Author: admin

Legal Updates (Nov 10 – Nov 15, 2025)

Case Updates:  

The absence of a “corporate mind” or a quorate Board of Directors (i.e., a board having a sufficient number of members to form a quorum) will not render the aggrieved party incapable of taking a valid corporate decision to commence or pursue arbitration proceedings, and clever drafting cannot convert what is not an Arbitral Award into an arbitral award. 

The Bombay High Court in the case of Master Drilling India Private Limited vs Sarel Drill & Engineering Equipment India [Commercial Arbitration Petition No. 777 of 2024] dated November 12, 2025, has held that a cleverly drafted challenge under Section 34 of the Arbitration and Conciliation Act, 1996, cannot transform any Arbitral Order into an Interim Award. Though any breach of Section 174(2) of the Companies Act 2013(which relates to quorum of a board meeting) may attract a sanction rather than automatically invalidating all actions, given the potential impact on every corporate decision and operation, given the multiple complexities involved, the Arbitral Tribunal has appropriately rejected Master Drilling’s absolutist argument for an outright non-suit of Sarel Drill under Section 32 of the Arbitration Act.  

The Court observed that the Arbitral Tribunal appropriately refused to non-suit Sarel Drill merely on the claim of an absence of corporate mind. It is only for the Arbitral Tribunal to examine whether a Board Meeting is necessary to initiate arbitration or whether the individuals who acted had existing authority to do so. Essentially, the Court left it to the Arbitral Tribunal to assess whether a Board Resolution is foundational or merely commemorative, and whether decisions taken by a non-quorate Board could be validated retrospectively once quorum is restored. 

The Court rejected the extreme contention that a company can do nothing until its Board is quorate as unsustainable, and held that the absence of a “corporate mind” or a quorate Board of Directors will not render the aggrieved party incapable of taking a valid corporate decision to commence or pursue arbitration proceedings. If the proposition that the company must necessarily be paralysed is accepted, the company (purportedly without a corporate mind) would never be able to file tax returns, enter into a contract, renew an existing contract, terminate a contract, and even employ any person or taken to its logical length, sign any cheque, whether for a routine payment (say pay cheques of employees) or a non-routine payment (say purchase of vital spare parts or of replacement machinery). Such an approach would harm the company’s stakeholders, for whose protection the quorum stipulations for the Board of Directors have been legislated. The Court observed that had the Parliament intended every act of a company without a quorate Board to be void, the legislation would have expressly provided so, likely to prevent the chaotic consequences that would otherwise arise.

Finding that the order passed by the Arbitral Tribunal cannot be treated as an arbitral award, since it does not constitute a final adjudication terminating any issue or the arbitral proceedings, the Court declared that the invocation of Section 34 of the 1996 Act is misconceived. If the impugned award is recognised as an arbitral award, the next consideration is whether the award is so perverse or implausible that it undermines the very foundation of the decision. Only in such exceptional circumstances, a Court under Section 34 of the 1996 Act, can exercise its jurisdiction to interfere with the arbitral award. The Court referred to Section 19 of the 1996 Act, which specifies that the arbitral tribunal is not bound by the procedural requirements of the Code of Civil Procedure, 1908, or the Indian Evidence Act, 1872. The parties are given autonomy to determine the procedure to be followed during the arbitration, and in the absence of an agreement, the arbitral tribunal has the discretion to conduct the proceedings in a manner it deems appropriate, subject to the provisions of the Act.  

Click here to read the original judgment

 

Failure of the financial creditor to show that the sum advanced to the corporate debtor was indisputably interest-bearing and the interest was being realised as consideration for the time value of money, then such advances cannot be treated as ‘financial debt’, and shall not have the commercial effect of borrowing

The NCLAT, New Delhi, in the case of Meck Pharmaceuticals and Chemicals (P.) Ltd. vs Accurate Infrabuild (P.) Ltd. [Company Appeal (AT) (Insolvency) No. 544 of 2024] dated October 29, 2025,  observed that for any debt to be treated as financial debt, the prerequisite is disbursal of money to the borrower for utilisation by the borrower and that the disbursal must be against consideration for the time value of money, even if it is not interest-bearing. As to when a Financial Creditor who has disbursed money to a Corporate Debtor against consideration for time value of money can trigger the insolvency resolution process against the Corporate Debtor, as per the scheme of IBC, that stage arises when a default arises in that a debt which has become due, in fact and in law, but has not been paid in whole or part thereof. 

The Tribunal found that the Appellant had disbursed Rs 1 crore to the account of the Corporate Debtor in 2010, which was not controverted by the Corporate Debtor. However, there was no written contract or agreement between the Appellant and the Corporate Debtor governing the terms and conditions by which the sum was advanced by the Appellant and disbursed to the account of the Corporate Debtor. The Court, however, stated that the requirement of a written financial contract between parties is not a precondition for determining whether any amount disbursed is financial debt or not.

