JSA in
News

The freshly-minted data protection rules will require companies to give clear notice seeking consent for processing personal data of individuals, mandate prompt 72-hour data breach notification, and allow for erasure of data after its purpose has been served. Probir Roy Chowdhury, Partner, JSA Advocates & Solicitors, described the rules as a major step in operationalising India’s privacy framework. He called on businesses to move from high-level planning to practical implementation over the next 18 months to balance user rights with regulatory certainty and business needs. Read more

The story also appeared in News Drum. CXO Today

As India enters a new era of enforceable data governance, industry leaders say the next 18 months will determine whether companies simply comply or transform trust into competitive advantage. India’s notification of the Digital Personal Data Protection (DPDP) Rules, 2025 has triggered one of the most significant shifts in the country’s technology and business landscape in over a decade. The regulations transform India from a disjointed patchwork of sectoral and IT guidelines into an organized, enforceable privacy regime supported by quantifiable expectations, explicit requirements, and a new enforcement body called the Data Protection Board (DPB). Probir Roy Chowdhury, Partner, JSA Advocates & Solicitors, adds that with staggered timelines and the DPB now operational, “businesses need to shift focus from high-level planning and sensitisation to actual implementation. The next 18 months will be critical.” Read more

Laying out the operational framework for data protection in India, the Ministry of Electronics and Information Technology (MeitY) has officially notified the Digital Personal Data Protection (DPDP) Rules, 2025. The new notification comes after the government included objections and suggestions on the draft DPDP Rules, 2025, issued in January 2025. Businesses have an 18-month window to comply with core obligations. “With the Data Protection Board now established and staggered compliance timelines taking effect, businesses need to shift focus from high-level planning and sensitisation to actual implementation of obligations. The next 18 months will be critical for achieving the right balance between user rights, regulatory certainty and business practicality,” says Probir Roy Chowdhury, Partner-JSA Advocates & Solicitors. Read more

The Digital Personal Data Protection Rules 2025 give citizens control over their personal data and privacy in online spaces and mitigate misuse. While some provisions will be implemented immediately, others will come in a phased manner over 12-18 months. “With the strict consent requirements, enhanced data security and breach notification protocols, and data retention and erasure being regulated India moves to a more global compliance level for data protection,” feels Sajai Singh, Partner at JSA Advocates & Solicitors. Probir Roy Chowdhury, Partner at JSA Advocates & Solicitors feels that the DPDP Rules notification is a “major step in operationalising India’s privacy framework”. He added that with the compliance roll-out planned, businesses need to shift focus from planning and sensitisation to implementation of obligations. “The next 18 months will be critical for achieving the right balance between user rights, regulatory certainty and business practicality,” Roy Chowdhury added. Read more

The clock has started ticking for enterprises to align with the newly notified Digital Personal Data Protection (DPDP) Rules, with experts saying that the 18-month transition must be treated not as a grace period but as an execution runway. Although the phased rollout offers breathing room, companies will have to move fast on redesigning consent architecture, notices, governance structures, vendor contracts, breach-response systems and international data transfer flows to avoid bottlenecks as the deadline approaches. Probir Roy Chowdhury, Partner, JSA Advocates & Solicitors, said that with the Data Protection Board getting operational first, and staggered compliance kicking in, the next year and a half will be crucial for shifting from planning to on-ground execution while balancing user rights with business practicality. Read more

Big Sale and festival Diwali Dhamaka ads are set to become a thing of the past following the notification of the Digital Personal Data Protection Rules 2025. Under the rules notified on Friday, companies have 18 months to overhaul existing mechanisms and make way for consent-driven management of personal data. Probir Roy Chowdhury, Partner, JSA Advocates & Solicitors, said all of this will drive compliance costs significantly. Until now, companies have never needed to build stringent data protection compliance mechanisms to operate in India. “Key drivers for cost will include legal and consultancy fees, appointing data protection professionals, building, implementing and maintaining technical systems to ensure compliance, staff training and audits,” he said. Read more

