Welcome to this edition of the Data Privacy, AI and Technology Newsletter, highlighting key legal, regulatory, and judicial developments across India’s digital ecosystem. This issue captures important updates in technology governance, telecommunications regulation, and fintech oversight, including proposed amendments to intermediary rules, enhanced compliance frameworks, and measures to address unsolicited commercial communications.
The newsletter also covers regulatory actions by MeitY, TRAI, and RBI on data protection, platform accountability, and financial sector norms, reflecting a continued focus on strengthening digital governance and consumer protection.
Additionally, it features key judicial developments on the misuse of AI-driven content, underscoring the evolving legal landscape around digital rights and emerging technologies.
Industry Updates: India
Technology Updates
MeitY published the Draft Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Second Amendment Rules, 2026
March 30, 2026: The Ministry of Electronics and Information Technology (MeitY) released a draft amendment which proposes to further amend the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (IT Rules 2021).
Key Highlights of the draft amendment rules, inter alia, are:
- The IT Rules 2021 provide that an intermediary, when removing or disabling access to any information hosted by it, is required to preserve relevant information and associated records for 180 days. Additionally, when an intermediary collects information from a user for registration, it is required to retain such information for a period of 180 days after cancellation or withdrawal of registration.
The draft amendment now explicitly clarifies that the retention obligations in the abovementioned cases operate without prejudice to any requirements relating to the preservation or retention of information under Information Technology Act, 2000 or any other laws in force.
- A new rule has been proposed to be inserted which explicitly mandates compliance by intermediaries with Ministry-issued clarifications, advisories, directions, SOPs, codes of practice and guidelines. Such compliance will form part of the due diligence obligations of the intermediary under section 79 of the Information Technology Act, 2000; and
- In its current form, Part III of the IT Rules 2021 ‘Code of ethics and procedure and safeguards in relation to digital media’ applies only to (a) publishers of news and current affairs content; and (b) publishers of online curated content. Further, the IT Rules 2021 provide that Part III also applies to intermediaries for the purposes of rule 15 (procedure for issuing of direction to block, remove or modify digital content) and rule 16 (blocking of information in case of emergency).
The draft amendment proposes to expand the applicability of Part III of the IT Rules 2021, to (a) intermediaries; and (b) news and current affairs content hosted on the computer resources of the intermediaries by users who are not publishers for the purpose of not only rule 15 and rule 16 but also rule 14 (Inter-Departmental Committee to hear grievances).
Telecommunication Updates
Telecom Regulatory Authority of India published the Telecommunication Tariff (Seventy Second Amendment) Order, 2026.
March 24, 2026: The Telecom Regulatory Authority of India (TRAI), by its Telecommunication Tariff (Seventy Second Amendment) Order, 2026, amended the financial penalties which may be imposed on service providers, including telecom access providers and internet service providers, for non-compliance with tariff reporting requirements. Service providers are required to report to TRAI any new tariff offers, or any changes therein, within 7 working days from the date of implementation. Key penal amendments inter alia include:
- Graded disincentives: the amount of disincentive for every day of delay in reporting has been increased from INR 5,000 to INR 10,000 for the first 7 days, and, in the event the contravention continues beyond 7 days, an additional amount of INR 20,000 for each subsequent day of delay has been introduced.
- Ceiling on the total financial disincentive: the maximum limit of penalty per violation has been increased from the earlier INR 2,00,000 to INR 5,00,000.
- Interest on delayed/non-payments of financial disincentives: interest at a rate of 2% above the 1-year marginal cost of lending rate of State Bank of India (as applicable at the beginning of the financial year in which the last day of the stipulated period falls) has been introduced on outstanding financial disincentives in cases of late or non-payment.
- Deletion of Clause 7A: Clause 7A of the Telecommunication Tariff Order 1999, which pertained to financial disincentives for excess charges levied by the service providers on consumers, has been deleted.
TRAI published Reporting System on Accounting Separation (Amendment) Regulations, 2026.
March 24, 2026: Reporting System on Accounting Separation (Amendment) Regulations, 2026, substitutes Regulation 6 of the Reporting System on Accounting Separation Regulations, 2016 in its entirety, introducing a more stringent financial disincentive framework for non-submission or false submission of accounting separation reports required to be filed by all service providers having aggregate turnover of not less than INR 1,000 million. Key amendments inter alia include:
- Graded financial disincentive for delayed submission: a service provider that contravenes the submission timelines prescribed under Regulation 5 shall be liable to pay INR 20,000 per day for the first 7 days of default, and INR 40,000 per day for each subsequent day, subject to a maximum ceiling of INR 10,00,000. In cases of repeated default across 2 or more consecutive years, the applicable disincentive escalates to INR 50,000 per day for the first 7 days and INR 75,000 per day thereafter, subject to a higher ceiling of INR 25,00,000.
