19 June 2025

Data Privacy, AI And Technology Newsletter | June 2025

Dentons Link Legal

Contributor

Established in 1999, Dentons Link Legal is a full service corporate and commercial law firm with over 50 partners and 250 lawyers across multiple practice areas. With offices across all major Indian cities and access to more than 160 offices in more than 80 countries of Dentons’ combination firms across the world, Dentons Link Legal is equipped to assist you in achieving your business objectives with the help of a team of experienced, well trained and qualified lawyers.

Welcome to the June 2025 edition of the Data Privacy, AI and Technology Newsletter. This issue covers key developments and regulatory updates from the month of May, highlighting significant changes in India's dynamic technology and fintech ecosystem. Key highlights include the launch of the DHRUVA digital address infrastructure, critical recommendations from TRAI on digital connectivity and satellite spectrum allocation, and new guidelines from the RBI and NPCI aimed at strengthening the digital lending and UPI ecosystems. We also cover significant judicial pronouncements from the Supreme Court on deepfake regulation and privacy rights within shared residential spaces.

I. UPDATES: Industry Updates: India

a. Technology Updates

1. India launches the 'Digital Hub for Reference and Unique Virtual Address (DHRUVA)' policy for Digital Address Infrastructure:

May 30, 2025: In a landmark move towards building a robust Digital Public Infrastructure, the Department of Posts under the Government of India has released the policy document for DHRUVA — Digital Hub for Reference and Unique Virtual Address. This initiative seeks to develop a standardised, geo-coded digital address system across the country, enhancing delivery of both public and private services with greater precision and efficiency.

DHRUVA is designed to enable users to securely share precise address information using a geo-coded framework and will comprise two core components:

i. Digital Postal Index Number ('DIGIPIN') – DIGIPIN uniquely identifies locations using geospatial data; and

ii. Digital Address – It is a user-centric, consent-based system built on DIGIPIN, allowing users to create customized labels to represent their DIGIPIN and descriptive addresses.

The policy outlines the institutional and legal framework for implementation, including the creation of a Governance Entity tasked with both operational and standard-setting functions. The Post Office Act, 2023 is identified as the primary legislation conferring legal recognition to DIGIPIN and Digital Address, given their roles as postcode and address identifiers. The policy also proposes the inclusion of clear provisions to define responsibilities, manage grievances and ensure effective oversight.

Link Here


b. Telecommunication Updates

2. Telecom Regulatory Authority of India ("TRAI") provides its recommendations on 'Rating of Buildings or Areas for Digital Connectivity':

May 22, 2025: TRAI has issued its response to the back reference received from the Department of Telecommunication ("DoT") with respect to TRAI's initial recommendations on "Rating of Buildings or Areas for Digital Connectivity" dated February 20, 2023. The following are some of the key responses provided by TRAI:

a) Digital Connectivity Infrastructure ("DCI") "consists of apparatus, appliance, instrument, equipment, and system capable of extending seamless digital connectivity inside buildings or areas. DCI shall include all infrastructure required for establishing Wireless or Wireline Access Networks inside buildings or areas except those which require license under Indian Telegraph Act, 1885 or authorization under Telecommunications Act, 2023 like core network or Radio Access Networks (RAN)".

b) The property manager shall retain ownership of the deployed DCI, and shall be responsible for its maintenance, expansion, and upgradation. The property manager is also responsible for providing fair, transparent, non-discriminatory, and non-chargeable access to the DCI to all service providers, and shall not execute or provide any exclusive arrangement to any infrastructure or service provider.

c) The DCI should be regularly expanded and upgraded to address growing user demand, accommodate new technologies, and enhance capacity and coverage.

d) The rating of buildings for digital connectivity shall be made mandatory for all existing central government buildings of public importance within 2 years of issue of the policy guidelines by the government, or within 1 year of obtaining the occupancy certificate for all new central government buildings or buildings constructed under central government funding (full or partial). Such buildings include airports, ports, railway/metro stations, bus stations, etc.

e) For buildings constructed by state governments or private developers, the respective state government may determine whether to make digital connectivity rating mandatory or voluntary.

Link Here

3. TRAI provides recommendations on the 'Terms and Conditions for the assignment of spectrum for certain Satellite-Based Commercial Communication Service':

May 9, 2025: TRAI has provided recommendations on the 'Terms and Conditions for the assignment of spectrum for certain Satellite-Based Commercial Communication Service', which can be accessed Here.

c. Fintech Updates

4. The Reserve Bank of India ("RBI") invites public comments on the draft circular on 'Updation/ Periodic Updation of KYC – Revised Instructions':

May 23, 2025: RBI vide its press release issued a draft circular on 'Updation/ Periodic Updation of KYC – Revised Instructions' which encloses the draft 'Reserve Bank of India (Know Your Customer (KYC)) (Amendment) Directions, 2025' ("KYC Amendment Directions") modifying the existing framework on Master Direction – KYC Direction, 2016. Public comments were invited by June 6, 2025. Some of the key changes proposed are:

a) regulated entities must permit transactions and complete KYC updation for low-risk customers within one year of the due date or by June 30, 2026, whichever is later;

b) in cases of no change or only a change in address, self-declaration and supporting documents may be obtained through an authorized business correspondent of the bank after successful biometric-based e-KYC authentication;

c) regulated entities must issue at least three advance intimations, including at least one intimation by letter, to their customers for the updation of their KYC information. In case of non-compliance despite the advance intimations, at least three reminders, including at least one reminder by letter, shall be provided subsequent to the due date, highlighting instructions for updating KYC, the escalation mechanism, and the consequences, if any, of failure to update KYC in time.

