Welcome to the July 2025 edition of the Data Privacy, AI and Technology Newsletter. This issue captures the key developments from June 2025 across India's evolving regulatory and innovation landscape in technology, telecommunications, fintech, and data protection. Notable highlights include the launch of Bharat Gen, India's first government-funded AI-based multimodal large language model, new guidelines from MeitY on consent management under the DPDP Act and significant advisories from Cert-In and the Central Consumer Protection Authority aimed at strengthening cybersecurity and curbing dark patterns. We also cover major telecom reforms extending cybersecurity obligations to OTT and fintech platforms, along with recent judicial pronouncements on phone tapping and online gaming regulations by the Madras High Court.
I. UPDATES: Industry Updates: India
a. Technology Updates
1. NITI Aayog releases report on 'India's Data Imperative: The Pivot Towards Quality':
June 24, 2025: NITI Aayog's Frontier Tech Hub released the third edition of its quarterly insights series Future Front, titled "India's Data Imperative: The Pivot Towards Quality" (Report). The Report critically addresses the challenges arising from poor data quality and outlines six key attributes essential for improving data quality: accuracy, completeness, timeliness, consistency, validity, and uniqueness.
To promote high-quality data, the Report introduces a Data Quality Maturity Framework, a self-assessment tool for public institutions, structured around four pillars:
a. Governance
b. Validation
c. Monitoring
d. Integration
The framework is intended as a diagnostic tool to help institutions identify gaps, prioritize actions, and build resilient, future-ready data systems.
The Report also outlines practical pathways for enterprises to enhance data quality:
a. Fix at the source – through real-time validation during data entry, de-duplicating registries using open-source tools, and maintaining data dictionaries.
b. Keep it clean – by conducting regular sample-based audits, appointing internal designated points of contact, and establishing grievance redressal mechanisms.
c. Make it matter – by using dashboards to track data quality, incentivizing improvements, and organizing internal initiatives like "Data Quality Week".
2. Cert-In issues advisory for online services with regards to broad credential exposure:
June 23, 2025: Due to a significant rise in data breaches and the exposure of nearly 16 billion login credentials including usernames, passwords, authentication tokens etc., there is an increased risk of unauthorized access, identity theft, phishing, account takeovers, ransomware, and business email compromise. In this backdrop, the Cert-In has issued an advisory outlining key recommendations for individuals to mitigate these risks:
a. Regularly update passwords, wherein priority must be given to email, banking, social media, and government accounts.
b. Enable multi-factor authentication using hardware tokens or SMS-based verification.
c. Use passkeys (where supported) for password less, phishing-resistant authentication through biometrics or device PINs.
d. Keep operating systems, browsers, and applications updated, and perform regular antivirus scans.
Organizations, on the other hand, must:
a. Implement intrusion detection systems and security information and event management (SIEM) tools to identify unauthorized access attempts.
b. Encrypt stored credentials and sensitive data and conduct regular audits to ensure databases are not publicly accessible.
c. Conduct cybersecurity awareness training focused on phishing prevention and secure password practices.
3. MeitY issues guidelines for implementing a Consent Management system under the Digital Personal Data Protection Act, 2023:
June 06, 2025: The Ministry of Electronics and Information Technology (MeitY) has released a Business Requirement Document for a Consent Management System (CMS) under the Digital Personal Data Protection Act, 2023 (DPDP Act). The document is a non-binding technical guidance outlining key considerations for developing and implementing an ideal consent management infrastructure. It aims to assist data fiduciaries and consent managers in their compliance efforts, while enabling data principals to exercise greater control over their personal data.
The document goes into great detail, presenting an in-depth model of how a consent management system should ideally work. The document treats consent as a dynamic process, requiring comprehensive consent lifecycle management across four phases:
(i) Collection – At the time of collection, present purpose specific, multilingual notices with granular options that require explicit affirmative action;
(ii) Validation – Following consent collection, the CMS must validate whether a data principal has provided explicit and lawful consent for a specific purpose before the data fiduciary processes their personal data;
(iii) Update and renewal - The CMS must also enable data principals to modify their previously granted consent for specific purposes. Data principals must also be given an option to renew previously granted consent when it expires; and
(iv) Withdrawal - The CMS must allow data principals to withdraw their consent for specific purposes, which would lead to the immediate cessation of related data processing.
