20 February 2025

Data Privacy And Cyber Security Newsletter

Dentons Link Legal

Contributor

Established in 1999, Dentons Link Legal is a full service corporate and commercial law firm with over 40 partners and 150 lawyers across multiple practice areas. With offices across all major Indian cities and access to more than 200 offices in more than 80 countries of Dentons’ combination firms across the world, Dentons Link Legal is equipped to assist you in achieving your business objectives with the help of a team of experienced, well trained and qualified lawyers. The Firm’s clientele includes some of India’s leading corporate groups, public sector undertakings, public sector and private banks, private individuals, and multinational corporations across the world.

I. UPDATES:

Industry Updates: India

1. Publication of Draft Digital Personal Data Protection Rules, 2025:

January 3, 2024: Pursuant to the Digital Personal Data Protection Act, 2023 ("DPDPA"), the Ministry of Electronics and Information Technology ("MeitY") published the Draft Digital Personal Data Protection Rules, 2025 ("Draft Rules") for public consultation, with stakeholders to submit their comments by February 18, 2025. In line with the objectives of the DPDPA, the Draft Rules appear to be an attempt to introduce a robust framework for the protection, management, collection, storage and retention of the digital personal data of individuals. With the release of the Draft Rules, it is anticipated that the DPDPA, along with the rules, will soon be implemented (in a phased manner) following the completion of the consultation process. The Draft Rules relating to the Act's commencement, definitions and matters concerning the Data Protection Board ("DPB") are expected to come into effect upon their publication in the Official Gazette, while the enforcement of the other Draft Rules will occur at a later date (yet to be specified). For a comprehensive analysis of the Draft Rules, please refer to our detailed review here.


2. Department of Telecommunications ("DoT") has notified the Telecommunications (Telecom Cyber Security) Rules, 2024:

November 21, 2024: The Telecommunications (Telecom Cyber Security) Rules, 2024 are the first set of rules to be issued under the newly issued Telecommunications Act, 2023. The key features of the Telecommunications (Telecom Cyber Security) Rules, 2024 are as follows:

1. The telecom companies are mandated to report cyber security incidents within six (6) hours of becoming aware of such incidents and shall furnish more information such as number of users affected, duration of incident, remedial measures undertaken, etc. within twenty-four (24) hours.

2. Telecommunication entities shall ensure compliance and implement measures to ensure telecom cyber security, including policy changes, testing, timely responses, forensic analysis and periodic audits.

3. Telecommunication equipment, identifiers, networks or services shall not be used for activities such as fraud, cheating, personation, transmitting fraudulent messages, or committing or intending to commit any security incident.

4. Telecommunication entities are required to appoint a Chief Telecommunication Security Officer who shall be responsible for coordinating with the Central Government on behalf of the telecommunication entity for the implementation of these rules.


3. MeitY issued 'Email Policy of Government of India, 2024' for Ministries and Central Departments:

October 30, 2024: MeitY has introduced a policy requiring all government employees, contractors and consultants to exclusively use official government email addresses managed by the National Informatics Centre ("NIC") for all public functions. This policy aims to enhance cybersecurity and accountability by ensuring sensitive information remains within government-controlled domains.

Under the policy, NIC is authorized to monitor email accounts for malicious content, conduct forensic analysis and remove harmful attachments or links as necessary. In cases of complex threats, NIC may collaborate with third parties to ensure robust security measures.

The policy establishes two types of official email addresses:

  • Organization-linked emails: Designated for specific roles, such as "jointsecretary-section69a@meity.gov.in."
  • Individual-linked emails: Assigned to individuals based on rank or designation, e.g., IPS officers with addresses ending in "@ips.gov.in."

Additionally, the policy states that private contractors and consultants engaged in non-permanent roles with the government will use distinct email addresses with the suffix "-contractor" appended to the domain, such as name@meity-external.gov.in. This structured approach reinforces the government's commitment to secure communication and transparency across all official interactions.