The Tribunal went on to observe that though the expression ‘time value of money’ finds mention in Section 5(8) of the IBC, the term has not been defined in the said enactment. It is well recognised that the most typical example of ‘time value of money’ is in the form of interest charged on the principal amount that has been borrowed. In the present case, to substantiate the fact that the loan was actually interest-bearing, the Appellant has placed the TDS certificates on record to corroborate that the interest amount was paid by the Corporate Debtor. 

However, the Tribunal explained that for the transaction to have been interest-bearing in the true sense, the interest payment should have been paid annually, and by logical corollary, corresponding TDS deductions ought to have been reflected, while emphasising that deduction of TDS for only two years is insufficient to determinatively conclude that interest liability was a quintessential adjunct of the sum disbursed by the Appellant. Since no debt or default has been established, the Tribunal refused to interfere with the order passed by the Adjudicating Authority and dismissed the appeal. 

 

Dishonour of a cheque issued for returning a bribe amount could not be prosecuted under Section 138 of the Negotiable Instruments Act, as it was not towards repayment of a legally enforceable debt

The Madras High Court in the case of P Kulanthaisamy v. K Murugan and Another [Criminal Appeal (MD)No.758 of 2022] dated October 17, 2025, has held that dishonour of a cheque issued for returning a bribe amount could not be prosecuted under Section 138 of the Negotiable Instruments Act as it was not towards repayment of a legally enforceable debt. 

The Court observed that the agreement to secure a job in exchange for money is an agreement that is void ab initio and would fall under the Illustration to Section 23 of the Indian Contract Act. The court thus noted that when a cheque is issued for discharging a debt which was not legally enforceable, the offence under Section 138 would not be attracted.

The Court clarified that the complainant’s case is based on a specific claim that the money was given for securing a TNSTC job, and the cheque was issued to repay this amount; therefore, there is no legally enforceable debt or liability. The court analysed the legal maxim “in pari delicto potior est conditio possidentis” (in equal fault, the condition of the possessor is better) and noted that when parties in the dispute are equally at fault or equally favour an immoral act, the court will not assist either, and the one who possessed the property or benefits of the transaction would retain it.

The court also observed that the agreement between the parties in the present case was a void contract since it was in the nature of illegal gratification and was unlawful. The doctrine of restitution under Section 65 of the Contracts Act would not apply in this case, as it was in respect of agreements, which are discovered to be void at a subsequent stage by either party. Thus, the doctrine could not be invoked when the contract was void ab initio, like in the present case. 

Click here to read the original judgment

 

Consumer forums possess the trappings of a court, and therefore, the proceedings before them clearly fall within the scope of Section 14 of the Limitation Act. Essentially, the proceedings before consumer forums are equivalent to “civil proceedings”, and the time spent bona fide before them can be excluded while computing the limitation period for initiating proceedings before a Commercial Court

The Delhi High Court in the case of Roopinder Singh vs Emaar MGF [RFA(COMM) 389/2024] dated November 04, 2025, held that the consumer forums possess the trappings of a court, and therefore, the proceedings before them clearly fall within the scope of Section 14 of the Limitation Act. Essentially, the proceedings before consumer forums are equivalent to “civil proceedings”, and the time spent bona fide before them can be excluded while computing the limitation period. 

The Court explained that, when viewed as a whole, the appellant’s conduct demonstrated a continuous, bona fide, and diligent effort to pursue his claim before forums that were subsequently found to lack jurisdiction. Therefore, the Commercial Court’s interpretation and application of Section 14 for denying the benefit of time exclusion to the appellant, who has been running from all consumer forums to the commercial courts, is grossly wrong. 

Reference was made to the Apex Court’s ruling in P. Sarathy v. State Bank of India [(2000) 5 SCC 355], where it was held that the term “court” under Section 14 of the Limitation Act is not confined to civil courts, and any authority or tribunal possessing the trappings of a court, that is, one empowered to summon witnesses, examine evidence, and deliver binding decisions, would fall within its ambit. 

The Court observed that the underlying equity of Section 14 of the Limitation Act requires that time spent diligently pursuing a remedy before a wrong forum should be excluded when computing the limitation. The Bench pointed out that the protection under Section 14 applies to suits, appeals, and revisions, and even to a fresh suit filed with court permission after the earlier one failed due to jurisdictional defects. Further, ‘good faith’ under Section 14 does not depend on the result of the proceedings, but on whether the litigant acted honestly, reasonably, and without negligence. 

