDATA[DigitalSecurity]]></category>
		<category><![CDATA[IndiaLaw]]></category>
		<category><![CDATA[ITAct]]></category>
		<category><![CDATA[LegalFramework]]></category>
		<category><![CDATA[PrivacyLaws]]></category>
		<category><![CDATA[TechLaw]]></category>
		<guid isPermaLink="false">https://bhattandjoshiassociates.com/?p=24220</guid>

					<description><![CDATA[<p>Introduction The rapid advancement of technology and its pervasive integration into personal, professional, and governmental domains have necessitated robust legal frameworks to address issues of cybersecurity and data protection. India, as a global hub for technology and data processing, has recognized the pressing need for legislative mechanisms to safeguard digital information and ensure cybersecurity. This [&#8230;]</p>
<p>The post <a href="https://bhattandjoshiassociates.com/analyzing-the-legal-framework-for-cybersecurity-and-data-protection-in-india/">Analyzing the Legal Framework for Cybersecurity and Data Protection in India</a> appeared first on <a href="https://bhattandjoshiassociates.com">Bhatt &amp; Joshi Associates</a>.</p>
]]></description>
										<content:encoded><![CDATA[<h2><img loading="lazy" decoding="async" class="alignright size-full wp-image-24221" src="https://bj-m.s3.ap-south-1.amazonaws.com/p/2025/02/analyzing-the-legal-framework-for-cybersecurity-and-data-protection-in-india.png" alt="Analyzing the Legal Framework for Cybersecurity and Data Protection in India" width="1200" height="628" /></h2>
<h2><b>Introduction</b></h2>
<p><span style="font-weight: 400;">The rapid advancement of technology and its pervasive integration into personal, professional, and governmental domains have necessitated robust legal frameworks to address issues of cybersecurity and data protection. India, as a global hub for technology and data processing, has recognized the pressing need for legislative mechanisms to safeguard digital information and ensure cybersecurity. This article delves into the legal framework governing cybersecurity and data protection in India, discussing its evolution, key laws, regulatory bodies, case laws, and notable judicial pronouncements while exploring the challenges and future directions for a secure digital landscape.</span></p>
<h2><b>The Evolution of Cybersecurity and Data Protection Laws in India</b></h2>
<p><span style="font-weight: 400;">The journey of cybersecurity and data protection laws in India began in the late 1990s, coinciding with the rise of the internet. Recognizing the need for a legal framework to regulate digital transactions and combat cybercrimes, the Indian government enacted the Information Technology Act, 2000 (IT Act). This seminal legislation laid the foundation for regulating electronic commerce and addressing offenses committed using electronic means.</span></p>
<p><span style="font-weight: 400;">Initially, the IT Act focused on enabling e-governance and e-commerce by providing legal recognition for electronic contracts, digital signatures, and records. However, as cyber threats evolved in scale and sophistication, the inadequacy of the original provisions became evident. Amendments introduced in 2008 marked a significant shift toward cybersecurity and data protection. These amendments expanded the scope of the IT Act by criminalizing activities such as identity theft, phishing, cyberstalking, and hacking. They also introduced the concept of data protection, albeit with limited coverage and clarity.</span></p>
<p><span style="font-weight: 400;">Over the years, the legal framework has undergone gradual evolution, responding to the growing interconnection of systems and the increasing importance of data as a valuable resource. However, the absence of comprehensive legislation solely dedicated to cybersecurity and data protection has necessitated reliance on a patchwork of laws and sector-specific regulations.</span></p>
<h2><b>The Legal Framework for Cybersecurity in India</b></h2>
<p><span style="font-weight: 400;">India’s approach to cybersecurity is predominantly governed by the Information Technology Act, 2000. The IT Act, supplemented by various policies and regulatory bodies, forms the backbone of the country’s cybersecurity framework. This section explores its key provisions and their implications.</span></p>
<p><span style="font-weight: 400;">The IT Act defines cybercrimes and prescribes penalties for offenses such as unauthorized access to computer systems, data theft, and hacking. Sections 43 and 66 of the Act address these issues by penalizing individuals or entities involved in such activities. For national security and public safety, Section 69 empowers the government to intercept, monitor, or decrypt information. Although this provision is intended to combat terrorism and other threats, it has sparked debates over privacy and the scope of surveillance powers.</span></p>
