Technology Law and Data Privacy Updates

Latest News

Technology Law and Data Privacy Updates

Monthly Edition - August 2025

INDEX 

A. SUMMARY

B. NATIONAL UPDATES 

C. INTERNATIONAL UPDATES

United States of America

European Union

Others

D. ABBREVIATIONS

 

SUMMARY 

Welcome to this edition of Fountainhead Legal’s newsletter!

Laws are effective when they adapt to the changing times. Yet, when change occurs at an accelerated pace, innovation in the legal field becomes indispensable. While regulators worldwide continue to grapple with emerging technologies such as Web 3.0, blockchain, and artificial intelligence, the technology sector has already advanced to its next frontier—quantum technology. Quantum computing has the potential to revolutionize processing power and, with it, introduce a host of new legal and data privacy challenges, particularly given its ability to compromise encryption and password security. As the world awaits these advancements, we present below the key regulatory developments from August.

In India, the Government enacted the country’s first-ever Online Gaming Act, creating a national framework that recognises e-sports and social gaming while banning money-based games outright, with violations carrying up to five years’ imprisonment. On the financial front, the RBI’s FREE-AI Committee unveiled its Framework for Responsible and Ethical Enablement of AI, laying down seven guiding principles and 26 recommendations to balance innovation with accountability. In Parliament, the Union Minister of Information and Broadcasting clarified that amendments to the RTI Act under the DPDP framework do not dilute transparency but harmonise it with privacy protections, ensuring that disclosures still pass the ‘public interest’ test. At the same time, the Standing Committee on Home Affairs sounded alarm bells on cybercrime, flagging industrial-scale threats from ransomware, deepfakes, and ‘digital arrest’ scams, and urging tighter controls on platforms, watermarking of AI-generated content, and dedicated cyber response teams.

On the judicial front, the Supreme Court has stayed the Madras High Court’s order in the Google–Testbook dispute, allowing Google’s in-app billing system to remain in place for now, while it considers whether dominant platforms can compel the use of their proprietary payment models. The Government issued a Data Sharing Policy for the National Transport Repository, unlocking over 60 crore vehicle and licence records for governance, enforcement, and research via secure APIs on NIC’s NAPIX, but only with strict consent, audit, and localisation safeguards. Meanwhile, the Patent Office released revised guidelines for Computer-Related Inventions, clarifying the patentability of AI, blockchain, and quantum innovations, and industry consultations began on the National Data Centre Policy, 2025, aimed at making India a global hub for secure, sustainable digital infrastructure.

On the global front, Wyoming became the first U.S. State to issue its own blockchain-based stable token across seven blockchains, backed by U.S. dollar reserves and subject to monthly audits. In Europe, Austria delivered two GDPR milestones, its Federal Administrative Court struck down the controversial ‘Pay-or-Okay’ consent model as coercive, and its DPA order on user data access rights, rejecting generic privacy policies as insufficient. Elsewhere, New Zealand issued its first legislation governing Biometric data, imposing strict safeguards for sensitive data like facial and fingerprint scans, while the UN General Assembly adopted a resolution calling for international cooperation on AI governance. In Asia, the Thailand SEC launched a sandbox, a controlled pilot for digital payments by international visitors, covering wallets, blockchain settlements, and cross-border services under tight safeguards.

We hope you enjoy our latest updates!

