Background Six years after the Supreme Court ruled that the right to privacy falls within the ambit of Article 21 of the Constitution of India in Justice Puttaswamy (Retd) v. Union of India, India has finally enacted the Digital Personal Data Protection Act, 2023 (Act), published in the Gazette of India on 11 August 2023. The Act saw a tumultuous path towards enactment which started with the appointment of a special committee headed by Justice B N Srikrishna followed by the introduction of several drafts and severe criticisms surrounding them. This legal update is prepared with the objective to provide you with a brief overview of the Act and implications on its non-compliance as it is applicable to every organisation (small or large) in India. Scope and Applicability | Personal Data The Act defines ``personal data`` as any information that can pinpoint an individual’s identity and processing of personal data entails various activities such as gathering, storing, utilizing, and sharing of such data. The Act covers the handling of digital personal data in India, whether collected online or offline, as long as it is in digital form. Additionally, the Act applies to processing personal data outside India if it is related to providing goods or services within India. The Act however does not apply to personal data that is made publicly available by the person to whom such personal data relates; or to any other person who is obligated under any law for the time being in force in India to make such personal data publicly available. Consent | Data Principal The Act emphasises that before processing any personal data, a Data Fiduciary, i.e. a person who processes personal data (Data Fiduciary), must take consent from the Data Principal, i.e. the individual to whom the personal data relates (Data Principal). In order to take consent, the Data Fiduciaries must first provide a notice specifying the particular personal data to be collected and the specific purpose for which it will be used (Notice). The consent given by the Data Principal shall be limited only to the extent of the specific purpose as made out in the Notice and any consent taken beyond the specific purpose shall not be considered valid. A Data Principal may also appoint a consent manager, i.e. a person registered under the Act to act as a single point of contact to enable a Data Principal to give, manage, review and withdraw their consent through an accessible, transparent and interoperable platform (Consent Manager). A Consent Manager shall be accountable to the Data Principal under the Act and a Data Principal shall have a right of redressal of grievances by the Consent Manager. Further, Data Principals retain the right to revoke their consent at any time upon which the Data Fiduciary shall within a reasonable time cease and cause its data processor, i.e. a person who processes the personal data on behalf of a Data Fiduciary, to cease the processing of the personal data of such Data Principal. Obligations of Data Fiduciaries The Act places substantial responsibilities on the Data Fiduciaries. These obligations encompass making reasonable efforts to ensure data accuracy and completeness, establishing security measures to prevent data breaches, promptly notifying both the Data Protection Board of India and affected Data Principal in the event of a breach, and erasing personal data once its intended purpose is fulfilled and legal retention is no longer necessary. Further, if a Data Fiduciary sends personal data to a data processor, the Data Fiduciary is liable for the actions/ inactions of the data processor. Rights and Duties of Data Principals The Act further acknowledges the rights of the Data Principals. These rights encompass the ability to obtain information about how their data is being processed, request corrections or erasure of their personal information, nominate a representative in case of incapacity or death, and seek remedies from the Data Fiduciary of any grievance they may have. Certain responsibilities have also been imposed upon the Data Principal such as refraining from making false or unnecessary complaints and providing accurate information. Cross-border Data Transfer The Act allows personal data to be transferred beyond India, except to countries which may be specifically notified by the Central Government. This provision however does not restrict the applicability of any law for the time being in force in India that provides for a higher degree of protection for or restriction on transfer of personal data by a Data Fiduciary outside India. Significant Data Fiduciaries Under the Act, the Central Government may notify any Data Fiduciary or class of Data Fiduciaries as a significant data fiduciary, on the basis of an assessment of relevant factors a such as the volume and sensitivity of personal data being processed, potential risk to the rights of Data Principal, impact on the sovereignty and integrity of India, security of the State and public order. Entities that are notified as significant data fiduciaries have to maintain extra compliances such as conducting independent and periodic data audits and appointing a data protection officer and an independent data auditor to gauge the impact of their actions and ensure compliance with the regulations. Data Protection Board of India The Act envisages the appointment of a Data Protection Board of India (Board) to be established through a notification by the Central Government to that effect. The Board shall act as the adjudicating body for any breach of personal data. Breach of Personal Data Personal data breach has been defined under the Act as any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.     