After reviewing the findings of the Commercial Court and the legal principles under Section 14 of the Limitation Act, the High Court observed that while the lower court had concluded that the appellant lacked due diligence and good faith in pursuing the case before the NCDRC, such a conclusion was not sustainable in light of the true scope and intent of Section 14, which is meant to protect bona fide litigants acting diligently before a forum lacking jurisdiction. 

The Court noted that no consumer forum found any negligence or bad faith on the appellant’s part. Thus, accepting the Commercial Court’s view would imply that a litigant must forgo their statutory right to appeal to avoid being labelled as acting in bad faith. The Court also noted that since the appellant had succeeded before the District Consumer Forum, he had a genuine and bona fide belief that the matter was rightly pursued before the consumer fora.

Lastly, the Court concluded that the appellant’s decision to file a civil suit before the District Court was based on legal advice and in pursuit of a legitimate remedy. Since the appellant is not a lawyer and lacks a legal background, his reliance on such advice, even if erroneous, cannot be construed as a lack of bona fides. The Court emphasised that pursuing a statutory remedy on legal counsel’s advice does not indicate bad faith or negligence. 

Click here to read/ download the Original Judgment

 

Property sellers are not mandatorily required to show mutation or ‘jamabandi/ holding’ proof before registering sale deeds; Registering authorities cannot refuse registration of sale or gift deeds for failure to produce proof of mutation in favour of the seller

The Supreme Court in the case of Samiullah vs State of Bihar [2025 INSC 1292] dated November 07, 2025, has held that the registering authorities cannot refuse registration of sale or gift deeds for failure to produce proof of mutation in favour of the seller. Thus, the Court quashed the amendments to Rule 19 (xvii) and (xviii) of Bihar Registration Rules, 2008 (amended in 2019), which required sellers to provide mutation certificates (Jamabandi) for registering the sale/gift of property. 

After extensively reviewing the legal, administrative, and technological context of property registration in India, the Court noted that these rules exceeded powers under the Registration Act, violated the ‘right to property’ and arbitrarily restricted property transfers, especially since mutation doesn’t confer legal title. 

The Court found that the impugned rules had no basis in Section 69 of the Registration Act, and improperly added a title inquiry to a registration process meant only to record transactions. The requirement unduly restricted property rights, given the incomplete mutation framework. Thus, the mandatory mutation proof for registration was ultra vires, arbitrary, and a violation of the right to property enshrined under Article 300 of the Constitution.

Finding that 66% of civil litigation involves land disputes, the Court observed that the archaic laws had led to fraud, multiple registrations, and litigation. The Court therefore promoted blockchain’s “immutability, transparency, and traceability”, stating that it could revolutionise public trust in property ownership frameworks, make fraud/tampering nearly impossible, and provide a unified, public-access system. 

Additionally, the Court directed the Law Commission to study and recommend how blockchain can be implemented nationwide for land records, including necessary amendments to the Transfer of Property Act, Registration Act, Evidence Act, Stamp Act, and digital/privacy laws. 

Click here to read/ download the original judgment

 

Notifications and Circulars issued by the EPFO for the purposes of ensuring compliance with the PF Scheme in respect of ‘International Workers’, is for purpose of classification between the foreign employee and the Indian employee based on capping in the pay drawn for applicability of the scheme of the Provident Fund Act, 1952; This classification has intelligible differentia to satisfy the test of Article 14 of the Constitution of India

The Delhi High Court in the case of Spice Jet vs Union of India [W.P.(C) 2941/2012] dated November 04, 2025, observed that the purpose of mandating an employee to be a member of a fund/scheme under the Employees’ Provident Funds and Miscellaneous Provisions Act, 1952, is to provide social security. Hence, the Court held that the classification between the foreign employee and Indian employee based on capping in the pay drawn for applicability of the scheme of the 1952 Act, has some intelligible differentia, to satisfy the test of any State action conforming with Article 14 of the Constitution of India.

WTherefore, while discussing the category of employees who are of foreign origin and with whom India does not have a Social Security Agreement (SSA) on a reciprocal basis or with whom India has not entered into a bilateral comprehensive economic agreement, the Court explained that Constitutional protection as enshrined in Article 14 of the Constitution applies to foreign nationals as well, for the reason that the phrase occurring in Article 14 is not “the citizen”; rather, it is “any person”. Thus, even the foreign nationals, enjoy under Article 14 of the Constitution of India the equality before law and equal protection of laws within the territory of India. However, that right of equality is subject to reasonable classification, which is permissible provided such classification has an intelligible differentia.