NATIONAL 

1.  Government enacts First Ever Online Gaming Legislation [1]

India has entered a new regulatory era with the Promotion and Regulation of Online Gaming Act, 2025, (“Online Gaming Act”) which has now become law following Presidential assent and was published in the Official Gazette on 22 August 2025. This is the country’s first dedicated legislation to establish a uniform, national-level framework for online gaming by balancing innovation, consumer protection, and state oversight. The Online Gaming Act is a two-pronged framework as it promotes and recognises legitimate gaming formats such as e-sports, educational games, and social gaming, while placing an absolute ban on online money games that involve deposits, wagers, or financial stakes.  A dedicated Gaming Authority will oversee classification, registration, and grievance handling, while banks and intermediaries are barred from processing payments linked to money games. Violations, including running, advertising, or facilitating prohibited games, can lead to imprisonment of up to 5 years and fines extending to INR 2 crore for repeat offences, with offences classified as cognizable and non-bailable. The Online Gaming Act provides for user grievance redressal, blocking of illegal platforms, and authorisation of investigation powers for designated officers, including search and seizure across both physical and digital spaces. Further, the Central Government can order blocking of such services, notwithstanding anything in the IT Act or its rules. By combining promotion of skill-based innovation with strict consumer safeguards, the Online Gaming Act seeks to encourage a responsible digital gaming ecosystem while tackling risks of addiction, fraud, and unlawful activities.

The Online Gaming Act has not yet come into effect, though the Government is reportedly planning to implement it in the coming months. In the meantime, the existing patchwork of gaming laws will continue to apply.

While the Online Gaming Act is yet to come into force, this interim period is an opportunity for companies to get ahead. Businesses should review whether their games fall within permitted formats like e-sports or educational/social gaming, start building compliance and grievance redressal processes, reassess payment and advertising models in view of upcoming restrictions, and closely track government notifications. Taking these steps now will help companies avoid last-minute disruptions and position themselves as responsible players in India’s evolving gaming ecosystem.

2. RBI’s FREE-AI Committee charts Ethical Roadmap for AI in Finance[2]

The RBI’s FREE-AI Committee has released, Framework for Responsible and Ethical Enablement of Artificial Intelligence (FREE-AI) (“AI Framework”), setting out a forward-looking blueprint for AI adoption in the financial sector. The AI Framework highlights AI’s potential to enhance customer engagement, fraud detection, credit access, and supervisory tools, while also warning of risks such as bias, opacity, cybersecurity threats, and systemic vulnerabilities.

At the core of the AI Framework are seven guiding ‘Sutras’ i.e., trust, people first, innovation with responsibility, fairness, accountability, explainability, and resilience. These principles flow into 26 specific recommendations across two tracks: enabling innovation and mitigating risks. On the innovation side, the FREE-AI Committee calls for shared data and compute infrastructure, an AI innovation sandbox, funding support for smaller institutions, and development of indigenous financial sector-specific AI models. On the risk side, it prescribes board-approved AI policies, strong data governance, AI-specific audits, incident reporting, consumer protection safeguards, and cybersecurity measures.

The AI Framework stresses that governance must rest with the board, institutions must maintain AI inventories and disclosure frameworks, and accountability for outcomes lies with the deploying entity, not the algorithm or vendor.

The AI Framework is among the most comprehensive regulatory blueprints for AI in finance worldwide. By blending innovation enablement with stringent governance, the RBI signals that AI must serve inclusion, efficiency, and resilience, without compromising ethics or trust. If implemented, this framework could position India as a global leader in responsible AI regulation, shaping the future of fintech governance.

3. Union Minister clarifies RTI–DPDP Overlap[3]

There has been considerable public debate and institutional uncertainty over whether the DPDP Act diluted the right to seek information under the RTI Act, 2005. Section 8(1)(j) of the RTI Act exempts disclosure of personal information that has no relation to public interest or would cause an unwarranted invasion of privacy. Critics argued that the amendment to this provision, in light of the DPDP Act, could expand the scope of privacy exemptions and thereby restrict access to information, undermining transparency.

Addressing these concerns in the Lok Sabha, Union Minister of Information and Broadcasting clarified that the amendment merely aligns the RTI framework with the Supreme Court’s constitutional recognition of privacy in the landmark Justice K.S. Puttaswamy case. It was explained that while personal information is indeed protected from unwarranted disclosure, Section 8(2) of the RTI Act continues to allow release of such information if the larger public interest justifies it. In other words, the amendment harmonises privacy and transparency, rather than curtailing the citizen’s right to information.