Given the widespread use of web and application-based data collection, the document also offers specific guidance on cookie consent management, including: (i) displaying cookie policies with default settings that allow only essential cookies without explicit consent; (ii) granular consent options must be given for specific cookie categories such as analytics and marketing cookies; and (iii) obtaining renewed consent for any changes in cookie policies.
Additionally, the document recommends the implementation of user dashboards that allow data principals to (i) manage their consent in real time, and (ii) receive transparent notifications regarding any changes to their consent.
4. Central Consumer Protection Authority issues an advisory for e-commerce platforms to conduct self-audits for detecting dark patterns:
June 05, 2025: Advisory has been issued by the Central Consumer Protection Authority directing all e-commerce platforms to conduct self-audits within three months from the date of its issuance. The advisory has been issued pursuant to the Guidelines for Prevention and Regulation of Dark Patterns, 2023 (Guidelines), framed under the Consumer Protection Act, 2019 (Act).
Dark pattern is a deliberate user interface design, which are intentionally structured to steer users into making decisions which they may not otherwise make —such as pre-ticked boxes, fake countdowns, false scarcity, or un-cancellable subscriptions. As per the Guidelines use of such dark patterns amounts to (i) misleading advertisement, or (ii) unfair trade practice, or (iii) a violation of consumer rights under the Act.
The advisory also encourages e-commerce platforms to make self-declarations that their platforms do not indulge in the use of any such dark patterns.
5. India launches 'Bharat Gen'- first AI based multimodal large language model for Indian languages:
June 02, 2025: Union Minister of State for Science & Technology, Dr. Jitendra Singh, launched 'Bharat Gen', India's first-of-its-kind, AI based, government-funded, multimodal large language model (LLM) for Indian languages, at the prestigious 'BharatGen Summit'—India's largest generative AI and LLM summit and hackathon. Bharat Gen integrates text, speech, and image modalities, offering seamless AI solutions in 22 Indian languages.
The initiative is aimed to empower critical sectors such as healthcare, education, agriculture, and governance, delivering region-specific AI solutions that understand and serve every Indian.
b. Telecommunication Updates
6. Ministry of Communications issued draft of 'Telecommunications (Telecom Cyber Security) Amendment Rules, 2025':
June 24, 2025: In an effort to strengthen security of telecom networks in India, the Ministry of Communications (MoC), Department of Telecommunications issued draft 'Telecommunications (Telecom Cyber Security) Amendment Rules, 2025' to amend the Telecommunications (Telecom Cyber Security) Rules, 2024. The draft rules are open to public feedback and suggestions until July 24, 2025. Some of the key modifications suggested by the draft rules are as follows:
a. The regulatory scope has been expanded to include Telecommunication Identifier User Entities (TIUEs), covering not only licensed and authorized telecom operators but also non-operator users of telecom identifiers—such as OTT applications and payment platforms—that utilize such identifiers for provisioning and delivery of services. This inclusion brings such entities within the cybersecurity framework under the telecommunication regime. The rules also clarify key definitions to enhance telecom cybersecurity enforcement and compliance.
b. To validate telecommunication identifiers, the government plans to launch a centralized, real time Mobile Number Validation (MNV) platform, enabling verification of whether a mobile number is accurately linked to its legitimate user as per official records.
c. The Central Government will collaborate with manufacturers of telecom equipment bearing International Mobile Equipment Identity (IMEI) numbers to implement stronger cybersecurity safeguards. This includes preventing the use of fake or duplicate IMEI numbers and facilitating the tracking of tampered devices.
d. A centralized database of tampered or restricted IMEI numbers will be maintained by the Government or an authorized agency, herein second-hand mobile resellers will also be required to verify devices against this list prior to resale.
e. TIUEs, under the new framework, will be required to comply with the same cybersecurity obligations applicable to licensed telecom operators, including data protection standards and incident reporting requirements.
7. Telecom Regulatory Authority of India launches pilot project for digital consent management framework in partnership with the Reserve Bank of India and selected banks:
June 16, 2025: In light of the increasing number of spam complaints from consumers against businesses, the Telecom Regulatory Authority of India (TRAI) vide its press release launched the aforementioned pilot project to safeguard consumer interest in the commercial communications by evolving the ecosystem into more consumer-centric practices. It has been observed by TRAI that many spam complaints were from consumers against business entities (they previously purchased goods / services from) claiming to have offline prior consent for sending commercial communications.