The High Court observed that mandating the foreign employees to become member of the provident fund scheme, irrespective of the monthly pay they draw and requiring only those Indian employees to become member of the fund/scheme who are drawing pay below Rs.15,000/- a month, has a rationale based on the economic duress which is caused to the Indian employees, if they are mandated to contribute to the fund/scheme irrespective of quantum of salary they draw, which is absent in case of the foreign employees for the reason that they come to India for employment for shorter period of 2 to 5 years.

The Court emphasised that the modification in the Provident Fund Scheme has been made to implement India’s international treaty obligations, and entering into an international treaty is a sovereign prerogative; Therefore, if such a provision is struck down, that will amount to taking away the legal basis for entering into and applying the SSA. Accordingly, the Court upheld the Notifications and the Circular/ Letters issued by the EPFO for the purposes of ensuring compliance with the PF Scheme in respect of ‘International Workers’. 

Click here to read/ download the Original Judgment

 

Playing dominance in the OTT messaging apps market and compelling expanded user data sharing with Meta without opt-out and creating barriers via network effects and data integration, amounts to abuse of dominant position under section 4(2)(a)(i) and 4(2)(c) of the Competition Act

The NCLAT, New Delhi, in the case of WhatsApp LLC vs. Competition Commission of India [Competition Appeal No. 1 of 2025] dated November 04, 2025, has ruled that the conduct of WhatsApp playing dominance in the OTT messaging apps market in India, and compelling expanded user data sharing with Meta without opt-out and creating barriers via network effects and data integration, amounts to abuse of dominant position under section 4(2)(a)(i) and 4(2)(c) of the Competition Act. 

The Tribunal noted that competition and data-protection laws were complementary, not exclusive, and both could operate simultaneously as they address distinct harms. The privacy laws safeguard personal data, while competition law curbs abuse of dominance through exploitative data practices. Accordingly, mere overlap does not oust CCI’s jurisdiction and its competence to examine competition harms linked with privacy issues.

The Tribunal observed that the CCI’s jurisdiction could not be excluded on the grounds that it was testing competition issues on grounds of privacy and data, and they were entirely outside the realm of a competition regulator and would be covered either by SPDI Rules or DPDP Act or draft DPDP Rules framed thereunder. Thus, the objections of maintainability/ judicial-restraint cannot be based on the claim of repugnancy found between the Competition Act and the DPDPA/IT Rules. 

The Tribunal found that the CCI conducted a detailed assessment of user behaviour, technological features, and market structure, recognising the core market as OTT messaging apps through smartphones, in line with economic realities shaped by consumer preferences and switching costs. Further, the CCI also analysed functional substitutability and proximity of competitors, distinguishing WhatsApp’s position within a distinct digital messaging app market that includes rivals like Telegram and Signal, alongside a complementary online display advertising market, both relevant for assessing dominance and abuse. 

The Tribunal observed that the CCI rightly concluded that WhatsApp holds a dominant position in the OTT messaging apps market in India, with substantial entry barriers and competitive constraints resulting from its market share, network effects, consumer dependence, financial and technological resources, and ecosystem integration. Thus, the Tribunal upheld the CCI’s order holding that WhatsApp’s 2021 Privacy Policy amounted to an abuse of dominance under section 4(2)(a)(i), as it imposed unfair and coercive conditions on users and compelled them to accept the policy on a ‘take-it-or-leave-it’ basis by threatening loss of service access, thereby vitiating free consent. 

 

Regulatory Updates: 

IBBI issues Standard Undertaking to speed release of ED-Attached Assets under PMLA

The Insolvency and Bankruptcy Board of India (IBBI) vide its Circular No. IBBI/CIRP/87/2025, dated November 04, 2025, has issued an advisory to Insolvency Professionals (IPs) addressing situations where the assets of corporate debtors are attached by the Enforcement Directorate (ED) under the Prevention of Money Laundering Act, 2002 (PMLA). The IBBI noted that in several insolvency cases, the assets of corporate debtors remain under attachment by the ED. It is observed that reclaiming such assets can “significantly enhance the value of the corporate debtor,” leading to higher realisations for stakeholders.

The Circular directs insolvency professionals to file applications before Special Courts under Sections 8(7) or 8(8) of the PMLA seeking restitution of attached assets. To facilitate quicker adjudication of such requests, the IBBI, in consultation with the ED, has also prescribed a standard undertaking to accompany each application. Under this undertaking, insolvency professionals must ensure that the restituted assets will not be transferred, sold, or otherwise dealt with in a manner that benefits any ineligible persons under Section 29A of the Insolvency and Bankruptcy Code (IBC) or individuals accused in ED or predicate offences.

The circular requires IPs to maintain strict reporting discipline once restitution is granted. They must submit quarterly status reports to the Special Court detailing the condition and usage of the restituted assets, the steps taken for their monetisation, the details of distribution among stakeholders, and any sale or transfer of such assets. Additionally, insolvency professionals must disclose all ED-attached properties in the Information Memorandum or auction notices issued during the CIRP or liquidation. If new details emerge later, these must be promptly updated in subsequent filings.