4. Parliamentary Committee flags Rising Cybercrime Risks and calls for Stronger Safeguards[4]

The Department-related Parliamentary Standing Committee on Home Affairs (“Committee”) has tabled its 254th Report on Cybercrime – Ramifications, Protection and Prevention (“Cyber Report”) offering one of the most comprehensive reviews of India’s cyber threat landscape to date. The Committee notes that cybercrime has evolved from small-scale frauds to industrialised operations fuelled by Crime-as-a-Service platforms, AI-driven deepfakes, ransomware, and cloud vulnerabilities. Financial scams, identity theft, ransomware, and “digital arrest” frauds have surged, with the National Cybercrime Reporting Portal logging nearly 54 lakh complaints worth over INR 31,500 crore in losses since inception. The Cyber Report underscores the psychological and social toll of cybercrime, particularly on women and children targeted through cyberbullying, sextortion, and deepfakes, and warns of its national security dimension as transnational syndicates exploit cryptocurrencies, dark web markets, and human trafficking networks.

The Committee recommends tightening accountability for social media and digital platforms, including penalties for failing to comply with takedown directions. It calls for legal tools to counter AI-generated content and deepfakes, including watermarking norms to authenticate digital media. To strengthen institutional capacity, it has proposed State Cybercrime Coordination Centres to supplement the national I4C network, along with sector-specific Computer Security Incident Response Teams for healthcare, transport, and telecom. The Cyber Report further urges robust safeguards on OTT platforms, such as stricter age verification and review mechanisms for harmful content, and emphasises the need for transparent grievance redressal systems with fixed timelines to rebuild user trust.

5. Supreme Court steps into Dispute regarding Google’s In-App Billing Policy[5]

The Supreme Court has stayed further proceedings arising from the Madras High Court’s order in the dispute over Google India Digital Services Private Limited’s (“Google”) app store billing practices. The Madras High Court had earlier held that Google could not force Testbook Edu Solutions Private Limited to adopt its proprietary billing system, a ruling that aligned with broader concerns of app developers about high commissions and lack of choice. Google appealed, arguing that its billing system is integral to ensuring secure payments and platform integrity. By granting a stay, the Supreme Court has effectively put the High Court’s order on hold, keeping Google’s billing policy in force for now. The case raises a deeper issue i.e., whether dominant platforms can mandate their own payment systems as a condition of market access, or whether such policies cross into anti-competitive conduct. It sits at the intersection of competition law, digital platform regulation, and consumer rights.

6. Government notifies Policy for Data Sharing from the National Transport Repository[6]

The Ministry of Road Transport & Highways has released a comprehensive Data Sharing Policy for the National Transport Repository (“NTR”) (“Data Sharing Policy”), which houses over 39 crore vehicle records and 22 crore driving licence records from platforms like Vahan, Sarathi, e-Challan, e-DAR, and FASTag. The Data Sharing Policy aims to unlock transport data for governance, enforcement, research, and service delivery, while embedding strong privacy and security safeguards aligned with the DPDP Act.  Under the Data Sharing Policy, law enforcement and national security agencies will have full access to unmasked personal data for legitimate functions. Government departments and State Transport Authorities can draw upon NTR datasets for official duties, while academia and researchers will be restricted to anonymised or aggregated data. Citizens may access their own records and limited verification fields of others’ RCs or DLs, subject to usage limits. Private sector entities such as insurers, banks, and transport service providers may be granted access only with Aadhaar-based, OTP-driven consent from the individual concerned. Access will primarily be through secure APIs hosted on NIC’s NAPIX exchange, supported by audit trails, IP whitelisting, and annual security certifications from CERT-IN empanelled auditors. Bulk transfers are permitted only in exceptional cases, and all shared data must remain stored within India. Crucially, all recipients are deemed Data Fiduciaries under the DPDP Act, making them directly accountable for misuse, non-compliance, or breaches.

7. Patent Office issues New Guidelines for Computer-Related Inventions aligning with New Age Technologies[7]

The Office of the Controller General of Patents, Designs & Trademarks has notified the Revised Guidelines for Examination of Computer Related Inventions (CRIs), 2025 (“Revised Guidelines”) marking a major shift in how India approaches patents in emerging technologies. The Revised Guidelines include a stepwise methodology supported by flowcharts and more than 60 illustrative examples, to help examiners and applicants assess when a claim is excluded from patentability. For the first time, there is a dedicated chapter on AI, ML, Deep Learning, Blockchain, Quantum Computing, and Cloud Computing, offering scenario-based examples and disclosure requirements that highlight when such inventions can move outside the scope of exclusion. A jurisprudence chapter and extensive annexures further aid predictability in decision-making.