Under the Telecom Commercial Communications Customer Preference Regulations 2018 (TCCCPR), commercial communications are permitted if explicit consent has been obtained, irrespective of Do Not Disturb (DND) preference of the customer. Verification of such offline consents by TRAI has posed a serious challenge and to address this issue, TRAI now mandates entities to acquire consent digitally and register it in a secure, interoperable digital consent registry maintained by telecom service providers, for easy verification during commercial communication.
To begin the national roll-out, TRAI has launched this pilot project with Reserve Bank of India (RBI) and selected banks, keeping in mind the transaction sensitivity and financial fraud risks involved in the banking sector. This regulatory sandbox pilot will test the operational, technical, and regulatory aspects of the enhanced consent registration function and lay the foundation for sector-wise scaling of the digital consent ecosystem.
c. Fintech Updates
8. Reserve Bank of India issued Master Direction on Electronic Trading Platforms to enhance operational resilience, risk management, and transparency:
June 16, 2025: RBI has issued the Master Direction – Reserve Bank of India (Electronic Trading Platforms) Directions, 2025 (Directions), replacing the earlier Electronic Trading Platforms (Reserve Bank) Directions, 2018. These Directions apply to all entities operating Electronic Trading Platforms (ETPs) that facilitate trading in eligible instruments i.e.: (i) securities, (ii) money market instruments, (iii) foreign exchange instruments, (iv) derivatives, or (v) other instruments of like nature, as may be specified by RBI, from time to time. Following are the key directions issued under the Directions:
a. No entity shall operate an ETP (except those specifically exempted under the Directions) without obtaining prior authorization of the RBI.
b. The eligibility criteria for authorization of ETP is divided in three parts:
(i) General criteria: The entity seeking authorization (a) must be incorporated in India (complying with applicable laws and regulation including Foreign Exchange Management Act, 1999, in case of non-resident shareholding); and (b) have at least two key managerial personnel with a minimum of three years' experience in operating trading infrastructure.
(ii) Financial Criteria: Must have a net worth of INR 50 million, to be maintained at all times.
(iii) Technological Criteria: Must possess robust, secure, scalable tech infrastructure with real-time trade dissemination capability.
c. ETP operator shall undertake due diligence at the time of on-boarding of all members and shall continuously maintain updated information of its members.
d. ETP operators must maintain detailed rules covering onboarding, suspension, cessation of membership, roles and responsibilities, liabilities, trading processes, and risk controls.
e. ETP operator must implement a comprehensive risk, surveillance and internal control framework to identify and prudently manage all operational risks.
f. Where applicable, ETPs must have procedures for testing and onboarding algorithmic trading systems and ensure that their systems and controls are adequate and effective for monitoring and managing risks arising from algo systems.
g. Surveillance systems and controls must be implemented to ensure fair and orderly trading and monitor trading activity on a real time and post facto basis.
h. Any conflict arising from the involvement of related parties or group entities must be disclosed to the RBI.
i. An annual IT/IS audit must be conducted by a Certified Information System Auditor (CISA) -certified or Indian Computer Emergency Response Team (CERT-In) empanelled auditor.
j. A quarterly report must be furnished on the functioning of the platform to RBI on or before the 15th day of the month following the quarter.
k. Annual report on compliance with the Directions and authorization conditions must be submitted to RBI by April 30 of the succeeding financial year.
l. Any event which causes operational disruption or market abuse must be immediately reported by the ETP operator to RBI.
9. Reserve Bank of India issued (Know Your Customer (KYC)) (Amendment) Directions, 2025 to enhance consumer protection and service:
June 12, 2025: RBI has issued the (Know Your Customer (KYC)) (Amendment) Directions, 2025 (Directions) which immediately amends the RBI KYC Directions, 2016. Some of the key amendments are as under:
a. For individual customers classified as low risk, Regulated Entities (REs) must allow all transactions and ensure that their KYC is updated within one year of the due date or by June 30, 2026, whichever is later.
b. Self-declaration from customers whose KYC details have undergone no change (or only change of address) can now be obtained by banks using business correspondent (BC).
c. BCs shall authenticate the self-declaration and supporting documents submitted in person and promptly forward the same to the concerned bank branch. An acknowledgment shall also be provided to the customer. Having said that, ultimate responsibility for ensuring timely KYC updation and informing customers, remains with the bank.
d. At least three advance notices shall be provided by REs to the customers and subsequent to the due date, at least three reminders shall be sent by the REs. These communications must include clear instructions, escalation mechanisms and potential consequences of non-compliance.