In case of a breach of personal data, the Data Fiduciary must immediately inform the Board as well as the Data Principal, whose personal data was breached. The Board would then inquire into the breach. If the Board is of the opinion that there are insufficient grounds to proceed with the complaint, it may close the proceedings and impose costs if the Board believes that the complaint was frivolous. If after inquiring into the complaint, the Board believes that there are sufficient grounds to proceed with the complaint, it shall conduct a further investigation into the complaint. After investigating into the complaint, the Board may issue interim orders. If the Board believes that there has been a breach of personal data, the Board may impose a penalty which can range from Rs 10,000 (Indian Rupees Ten Thousand) to Rs 250,00,00,000 (Indian Rupees Two Hundred and Fifty Crores). The specific penalties have been laid down in the Schedule of the Act. While deciding the amount of the monetary penalty, the Board shall look into the following matters:   the nature, gravity and duration of the breach;   the type and nature of the personal data affected by the breach;   repetitive nature of the breach;   whether the person, as a result of the breach, has realised a gain or avoided any loss;   whether the person took any action to mitigate the effects and consequences of the breach, and the timeliness and effectiveness of such action;   whether the monetary penalty to be imposed is proportionate and effective, having regard to the need to secure observance of and deter breach of the provisions of the Act; and   the likely impact of the imposition of the monetary penalty on the person.     Any person aggrieved by the order of the Board may appeal to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) within 60 days from the date of receipt of Order of the Board, and the TDSAT shall dispose of the appeal within 60 days of the presentation of the appeal. The TDSAT shall have all the powers of a civil court. Additionally, the Board has the power to direct any complaint to be resolved through mediation.   MHCO Comment: In this age of inevitable digitalisation of all personal information, the Act comes as a welcome move to protect people’s privacy. However, a perusal of the Act shows that the Central Government has been given significant powers such as the powers of exclusion of specific Data Fiduciaries and instrumentalities of the State from the ambit of the Act and to notify a Data Fiduciary as a significant data fiduciary. Concerns about inordinate Executive interference may hence arise and this could alter the effectiveness of the Act. This would also make the Rules to be notified under the Act essential in carving out the operative aspects of the Act. Further the Act suffers from the practical difficulty of a lack of timeline for the appointment of the Board by the Central Government without which the Act would be remain powerless. It is also very ambitious of the Act to envisage compliance with the heavy obligations imposed upon all the Data Fiduciaries, considering the wide ambit of the term, which would also cover under it the smallest of enterprises such as photocopy stores which receive bulks of personal data on a daily basis. Such obligations also include the establishment of grievance redressal mechanisms by every Data Fiduciary. The severity of the obligations imposed upon the Data Fiduciaries stands further enhanced when the burdensome penalties laid down under the Act are considered. The Act hence has a large feat to accomplish. Author: Bhushan Shah - Partner | Veena Hari - Associate

The Jan Vishwas (Amendment of Provisions) Act, 2023 (Act), was approved by the President on 11 August 2023. Its enforcement will be determined by the Central Government through notification, with varied dates for amendments in the Schedule. The Act led by the Commerce and Industry Minister, seeks to ease daily life and business operations by amending 183 provisions in 42 Central Acts under 19 Ministries. It aims to decriminalize these provisions for a more business-friendly environment. BACKGROUND The Minister of Commerce and Industry spearheading this initiative suggests that the focus might be on creating a more business-friendly environment and fostering a culture of entrepreneurship. By decriminalizing provisions within these Central Acts, the government may intend to encourage risk-taking, innovation and investment by providing greater legal clarity and reducing the fear of unintended legal consequences. However, while the proposal to decriminalize provisions is aimed at streamlining processes and fostering economic growth, it is important to carefully consider the implications of such amendments. Striking a