This development is a landmark moment for India’s patent ecosystem. By directly addressing AI, quantum, and blockchain within the CRI framework, the Patent Office has given inventors and applicants much-needed clarity on how disruptive technologies will be treated under Indian law.

8. Government holds Industry Consultation on National Data Centre Policy[8]

Government through the National e-Governance Division, recently convened an industry consultation on the draft National Data Centre Policy, 2025 (“Policy”), which seeks to position India as a global hub for trusted digital infrastructure. The Policy aims to expand India’s data centre capacity, streamline clearances, promote energy-efficient operations, and build resilience against cyber and physical risks. During the consultation, stakeholders from the data centre industry, cloud service providers, and allied sectors engaged with policymakers on land, power, connectivity, and regulatory bottlenecks.

The consultation highlights the Government’s push to make data centres not just enablers of cloud and AI adoption but also pillars of cyber resilience and green growth. The final contours of the policy will be closely watched by investors, as it could shape the competitiveness of India’s digital infrastructure ecosystem for the next decade.

INTERNATIONAL 

UNITED STATES OF AMERICA

9. Wyoming launches First State-Issued Stable Token[9]

Wyoming has become the first U.S. state to issue its own blockchain-based stable token with the launch of the Frontier Stable Token (“FRNT”). Backed by U.S. dollar, FRNT is designed to provide a secure and transparent medium for digital transactions.  This launch is considered a milestone in the State’s ongoing leadership in blockchain regulation, noting its track record of passing over 45 digital asset laws since 2016. FRNT aims to deliver instant settlement, low fees, and global accessibility, marking a new chapter in public-sector involvement in digital finance. FRNT has been deployed across seven blockchain networks, including Ethereum, Solana, and Polygon, with oversight mechanisms such as independent audits and monthly attestations to ensure transparency. It will soon be available on platforms like Kraken and Visa-linked payment systems, signalling Wyoming’s intent to set the benchmark for state-backed stable tokens in the U.S.

EUROPEAN UNION

10. Court ruled on ‘Pay-or-Okay’ Models for Online Publishers[10]

In a significant development for digital privacy, the Austrian Federal Administrative Court has upheld a ruling that a widely-used ‘Pay-or-Okay’ widely used by online publishers to force users into either accepting extensive tracking or paying a subscription is unlawful under the GDPR. The case arose from DerStandard.at, a major Austrian news outlet, which gave readers only two options, consent to advertising cookies and behavioural tracking, or pay to access content without such profiling. The Court found this approach to be incompatible with GDPR’s standard of ‘freely given’ consent, stressing that true choice requires both granularity and the absence of coercion. By conditioning free access on blanket tracking, the model left users with no meaningful option to refuse, effectively pressuring them into consent. The judgment also pointed to the abnormally high consent rates under such systems as evidence that users were being nudged rather than exercising autonomy.

This decision reshapes the debate on the future of online monetisation. Publishers argue that “Pay-or-Okay” helps sustain ad-funded journalism, but regulators and privacy advocates view it as a coercive trade-off between privacy and access to information. The ruling signals that simply offering a paid alternative does not legitimise invasive tracking practices. It sets a precedent not only for Austria but potentially for courts and regulators across Europe, raising the bar for what counts as genuine consent in the digital economy.

11. Austrian DPA upholds User’s Right to Data Access[11]

The Austrian Data Protection Authority has ruled against YouTube LLC for failing to properly respond to a user’s request for access to their personal data, reaffirming one of the core rights under the GDPR the right of every individual to receive a full copy of their data and details of how it is processed. The case was initiated by privacy group None of Your Business, which argued that YouTube’s incomplete disclosures fell short of the law. At issue was YouTube’s practice of directing users to general resources such as privacy policies or account dashboards, rather than providing a comprehensive, case-specific response. The DPA found that YouTube withheld critical details, including information about tracking cookies and data retention periods, which are essential for users to understand and exercise control over their information. By making clear that such evasive responses do not meet GDPR standards, the decision underscores that companies must deliver clear, complete, and individualised disclosures when users exercise their access rights.