To ensure transparency and cooperation, IPs are required to extend full assistance to the ED in its investigations. This includes providing information on the (i) Preferential, undervalued, fraudulent, or extortionate (PUFE) transactions; (ii) The composition and voting share of the Committee of Creditors (CoC); and (iii) Details of the Successful Resolution Applicant (SRA) or bidder, along with relevant NCLT orders. Where the ED seeks access to documents, IPs must supply them promptly. However, commercially sensitive materials, such as valuation reports or resolution plans, may be shared only after the ED acknowledges the sensitivity in writing.

Click here to read/download the Original Circular

 

RBI updates Repo Repurchase Transactions Directions to include Municipal Debt Securities

The Reserve Bank of India (RBI) vide its Master Direction – Repurchase Transactions (Repo) Directions, 2025, No. RBI/FMRD/2025-26/142 dated November 11, 2025, has updated the 2018 framework to include Municipal Debt Securities as eligible collateral for repo and reverse repo transactions. 

The Directions apply immediately to repos conducted on recognised stock exchanges, electronic trading platforms, and over-the-counter markets, while excluding Liquidity Adjustment Facility and Marginal Standing Facility transactions. They define eligible securities, participants, tenors, tri-party repo mechanisms, trading and reporting requirements, settlement procedures, pricing, haircuts, accounting, and regulatory compliance. 

Notably, government securities, corporate bonds, commercial papers, certificates of deposit, debt ETFs, and now municipal debt securities can serve as collateral. Participants include regulated entities, listed corporates, unlisted companies with government-issued special securities, and All India Financial Institutions. 

The Directions also standardise tri-party repo roles, trading processes, and reporting obligations, superseding all prior circulars and guidelines on repo transactions, thereby providing a consolidated, modernised regulatory framework for India’s repo market. 

Click here to read/ download the Original Master Direction

 

MeitY notifies DPDP Rules, 2025, with cross-border data restriction to safeguard data sovereignty and prevent casual offshore transfers

The Digital Personal Data Protection (DPDP) Rules 2025, implemented under the authority of the Digital Personal Data Protection Act 2023, represent a significant update in India’s data protection framework. These rules were finalised and notified by the Ministry of Electronics and Information Technology (MeitY) on 13 November 2025, following a rigorous legislative process that started with the draft rules’ public release on 3 January 2025.

Legislative Process and Timeline

The journey of the DPDP Rules began with the publication of the Draft Rules on 3 January 2025 in the Official Gazette of India. This step was a statutory requirement under sub-section (1) of section 40 of the DPDP Act, 2023. The draft rules were circulated to invite public feedback, objections, and suggestions from all stakeholders likely to be impacted. The government allotted a window for receiving these responses, fostering transparency and public participation in shaping the final regulation.

Following a deliberation on the feedback received from diverse stakeholders throughout this consultation phase, the Ministry finalised and notified the Rules in the Official Gazette of India dated 13 November 2025. Notably, the Rules provide for a phased implementation approach: certain provisions took effect immediately upon notification, others after one year, and some after eighteen months.

As far as the application is concerned, Rules 1, 2 and 17-21 are applicable onwards 13 November; Rule 4 (regarding Consent Managers) will be applicable onwards one year from 13 November; and Rules 3, 5 to 16-21 will be applicable onwards eighteen months from 13 November. This phased implementation approach aims to give data fiduciaries adequate time to comply while safeguarding personal data effectively.

Key Provisions

The DPDP Rules comprise 23 substantive rules organised to create a coherent regulatory architecture. The rules open with foundational provisions: 

Rules 1 to 2 establish short title, commencement dates, and essential definitions, including key terms like “techno-legal measures,” “user account,” and “verifiable consent.” 

Rule 3 mandates that notices provided by Data Fiduciaries to Data Principals be clear, independent, and sufficiently detailed to enable informed consent. The notice must itemise the specific personal data processed, specify purposes, and provide accessible links to withdraw consent or exercise data subject rights.

Rule 4 governs Consent Manager registration and obligations. Part A of the First Schedule outlines conditions for registration, including incorporation in India, minimum net worth of two crore rupees, and independent certification of interoperable platforms. Part B details obligations, requiring Consent Managers to maintain consent records for at least seven years, act in a fiduciary capacity, avoid conflicts of interest with Data Fiduciaries, and publish transparency information. The Board shall have the power to suspend or cancel the registration of the Consent Manager after following the prescribed procedure. 

Rule 5 addresses the processing of personal data by the State and its instrumentalities for the provision of subsidies, benefits, services, and licenses, requiring adherence to standards specified in the Second Schedule.