balance between promoting ease of business and ensuring accountability and responsible conduct is crucial. Some provisions might be related to public safety, consumer protection, environmental safeguards, and more, which need to be assessed thoroughly to prevent any negative consequences. The effectiveness of this legislation would depend on the specifics of the amendments, the clarity of language used, and the mechanisms put in place to ensure that the intended benefits are realized without compromising on the larger interests of society. PURPOSE OF THE ACT The Act serves a twofold purpose; one to elevate both the quality of everyday life and second to promote the business environment in the nation. By targeting a wide array of sectors like agriculture, media, health, and the environment, the proposed amendments aim to address outdated or problematic aspects of these Acts. The Act’s intent is to streamline and modernize these regulations, fostering a more business-friendly climate and simplifying the lives of citizens. The Act reflects a comprehensive effort to harmonize legal frameworks with contemporary needs, thereby promoting ease of living and facilitating smoother business operations across diverse sectors. KEY HIGHLIGHTS     Fines and penalties in multiple provisions to increase by ten percent of the minimum amount every three years. A total of 183 provisions across 42 Central Acts, overseen by 19 Ministries/Departments, to be decriminalized. Decriminalization achieved through various methods:   Elimination of both imprisonment and/or fines in certain provisions;   Removal of imprisonment while retaining fines in select provisions;   Elimination of imprisonment while increasing fines in specific provisions;   Conversion of imprisonment and fines to penalties in some cases;   Introduction of compounding of offenses in a few provisions;   NATURE OF AMENDMENTS The changes suggested in the Act aim to make certain provisions less focused on punishment by taking actions like eliminating imprisonment and increasing the fines, and introducing penalties or alternatives. These changes aim to streamline punitive measures within the legal framework to achieve desired outcomes. For example, some of the proposed amendments in the Drugs and Cosmetics Act, 1940 (Drugs and Cosmetics Act) are: the current provisions of Section 27(d) and Section 27A(ii) of the Drugs and Cosmetics Act mandate imprisonment of up to 2 years and a minimum fine of INR 20,000 for spurious cosmetics, adulterated drugs, certain drug and cosmetics-related convictions. Proposed amendments suggest a compounding option for violations, through an addition to Section 32(B) of the Drugs and Cosmetics Act. Similarly, Section 29 of the Drugs and Cosmetics Act provides for penalties for misusing a government analyst's report for drug/cosmetic advertising. The Act proposes to increase the penalty for the above mentioned violation from INR 5,000 to INR 1,00,000. The amendment to Section 30(2) of the Drugs and Cosmetics Act proposes replacing imprisonment with a fine of INR 5,00,000 for subsequent offenses involving the same violation. These changes aim to provide legal clarity and streamline penalties. Under the proposed amendments to the Trade Marks Act, 1999 (Trade Marks Act), the Act aims to strengthen penalties for specific offenses and introduce two new sections concerning penalties and appeals. It grants authority to a designated officer for adjudication and penalties related to Trade Marks Act violations. Proposed Section 112B outlines the appeal process, requiring the aggrieved party to appeal within 60 days, and the appellate authority to address appeals within 60 days of filing. Additionally, the Act empowers the Central Government to create rules for inquiry and appeals. Further, under the Customs Act, 1962 (Customs Act) the Commissioner of Customs can request information on goods with false trademarks, and non-compliance results in a fine of INR 10,000. The Act extends this power to the Customs Act authority for penalty imposition and collection.   MHCO Comment: In conclusion, the Act marks a significant step towards fostering a business-friendly environment and enhancing ease of living. By decriminalizing provisions and introducing streamlined penalties, it aims to encourage innovation, investment, and entrepreneurship. This proactive approach has the potential to boost economic growth and simplify legal processes. However, the challenge lies in striking the right balance between promoting ease of business and ensuring answerability, especially in cases involving public safety and consumer protection. While the Act holds promise for improving the regulatory landscape, careful implementation and monitoring will be crucial to prevent any unintended negative consequences and to maintain societal interests.   Author: Shreya Dalal - Associate Partner | Sayali Puri - Senior Associate