- Turnover-linked financial disincentive for false or misleading reporting: a tiered, turnover-based financial disincentive framework has been introduced for cases of false reporting or deliberate omission of material facts. The disincentive is differentiated between ‘minor violations’ and ‘major violations’. This replaces the earlier provision, which permitted a financial disincentive of up to INR 10,00,000 without distinction as to the nature or gravity of the violation.
- Interest on delayed/non-payments of financial disincentives: interest at a rate of 2% above the 1-year marginal cost of lending rate of State Bank of India (as applicable at the beginning of the financial year in which the last day of the stipulated period falls) has been introduced on outstanding financial disincentives in cases of late or non-payment.
TRAI issued the draft Telecom Commercial Communication Preference (Third Amendment) Regulations, 2026 for public consultation.
March 13, 2026: TRAI issued the Draft Telecom Commercial Communications Customer Preference (Third Amendment) Regulations, 2026, for public consultation until April 12, 2026, aimed at reducing Unsolicited Commercial Communications (UCC), especially in light of developments such as AI-based detection of UCC by major access providers. Key highlights of the draft regulations inter alia include:
- The definition of ‘Relationship’ which determines the circumstances under which a business may contact a customer without obtaining direct consent has been proposed to be narrowed by removing provisions that previously permitted contact on the basis of: (i) past transactions or purchases; (ii) mere inquiries made by the customer regarding products or services; and (iii) social interactions between the parties. These deletions are proposed with a view to curbing misuse of the inferred consent framework and reducing instances of UCC directed at customers. Additionally, the draft proposes a revised definition of ‘Explicit Consent’ to recognise legacy consents previously obtained by businesses outside the digital Consent Registration Framework, provided such consents are subsequently registered on TRAI's Consent Register in accordance with the specified procedure, ensuring transparency and preserving subscribers' right to notification and revocation of such consent.
- Mandating access providers to deploy AI/ML based systems to flag suspected UCC senders, leading to mandatory KYC re-verification and potential disconnection. Under the existing framework, regulatory action is triggered only upon receipt of 5 or more complaints from unique recipients within 10 days. The draft amendments propose to lower this threshold to 3 or more complaints within 10 days, where the sender's number has already been flagged as a ‘Suspected UCC CLI’ by an AI/ML system during the same period. Upon meeting the threshold, graded enforcement action is prescribed: for the first instance, KYC re-verification of the sender is mandated; for the second instance, physical KYC verification along with a 15-day barring of all outgoing services of telecom resources; and subsequent violations attract more stringent action.
- Under the existing framework, upon detection of misuse of SMS headers and/or content templates, all traffic from the concerned sender is suspended immediately by all access providers, which risks large-scale disruption for entities such as government bodies and banks. The draft regulation proposes a more calibrated approach whereby only the specific misused header(s) and/or content template(s) are suspended immediately across all access providers, with the Originating Access Provider (OAP) serving a notice on the sender within 24 hours. The suspension shall remain in place until the sender has fully complied with the following conditions: (i) reset all access credentials within 24 hours; (ii) file a complaint with law enforcement within 2 business days; (iii) de-register and re-register all headers and content templates within 5 business days, where the misuse is established to have occurred due to leakage, cloning, or compromise of credentials; and (iv) conduct a comprehensive review of all registered headers and templates within 10 business days. Failure to comply within the stipulated timeframes will result in suspension of all commercial communication traffic from the sender until compliance is achieved.
TRAI issues direction to all access service providers, unified licensees and the internet service providers regarding display of information relating to Complaint Centre and Appellate Authority.
March 12, 2026: TRAI states that while the Telecom Consumers Complaint Redressal Regulations, 2012 mandate every service provider to establish a complaint centre for redressal of complaints, such details are not being prominently displayed on the landing page/home page of the website/mobile application of service providers. In order to ensure that details regarding the complaint centre and Appellate Authority established by service providers are properly displayed and easily accessible by customers, TRAI now mandates all access service providers, unified licensees, and internet service providers to:
- Prominently display on the landing page of their official website and home page of their mobile application a clearly visible and distinct tab/link titled ‘Customer Care’, and ensure that such tab/link leads directly to a dedicated page containing, inter alia, the following information: (i) Consumer Care Number (functional); (ii) contact details such as email and postal address of the complaint centre (functional); (iii) procedure for lodging complaints and service requests; and (iv) time limit for redressal of complaints.