Rule 6 prescribes reasonable security safeguards, including encryption, access controls, anomaly monitoring, data backups, and retention of logs for one year.

Rule 7 establishes a two-tiered breach notification framework: immediate notification to affected Data Principals in plain language, such as nature, extent and timing of breach consequences thereof, etc., followed by detailed notification to the Data Protection Board within seventy-two hours.

Rule 8 specifies timeframes for data erasure based on Data Fiduciary class and processing purpose, as detailed in the Third Schedule. E-commerce entities, gaming intermediaries, and social media platforms holding two crore, fifty lakh, and two crore registered users, respectively, must erase data three years after the Data Principal’s last interaction, unless otherwise required by law.

Rules 9 to 11 address transparency and vulnerable populations. Rule 9 requires the publication of the Data Protection Officer or designated contact information. Rules 10 and 11 establish verifiable consent mechanisms for children and persons with guardians, leveraging identity verification through government-issued tokens and Digital Locker services.

Rule 12 provides exemptions from parental consent requirements for specific Data Fiduciary classes (healthcare providers, educational institutions, crèches) and particular purposes (health protection, educational tracking, safety monitoring).

Rule 13 imposes stringent obligations on Significant Data Fiduciaries: annual Data Protection Impact Assessments and independent audits, algorithmic risk assessments, and restrictions on cross-border transfer of personal data classified by a government committee.

Rules 14 to 16 guarantee Data Principal rights, encompassing means of exercising access, correction, and deletion rights; a ninety-day grievance redressal window; transfer of data outside India and exemptions for research, archival, and statistical processing consistent with Second Schedule standards.

Rules 17 to 22 address administrative mechanics: appointment of Data Protection Board members through Search-cum-Selection Committees, compensation, digital office functioning enabling virtual proceedings, and appeal provisions to the Appellate Tribunal with digital filing requirements.

Rule 23 empowers the Central Government to call for information from Data Fiduciaries and intermediaries for purposes specified in the Seventh Schedule, including sovereign security, and notified government functions, with confidentiality protections where disclosure threatens State interests.

 

Key Changes from Previous Legislation

1. Introduction of Consent Managers as Regulated Intermediaries: The DPDP Rules introduce Consent Managers, representing a conceptual shift from traditional consent management. Unlike historical frameworks focusing on consent as a binary transaction between Data Fiduciary and Data Principal, the Rules embed Consent Managers as trusted intermediaries managing consent lifecycle events. This architecture theoretically decouples consent management from commercial incentives, potentially reducing conflicts of interest. By mandating financial net worth thresholds and independent platform certification, the framework aims to ensure stability and credibility.

However, the minimum net worth requirement of two crore rupees, while protecting against fly-by-night operators, may inadvertently create barriers to entry for innovative fintech or tech startups attempting to enter the consent management space. Additionally, the obligation to act in a fiduciary capacity while maintaining financial viability remains untested, and conflicts could emerge if Consent Managers face commercial pressures to prioritise data flows or face deregistration for regulatory non-compliance. 

The framework would benefit from clearer guidance on fiduciary duty limits, particularly regarding scenarios where Data Principals’ consent preferences conflict with Data Fiduciaries’ processing needs. Establishing a dispute resolution mechanism between Consent Managers and regulated parties could pre-empt potential conflicts.

 

2. Phased Implementation Architecture: The previous draft rules were expected to take effect uniformly; the 2025 Rules adopt a staggered enforcement model, with eighteen-month timelines for core provisions. This pragmatic approach recognises operational realities. Organisations require time to redesign consent collection mechanisms, audit existing data processing, implement technological safeguards, and train personnel. The phased timeline mitigates disruption while ensuring regulatory coherence.

The eighteen-month delay for Rules 3, 5 to 16, and 22 creates a compliance vacuum. During this period, Data Fiduciaries lack legal certainty regarding standards for notices, security safeguards, and breach protocols, potentially incentivising status quo behaviour rather than proactive alignment with the new regime. Organisations with internal momentum may exceed regulatory minimums; those with limited resources may delay investments pending rule implementation.

The Data Protection Board should issue guidance or interpretive circulars during the transition period, signalling expected compliance trajectories and best practices. This would provide regulatory clarity without creating binding enforcement obligations.

 

3. Framework for Parental Consent for Children: Rule 10 and the Fourth Schedule establish detailed mechanisms for verifying parental consent for children’s data processing, incorporating government-issued identity tokens and Digital Locker services. The framework addresses legitimate child protection imperatives. By requiring age verification through authoritative sources (government entities or Digital Locker providers), the Rules aim to prevent adults from falsely claiming parental authority and accessing children’s accounts. The ability for parents to verify identity through multiple channels, be it pre-existing platform accounts or government-issued tokens, offers flexibility.