Businesses, especially SMEs, are going to be hard-pressed when it comes to complying with consent management, data processing restrictions and other provisions of the Digital Personal Data Protection (DPDP) Rules within 18 months, according to experts. Probir Roy Chowdhury, Partner -JSA Advocates & Solicitors, said the firm had raised concerns regarding this provision during consultations. “This requirement/disclosure will definitely be operationally burdensome to implement – particularly, when dealing with an ongoing breach. This will not create significant company liability, provided companies can demonstrate a bona fide effort to comply,” said Chowdhury. Read more

India’s newly notified Digital Personal Data Protection (DPDP) Rules have triggered a moment of reckoning for the country’s micro, small and medium businesses- many of whom rely heavily on digital customer acquisition, third-party tech tools, and low-cost data infrastructure. While the law marks a long-awaited shift toward global-grade privacy protections, its operational demands pose the steepest challenge for the smallest players in the ecosystem. JSA Partner Raj Ramachandran says stakeholders “have about 12–18 months to comply… a welcome move,” but for MSMEs with no existing data frameworks, even 18 months will require accelerated execution. Read more

India’s Digital Personal Data Protection (DPDP) Act, 2023, was brought into effect on Friday as the ministry of electronics and IT (Meity) notified the rules and set up a four-member board for data protection. For startups, compliance with the Act becomes increasingly important, not just for the sake of running their businesses, but also for ensuring they’re above board when venture capital investors, looking to fund them, conduct their due diligence. “There’s been unnecessary hoarding of data, which startups will now have to re-evaluate, because now the law is very clear,” said Raj Ramachandran, partner at JSA Advocates & Solicitors. Read more

Are the new norms for banks in M&As restrictive? Anish Mashruwala, finance chair and partner at JSA Advocates & Solicitors, reasons the draft has a clear regulatory lens in signalling the proposed relaxation. Besides the value limit cap, there’s also the fact that Tier-I capital of banks will be at varying levels and that may itself not provide a level playing field as the restriction will not apply equally in terms of value. “Having said that, I understand that even banks having larger Tier-I capital reserves have voiced that the value limit based on the 10 per cent cap is limiting in the current market scenario,” he says. Read more

The Reserve Bank of India’s (RBI) proposed guidelines to revamp the external commercial borrowings (ECB) framework is likely to become a game changer in acquisition financing, believe bankers and analysts. However, banks added that further relaxation, in terms of an increase in acquisition financing limit from the proposed 10% of their Tier-1 capital to anywhere between 20%-40%, will help in funding bigger deals. “Raising this limit is not just a matter of competitiveness, it’s a strategic imperative taking into consideration the risk factors associated with this line of credit,” said Pratish Kumar, Partner at JSA. He added that Indian banks, especially those with overseas subsidiaries and IFSC branches, are now empowered under the draft ECB norms to extend rupee or foreign currency-denominated ECBs. “This means they can directly participate in acquisition financing deals without being constrained by jurisdictional compliance hurdles. A higher cap would allow these offshore arms to deploy capital more meaningfully, supporting Indian borrowers in cross-border M&A and private credit transactions,” he added.  Read more

UK high court recently ruled in favour of the London based artificial intelligence firm Stability Al in a copyright infringement case in which international photo agency Getty Images had claimed the former had copied millions of its images. Getty’s pictures were used to train the Stability AI model, and the ruling is seen as a setback for copyright Owners. Last week also saw online marketplace Amazon filing a case against Perplexity Al in the US for its ‘agentic’ shopper that helps consumers choose the best and cheapest products online. “As more Al-generated content is out, the number of lawsuits will increase. Cases by music labels are already pending in the Indian courts claiming their copyright music content was used for training AL,” said Akshaya Suresh, partner at national law firm JSA. An expert in technology laws, AI, privacy and data protection, Suresh said that the row with Perplexity could affect Prime Video too. “Amazon has said that Perplexity’s AI agent is messing with its algorithms and bypassing its technical safeguards in e-commerce. Nothing stops it from altering recommendations for Prime Video audiences affecting viewership and eventually the economics of the business,” she said. Read more