- Ensure that the information displayed is in (i) Hindi, English and the official language of the service area/State and (ii) easily accessible and not placed behind multiple navigational layers.
- Furnish by March 27, 2026, compliance report along with URLs/screenshots.
Fintech Updates
Reserve Bank of India issues advisory on Best Practices for Customer Data Protection.
March 25, 2026: The Reserve Bank of India (RBI), through its Cyber Security and IT Risk (CSITE) Group, Department of Supervision, has issued Advisory No. 3/2026 on best practices for customer data protection by Supervised Entities (SEs), summarizing best practices observed during the thematic study on ‘Security of Customer Data’ conducted across multiple categories of SEs in 2025. The advisory serves as illustrative guidance for SEs and does not substitute for, dilute, or override any legal or regulatory requirements applicable to SEs. In recognition of the rapidly evolving digital financial ecosystem, the advisory identifies best practices for the protection of customer data across key areas, which inter alia, include:
- Governance and Regulatory Compliance: board-level oversight of customer data security, clearly defined roles and responsibilities including appointment of a Chief Information Security Officer and Data Protection Officer, and documented accountability structure to ensure that ownership for governance, protection, monitoring, incident handling etc. is transparent across the organisation.
- Data Collection, Classification and Usage: utilising automated data tagging and classification, implementation of centralised consent management, and transparent communication of privacy practices to customers at key interaction points such as during onboarding, account setup and transaction stage.
- Data Sharing and Third-Party Risk Management: requiring thorough vendor due diligence prior to onboarding, purpose limitation in data sharing with appropriate safeguards including anonymisation and automated monitoring of third-party handling of customer data.
- Incident Response and Recovery: requiring a clearly defined incident response framework with structured escalation and root cause analysis, periodic cyber drills involving third parties, and transparent multi-channel customer communication in the event of a data breach, integrated into the entity's cyber crisis management plan.
RBI amends Concentration Risk Management and Capital Adequacy Directions for Non-Banking Financial Companies.
March 10, 2026: RBI has issued two amendments to the following Master Directions governing Non-Banking Financial Companies (NBFCs).
- Reserve Bank of India (Non-Banking Financial Companies - Concentration Risk Management) Second Amendment Directions, 2026: revises the definitions of ‘Owned Fund’ and ‘Tier 1 Capital’ for the purpose of credit and investment concentration norms, aligning them with the RBI (NBFCs - Prudential Norms on Capital Adequacy) Directions, 2025, and requires NBFCs to obtain an external auditor's certificate and submit the same to the Department of Supervision of RBI before reckoning any additions to capital funds.
- Reserve Bank of India (Non-Banking Financial Companies – Prudential Norms on Capital Adequacy) Second Amendment Directions, 2026: clarifies the computation of ‘Owned Fund’ by permitting inclusion of quarterly profits, subject to: (i) quarterly limited review or audit by statutory auditors; and (ii) reduction of such profits by the average dividend paid over the last 3 financial years, with losses in the current year being fully deducted from Owned Fund.
Judgements
Delhi High Court grants ex-parte ad-interim injunction to protect Gautam Gambhir’s personality rights
March 25, 2026: In Gautam Gambhir vs. Ashok Kumar / John Doe & Ors (CS(COMM) 287/2026), the Delhi High Court granted an ex-parte ad-interim injunction protecting the personality and publicity rights of renowned cricketer Gautam Gambhir.
Facts and background of the case: The Plaintiff, a globally recognised former Indian international cricketer and World Cup champion, filed the suit alleging that the defendants engaged in infringing, misappropriating, and exploiting the Plaintiff’s personality, privacy and publicity rights through digital and online platforms. The Plaintiff highlighted that AI-generated videos impersonating him were disseminated online, along with a screenshot falsely purporting to be an official resignation announcement by the Plaintiff claiming that he had stepped down as Head Coach of the Indian Men’s National Cricket Team, which caused large-scale misinformation.
Judgment: The Delhi High Court issued an ad interim order restraining the defendants from unauthorised use or exploitation of the Plaintiff’s personality rights including his name, image, voice, likeness, and other persona attributes for any commercial or personal gain, particularly through AI-driven technologies such as generative AI, deepfakes, chatbots, and face morphing.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.