The recent judgement of Shreepati Build Infra Investment vs Abhiyan Developers, NCLT illustrates amendments to the Insolvency and Bankruptcy Code, 2016 (IBC) can significantly impact the maintainability of insolvency proceedings. This case revolves around a dispute stemming from a real estate transaction and hinges on the crucial provisions of the IBC that dictate the eligibility of applicants to initiate Corporate Insolvency Resolution Process (CIRP). BACKGROUND The dispute centres on a real estate transaction between Abhiyan Developers Private Limited (Financial Creditor) and Shreepati Build Infra Investment Limited (Corporate Debtor). The Financial Creditor entered into an agreement to purchase a flat for consideration of INR 3,50,00,000. However, due to inadequate permissions and approvals, the Corporate Debtor was unable to proceed with construction. Subsequently, the amount was restructured into a loan account, with an agreement for repayment, inclusive of a 15% cumulative interest, compounded quarterly. Despite these terms, no payment was forthcoming. On 10 August 2018, the Financial Creditor filed a company petition under Section 7 of the IBC, which was admitted on 29 October 2021. However, the Corporate Debtor challenged the admission order, leading the NCLAT to set it aside and remand the case back to the NCLT. Thereafter, the Corporate Debtor filed an Interim Application (IA) under Section 60(5) of the IBC, along with Rule 11 of the NCLT Rules, 2016 to bring forth the NCLAT's order and to consider the objection regarding the maintainability of the case, particularly in light of the amended provisions of the IBC. HELD The NCLT allowed the IA while holding that the CIRP application filed by the Financial Creditor is not maintainable. The NCLT’s decision was profoundly influenced by the amended provisions of the IBC, particularly Section 7, which reads in the following manner: “7. Initiation of corporate insolvency resolution process by financial creditor.— (1) A financial creditor either by itself or jointly with 5 [other financial creditors, or any other person on behalf of the financial creditor, as may be notified by the Central Government,] may file an application for initiating corporate insolvency resolution process against a corporate debtor before the Adjudicating Authority when a default has occurred. …. Provided further that for financial creditors who are allottees under a real estate project, an application for initiating corporate insolvency resolution process against the corporate debtor shall be filed jointly by not less than one hundred of such allottees under the same real estate project or not less than ten percent of the total number of such allottees under the same real estate project, whichever is less: …” Nature of Transaction: The NCLT affirmed the core nature of the transaction as a builder-allottee relationship, as per the agreement dated 15 February 2011. According to the NCLT, even in the presence of subsequent agreements, the fundamental nature of the transaction remained unaltered. Consequently, the Financial Creditor retained its status as an allottee within the purview of Section 2(d) of the Real Estate (Regulation and Development) Act, 2016 (RERA). This classification positioned it as a "financial creditor" to whom a "financial debt" is owed, as per Section 5(7) and Section 5(8)(f) of the IBC respectively. Amendment to Section 7: The NCLT drew attention to the critical amendment to Section 7 of the IBC, which came into effect on 28 December 2019. This amendment, as extracted hereinabove, stipulated that applications for initiating CIRP against Corporate Debtors involved in real estate projects must be filed by not less than 100 allottees under the same real estate project or not less than 10% of the total number of such allottees, whichever is less. Non-Maintainability: The pivotal outcome was that the main Company Petition had been filed by a single allottee, without complying with the revised provisions, rendering it non-maintainable. The Financial Creditor had not taken the necessary measures to ensure that the application was jointly filed by the required number of allottees. MHCO Comment: The above-mentioned case underscores the critical significance of the amended provisions in the IBC, particularly the requirement for not less than 100 allottees or not less than 10% of the total number of such allottees to initiate CIRP proceedings against a Corporate Debtor in the context of real estate transactions. However, the Hon’ble NCLT seems to have forgone one of the cardinal rules of contractual relations i.e., parties to the contract are free to alter its terms by mutual consent as long as such alterations are permissible by law. Despite the Corporate Debtor having consented to change the amount given as a loan transaction, the NCLT chose to stick to its original nature. This draws attention to the extent to which the NCLT can go in order to determine the true nature of a debt and where it falls under the scope of IBC. In essence, it highlights the need for stakeholders to stay abreast of changes in the law and adapt their strategies accordingly to navigate the complex terrain of insolvency in the real estate sector. Author: Bhushan Shah - Partner | Aditya Sarangarajan - Associate

