Information Technology Law Practice
Our Information Technology practice advises on the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, intermediary guidelines compliance, cybersecurity incident response obligations, and the IT law dimensions of technology contracts and digital infrastructure. For businesses operating digital products, platforms, and data-dependent services in India, compliance is both a legal obligation and a commercial necessity — data breaches, regulatory non-compliance, and cybersecurity incidents carry consequences that are difficult to manage retrospectively.
- The DPDP Act, 2023 requires data fiduciaries to obtain valid consent before processing personal data, observe purpose limitation and data minimisation, implement security safeguards, respond to data principal rights requests, and notify breaches.
- Intermediaries under the IT Act, 2000 and the IT (Intermediary Guidelines) Rules, 2021 must meet specific due diligence requirements to qualify for safe harbour protection from liability for third-party content.
- Cybersecurity incidents affecting specified categories of entities must be reported to CERT-In within six hours under the CERT-In Directions, 2022. Many businesses outside the critical infrastructure definition also face mandatory reporting obligations.
- Technology service contracts must address data processing obligations, IP ownership, security requirements, and breach notification in a manner that is operationally meaningful under the current regulatory framework.
- The IT Act, 2000 creates civil liability under Section 43A for bodies corporate handling sensitive personal data with inadequate security practices, alongside the DPDP Act obligations.
-
DPDP Act Compliance — Our Implementation Advisory
We implement DPDP Act compliance programmes: data mapping and classification; consent architecture design meeting the Act’s requirements for valid consent; privacy notice and policy documentation; data retention and deletion frameworks; data principal rights workflows (handling access, correction, and erasure requests within the Act’s required timelines); security safeguard implementation; and breach notification procedures. We advise clients that DPDP Act compliance is a product and operational design exercise — it must be built into the product and business processes, not added as a legal layer on top of a non-compliant architecture.
Intermediary Obligations and Safe Harbour
We advise digital platforms, social media intermediaries, online marketplaces, and content platforms on their obligations under the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. Safe harbour protection under Section 79 of the IT Act, 2000 is conditioned on the intermediary meeting specified due diligence obligations — publishing terms of service and privacy policy, removing specified categories of unlawful content within prescribed timelines, and appointing a Grievance Officer. We advise on compliance with these requirements and on the response to court orders and government directions for content removal.
“DPDP Act compliance is a product and operational design exercise, not a legal drafting one. We engage at the product architecture stage alongside engineering teams — not retrospectively after a product is live.”Cybersecurity Incident Response
We advise on cybersecurity incident response planning and on managing the legal obligations that arise when an incident occurs. The CERT-In Directions, 2022 impose mandatory incident reporting within six hours for specified categories of incidents affecting cloud service providers, data centres, VPS providers, and VPN providers. For incidents involving personal data, the DPDP Act imposes separate breach notification obligations. We advise on the interaction between these requirements and on building a response process that satisfies both simultaneously.
Technology Contracts and Digital Infrastructure
We draft and review technology contracts — software licensing agreements, SaaS agreements, cloud services agreements, system integration contracts, and data processing agreements — advising on IP ownership, data protection obligations, service levels, liability allocation, and exit mechanisms. For digital infrastructure investments, we advise on data localisation obligations under applicable sector-specific regulations, and on the structuring of infrastructure transactions. Across 13 partners and 220+ professionals from offices in New Delhi, Mumbai, Chennai, Hyderabad, and Bangalore.
Frequently Asked Questions
information-technology-law-practice-faq
The Digital Personal Data Protection Act, 2023 requires data fiduciaries (entities that determine the purpose and means of processing digital personal data) to: obtain valid and informed consent from data principals before processing; process personal data only for the specified purpose; implement security safeguards proportionate to the risk; respond to data principal requests for access, correction, and erasure within prescribed timelines; notify data principals and the Data Protection Board of significant data breaches; and appoint a Data Protection Officer where designated as a significant data fiduciary. The Act’s rules are pending and will add further detail to these requirements.
Section 79 of the Information Technology Act, 2000 provides that an intermediary is not liable for third-party information, data, or links made available through its system if it does not initiate the transmission, does not select the receiver, and does not select or modify the information transmitted. Safe harbour is conditioned on the intermediary observing the due diligence requirements under the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. An intermediary that fails to observe these requirements loses safe harbour protection.
The CERT-In Directions issued in April 2022 require cloud service providers, data centre operators, virtual private server providers, VPN service providers, and virtual asset service providers to report specified categories of cybersecurity incidents to CERT-In within six hours of becoming aware. All entities are required to report incidents involving vulnerabilities, malicious code, ransomware, and targeted scanning within six hours. System clocks must be synchronised to the NTP server of the National Informatics Centre or NPL, and logs must be maintained for 180 days within Indian jurisdiction.
The IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 under the IT Act, 2000 apply to bodies corporate collecting sensitive personal data (biometric, financial, medical, sexual orientation, etc.) and require reasonable security practices and the consent of the provider before disclosure. The Digital Personal Data Protection Act, 2023 creates a broader framework applying to all digital personal data, not only sensitive data, and introduces the consent, rights, and Board framework that the 2011 Rules do not. Both instruments continue in force until the DPDP Act fully displaces the 2011 Rules in their overlapping scope.
Data ownership in a SaaS arrangement is determined by the contract between the parties, not by any general rule of law. In the absence of express contractual provisions, the data generated by the customer’s use of a SaaS platform is likely to be treated as the customer’s data (since it relates to the customer’s business), but the platform provider may have a contractual licence to use aggregated or anonymised data for product improvement. The DPDP Act, 2023 overlays data principal rights on this commercial framework — the customer remains the data fiduciary for personal data of its users even where it processes that data through a SaaS platform.