The reliance on government identity infrastructure assumes near-universal Digital Locker adoption and seamless interoperability between Data Fiduciaries and Digital Locker providers. For millions of Indian children lacking access to government-issued identity tokens or parental Digital Locker accounts, this may create de facto exclusions from platforms requiring such verification. Moreover, the four illustrative scenarios in Rule 10 suggest complexity that could overwhelm smaller platforms lacking sophisticated identity verification systems. Another structural barrier to this implementation is the limitations on digital know-how and the accessibility of infrastructure.

The Data Protection Board should publish standardised templates and APIs for identity verification integration, reducing implementation friction. A grace period or safe harbour for good-faith parental consent verification attempts could encourage compliance while the technical systems mature and awareness spreads.

 

4. Significant Data Fiduciary Obligations and Cross-Border Data Restrictions: Rule 13 imposes mandatory annual Data Protection Impact Assessments and audits for Significant Data Fiduciaries, alongside algorithmic risk assessments and restrictions on cross-border transfers based on government committee recommendations. This represents a material tightening of the fist compared to prior expectations. By mandating impact assessments and independent audits, the Rules create accountability checkpoints, potentially surfacing systemic risks and harms before they metastasise. The cross-border data restriction, contingent on government committee deliberation, safeguards data sovereignty and prevents casual offshore transfers.

The vagueness surrounding “Significant Data Fiduciary” classification, which is dependent on government notification rather than defined within the Rules themselves, creates regulatory uncertainty. Entities may not know if they fall within its scope until notified, hindering compliance planning. Additionally, the government committee tasked with identifying restricted data categories lacks fixed composition or procedural transparency requirements. This could lead to opaque determinations unconstrained by public input, creating opportunities for arbitrary or strategic classifications. For multinational companies operating in India, such opacity makes compliance planning nearly impossible.

The framework should establish objective criteria for Significant Data Fiduciary classification (e.g., processing volume, data sensitivity, user count) rather than relying on open-ended notification. The government committee should issue published determinations with reasoned justifications for data transfer restrictions, allowing affected entities to understand and respond to rationales.

 

5. Data Breach Notification Timelines and Board Reporting: Rule 7 mandates breach notification to the Data Protection Board within seventy-two hours of awareness, accompanied by detailed information regarding the nature, scope, remedial measures, and affected individual notifications. The seventy-two-hour window balances investigation time with victim protection. Unlike more punitive frameworks penalising delayed disclosure, this grace period acknowledges the operational realities of breach investigation while still prioritising affected individuals’ right to timely information.

The phrase “without delay” in communicating with Data Principals, absent a defined timeline, creates ambiguity. Organisations may interpret this permissively, especially in complex breaches requiring weeks of forensic investigation. Additionally, the requirement to report “broad facts related to events, circumstances and reasons leading to the breach” presumes sophisticated breach investigation capabilities. For smaller organisations or those operating distributed systems, determining root cause within seventy-two hours may be infeasible, creating compliance dilemmas.

The Board should establish a tiered reporting framework: initial notification within 72 hours with available information, followed by supplementary updates as the investigation proceeds. This would incentivise rapid disclosure without penalising organisations discovering evolving breach scope.

 

6. Data Retention and Erasure Timelines: Rule 8 and the Third Schedule specify that e-commerce entities, gaming intermediaries, and social media platforms must erase user data three years after the Data Principal’s last interaction, with a minimum one-year retention for logs. This represents a principled approach to data minimisation and retention proportionality. By linking erasure to user inactivity rather than maintaining indefinite data silos, the Rules encourage ongoing data governance and reduce exposure surface area.

The three-year timeline may conflict with financial or regulatory record-keeping requirements. For financial services platforms (often classified as e-commerce), banking regulation may mandate seven-year retention of transaction records. The Rules create potential tension between DPDP erasure timelines and sectoral regulations, leaving organisations navigating conflicting obligations. Additionally, the one-year log retention requirement for forensic and detection purposes, while reasonable in principle, demands substantial storage infrastructure for high-volume platforms processing billions of transactions.

The Framework should explicitly provide that DPDP retention requirements yield to other applicable laws, with clear guidance on hierarchy. Additionally, technical guidance on efficient log anonymisation and summarisation could reduce storage burdens while preserving forensic utility.

Key Takeaways

The Digital Personal Data Protection Rules, 2025, reflect India’s ambition to establish a world-class data protection regime balancing individual privacy, organisational operability, and State interests. The framework’s achievements (particularly the Consent Manager model, vulnerable population protections, and phased implementation) signal regulatory maturity. 