The ruling sends a strong signal to global platforms that GDPR compliance is not satisfied by generic tools or references to policies. For regulators, it strengthens the enforcement of transparency obligations; for companies, it is a reminder that the right of access is non-negotiable and enforceable. This decision could prompt stricter scrutiny of how digital giants handle user requests, reshaping the practical landscape of data rights in Europe.

OTHERS

12. New Zealand introduces Legislation for processing of Biometric Information[12]

New Zealand has formally issued the Biometric Processing Privacy Code 2025 (“Biometric Code”) under its Privacy Regulations. This Biometric Code is the first of its kind in the country and sets legally binding rules on how organizations may collect, use, and store biometric information such as facial images, fingerprints, voice data, and iris scans. The primary objective of the Biometric Code is to ensure that the use of biometrics, often considered highly sensitive because of its permanent and unique nature, is subject to stronger safeguards than ordinary personal information.  Under the Biometric Code, businesses and Government agencies must meet stricter requirements before deploying biometric systems. They are required to show a clear and lawful purpose for using biometrics, ensure transparency with individuals, and adopt a “least intrusive” approach to achieve their goals. The Biometric Code also mandates conducting privacy impact assessments for high-risk activities, stronger security standards to prevent misuse or unauthorized access, and enhanced rights for individuals to understand and challenge how their biometric data is processed. Importantly, the Biometric Code prohibits certain practices outright, such as using biometrics for mass surveillance without explicit legal authority.

By introducing this framework, New Zealand aims to strike a balance between innovation and the protection of fundamental rights. Biometric technologies are becoming increasingly common in banking, travel, employment, and even everyday apps, but without clear rules, they risk eroding privacy and trust. The Biometric Code signals that while these tools can bring efficiency and security, they must be deployed responsibly, with fairness, accountability, and public confidence at the core.

13. UN Adopts Resolution on Global AI Governance[13]

The UN General Assembly has adopted Resolution A/79/L.118[14] (“Resolution”) on the promotion of safe, secure, and trustworthy artificial intelligence systems, recognising AI as a transformative technology that must be developed and deployed responsibly. The Resolution emphasises that AI should advance sustainable development, respect human rights, and be subject to safeguards that reduce risks of misuse.

Member States have been encouraged to strengthen cooperation on standards, capacity-building, and knowledge-sharing, while also addressing cross-border challenges such as bias, disinformation, and cybersecurity vulnerabilities. The Resolution further calls on Governments and private actors to ensure transparency, accountability, and inclusiveness in AI deployment.

This Resolution reflects a growing international consensus that AI governance requires multilateral frameworks rather than fragmented national approaches. While not binding, it underscores the UN’s intent to shape global norms, especially for developing countries seeking equitable access to AI benefits. The real test will be whether these commitments translate into practical cooperation such as interoperable standards and cross-border safeguards that can keep pace with the speed of AI innovation.

14. Thailand SEC launched Sandbox to Test Digital Payment for Visitors[15]

The SEC has introduced an innovative regulatory sandbox called TouristDigiPay (“Sandbox”) designed to test and promote safe digital payment solutions for international visitors. The Sandbox will run for 18 months and allows financial institutions, fintech firms, and other authorized service providers to pilot new payment products in a controlled environment. By creating this supervised space, the SEC aims to encourage innovation in Thailand’s financial ecosystem while ensuring that consumer protection and financial stability remain intact.

For tourists, the initiative seeks to make spending in Thailand easier, faster, and more secure by supporting payment tools beyond traditional banking channels. This could include digital wallets, blockchain-based settlement options, and cross-border payment services tailored for travelers. Importantly, companies joining the sandbox must comply with strict safeguards on cybersecurity, anti-money laundering, and data privacy, ensuring that experimental products do not put users at risk.