4. Advisory issued by MeitY for observance of due diligence by the Intermediaries:

October 25, 2024: In response to a surge of hoax bomb threats affecting India's aviation sector, compounded by the rapid dissemination of such threats through social media via forwarding, re-sharing and reposting, MeitY has issued an advisory emphasizing intermediaries' responsibilities under the Information Technology Act, 2000 ("IT Act") and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. MeitY cautions intermediaries that failure to adhere to these due diligence requirements could result in the loss of 'safe harbour' protection under Section 79 of the IT Act, which otherwise shields them from liability for third-party content. Further, under the Bharatiya Nagarik Suraksha Sanhita ("BNSS") 2023, intermediaries are obligated to report content threatening national security, public order, or economic stability, thus reinforcing their accountability in safeguarding national safety. The advisory directs intermediaries to remove bomb threats from their platforms within the prescribed timelines, report these threats to the relevant authorities and share information with law enforcement agencies within seventy-two (72) hours.


5. Cybersecurity and Cyber Resilience Framework ("CSCRF") issued by Securities and Exchange Board of India ("SEBI"):

August 20, 2024: The CSCRF has been issued to provide standards and guidelines for strengthening cyber resilience and maintaining robust cyber security of SEBI regulated entities. The CSCRF applies to five categories of Regulated Entities ("REs") based on specific parameters such as the scope of operations, number of clients, trade volume, assets under management, and more. These categories include Market Infrastructure Institutions ("MIIs"), Qualified REs, Mid-size REs, Small-size REs, and Self-certification REs.

Following are the key aspects of the framework:

1. The CSCRF mandates that any data generated by REs shall be kept available and easily accessible in a legible and usable form within India's legal boundaries. For investors whose country of incorporation is outside India, those REs must also store the original data in a legible and usable form within India. Such data retained shall receive annual approval from the Board, Partners, or Proprietor. Furthermore, this data must be made available to SEBI, CERT-In, or any other government agency within 48 hours of a request.

2. REs must follow data security standards, guidelines and other government regulations, such as the IT Act, DPDPA 2023, or any future laws or regulations issued by SEBI or the Government of India.

3. Periodic audits for Vulnerability Assessment and Penetration Testing ("VAPT") shall be conducted by CERT-In empaneled Information Security ("IS") auditing organizations.

4. MIIs and Qualified REs are required to obtain the ISO 27001:2022 ("Information security, cybersecurity and privacy protection - Information security management systems - Requirements") certification.

5. Any cybersecurity incident as specified under the directions of CERT-In shall be notified to SEBI, CERT-In and the National Critical Information Infrastructure Protection Centre (as applicable) within the prescribed timelines.

6. MIIs are required to undergo third-party assessments on a half-yearly basis while Qualified REs are required to perform self-assessments annually.

7. All REs except for small-size and self-certifying REs shall utilize strong data-in-use encryption methods for cloud deployments.


II. Judgements

Supreme Court

1. Supreme Court held possession of child pornography punishable under Protection of Children from Sexual Offences Act, 2012 ("POCSO Act"):

September 23, 2024: In Just Rights for Children Alliance Vs. S. Harish (Criminal Appeal Nos. 2161-2162 of 2024), the Apex Court held that mere viewing, possessing and storage of material depicting minors engaged in sexual activity constitutes an offence and is punishable under section 15 of the POCSO Act and section 67B of the IT Act. This judgement overturned the Madras High Court decision, which had quashed criminal proceedings against S. Harish after finding that "mere possession or storage" of 'child pornography' was not an offence under the POCSO Act or the IT Act.

The Apex Court held that section 15(1) of the POCSO Act penalizes the failure to 'delete, destroy or report' child pornography. Its interpretation is therefore that the mere possession of the material, unless and until deleted, destroyed or reported by the accused, is an offence under Section 15. The Court also clarified the scope of section 67B, stating that section 67B(a) penalizes the "direct or indirect involvement" in dissemination, publication or transmission of child pornography, while section 67B(b) adds to it by criminalizing the "acts of creating, propagating or engaging with or using" child pornography. The Court therefore observed that section 67B also criminalizes possession and consumption of child pornography. Furthermore, the Court observed that if an intermediary is notified of such content, it is required to promptly remove or disable access to it. Failure to do so would result in the loss of the "safe harbor" protection provided under Section 79 of the IT Act. This judgment is a landmark decision, as it highlights the progressive stance taken under Indian law in explicitly criminalizing the viewing and possession of child pornography, an area where many countries still lack clear and specific legal provisions.