Moving forward, the Data Protection Board should prioritise transparent guidance, procedural clarity, and stakeholder engagement during the eighteen-month transition period. Clear standards and published criteria/ guidance will go a long way in transforming these rules from aspirational principles into a coherent, trustworthy regulatory framework: one that genuinely protects individuals while enabling innovation and organisational compliance.

Click here to read/ download the Original DPDP Rules, 2005

 

Award
IBLJ-2020
Chambers-Global-2020
awards-circle-iblj-22
awards-circle-Forbes-22
AsiaLaw-Highly-Recommended-2020
legal-500-2021
awards-circle-IFLR-22

Clients’ Experiences

“SNG & PARTNERS (SNG, the Firm) is a relationship based Firm. Philosophically, we are driven by a service oriented approach to find simple legal solutions to complex legal problems with high ethical standards.”
John Doe
John DoeCEO
“SNG & PARTNERS (SNG, the Firm) is a relationship based Firm. Philosophically, we are driven by a service oriented approach to find simple legal solutions to complex legal problems with high ethical standards.”
John Doe
John DoeCEO
“SNG & PARTNERS (SNG, the Firm) is a relationship based Firm. Philosophically, we are driven by a service oriented approach to find simple legal solutions to complex legal problems with high ethical standards.”
John Doe
John DoeCEO
“SNG & PARTNERS (SNG, the Firm) is a relationship based Firm. Philosophically, we are driven by a service oriented approach to find simple legal solutions to complex legal problems with high ethical standards.”
John Doe
John DoeCEO
“SNG & PARTNERS (SNG, the Firm) is a relationship based Firm. Philosophically, we are driven by a service oriented approach to find simple legal solutions to complex legal problems with high ethical standards.”
John Doe
John DoeCEO
“SNG & PARTNERS (SNG, the Firm) is a relationship based Firm. Philosophically, we are driven by a service oriented approach to find simple legal solutions to complex legal problems with high ethical standards.”
John Doe
John DoeCEO

Latest Articles

Legal Updates (Nov 10 – Nov 015, 2025)

Legal Updates (Nov 3 – Nov 08, 2025)

Legal Updates (Oct 27 – Nov 01, 2025)

Legal Updates (Oct 13 – Oct 17, 2025)

Legal Updates (Oct 6 – Oct 11, 2025)

SNG & Partners advises secured rupee term loan facility of ₹3,250 Crores extended by HDFC Bank Limited to Atrium Place Developers Private Limited

SNG & Partners advises secured rupee term loan facility of ₹3,250 Crores extended by HDFC Bank Limited to Atrium Place Developers Private Limited

Internship & Articleship

Error: Contact form not found.

Disclaimer

By proceeding further and clicking on the “I ACCEPT” button below, you acknowledge that you of your own accord wish to know more about SNG & Partners (“The Firm”) for your own information and use. You further acknowledge that there has been no solicitation, invitation or inducement of any sort whatsoever from SNG & Partners or any of its employees, partners, associates or members to create an attorney-client relationship through this website. You further acknowledge having read and understood this Disclaimer.

This website is a resource for informational purposes only and is intended, but not promised or guaranteed, to be correct, complete, and up-to-date. While SNG & Partners has taken utmost care to ensure accuracy and completeness of the information contained on this website, the Firm does not warrant that the information contained on this website is accurate or complete, and hereby disclaims any and all liability for any loss or damage caused or alleged to have been caused to any person by relying on any information contained on this website. The contents of this website should not be construed as an opinion, legal or otherwise, on any issue or subject. 

SNG & Partners further assumes no liability for the interpretation and/or use of the information contained in this website, nor does it offer a warranty of any kind, either expressed or implied. The owner of this website does not intend links from this site to other Internet websites to be referrals to, endorsements of, or affiliations with the linked entities. The Firm is not responsible for, and makes no representations or warranties about the contents of websites to which links may be provided from this website.

Furthermore, the owner of this website does not wish to represent anyone desiring representation based solely upon viewing this website or in a Country/State where this website fails to comply with local laws and ethical rules of that state. You may note that the use of the internet or email for conveying confidential or sensitive information is susceptible to risks of disclosure associated with sending email over the internet.

The Firm advises against the use of the communication platform provided on this website for exchange of any confidential, business or politically sensitive information. User is expected to use his or her judgment and such information shared will be solely at the user’s risk.

Communication through this website in any form shall be for the purpose of enquiries only and shall not hold good for service of any kind of court proceedings, summons, advance notice, pleadings etc. For service of any such document and/or notice to the Firm and/or to any of its partners under the act or rules including under CPC, Cr. PC and/or any other law shall be served at our concerned office or to the concerned advocate dealing with the matter.

I Accept