<p><span style="font-weight: 400;">Section 70 of the IT Act designates certain computer systems as &#8220;protected systems,&#8221; aiming to secure critical information infrastructure from cyberattacks. Unauthorized access to such systems is met with stringent penalties. The Act also emphasizes the protection of sensitive information by criminalizing its unauthorized disclosure under Sections 72 and 72A.</span></p>
<p><span style="font-weight: 400;">Complementing the IT Act, the National Cyber Security Policy, 2013, outlines a strategic framework to safeguard the nation’s cyberspace. It emphasizes creating a secure ecosystem, fostering public-private partnerships, and promoting research and innovation. The policy also envisions building a resilient infrastructure capable of withstanding cyber threats, but its implementation has been criticized for lacking clarity and enforceability.</span></p>
<p><span style="font-weight: 400;">The Indian Computer Emergency Response Team (CERT-In) plays a pivotal role in India’s cybersecurity landscape. As the national nodal agency, CERT-In monitors cyber threats, issues advisories, and coordinates responses to cybersecurity incidents. Under the IT Act, organizations are mandated to report specified cybersecurity incidents to CERT-In, ensuring a collaborative approach to threat mitigation.</span></p>
<h2><b>Data Protection in India: The Current Framework</b></h2>
<p><span style="font-weight: 400;">Data protection in India operates under a fragmented legal regime, with the IT Act and sector-specific regulations forming its core. A comprehensive and unified data protection law has been long overdue, leaving various sectors to adopt their own guidelines and practices. Despite this, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, represent a significant step toward establishing standards for data privacy and security.</span></p>
<p><span style="font-weight: 400;">These rules, framed under Section 43A of the IT Act, require organizations handling sensitive personal data or information (SPDI) to implement reasonable security practices. They mandate obtaining consent from individuals before collecting or processing their data and require entities to disclose their data-handling policies. However, the scope of these rules is limited, focusing only on SPDI and excluding general personal data.</span></p>
<p><span style="font-weight: 400;">In the absence of comprehensive legislation, sector-specific regulations attempt to address data privacy. The Reserve Bank of India (RBI) mandates data localization for payment systems, requiring entities to store financial data exclusively in India. Similarly, the Telecom Regulatory Authority of India (TRAI) regulates data protection in the telecom sector, emphasizing consumer privacy. Initiatives like the National Digital Health Mission (NDHM) highlight the growing importance of data protection in the healthcare sector, advocating secure handling of sensitive health information.</span></p>
<h2><b>The Personal Data Protection Bill, 2019</b></h2>
<p><span style="font-weight: 400;">The introduction of the Personal Data Protection Bill (PDP Bill) in 2019 marked a milestone in India’s data protection journey. Modeled on the European Union’s General Data Protection Regulation (GDPR), the PDP Bill seeks to establish a robust framework for personal data protection. It proposes principles such as purpose limitation, data minimization, and accountability, aiming to balance individual rights with the needs of innovation and national security.</span></p>
<p><span style="font-weight: 400;">A key feature of the PDP Bill is the delineation of roles between the Data Principal (the individual to whom the data pertains) and the Data Fiduciary (the entity processing the data). The bill seeks to empower individuals with rights such as access, correction, and erasure of their data while placing obligations on fiduciaries to ensure transparency and accountability. Data localization provisions require critical personal data to be stored in India, reflecting concerns over sovereignty and national security.</span></p>
<p><span style="font-weight: 400;">To oversee compliance, the bill proposes establishing a Data Protection Authority (DPA) with powers to investigate violations, impose penalties, and ensure adherence to the law. However, the bill has faced criticism for providing broad exemptions to the government under the guise of national security and public order, raising concerns over potential misuse of surveillance powers.</span></p>
<h2><b>Judicial Approach to Cybersecurity and Data Protection</b></h2>
<p><span style="font-weight: 400;">Indian courts have played a crucial role in shaping the discourse on cybersecurity and data protection. Landmark judgments have highlighted the need for a robust legal framework to protect individual rights in the digital era.</span></p>