High Court

2. Rajasthan High Court took suo motu cognizance of 'Digital Arrest Scams':

January 22, 2025: The Rajasthan High Court took suo motu cognizance of the increasing trend of 'digital arrest scams', one of the insidious forms of cybercrime. The Court opined that public campaigns through print, electronic, social media, television and FM Radio shall be organized every day to make the public aware that digital arrests have no legal standing under Indian law, as well as to educate people about the lawful process of arrest in India and the rights associated with it. Additionally, the Court observed that the RBI shall also develop a mechanism to stop the transfer of money in such trap transactions.


3. Rajasthan High Court held collecting voice samples against the wish of accused not violative of right to privacy, right against self-incrimination:

December 4, 2024: In Badri Prasad Vs. Central Bureau of Investigation & Others (S.B. Cr. Miscellaneous (Petition) No. 6518/2024), the petitioner was accused of accepting a 1% commission from contractors as undue gratification for clearing their bills. A charge sheet was filed, supported by recordings of telephonic conversations between the petitioner and the contractors. Subsequently, the Public Prosecutor applied for the petitioner's voice samples to enable forensic comparison with the recorded conversations. The petitioner was directed to provide the voice samples, and this direction was later challenged in Court. The Court observed that Article 20(3) of the Indian Constitution states that the accused cannot be compelled to be a witness against himself, not that the accused cannot be compelled to be a witness at all. As a result, asking the accused to furnish his/her voice samples did not amount to self-incrimination when the incrimination was contingent on comparing that voice sample with the recordings available.

The Court held that voice is a unique personal trait and that furnishing a voice sample is comparable to providing a blood sample. It cannot be equated with a statement made by the petitioner. Furthermore, the voice samples were needed for investigation in a corruption matter and were thus necessary in the public interest.


4. Delhi High Court held right to privacy includes right to be forgotten and right to live with dignity:

November 6, 2024: In ABC Vs. State & Another (CRL.M.C. 495/2019), a criminal complaint against the petitioner led to the registration of an FIR, but the petitioner was later acquitted. Despite the dismissal of the case, details about the petitioner and the case remained accessible online via simple Google searches, negatively impacting their career prospects and reputation. The petitioner filed the present case seeking the removal of this information.

The Court held that retaining such information after the quashing of criminal proceedings, where the petitioner was cleared of guilt, serves no public interest and infringes on the individual's right to privacy. It emphasized that the right to privacy, including the right to be forgotten and the right to live with dignity under Article 21 of the Constitution, outweighs public access to such information. While access to information is essential to democracy, it must be balanced with an individual's privacy rights. The Court directed the registry to remove the petitioner's and the complainant's names from case records and search results. It also allowed the petitioner to approach relevant platforms and search engines to mask the judgment, ensuring only anonymized party names are displayed.


5. Madras High Court held that fundamental right to privacy includes spousal privacy:

October 30, 2024: In R v. B (SCC OnLine Mad 6084), the husband filed for dissolution of marriage, alleging cruelty, adultery and desertion by the wife, and submitted her call data records as evidence. The Court, referencing Section 63 and Section 39 of the Bharatiya Sakshya Adhiniyam, 2023 ("BSA") and Section 79A of the IT Act, held that any electronic record submitted as evidence must be accompanied by a valid certificate. This certificate must include Part A and Part B, wherein the latter shall be completed by an expert notified under Section 79A. The Court found the certificate submitted by the husband to be invalid as it was issued by the husband himself, lacked the required certification under Section 65B(4) of the Evidence Act, 1872 and was not provided by an authorized official from the telecom provider, Jio, as mandated by law.

The Court asserted that the husband's actions constituted a clear invasion of the wife's right to privacy, as he obtained her call history without her consent. It was noted that he was neither the owner of the mobile device nor the registered user of the SIM card and his possession of the phone was only temporary and clandestine. As a result, the Court held that privacy as a fundamental right includes spousal privacy also and evidence obtained by invading this right is inadmissible.


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