REs are mandatorily required to incorporate the aforementioned requirements of the Directions by no later than January 1, 2026.
II. Judgements:
High Court
1. Madras High Court holds that tapping of an individual's phone would violate the right to privacy:
June 20, 2025: In P Kishore v. The Secretary to Government and Others (Writ Petition No.143 of 2018 & WMP.Nos.206 & 207 of 2018), the Madras High Court (Court) has held that covert phone tapping to detect crime violates an individual's fundamental right to privacy, unless justified by the procedure established by law.
Facts of the case: The petitioner, P. Kishore, was the Managing Director of Everonn Education Limited, Chennai. On August 12, 2011, the Ministry of Home Affairs issued an interception order under Section 5(2) of the Indian Telegraph Act, 1885 (Telegraph Act), and Rule 419 A of the Telegraph Rules, 1951 (Telegraph Rules), authorizing phone tapping of Kishore's mobile in the name of "public safety" and "public order".
A few weeks later, the CBI filed an FIR alleging an IRS officer demanded INR 50 lakh bribe from Kishore to help M/s. Everonn Education Limited evade taxes. Kishore challenged the interception seeking quashing of the order and declaring tapped communications invalid.
Judgement: The Court held that the interception violated both Section 5(2) of the Telegraph Act and Rule 419-A of the Telegraph Rules. Under Section 5(2) of the Telegraph Act, telephone interception is permissible only in the event of a public emergency or in the interest of public safety. Referring to People's Union for Civil Liberties v. Union of India (AIR 1997 SC 568), the Court reiterated that interception is valid only when either of these two conditions exists and when it is necessary in the interest of sovereignty, state security, foreign relations, public order, or prevention of incitement to an offence.
In the present case, the Court held that the surveillance was carried out secretly, which did not meet the statutory thresholds. Further, the intercepted material was not placed before the Review Committee as required under Rule 419-A of the Telegraph Rules. Reaffirming that any intrusion into privacy must follow a procedure established by law, the Court set aside the interception order as unconstitutional and held that the material collected was inadmissible for any purpose.
2. Madras High Court upholds Tamil Nadu government's power to regulate online real money games in public health interest and affirms that the right to privacy is not absolute:
June 03, 2025: In Play Games 24x7 Private Limited Vs. State of Tamil Nadu (2025 SCC OnLine Mad 2615), the Madras High Court upheld the legality of the Tamil Nadu government's regulatory framework that mandates Aadhaar-based KYC verification and imposes a ban on online real money games during late-night hours.
Facts of the case: The petitioners, including companies like Play Games 24x7, Junglee Games, and Winzo Games, argued that the new regulations—framed under the Tamil Nadu Prohibition of Online Gambling and Regulation of Online Games Act, 2022 (Act), and the Tamil Nadu Online Gaming Authority (Real Money Games) Regulations, 2025 (Regulations) — were unconstitutional. In particular, the gaming companies opposed Section 5(2) read with Section 14(1)(c) of the Act, along with Regulation 4(iii) and Regulation 4(viii) of the Regulations, which mandate Aadhaar-based KYC and prohibit access to real money games between 12 am and 5 am.
Judgement: On the aspect of Aadhaar-based KYC, the Court held that Aadhaar is the most effective form of age verification because it includes a two-factor authentication process, making it more difficult for minors to access real money gaming platforms. The Court explained that by insisting on Aadhaar, it would become difficult for minors to misuse the documents unless they have access to the registered mobile number also.
The petitioners also argued that the night ban, termed as "blank hours" violated the principle of proportionality and targeted online gaming unfairly compared to other digital services like OTT platforms and social media. The Court ruled in favour of the State that defended the regulation by highlighting public health concerns. The Court held that regulation becomes a priority to ensure the safety and protection of the general public.
Ultimately, the Court held that the relevant provisions of the Act and Regulations were deemed constitutionally valid and proportionate to the larger goal of societal welfare.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