A well-functioning capital market is the backbone of the financial structure of a nation. As competition and complexities in the market increase, it becomes imperative to address customer disputes promptly and efficiently. Securities and Exchange Board of India (SEBI) plays a vital role in regulating and monitoring the Indian capital and securities market, where investors expect a fair and accessible system for complaint management and dispute resolution when their funds are affected by market participants’ errors or misconduct. A robust mechanism is essential for increasing retail investor engagement and ensuring efficient capital market operations SCORES The complaint management system of SEBI includes an online platform known as the 'SEBI Complaint Redress System (SCORES). Investors can use SCORES to lodge complaints with SEBI against the authorized intermediaries and listed firms under (a) SEBI Act, 1992; (b) Depositories Act 1996; (c) Securities Contract Regulation Act, 1956; and (d) Companies Act 2013. Investors having accounts with depository participants or brokers can resolve disputes within a three-year limitation period for complaint submission from the date of cause of action. If a stock exchange or depository does not resolve an investor grievance, then Investors can file for arbitration under the rules and regulations of that stock exchange or depository. Arbitration Mechanism of SEBI SEBI provides for an arbitration mechanism for resolving disputes between clients and members in accordance with the provisions of the Circular dated 11 August 2010, read with Section 2(4) of the Arbitration and Conciliation Act, 1996 (1996 Act) The panel of arbitrators is formed by considering the following factors: age, qualifications, and experience in financial services. Arbitrators from all stock exchanges with nationwide trading terminals will form a "Common Pool." If parties fail to choose arbitrators from this pool, an automated process will randomly select arbitrators. The limitation period for filing arbitration claims is 3 years. An arbitration reference for a claim/counterclaim up to Rs 25 lakhs shall be dealt with by a sole arbitrator, while a panel of 3 arbitrators shall deal with claims above Rs 25 lakhs. The appointment of arbitrators should be completed within 30 days from the date of receipt of the application from the applicant. The arbitration shall be concluded by issuing an arbitral award within four months from the date of appointment of arbitrators. The arbitration facility must be available at centers specified by SEBI as the place of arbitration. A party dissatisfied with an arbitral award has the right to appeal to the appellate panel of arbitrators. The appeal must be filed within one month of receiving the award, and the appellate panel must conclude the appeal within three months from the date of its appointment. SEBI`s New Dispute Resolution Mechanisms for Securities Market Entities On 3 July 2023, SEBI made a significant move by issuing amendments to the Alternative Dispute Resolution Mechanism. This amendment was approved during the SEBI Board Meeting in June 2023, wherein the they approved linking SCORES with the Online Dispute Resolution (ODR) platform. The Board has also accepted the proposals aimed at revitalizing SEBI SCORES. One significant change is to reduce response timelines and ensure quicker resolution for complainants. Moreover, complaints will now be automatically routed to the relevant regulated entities, expediting the process further. To ensure adherence to prescribed timelines, an auto-escalation mechanism will come into effect in cases where regulated entities fail to meet the required deadlines. This move emphasizes the importance of timely action and accountability. The SEBI has introduced an amendment through SEBI (Alternative Dispute Resolution Mechanism) (Amendment) Regulations, 2023 (ADR Regulations) in its following regulated entities, namely: merchant bankers, registrars to an issue and share transfer agents, debenture trustees, mutual funds, custodians, credit rating agencies, collective investment management companies, KYC registration agencies, alternative investment funds, investment advisers, research analysts, infrastructure investment trusts, real estate investment trusts, portfolio managers, foreign portfolio investors, and vault managers. These existing regulated entities were amended by the addition of a provision for a Dispute Resolution Mechanism through arbitration /conciliation /mediation. ADR Regulations mandate that all claims, differences, or disputes between these regulated entities and their clients/ investors arising from their activities in the securities market shall be submitted by the standardized procedure for the ADR mechanism. Additionally, the Board has embraced a hybrid mode of conducting proceedings, allowing for a more flexible and accessible approach. This decision aims to streamline the dispute resolution process.   MHCO Comment: SEBI's recent amendments to the ADR Regulations represent a significant advancement in safeguarding investor interests by implementing various measures to enhance the resolution process within the securities market. The primary objective is to create a transparent and efficient system by streamlining the process of resolving disputes between financial entities and their clients. These amendments are geared towards providing a secure market for investors and addressing their issues. Author: Purvi Shah - Partner