<p><span style="font-weight: 400;">In the case of Justice K.S. Puttaswamy v. Union of India (2017), the Supreme Court recognized the right to privacy as a fundamental right under Article 21 of the Constitution. The judgment underscored the importance of data protection in safeguarding privacy and called for a comprehensive legal framework to address the challenges posed by technological advancements.</span></p>
<p><span style="font-weight: 400;">The Shreya Singhal v. Union of India (2015) judgment struck down Section 66A of the IT Act, which criminalized offensive messages sent through communication devices. The court held that the provision violated the right to free speech under Article 19(1)(a) of the Constitution. While the judgment was hailed as a victory for free expression, it also underscored the need for precise and balanced legislation to address cyber offenses without curbing fundamental rights.</span></p>
<p><span style="font-weight: 400;">In Anvar P.V. v. P.K. Basheer (2014), the Supreme Court established the admissibility of electronic evidence in legal proceedings, emphasizing the need for authenticity and compliance with procedural safeguards. This decision highlighted the growing significance of digital evidence in the justice system and the need for robust mechanisms to ensure its reliability.</span></p>
<h2><b>Challenges and Criticisms of the Current Framework</b></h2>
<p><span style="font-weight: 400;">India’s cybersecurity and data protection framework faces several challenges. The lack of a unified law has resulted in fragmented regulations, leading to inconsistencies across sectors. Surveillance provisions under Section 69 of the IT Act have drawn criticism for enabling mass surveillance without adequate checks and balances, raising concerns over privacy violations.</span></p>
<p><span style="font-weight: 400;">Enforcement remains a significant challenge, with limited resources and expertise hindering the effectiveness of regulatory bodies like CERT-In. Delays in enacting the PDP Bill have created uncertainty for businesses and individuals, impeding progress toward a secure digital ecosystem.</span></p>
<h2><b>International Comparisons and Lessons for India</b></h2>
<p><span style="font-weight: 400;">The General Data Protection Regulation (GDPR) of the European Union sets a global benchmark for data protection laws, emphasizing individual rights, accountability, and cross-border data flows. The United States adopts a sectoral approach, with laws like the Health Insurance Portability and Accountability Act (HIPAA) for healthcare data and the California Consumer Privacy Act (CCPA) for consumer data.</span></p>
<p><span style="font-weight: 400;">India can draw lessons from these models, particularly in ensuring transparency, proportionality in surveillance, and balancing innovation with privacy protection. Adopting a rights-based approach and fostering international cooperation will be crucial in addressing cross-border cyber threats and ensuring a secure digital environment.</span></p>
<h2><b>The Way Forward</b></h2>
<p><span style="font-weight: 400;">To address emerging challenges, India must expedite the enactment of the PDP Bill or its revised version and ensure its implementation. Strengthening regulatory bodies, fostering public awareness, and encouraging public-private partnerships will be critical in building a resilient cybersecurity framework. Comprehensive legislation that addresses both cybersecurity and data protection, coupled with robust enforcement mechanisms, will pave the way for a secure and privacy-respecting digital ecosystem.</span></p>
<h2><b>Conclusion</b></h2>
<p><span style="font-weight: 400;">The legal framework for cybersecurity and data protection in India is evolving, reflecting the dynamic nature of technology and its associated risks. While existing laws like the IT Act provide a foundational structure, emerging challenges necessitate comprehensive reforms. The balance between innovation, economic growth, and individual rights will be crucial in shaping a secure and privacy-respecting digital ecosystem in India. The enactment of robust legislation, coupled with proactive enforcement and awareness initiatives, will pave the way for a resilient cyber landscape, fostering trust and confidence in India’s digital future.</span></p>
<h3>Download Booklet on <a href='https://bhattandjoshiassociates.s3.ap-south-1.amazonaws.com/booklets+%26+publications/Data+Privacy+Laws+in+India+-+Protection+%26+Compliance+Guide.pdf' target='_blank' rel="noopener">Data Privacy Laws in India &#8211; Protection &#038; Compliance Guide</a></h3>
<p>The post <a href="https://bhattandjoshiassociates.com/analyzing-the-legal-framework-for-cybersecurity-and-data-protection-in-india/">Analyzing the Legal Framework for Cybersecurity and Data Protection in India</a> appeared first on <a href="https://bhattandjoshiassociates.com">Bhatt &amp; Joshi Associates</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