The Sandbox effectively functions as a controlled regulatory environment, enabling the development and evaluation of innovative digital payment mechanisms under the close supervision of the SEC. By allowing pilot projects to operate within a structured framework, the regulator ensures that novel payment solutions are subject to rigorous compliance standards before any wider adoption. Should these initiatives prove successful, they are expected to be scaled across Thailand’s financial landscape, thereby enhancing transactional efficiency for international visitors and reinforcing overall confidence in the country’s digital economy.

ABBREVIATIONS

CERT-In Indian Computer Emergency Response Team
DPA- Data Protection Authority
DPDP Act Digital Personal Data Protection Act, 2023
GDPR – General Data Protection Regulation (EU) 2018/1725
IT Act Information Technology Act, 2000
NAPIX – National Informatics Centre’s NIC API Exchange
NIC – National Informatics Centre
RTI – Right to Information Act, 2005
SEC – Security and Exchange Commission

Authors:

  • Rashmi Deshpande
  • Aarushi Ghai

Download File:

[1] https://www.meity.gov.in/static/uploads/2025/08/4f673438a686e3fa81dd2d277b445f42.pdf
[2] https://website.rbi.org.in/web/rbi/-/publications/reports/free-ai-committee-report-framework-for-responsible-and-ethical-enablement-of-artificial-intelligence
[3] https://www.pib.gov.in/PressReleasePage.aspx?PRID=2158506#:~:text=The%20amendment%20to%20Section%208,with%20the%20right%20to%20information
[4] https://drive.google.com/file/d/1VsFYPgrRk9HtdtfW9tYzdOcOdE-XiAM2/view
[5] Google India Digital Services Pvt. Ltd v. Testbook Edu Solution Pvt. Ltd, Petition for Special Leave Appeal (C) No. 19740/2025
[6] https://parivahan.gov.in/sites/default/files/policy/data-sharing-policy.pdf
[7] https://www.pib.gov.in/PressReleasePage.aspx?PRID=2149719
[8] https://negd.gov.in/events/industry-consultation-meeting-of-national-data-centre-policy-2025/
[9] https://content.govdelivery.com/accounts/WYGOV/bulletins/3ee734a
[10] https://noyb.eu/sites/default/files/2025-08/DSB_Entscheidung_YouTube_geschw%C3%A4rzt.pdf
[11] https://noyb.eu/sites/default/files/2025-08/20250818145608738p_Redacted.pdf
[12] https://www.privacy.org.nz/tuhono-connect/statements-media-releases/privacy-commissioner-announces-new-rules-for-biometrics/
[13] https://www.un.org/sg/en/content/sg/statement/2025-08-26/statement-attributable-the-spokesperson-for-the-secretary-general-%E2%80%93-the-general-assembly-decision-new-artificial-intelligence-governance-mechanisms-within-the-united
[14] https://docs.un.org/en/A/79/L.118
[15] https://www.sec.or.th/EN/Pages/News_Detail.aspx?SECID=11966&utm

Disclaimer

Current rules of the Bar Council of India impose restrictions on maintaining a web page and do not permit lawyers to provide information concerning their areas of practice. Fountainhead Legal is, therefore, constrained from providing any further information on this web page except as stated below.

The rules of the Bar Council of India prohibit law firms from soliciting work or advertising in any manner. By clicking on ‘I AGREE’, the user acknowledges that:

The user wishes to gain more information about Fountainhead Legal, its practice areas and the firm’s lawyers, for his/her own information and use;

The information is made available/provided to the user only on his/her specific request and any information obtained or material downloaded from this website is completely at the user’s volition and any transmission, receipt or use of this site is not intended to, and will not, create any lawyer-client relationship; and

None of the information contained on the website is in the nature of a legal opinion or otherwise amounts to any legal advice.

Fountainhead Legal, is not liable for any consequence of any action taken by the user relying on material/information provided under this website. In cases where the user has any legal issues, he/she in all cases must seek independent legal advice.

I Agree I Disagree