Link Here


5. National Payments Corporation of India ("NPCI") issued guidelines on usage of Unified Payments Interface ("UPI"), Application Programming Interface ("API"):

May 21, 2025: To enhance the performance and ensure appropriate usage of the UPI system, Payment Service Provider ("PSP") banks and/or acquiring banks are required to monitor and moderate all API requests sent to UPI. The following key guidelines have been issued and must be implemented by all stakeholders and their partners by July 31, 2025:

  • Balance check via UPI App: Limited to 50 customer-initiated requests per app per day and issuer banks shall add 'available balance' details with every successful UPI transaction communication.
  • Fetching linked account list: Limited to 25 customer-initiated requests per app per day, only after selecting the issuer bank in the UPI App.
  • UPI autopay mandates: Restricted to 1 attempt and 3 retries per mandate, which must be initiated during non-peak hours.
  • Validation of UPI IDs/Virtual payment addresses: Allowed only when the customer intends to make a payment. Initiator credentials must be appropriately populated in the payer details API.

It must also be ensured that (a) PSP systems are not a pass-through for back-end generated API transactions to UPI systems; and (b) an immediate audit of the system is undertaken by a CERT-In empanelled auditor to review the API usage and existing system behaviour. An undertaking to this effect, along with the audit report, shall be submitted to NPCI by August 31, 2025.

Link Here

6. RBI issued the 'Digital Lending Directions, 2025' to promote digital lending while safeguarding the interests of depositors and borrowers:

May 8, 2025: In order to promote innovation in financial systems, products and credit delivery methods while ensuring orderly growth, financial stability and protection of depositors' and borrowers' interest, the RBI issued the Digital Lending Directions, 2025 ("Directions, 2025"). The Directions, 2025 mandate inter alia the following compliances by regulated entities:

a) engagement of Lending Service Providers ("LSPs") shall be only pursuant to a contractual agreement which shall be entered into only after undertaking an enhanced due diligence on the LSPs;

b) loans can be extended only after collecting all necessary information from borrowers and the same shall be kept on record for audit purposes. Credit limits shall not be increased automatically, unless an explicit request is received, evaluated and kept on record from the borrower;

c) a website shall be maintained by regulated entities which shall be kept up to date, inter-alia, with the following details:

  • Details of all of its digital lending products and its Digital Lending Apps ("DLAs");
  • Details of all engaged LSPs, their DLAs, and the nature of their services;
  • Contact details for customer support and internal grievance redressal;
  • Link to RBI's Complaint Management System (CMS);
  • Privacy policies and other disclosures as per RBI guidelines.

d) ensure that the loan is always disbursed directly to the borrower's bank account, except for disbursals covered exclusively under statutory or regulatory mandate or specific use;

e) ensure that collection and sharing of personal data is need-based and carried out with the prior and explicit consent of the borrower, with an audit trail. Furthermore, the purpose of collecting consent must be clearly disclosed at every stage;

f) ensure that no biometric information is stored unless permitted by law. Only minimal personal details (e.g., name, address) should be retained, and these shall be stored on servers located in India. In case the data is processed outside India, it shall be deleted from there and repatriated within 24 hours;

g) all digital lending transactions via DLAs must be reported to Credit Information Companies (CICs). Furthermore, all DLAs (owned or operated by LSPs) must be reported on RBI's Centralised Information Management System (CIMS) portal by June 15, 2025.

Link Here

II. Judgements:

Supreme Court

1. Supreme Court rejects writ petition to regulate AI-generated deepfakes:

May 16, 2025: In Narendra Kumar Goswami Vs. Union of India and Ors., (W.P.(C) No. 300/2025), the Supreme Court ("SC") rejected the writ petition to regulate AI-generated deepfakes. In the writ, the petitioner had specifically urged the SC to constitute an expert committee under its supervision to draft a model law for AI regulation. The petitioner also raised concerns about the unregulated proliferation of deepfakes and the inaction of the authorities in curbing such content.

The SC remarked that it did not see the need for parallel proceedings, given that the Delhi High Court has already been examining the issue over the past few years and issuing interim orders. However, the SC granted the liberty to the petitioner to intervene in the pending matters before the Delhi High Court.

Link Here

2. SC upholds order of the Calcutta High Court that CCTV must not be installed inside the home without the consent of all occupants:

May 9, 2025: In Indranil Mullick & Ors. vs. Shuvendra Mullick (SLP(c) 12384/2025), the SC upheld the Calcutta High Court's ("CHC") ruling that CCTV cameras cannot be installed in a residential property without the consent of all occupants, emphasizing the protection of privacy rights.

The dispute originated between two brothers who shared a residential property. One of the brothers attempted to install CCTV cameras in the residential area of the property without obtaining consent from the other. The CHC ruled that installing CCTV cameras in a shared residential area without the consent of all co-occupants or co-trustees is a clear violation of their right to privacy. The CHC strongly emphasized the fundamental right to privacy, referencing the landmark SC judgment in Justice K.S. Puttaswamy (Retd.) and Anr. vs. Union of India, where the right to privacy was recognized as an intrinsic part of Article 21 of the Indian Constitution.

The SC, upholding the CHC's judgment, confirmed that the right to privacy of all individuals, as guaranteed under Article 21, must be respected. The SC dismissed the Special Leave Petition, maintaining that the installation of CCTV cameras without consent cannot be justified under any circumstances.

Link Here


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
